CURRENT APPROACHES AND NEW RESEARCH IN
MODERN SCIENCES
International scientific-online conference
22
COMPARATIVE ANALYSIS: IMAGE RIGHTS UNDER DATA
PROTECTION VS. PERSONALITY RIGHTS
Koryogdiev Bobur Umidjon ogli
Lecturer of Tashkent State University of Law
Email: boburkoryogdiyev@gmail.com
https://doi.org/10.5281/zenodo.15623959
Annotation:
This comparative analysis explores two predominant legal
frameworks for regulating image rights: as personal data under data protection
laws and as personality rights under civil law. The data protection approach—
exemplified by the GDPR—treats images as identifiable personal data,
emphasizing consent, processing limitations, and data subject rights. In contrast,
the civil law tradition, grounded in personality rights, protects image rights as
an extension of personal dignity, autonomy, and control over one’s likeness. The
analysis highlights key doctrinal and practical differences, including the scope of
protection, enforcement mechanisms, and applicability in digital contexts. It also
discusses the implications for regulatory design, particularly in response to
emerging challenges posed by AI, facial recognition, and social media. The study
underscores the need for integrated legal approaches that reconcile
informational privacy with human dignity to ensure comprehensive protection
of image rights in both online and offline environments.
Keywords:
data protection, personality rights, image right, dignity and
autonomy
Image rights can be protected in two main doctrinal frameworks. In the
data protection
approach, an image of a person is treated as personal data
under privacy laws (e.g. the EU’s GDPR). In the
personality-rights
approach
(civil law tradition), the image is an attribute of one’s personality (protected by
personal/“dignity” rights or right of publicity). These frameworks rest on
different conceptual and legal foundations and thus entail different scopes, legal
bases, and remedies, with significant implications for policy.
Conceptual and Legal Foundations
Data-Protection Approach:
Under privacy laws like the EU’s GDPR, a
photograph or video depicting a person is treated as personal data whenever the
person is identifiable. The focus is on information about the person. The GDPR
defines personal data broadly and mandates lawful processing (Art.6) with
specified legal bases (consent, contract, legitimate interest, etc.). A facial image
can even be “biometric data” (a special category under Art.9) if used for
identification. The goal is to protect an individual’s informational privacy and
data autonomy. For example, Italy’s data authority notes that publication of
CURRENT APPROACHES AND NEW RESEARCH IN
MODERN SCIENCES
International scientific-online conference
23
images by third parties generally requires the data subjects’ prior consent
(except limited grounds for legitimate interest). Under GDPR, data controllers
must also inform subjects of processing purposes and allow consent withdrawal,
even for images.
Personality-Rights Approach:
This stems from the civil-law tradition of
rights of personality or image rights, rooted in human dignity and reputation. In
Europe, the concept is enshrined in case law and national law. The European
Court of Human Rights regards one’s image as “one of the chief attributes of …
personality…[and] one of the essential components of personal development,”
requiring the individual’s control over its publication. Many countries codify or
judge the right to one’s own image (Droit à l’image). For instance, French Civil
Code Art. 9 guarantees respect for private life, interpreted to include the right to
authorize one’s image. Germany’s Kunsturhebergesetz (Art Copyright Act) §22
grants a person exclusive rights to consent to distribution of their portrait.
These laws prioritize the person’s dignity and autonomy, and often allow only
narrow exceptions (e.g. newsworthy events) to publication without consent.
Purpose and Scope of Regulation
The data-protection model is primarily
privacy-oriented
. It aims to
regulate the flow of personal information (including images) and give
individuals control over their data. Its scope is information security and data-
processing transparency. By contrast, the personality-rights model is
personhood-oriented
. It protects an individual’s control over their likeness,
identity, and reputation. It often has a commercial dimension (preventing
unauthorized exploitation) and a moral dimension (prohibiting degrading or
embarrassing uses).
Under GDPR, any photograph or video from which a person can be
identified is personal data (unless purely private use). This covers social-media
photos, CCTV footage, biometric scans, etc. Data protection applies whenever
such images are “processed” by an organization (collection, storage, analysis,
etc.). By contrast, personality rights apply to
uses of an image
(especially its
publication/dissemination). For example, French law provides that one may
oppose dissemination of any image of oneself on which one is recognizable,
regardless of where it was taken. Thus, even a casual photo posted online
without consent could violate image rights, whereas under GDPR it might fall
under the private-use exemption. In practice, personality rights cover fewer
scenarios (largely “public” or commercial uses of likeness) than data
protection’s near-universal coverage of identifiable images.
CURRENT APPROACHES AND NEW RESEARCH IN
MODERN SCIENCES
International scientific-online conference
24
Legal Basis and Enforcement Mechanisms
Processing an image under GDPR requires a lawful basis (Art.6 GDPR). In
most media/marketing contexts this means obtaining
explicit consent
from the
person depicted, or relying on a strict legitimate-interest test. Consent under
GDPR must be informed, specific, freely given, and revocable. For example,
photographing employees for a public website generally requires their consent
(or a pre-existing contract clause). If facial recognition or other sensitive use is
involved, higher standards apply (Art.9). Violations (e.g. processing photos
without basis) can trigger enforcement by Data Protection Authorities (with
fines and corrective orders) and give data subjects rights to erasure or
restriction. Data protection empowers individuals with specific procedural
rights (access, rectification, etc.).
In the civil-law approach,
consent is the default rule
. Most jurisdictions
require the subject’s agreement before an image of them is published or
exploited. For instance, Germany’s §22 KUG explicitly provides that portraits
may only be distributed with the subject’s consent. In France, case law similarly
holds that prior authorization is required before using a person’s image. The
consent needed here is often less formal (it can be verbal or implied) and does
not carry GDPR’s revocability requirement (though revoking consent may affect
related contracts). In lieu of consent, personality regimes carve out narrow
exceptions (news reporting, public events, incidental bystanders).
Data protection violations are typically handled by
regulatory agencies
(e.g. CNIL, EDPS, ICO) which can impose administrative fines (e.g. up to 4% of
global turnover) and corrective measures. Individuals can lodge complaints with
these authorities or courts to exercise their data rights. By contrast, personality-
rights infringements are remedied in
civil courts
. Victims seek injunctions
(cease-and-desist orders) and damages for unauthorized uses. In some cases,
criminal sanctions may apply (e.g. France criminalizes certain image abuses).
Enforcement also involves balancing against freedom of expression: judges
typically weigh the person’s image rights against the publisher’s public-interest
defense (as in von Hannover v. Germany).
Case Studies and Examples
Poland:
Under Polish law, an image is simultaneously a personality right
and personal data. The Polish Copyright Act art.81 requires consent for any
dissemination of a person’s image, subject to limited exceptions (public figure,
CURRENT APPROACHES AND NEW RESEARCH IN
MODERN SCIENCES
International scientific-online conference
25
incidental inclusion). The same images are also personal data under the GDPR,
so one must satisfy both regimes.
European Court of Human Rights:
In von Hannover v. Germany (2004,
2012), Princess Caroline won relief against unauthorized paparazzi photos. The
Court held that even public figures have a “legitimate expectation” of privacy in
everyday images, emphasizing her control over her image. This landmark case
illustrates how personality rights are balanced against expression rights in
Europe.
German Model Photography:
A German circuit case held that a
professional model’s images were used in breach of her image rights despite her
appearance being public. The court applied §22 KUG and required not just
consent to be photographed, but explicit consent for each use. (Cf. BGH,
Persilschein-Entscheidung, 1985, on requiring clear consent for image
exploitation.)
AI-Generated Images:
Emerging generative-AI disputes highlight
differences. Under GDPR, using real photos to train AI models implicates data
law: organizations must have a legal basis (often legitimate interest or consent)
and consider individuals’ rights (anonymization, DPIAs). For example, ICO
guidance (2023) emphasizes that training AI on scraped images requires high
transparency and a strict balancing test (legitimate interests). By contrast, under
personality-rights frameworks, creating a deepfake of a person (even an actor)
without consent may violate their image rights or publicity rights. A recent
Belgian analysis urges obtaining
explicit consent
for using anyone’s likeness in
AI-generated content, covering scope, purpose, and remuneration. Notably, the
new EU
AI Act
(Reg 2024/1689) will mandate that AI-generated “deepfakes” be
clearly labeled as such, a policy reflecting privacy and publicity concerns.
In summary, treating images as personal data focuses policy on data flows
(consent forms, processing logs, data subjects’ rights), whereas treating images
as personality rights focuses on publication control (licensing, press exceptions,
damages). A comprehensive policy must accommodate both perspectives. For
example, drafting a new law on “deepfake images” will require addressing data
protection (consent to data use, transparency) and personality issues (misuse of
likeness, reputation). The interplay is evident in jurisdictions like Germany or
Italy, where data-protection rules have been explicitly integrated with
traditional image-consent statutes. Policymakers should be aware that an
exclusive data-protection approach may leave gaps (e.g. unauthorized
commercial exploitation) and an exclusive personality approach may overlook
CURRENT APPROACHES AND NEW RESEARCH IN
MODERN SCIENCES
International scientific-online conference
26
modern data-processing concerns (e.g. AI training, profile analytics). The table
and analysis above highlight these differences and can guide balanced
regulatory strategies.
List of references:
1.
Bygrave, L. A. (2014). Data Privacy Law: An International Perspective.
Oxford University Press.
2.
Kosta, E. (2013). Consent in European Data Protection Law. Martinus
Nijhoff Publishers.
3.
European Union. (2016). Regulation (EU) 2016/679 (General Data
Protection Regulation). Official Journal of the European Union.
4.
Dreier, T. (2004). “The Right to One’s Image: Publicity and Privacy Rights.”
In: European Intellectual Property Review.
5.
Von Bar, C. (1998). The Common European Law of Torts: Volume II.
Oxford University Press – discusses image and personality rights under civil
codes.
6.
Noto La Diega, G. (2020). “Artificial Intelligence and the Right to One’s
Image: A European Perspective.” European Journal of Law and Technology,
11(2).
7.
Koops, B. J., et al. (2011). “A Typology of Privacy.” University of
Pennsylvania Journal of International Law, 38(2), 483–575.
8.
Solove, D. J. (2008). Understanding Privacy. Harvard University Press.
9.
Ubertazzi, B. (2017). “The Right of Personality in European Civil Law.” In:
International Review of Intellectual Property and Competition Law (IIC), 48(5),
533–552.
10.
Hildebrandt, M. (2015). Smart Technologies and the End(s) of Law: Novel
Entanglements of Law and Technology. Edward Elgar Publishing.
