A Dutch court has held that a grandmother was in breach of the General Data Protection Regulation (GDPR) for posting pictures of her grandchildren on social media platforms without their parents’ consent and refusing to delete them after multiple requests.

The GDPR does not apply to the processing of personal data by an individual “in the course of a purely personal or household activity”.

However, the court said that it was not sufficiently established what security settings the grandmother had on her social media accounts, and it was not clear whether the photos could have been found via search engines. As a result, the court was not convinced that posting the photos on social media sites constitutes a “purely personal or household activity”, as this places them in the public domain, and they could then be further distributed and used by third parties.

The court therefore held that the GDPR applied in this case and ordered the grandmother to delete the photos on the basis that she did not have the children’s parents’ consent to post them (which the court considered was needed as they were under 16).

The court said she would have to pay a penalty of €50 for every day that she failed to delete the photos (up to a maximum of €1,000) and the same daily penalty would apply if she posted new photos of the grandchildren.

Comment

On a personal level, it is obviously polite not to post pictures of other people, or to delete them if requested, if they (or their parents if they are minors) are not comfortable with it. However, to say that ‘consent’ is required under the GDPR has far-reaching consequences, not least because of the stringent requirements for consent to be valid – e.g. it has to be opt-in, clear, specific and informed. Do we need to give people privacy information before we post pictures of them? Do we need to keep a record of the consents that we obtain? Do we need to tell them that they have the right to withdraw consent at any time?

Further, if GDPR-standard ‘consent’ is required, does this mean that we are each individual controllers of the personal information we post on our social media pages? If we are controllers, what does that make the social media companies – are they co-controllers? Joint controllers? Processors? Do we need data processing contracts in place with them? And if we are controllers, what other provisions of the GDPR would apply to us?

It should be noted that this was a preliminary ruling and there was not a full trial. It is not clear whether the court would have reached the same decision if it had in fact been established that the grandmother’s account settings were set to private, or if it had been confirmed that the photos would not come up in a search engine. Further, it is not clear whether consent would only be required in respect of minors, or whether the same decision would have been reached if the dispute only concerned adults. It also does not mean that courts in other jurisdictions would come to the same decision.

However, clearly this judgment raises many more questions than answers at this point, and is definitely an interesting one to keep an eye on from a data protection perspective.

See the judgment here (available only in Dutch).