Street Photography, the law and data collection

mickyates

This summarises my understanding of the UK legal and data collection frameworks as they apply to street photography. There is much confusion on the subject, and this is a small attempt to provide a few facts. Let me start with some overall comments:

Street photography in public spaces is a perfectly legal activity in the UK. Even under new data regimes, this right to photograph is unchanged. Below is a detailed discussion of this, broken into two broad areas: first, the law pertaining to, and the rights of, street photographers; and second, data protection implications.

That said, just because one is legally able to do something does not mean that it should be done.

Street photography in a public place is a fully legal activity in the UK, although harassment is not. Conversely, photographers might themselves be harassed if people do not want their photographs taken. Common sense is required throughout.

So within the legal framework, every photographer must make ethical choices. Personally, I do not take ‘sneaky’ images, in the sense of deliberately obscuring what I am doing. Nor do I take pictures of the socially disadvantaged unless consent and conversation happen, and only then if there is a documentary purpose.

‘Do as you would be done by’ is a very practical principle, as is exhibiting respectful behaviour at all times.

If my street photography catches someone’s attention, an exchange of smiles usually happens, and maybe that would lead to a conversation and a request to take a candid portrait. I also have a collection of business cards with a variety of images on them to hand out, as this adds transparency and credibility. If someone objects, I politely acknowledge and desist. ‘In your face’ work, à la Bruce Gilden, is just not my thing.

I wrote an earlier post on what I consider street photography to be, which might be helpful in understanding where I am coming from.

I should also state that whilst I have many years of experience of street photography, assessing ethics issues and data management, I am not a lawyer, so I stand open to correction, and in fact very much welcome comments and debate to make things even clearer. Nothing I write here provides any form of professional or legal advice, and everyone should do their own due diligence and take their own decisions. It is simply my (hopefully) informed opinion.

Context changes, in legal, cultural and social norms, and in data protection regulation. So, whatever the interpretation of the current situation may be, it is always possible that the limits of street photography will be tested in the courts.


There are many good summaries of a street photographer’s rights and responsibilities. For example, Street Photography and the Law from Amateur Photographer is from 2016, though it is still accurate. I find this an important comment:

‘If you are standing on public property you can legally photograph private property, but you still need to be respectful of personal privacy. If, for example, you shoot a house from a public road and the resident can be seen getting dressed through an upstairs window, you could be sued for invasion of privacy’.

As is this:

‘Be careful with captions. Taking a picture of an oversized gentleman walking past a fast-food advert and then proceeding to post it on a forum with the caption ‘obese man ate all the pies’ could land you in a whole lot of trouble. Describe your picture using the facts and you will avoid a libel case’.

In other words, common sense and decency should be applied at all times.

Both Ask the Police and the Metropolitan Police offer photography advice. A police officer might have reason to stop an individual anywhere, especially in these days of suspected terrorist activities, but as the Met notes:

‘Members of the public and the media do not need a permit to film or photograph in public places and police have no power to stop them filming or photographing incidents or police personnel’.

Transport for London also has some clear guidelines. Anyone seeking to take photographs for commercial purposes on the London tube system should be aware that formal permission and fees apply. However, for private photographers this is not required. Their website notes:

‘We get many requests from tourists, train enthusiasts, budding photographers and customers ‘passing through’ a station who may want to take photographs for their own personal use. We agree that this is acceptable, at the station’s discretion, as long as additional camera equipment (including flash and tripods) is not used.

However, images clearly promoting the London Underground brand/logos must not be published or broadcast without our permission ahead of time. Also, people filming or taking photographs for their own purposes on TfL’s network are responsible for ensuring they comply with the requirements of privacy and data protection legislation’.

Perhaps the key legislation in the UK affecting street photography is Freedom of Panorama. Under UK law any public space is also a social space that is open to everyone. This includes roads, public squares, parks and beaches. The Copyright, Designs and Patents Act 1988 (as amended 2003) allows photographers to take pictures of buildings, sculptures and other items of artistic craftsmanship in a public place without violating copyright. This includes making video of it. The key section is Article 62:

Representation of certain artistic works on public display

(a) buildings, and (b) sculptures, models for buildings and works of artistic craftsmanship, if permanently situated in a public place or in premises open to the public.

The copyright in such a work is not infringed by

a) making a graphic work representing it,
b) making a photograph or film of it, or
c) making a broadcast of a visual image of it.

Nor is the copyright infringed by the issue to the public of copies, or the communication to the public, of anything whose making was, by virtue of this section, not an infringement of the copyright.

That said, Article 4 specifically notes that items of graphic work (‘any painting, drawing, diagram, map, chart or plan, any engraving, etching, lithograph, woodcut or similar work’) are not included. In practice this means that using photographs of branding and other copyrighted artwork commercially could break the law. When using images made in the street for commercial purposes, such graphic works, if they are central to the photograph, would be best used with permission. There is, however, much precedent in photographic history for the use of signage to communicate some point other than to highlight the brand concerned. This goes back to the beginnings of the medium.

Private spaces

Many places frequented by the public are not actually legally defined public spaces – shopping malls for example are often privately owned. Thus legal permission is required to photograph, although that is rarely enforced for individual photographers. One only has to walk through a mall and see the mobile phones in use. Malls often want publicity!

Still, some private sites will have ‘no photography’ signs which should be respected.

In a private space, security personnel can request photographers to desist. If asked, a photographer should comply.

It is also reported that photographers in such situations have been asked to delete photographs. No one has the legal right to ask anyone to delete photographs on the spot, not even the police. A court proceeding is required. If a police officer suspects that an image on a camera might throw light on an ongoing incident, they have a right to view the image there and then, but not delete it.


The European Union General Data Protection Regulation (GDPR) is enforced in the UK by the Information Commissioner’s Office (ICO), and it has been incorporated essentially without change into post-Brexit UK law. There are continued efforts to alter the Government’s ‘right’ to snoop, but that is not appropriate to this post, however concerning.

In my view, GDPR is a very good and necessary regulation to protect individuals’ data protection rights, maintaining their privacy and providing transparency on data use. It is bad news for spammers and companies that are sloppy with data or who abuse personal rights.

All personal data should be kept secure, and transparency is required. The intent of GDPR is to:

  • provide easier access to one’s own personal data (what data is held and by whom).
  • provide clarity on how personal data is processed and used by all kinds of organisations.
  • define the right to personal data portability, making it easy for individuals to transfer their data.
  • ensure every organisation appoints a Data Protection Officer.
  • create a framework for compliance, with big fines for non-compliant companies.

All businesses, big and small, and freelancers do need to be sure that personal data that they hold is properly secured.

Personal data is anything that can be used to identify someone, including web browsing, location, biometrics (which may include certain types of photograph), health and so forth. Personal data should only be held:

  • by explicit individual consent (which raises the issue of ‘informed consent’)
  • for the legitimate interests of the company (e.g. credit scoring)
  • other specified interests (e.g. audit compliance)

So not every item of personal data needs to be accompanied by consent. When GDPR came into force, there was a very nervous response from industry. If a business had an email list already in existence, then as long as there was an opt-out / unsubscribe button on every email sent, it didn’t really need to get prior approval from anyone on the list to send them anything. Many businesses and organisations overreacted on GDPR day to get opt-ins re-confirmed – hence the deluge of email we all got.

It all depends on the justification of the purpose of the data collection and subsequent analysis.

The ‘EU enforcement tracker’ shows every fine so far imposed or proposed. A quick glance shows that this focuses on quite large companies who use large quantities of personal data. The biggest fine so far proposed for a UK company is that for British Airways (€204,600,000). As a reference point, Equifax was fined a record £500,000,000 in 2018 by the ICO for a 2017 cyber-security breach.

Home users and individuals are essentially exempt from GDPR. This is also confirmed in the UK’s EU Exit legislation (2019) which notes:

2. This Regulation does not apply to- 

(a) the processing of personal data by an individual in the course of a purely personal or household activity;
(b) the processing of personal data by a competent authority for any of the law enforcement purposes (see Part 3 of the 2018 Act);
(c) the processing of personal data to which Part 4 of the 2018 Act (intelligence services processing) applies.

The chances of an individual having GDPR issues are very slim, unless, for example, someone misuses a commercially available database.

UK ICO registration

Every UK business is being asked by the ICO to register and pay a data protection fee unless formally considered exempt. Exemption is allowed for:

Staff administration (including payroll). You only hold the personal information of the people you need to for your staff administration.

Accounts or records (ie invoices and payments). You only hold the personal information of the people you need to for your own accounts and records – for example information about past, existing or present customers or suppliers.

Advertising, marketing and public relations (in connection with your own business activity). You only hold the personal information of the people you need to for your own advertising, marketing and public relations – for example information about past, existing or present customers or suppliers. The information is restricted to what is necessary for your advertising, marketing and public relations – for example, names, addresses and other identifiers. You only advertise and market your own goods and services.

I just ran my own consulting / photography company through the ICO’s online checker, and it appears that it is exempt.


A colleague has suggested that posting a photograph on Facebook is not a ‘personal activity’, and neither is putting a photograph in a book or gallery. The latter of course has been a consideration since before social media and the modern data universe.

There is only one specific mention of photographs in the full text of the GDPR.

‘The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person’ (pg 10: 51).

This is clearly applying to the special uses of photography for personal identification purposes.

In fact the ICO notes in What is Special Category Data?:

‘If you process digital photographs of individuals, this is not automatically biometric data even if you use it for identification purposes. Although a digital image may allow for identification using physical characteristics, it only becomes biometric data if you carry out “specific technical processing”. Usually this involves using the image data to create an individual digital template or profile, which in turn you use for automated image matching and identification’.

Special Category Data is defined as something particularly sensitive – such as racial, religious, health, biometric and so on. Not all photographs can be automatically put into this category.

On a different tack, one could argue that the ‘right to privacy’ could include asking for photographs published on social media to be taken down, which would also be a matter of courtesy. Making a change to a printed book would, of course, be more difficult.

There are some interesting cases on the EU Enforcement Tracker. A Cyprus newspaper firm was fined €10,000 over insufficient legal basis for data processing. Details:

‘The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance so that it was impossible to identify the persons, and these actions would not bring any change in the nature of the case’.

It seems that the fine was not about the use of the photograph per se, but rather was about the way the individuals were identified unnecessarily.

The ICO has also clarified that when a photograph is focused on an individual and could impact that individual in some way, then it could become personal data in the GDPR sense. They give examples of how context and intention change things. (What happens when different organisations process the same data for different purposes?). For example:

‘A journalist takes a photograph of the beach on a sunny day to publish in a local newspaper alongside a story about record-breaking temperatures. The photograph includes some individuals who are relaxing on the beach and is of sufficient quality that some of the individuals may be identifiable.

The journalist is not processing the photograph to learn anything about any of the individuals whose images were captured, nor is it likely that the journalist would ever process the photograph for that purpose. Whilst processed by the photographer, the photograph would not be personal data as it is not used to record, learn or decide something about the individuals.

One of the individuals photographed on the beach had told their employer they needed to attend a funeral and had taken compassionate leave from work on that day. Their colleague sees the photograph published in the newspaper, scans a copy and e-mails it to the manager of the individual photographed. The photograph is added to the individual’s personnel file in order to start disciplinary proceedings for taking compassionate leave under false pretences.

When being processed by the individual’s employer, the photograph is being used to record, learn or decide something about the individual. For this reason, it would be personal data when processed by the employer’.

Whilst there is clear legality in taking photographs in public places, their distribution (a form of processing) might have either privacy, defamation or data protection considerations. A visit to any bookstore will see thousands of books using various forms of documentary photography, with many levels of informed consent (or not).

A related issue is one of ownership of the image. The UK Gov Intellectual Property Office makes these points:

‘We know that photographs not only have meaning to the photographer, but to the people in the image. And there may be times when a model in a photograph objects to their image being shared. In this scenario, under GDPR a photograph is classed as someone’s personal data. Here are the steps you can take to prevent your greatest work remaining secret:

Choose the lawful basis that most closely reflects the relationship with the individual and the purpose of publication:

    • Consent
    • Contract
    • Legal obligation
    • Vital interests
    • Public task
    • Legitimate interest’

Legitimate interest is a rather broad idea, and can be ‘tested’ on the ICO’s Lawful basis interactive guidance tool. Legitimate Interest is something that an individual or organisation can define and defend as necessary to their activities, as above, or possibly something in the public interest. Somewhat open-ended perhaps but a very useful concept. To quote the ICO again:

‘The legitimate interests of the public in general may also play a part when deciding whether the legitimate interests in the processing override the individual’s interests and rights. If the processing has a wider public interest for society at large, then this may add weight to your interests when balancing these against those of the individual’.

A paper by Lien Verbauwhede of the World Intellectual Property Organization (WIPO) is also relevant and provides another framework for consideration. In the section on photographing people, the document says:

‘Often, you may be free to take a photograph of a person, but the way the image is used may give the person shown in the photograph a right to take legal action’.

Individuals cannot consider themselves intellectual property for copyright purposes, though any photographs of them may still breach their privacy rights, or have significant commercial impact. WIPO suggests the common sense approach of seeking permission if in doubt. The WIPO paper predates most of the data protection concerns or legislation, but remains pertinent. The issues of publication are issues that photographers have always had to grapple with, and it often falls to personal judgement.

Finally, here is a real-life case study on a pub using images of their property featuring customers, which addresses the rights and potential wrongs.

My conclusion at this point is ‘that it all depends’ on how the photograph is used rather than the fact that it was taken.

To my knowledge the interpretation of photographs taken by individuals and their use going forward on social media has not yet been legally defined or tested other than for ‘traditional’ reasons of defamation etc. I suspect that it is not likely a high priority concern for any regulatory data body unless some very clear personal right has been abused or major monetary gain is in contention.

Even then, any such case would also have to take into consideration historically accepted practice, the rights of the photographer, freedom of expression, the role of the social media platform and so forth.

Still, at some point this all may eventually get tested in the courts, if only on some narrowly defined ground.

Until then, use your best judgement!


Amateur Photographer. 2016. Street Photography And The Law. Available at: (accessed 27/02/2020).

Ask The Police. Q717: I want to take some photos / video footage in public, is it now illegal? Available at: (accessed 27/02/2020).

Copytrack. 2017. Pictures in Public: Simple Guide to UK Street Photography. Available at: (accessed 27/02/2020).

European Union Official Journal. 2016. General Data Protection Regulation (GDPR Full Text). Available at: (accessed 27/02/2020).

European Union. 2020. GDPR Enforcement Tracker. Available at: (accessed 27/02/2020).

ICO. 2019. Guide to GDPR. Available at: (accessed 27/02/2020).

ICO. Undated. Lawful Basis Interactive Tool. Available at: (accessed 27/02/2020).

ICO. 2018. Registration Self-Assessment. Available at: (accessed 27/02/2020).

ICO. Undated. What happens when different organisations process the same data for different purposes? Available at: (accessed 27/02/2020).

ICO. Undated. What is Personal data? Available at: (accessed 27/02/2020).

ICO. Undated. What is Special Category Data? Available at: (accessed 27/02/2020).

Metropolitan Police. 2020. Photography Advice. Available at: (accessed 27/02/2020).

Nick Turpin. 2019. A Complete Beginner’s Guide To Street Photography. Available at: (accessed 27/02/2020).

Transport for London (TfL). Undated. Filming & photography on TfL. Available at: (accessed 27/02/2020).

UK Government. 2020. Copyright, Designs and Patents Act 1988. Available at: (accessed 27/02/2020).

UK Government. 2019. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Available at: (accessed 27/02/2020).

UK Government Intellectual Property Office (Rebecca Trussell). 2019. Copyright and GDPR for photographers. Available at: (accessed 27/02/2020).

World Intellectual Property Organization (WIPO – Lien Verbauwhede). 2006. Legal Pitfalls in Taking or Using Photographs of Copyright Material, Trademarks and People. Available at: (accessed 27/02/2020).
