The Singapore Personal Data Protection Commission ("PDPC") recently released Advisory Guidelines on the application of the Personal Data Protection Act 2012 ("PDPA") to Photography (the “Guidelines”).
In particular, the Guidelines addressed the perennial issue of whether a photographer needs to obtain an individual’s consent to take the individual’s photograph. The Guidelines also examined a broad range of other issues including whether photographers should enter into written contracts with event organizers before providing event photography services, whether the “solely for artistic purposes” exemption applies, and whether individuals can withdraw consent for the publication of photographs or the removal of photographs that have been published.
This article does not cover every issue in detail but highlights some of the salient points and examples raised in the Guidelines.
An image of an individual is personal data, and is regulated by the PDPA. Generally, consent is required for the collection, use or disclosure of photos. However, exceptions to the consent requirement may apply depending on the circumstances, such as where photographers are acting in their personal or domestic capacity.
Example: Taking photographs of family or friends for personal purposes would constitute acting in a personal or domestic capacity, but using such photos to obtain commercial contracts would not be considered acting in a personal or domestic capacity.
Professional photographers taking photos of individuals in the course of business will need to obtain consent, unless they are acting on behalf of and for the purposes of another organization (including photographers or photography companies) pursuant to a written contract, in which case the organization will be required to obtain the requisite consent.
Example: If the photographer is an employee of the organization or a data intermediary acting on behalf of the organization, the obligation to obtain consent lies with the organization.
Taking photos in public places
Organizations are exempted from the requirement to obtain consent in respect of the collection, use and disclosure of personal data that is publically available. If an individual’s photo is taken when the individual is at an event or location that is open to the public, taking a photo of that individual is likely to be regarded as a collection of personal data that is publically available, for which consent is not required. A location that is “open to the public” is one with few or no restrictions on who can enter or access the location. However the Guidelines note that there can be “private spaces within public spaces” and the mere fact that members of the public may look into the premises does not make it public.
Obtaining consent for photo-taking at private events
Generally, written consent should be obtained. The Guidelines do not prescribe how consent should be obtained. However some examples include:
- clearly stating on its invitations to guests; or
- putting up a prominent notice at the reception or entrance of the function venue that photographs of the attendees will be taken at the event for particular purposes.
If an individual voluntarily permits his/her photo to be taken or poses for photos, deemed consent may apply. If an individual is unaware that his/her photo is being taken, consent is unlikely to be deemed. However if express consent has already been obtained, no deemed consent is required.
Consent of individuals in the background of the photo
If individuals in the background of the photo can be identified, consent will generally be required, unless an exemption applies.
Signing a written contract before providing event photography services
The PDPA does not prescribe the types of contractual arrangements photographers should enter into. However, an event photographer hired by an organization and acting on its instructions may wish to be considered a “data intermediary”, as data intermediaries are only required to comply with the PDPA’s Protection and Retention obligations, unless contractually bound to comply with any other PDPA obligations (i.e. the photographer will not be responsible for obtaining consent – that will fall to the organization). In order to be considered a data intermediary under the PDPA, the data intermediary must be providing services on behalf of and for the purposes of the organization pursuant to a contract evidenced or made in writing.
If the photographer is not a data intermediary or employee, the photographer him/herself will be subject to the obligations under the PDPA’s data protection provisions, unless any relevant exception applies.
Whether the “solely for artistic purposes” exemption applies
An organization may collect, use or disclose personal data without consent if the personal data is collected solely for artistic or literary purposes. “Artistic” is not defined in the PDPA and its meaning may be highly subjective. To avoid uncertainty, the PDPA advises obtaining consent as a best practice.
Can individuals withdraw consent for the publication of photographs or the removal of photographs that have been published?
Individuals can withdraw consent for the collection, use and disclosure of their personal data at any time. Notwithstanding this, where consent is not required under the PDPA or any other written law, an organization may still collect, use and disclose the individual’s personal data (or choose not to, at the organization’s discretion).
If a photo has already been published and made publically available, the organization does not need to cease publication of the photo, although it may wish to cease further use or disclosure of the photographs as good practice.
The PDPA does not provide a right for individuals to request that an organization cease to retain their personal data per se. Therefore, even if an individual withdraws his/her consent, an organization is not obliged to delete all its photos or records of the individual. The organization may continue to retain the individual’s photos where necessary for business or legal reasons.