Germans sceptical about new EU data protection regulations

The majority of Germans (87%) have heard of the new EU General Data Protection Regulations (GDPR), which came into effect in May, according to a survey conducted by IP Deutschland for the European netID Foundation.
However, 1 in 2 have no idea what this means for them personally, with only 17 percent believing the new rules will result in their personal data being better protected. The majority (61%) of respondents believe that companies will continue collecting as much data as before, but will be more transparent about their data collection practices. Almost two thirds (65%) of respondents find data protection guidelines too complicated and long, and 17 percent of Germans accept cookie notices without reading them.

Since May 25, 2018 at the latest, the question has arisen as to whether the new data protection provisions must be observed for a wide variety of digital applications/processes. The new data protection provisions from the European General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act must always be observed when personal data is processed in non-private areas.

Processing of personal data

Photos (and films) may also contain personal data. On the one hand, the facial image is a personal datum, on the other hand, additional data such as location and time of image capture or other GPS information are frequently stored as metadata for the individual digital photos. High-resolution recordings in HD quality often also enable biometric recognition of the persons depicted. These cases are even considered particularly protected sensitive personal data (Art. 9 GDPR).

Legal basis for data processing

Any processing of personal data must be done lawfully, meaning that there must be a legal basis in accordance with Art. 6 GDPR. In this context, however, the legitimate question arises as to what role the German Act on Copyright in Works of the Fine Arts and in Photography (also referred to as the Art Copyright Act “Kunsturhebergesetz”) continues to play. Will the Art Copyright Act become meaningless because of the GDPR? Or do the provisions of the Art Copyright Act apply to photographs as the more specific provisions?

The data protection supervisory authority of the state of Brandenburg has now commented on these issues (LDA Brandenburg: “Processing of personal data in case of photographs,” available at: The supervisory authority clarifies that the Art Copyright Act only contains provisions for the distribution and public display of photographs. As far as the actual “photographing” activity is concerned, i.e., the production of the photograph, the Art Copyright Act does not include any provisions. In this respect, the legal basis of the GDPR must always be used, such as consent, contract performance, or legitimate interests.

Legal basis for photography

The legal basis to be considered is therefore consent under data protection law. The problem with this legal basis is, however, that the consenting party has the right to revoke the consent at any time with effect for the future. This may result in the photograph having to be deleted and no longer being permitted to be used. In addition, the GDPR requires detailed information of the data subject for the consent to be effective at all. Under this consideration, a different legal basis should be chosen if one is available.

Taking photographs may also be permitted because the person photographed has concluded a contract with the photographer about the photos. No other persons may be photographed on the basis of this contract, however.

In addition to contract performance and consent, processing (here: photographing) on the basis of overriding legitimate interests may also be considered. In this case, the interests of the parties worthy of protection must be weighed against each other. The interests of the photographer may include the wishes to pursue the professional activity, which is subject to professional or artistic freedom, or the interests of the organizer (as third-party interests) to document an event. These interests are to be weighed against the photographer’s interests. The interests of the photographer depend on his or her reasonable expectations. At public or large events, the photographer must expect the event to be documented in photographs. Secret or discrediting photographs, however, will not outweigh the photographer’s legitimate interests, so that such photographs predominantly cannot be taken on the basis of legitimate interests. LDA Brandenburg cites further examples, in which the photographer cannot rely on legitimate interests, such as the photographing of children and photos of persons that relate to religion, health, sex life, or the sexual orientation of the person photographed. The latter situations, like biometric data, fall under the special categories of personal data that are particularly worthy of protection under Article 9 GDPR.

Legal basis for the use of photographs

For the use of photographs, such as publishing, the Art Copyright Act could take precedence, however. Section 22 Art Copyright Act stipulates that portraits may only be distributed or publicly displayed with the consent of the person depicted. Section 23 Art Copyright Act governs situations in which, by way of exception, no consent is required, such as relating to photographs of events or if the person is only accidentally (“as an accessory” of a place) included in the photograph. It is currently unclear whether the Art Copyright Act will remain applicable alongside the GDPR.

Article 85(1) and (2) GDPR provide that the Member States must or may provide for exemptions from the GDPR for journalistic, scientific, artistic, and literary purposes to ensure freedom of expression and information. It is unclear whether Germany has so far made such provisions. According to current information, Germany has at least not notified any exception laws to the Commission. The Art Copyright Act may possibly be a legal provision under Art. 85(1) GDPR for which no notification to the Commission is required. Legal uncertainty currently exists in this respect. The Federal Ministry of the Interior, Building and Community has published a statement on this issue (available at: The independent data protection authorities, on the other hand, have not yet submitted their positions. Nor does LDA Brandenburg position itself with the above-mentioned statement. It merely holds that the use of photographs requires the consent of the person photographed or another legal basis. The exceptional provisions of Section 23 Art Copyright Act could be taken into account at least in the context of a balancing of interests when processing on the basis of justified interests, as long as no provisions to the contrary would be made.

In order to avoid legal uncertainties, it is advisable to obtain consent for the publication of personal photographs, wherever possible.

Exemptions for the press

Exceptions will at least exist for the press, because LDA Brandenburg considers the “media privilege” to still apply. For photography and distribution of photographs for journalistic-editorial purposes, the media privilege, which is governed by Section 9c and Section 52 Interstate Broadcasting Treaty on the one hand, and by various national laws on the other hand, is a provision in accordance with Art. 85(1) GDPR. The press is thus exempt from numerous provisions of the GDPR. It must be ensured, however, that only the journalistic press (e.g., newspapers or photojournalists, possibly also blogs) falls under this exemption. A corporate press department will likely not be able to invoke this exemption.

Information duties

Since personal data are processed, the information duties under Articles 13, 14 GDPR must be met. The Brandenburg Data Protection Authority recommends privacy policies to be communicated in invitations or on information signs at events. In the case of photographs with a large number of individuals, the provision of information may be disproportionate in individual cases, so that according to Art. 14(5) GDPR, in exceptional cases, no information would have to be provided. This could be conceivable in a public space where people cannot be reached, such as in the subway or in public places. In this respect, however, the individual case must always be considered.

Duties to erase

Personal data, thus also photographs depicting persons, are to be erased as soon as they are no longer required. As long as the data are necessary to enforce legal claims, however, there is no duty to erase them. The German Copyright and Related Rights Act (also referred to as Copyright Act) stipulates how long works enjoy protection. Accordingly, photographs enjoy copyrights 70 years after the death of the author, i.e., the photographer. For this period, there is no obligation to erase the data. Due to the media privilege or other statutory provisions, additional and differing duties to erase data may exist if, for example, there is a historical interest in storage of the photographs.


Personal data are involved where individuals may be identified on photographs. This means that data protection laws must be observed if photographs are not taken and published exclusively in private areas. The GDPR definitely applies to photography. It is currently unclear whether the Art Copyright Act applies primarily to the publication or other use of photographs depicting individuals. It also remains to be seen whether legislation will be passed to add simplifications. In any event, drafts for the revision of the Art Copyright Act that are known to date do not yet offer sufficient solutions to the questions raised above.

As long as the supervisory authorities and courts do not position themselves, it is currently advisable to obtain the consent of the persons photographed, wherever possible, to publish photographs and to rule out legal uncertainties. In any event, information should be provided wherever reasonably possible.

How Bad is GDPR for Photographers? Another opinion from PetaPixel

The EU has a new data protection law, the so-called GDPR, the General Data Protection Regulation, or as we Germans like to call it: “Datenschutzgrundverordnung” (Gesundheit!). The rules took effect on May 25th and so far it’s pretty chaotic: in the EU we cannot reach some newspapers in the outside world because they cannot comply with the new rules.

A guy in Austria is using the law to file $8.8 billion dollar lawsuits against Facebook and Google. Hundreds of bloggers have taken down their sites, fearful of the possibility of serious fines. Internet light bulbs have stopped working properly. And photographers are being targeted, too.

Just how bad is it?

If you’re a professional, then you will need to fix your customer relationship management, your website, your data security, and much more. Just don’t email those stupid GDPR emails if you run a newsletter — chances are, you’ll just make things worse. If in doubt, ask a lawyer. And there will be doubts.

If you’re just a mom or pop shooting pictures of your family, you should be fine. The GDPR does not apply to data processing “in the course of a purely personal or household activity.” But beware: if you have a million Instagram followers, your kid’s birthday party is probably not a “household activity” anymore.

If you’re a photo enthusiast, then things get tricky.

See, the GDPR sees photography as something even the first Terminator could do: processing personal data. Yes, your dreamy picture of that girl in the sunflower field is the “collection and sharing of personal data” in the eyes of a data protection officer. Many things in a photo are personal data: her face, the location, the time and date, and everything that is tied to her identity.

The legal consequence: you need to provide some kind of justification to take that picture and to put it on your hard disk or — god forbid — to share it on Instagram. If you’re a pro, you have a model release. If you’re just a friend, it’s out of the scope of the GDPR (again, “personal or household activity”). But an enthusiast sits uncomfortably in the middle.

Are you ready to comply with your data duties? To wipe out personal data of someone who files a complaint, years after you took his or her photo? Are you ready to find each photo you ever made for your Flickr portfolio and delete it upon request?

Street photography especially becomes a legal nightmare. You cannot get consent before you take the shot because that would usually destroy the moment. According to the data protection law, you’re not allowed to only ask for it afterward. If you take a picture as an event photographer, you might argue that taking pictures of visitors at a conference is “necessary for the purposes of the legitimate interests” (Art. 6 lit f GDPR). You don’t need consent then.

But can you do that if you shoot that amazing shot of an elegant business guy in a light cone on the street? Probably not. And you certainly cannot do it when a child is in your picture. That “legitimate interests”-argument does not apply “where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

Of course, there were laws for photography before. Germany has had a law for photography dating back to 1907, when the Bundesrepublik was still a “Kaiserreich”: The Kunsturhebergesetz. You could be sentenced if you circulated pictures of people without their consent. It’s a reaction to the world’s first paparazzi: two photographers had taken a shot of the deceased Otto von Bismarck on his deathbed. Thank you, Willy Wilcke and Max Priester! People like you are the reason why we cannot have nice things anymore.

Bismarck on the deathbed of July 31, 1898 by Willy Wilcke and Max Priester

Over the years, our courts had found an acceptable balance between privacy rights and photography freedom. Very recently, the German Constitutional Court even ruled that street photography is protected by the constitution because it is “art”! Hear, hear!

That fair balance is at peril with the GDPR. The nature of an EU regulation is brutal and relentless: these laws come into force in every country and the courts have to ignore all national laws that contravene.

There is some hope though: some lawyers argue that the good old law from 1907 persists despite the GDPR. They cite Art. 85, a provision that deals with “Processing and freedom of expression and information”. It calls for Member States “to reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information” — also for “artistic expression”, read: street photography.

Sweden seems to have such a law. Many other EU countries don’t, including Germany. Some argue that the old law from 1907 simply is such a reconciling law. But nobody knows for sure, and that’s the biggest problem: the legal uncertainty alone drives many photographers up the walls, especially in Germany.
The current situation is tragic: Germany should welcome street photography. While it may not be the birthplace of street photography, at least a German developed the tool for some of the most famous photography artists: Leica cameras! Also, in Heinrich Zille we had one of the first photographers who captured everyday scenes instead of posed pictures. As early as 1900 he showed Berlin of the Kaiserreich as it is. (Probably. There are people who doubt that it was really him who pressed the button.)

Don’t get me wrong. It is okay to learn from history. The EU has traditionally had a thing for data protection. We’ve had quite an impressive history with dictators and devilish intelligence agencies (e.g. Gestapo, Stasi), so we’re keen not to allow anyone to know too much about us. No wonder it was a German guy from the Green Party who pushed for the GDPR.

It’s also okay to look for a legal answer to mass surveillance and mighty Internet companies like Facebook and Google.

Still, it makes you wonder: are we doing the right thing when the outcome of a law is paralyzing legal uncertainty and, at least for photographers, not more liberty but less?

This interesting opinion was written by

This article is sponsored by:

GDPR certified

Show your customers that you care about their privacy! European Center for GDPR Certification is the “Consumer Trust Body” of the General Data Protection Regulation. Visit to read about how to add “GDPR TRUST SEAL”™ to your website in order to gain more business and distance you from the not so serious competitors – It Pays Off!