Are photographs sensitive personal information?

The country’s data privacy law (i.e., DPA) is not as black and white as some people make it out to be. Allowing the public to figure it out for themselves without adequate guidance would be courting controversy, or even conflict. People will regularly arrive at varying interpretations of its provisions. Even so-called privacy professionals frequently offer differing views.

One gray area requiring urgent clarification concerns the proper categorization of certain types of personal data—photos, in particular. The DPA currently makes a distinction between plain personal information and sensitive personal information (and privileged information). It lays down for each type a different criteria for lawful processing and different schedules of penalties, because the latter kind are more likely to negatively impact the person they pertain to compared to the first. When dealing with photos, the distinction gets blurry pretty quickly.

Here’s why.

The DPA lists down the types of personal information which are considered sensitive personal information. While the enumeration is rather straightforward, it doesn’t take long to realize it is too generous in its descriptions, and could cause trouble for those regularly processing this kind of data. This problem manifests fully in certain cases, such as when photos are involved. Take a person’s color, race, or ethnicity. These are currently considered sensitive personal information by the DPA. Now, one could argue that all three may be revealed by a person’s photo. Does this now make the photo sensitive personal information? If so, any organization seeking to process a portrait photo must look to the criteria for processing sensitive personal information, which are far more restrictive and therefore more difficult to meet. The simplest solution may be to get that person’s consent, but how about instances where images of hundreds or even thousands of people are captured?

Problem areas like this should be addressed by the country’s data protection authority—the  National Privacy Commission (NPC) via timely issuances. It can begin by looking at the experiences of its peers and any opinions they may have already said about the subject.

I’ve done some initial digging. It seems data protection laws are inconsistent in their approach to photographs. In Argentina, Belgium, France, Spain, Italy, and the UK, the law considers photos as merely personal information. They do recognize that, in some cases, it may be regarded as sensitive personal information. Meanwhile, in countries like Germany, pictures are immediately classified as sensitive data. It’s worth noting, though, that most of these agencies have yet to issue relevant guidelines.

Taking things further, I’ve also made notes of some factors to consider when deciding on the proper classification of images:

• Format and Quality. The European Union’s General Data Protection Regulation (GDPR) treats a photo as a special category of data only when it is “processed through a specific technical means allowing unique identification or authentication of a natural person”. Otherwise, it is only personal information. With this, the Article 29 Working Party—an advisory body composed of representatives from the data protection authorities of the EU member-countries—has gone on to conclude that only digital photos may be considered as sensitive personal information, especially those that could allow the analysis of biometric data.
• Purpose. In Belgium and Spain, specifically, a photo is treated as personal information if it is processed for identification purposes (e.g., in the workplace or school)—even if it reveals sensitive information such as a person’s race, ethnicity, religion, or disability. However, if the purpose for processing  relates to the sensitive information itself (e.g., ethnic screening, profiling of immigrants, investigation of misconduct of student, etc.), then the photo may be categorized as sensitive personal information. Meanwhile, in the UK, it is recognized that while a photo is personal information, it may not always accurately determine a sensitive trait of an individual. Thus, it may only be regarded as sensitive personal information when the organization processing the same possesses other data that confirms the said sensitive trait. Ultimately, it is the photo, together with the other data, that is categorized as sensitive personal information.
• Context. While I was unable to come across references taking them up extensively, I would say culture and social norms are also important influences. Photos portray different scenarios and, on occasion, they include details that are considered sensitive by the prevailing context. What is normal and acceptable in some jurisdictions, may be taboo in others. A photo showing a man practicing his faith may have no consequences in one country, but could spark a controversy (or worse) in another.

Of course, there will still be other factors. Many would be hard to be predict, let alone control. But they will all play a part when dealing with data protection issues that revolve around photos and the kind of information they represent.

This is where the importance of a regulator like the NPC comes in. Even with comprehensive privacy programs in place, the internal controls of organizations do not always solve problems, especially if these are caused by confusing provisions in the law, or outright policy gaps. At least with a proactive data protection authority, the organizations and the people they engage with can be steered towards the right direction.

Of course, this doesn’t mean organizations are off the hook. They will still have their parts to play. They may, for instance, look into other ways of transacting with individuals without having to rely too much on their photos. For instance, there are other options when verifying people’s identities or authenticating their submissions. They just need to be sure that, whatever alternative they resort to, it must not pose greater risks or bigger problems.

What then do we make of photos for now? Until the NPC steps in (or maybe even the courts), it would seem classifying photos will continue to be a challenging exercise, the results of which will depend on the facts and circumstances of each situation. As I’ve highlighted here, a lot of factors will surely come into play. As for the NPC, it should make sure to consult with the different stakeholders in order to capture the problem fully and be able issue guidelines that also address it in its entirety.