If photos are PII under GDPR, how are most photos on the web legal?
It has been established that identifiable photos of individuals are Personally identifiable information. They MAY even be Special Category Data. It seems to me that one's photo is the most personal and the most identifiable form of data available.
Many sites not only collect and process photos, they publicly distribute them. These range from major multinationals, through international academic organisations to small clubs. I am probably on all 3 of these, and have not knowingly given any consent for my face to be distributed around the world.
What is the legal situation with this? Is it just that this has not yet been challenged so is not proven illegal? Is there some exception for this sort of data? Is there something I am missing?
gdpr european-union website
asked 10 hours ago by Dave (edited 9 hours ago)
2 Answers
What many people miss in relation to GDPR is the other five lawful bases for processing - there's a lot of discussion about consent, but this is only one lawful basis of six.
The full list from Article 6:
- Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Arguable bases would include performance of a contract or public interest, though there's also room to argue whether legitimate interests of the controller are, or are not, overridden by the subject's fundamental rights and freedoms.
The short answer is it's not just about consent, and press and social media sites are likely to have covered themselves with their contract or with a public interest argument.
answered 9 hours ago by ItWasLikeThatWhenIGotHere (edited 9 hours ago)
They're not necessarily legal
It may well be that many of the smaller sites don't actually have a legal right to use these photos. GDPR is a new law that's not yet widely enforced, especially in minor cases. Many active organizations did implement GDPR policies and obtained (for example) legal consent from their members regarding allowable use; however, many (especially smaller and less active organizations) did not.
While a news site or a search engine would have some basis for using these photos, a commercial organization (i.e. like the UK club/pub in one of your links) using photos in what's essentially advertising would not have anything other than consent as the legal basis of using these photos. Maybe they have asked the consent of all the people seen in their galleries - there's no way for others to know that. I've seen all kinds of organizations (e.g. a school publishing photos that include their students) now asking explicit consent according to GDPR to enable publishing these photos, naturally including the option to decline.
The enforcement is very loose
The main factor in this is the GDPR (non-)enforcement process by the appropriate local agencies. In essence, unless you have a really large scale or public visibility (e.g. Facebook), enforcement is based on addressing complaints by those whose rights were violated, and even then usually only if they've attempted to resolve this issue with the data controller and they didn't react accordingly. So for some academic organization or small club it's not really causing any problems unless (until!) one of the people in these pictures complains. Often, the result of such a complaint is the owner simply taking down all the photos from the site.
Ask them
There's a simple way to determine this experimentally - if you're in the EU, you may simply ask any organization who distributes photos with your face about their handling of your PII, and they're required to answer you under what lawful basis, in their opinion, they're doing this. It may well be that they'll answer "oooh, we actually can't, we'll take them down if you don't like them". It may also well be that, if they haven't thought about GDPR (yet), they'll be unable or unwilling to answer reasonably, in which case nothing will happen unless/until you involve the local regulatory agency.
answered 5 hours ago by Peteris (edited 4 hours ago)