A Dutch Court has issued a preliminary ruling this month that a grandmother is in breach of the GDPR by refusing to delete photographs of her grandchildren from Facebook and Pinterest. She will also receive a daily fine if she does not remove them, or if she posts new pictures.
While this decision does not necessarily mean Courts in other countries will make the same determination, it raises a number of interesting questions, which could affect virtually every social media user.
The Dutch Court’s decision essentially rested on whether the grandmother could rely on her actions falling within “purely personal” or “household” use, such that the GDPR would not apply to her (Article 2(c) GDPR). Most people would assume that they were not exposing themselves to legal complaints by posting family pictures on social media.
On average, around 350 million photographs are added to Facebook each day. A significant number of these will be family members posting images which include minor children in them. If the parents of any children were unhappy with their family posting such pictures, that would ordinarily be resolved with nothing more than a polite conversation. However, in this case, the family relationship had broken down and the grandmother did not remove the photographs, even after being requested to do so by the police. The mother then asked the Court to intervene, arguing that the grandmother’s publication of the photographs breached the grandchildren’s privacy and data protection rights.
At the Court hearing, the grandmother’s defence was that she took the grandchildren’s privacy seriously and had, by then, deleted all but one photograph on Facebook, of the grandchild who had lived with her for a number of years and who she felt she had a special relationship with. The mother argued there was also a photograph of her and her children on the grandmother’s Pinterest page, although the grandmother said she had not used Pinterest for years.
The Court did not consider who owned copyright in the photographs, so was only concerned with privacy and data protection arguments. Its decision was an interim one, not following a full trial, but the Court found that:
Although it cannot be ruled out that posting a photo on a personal Facebook page falls under a purely personal or household activity, it was not sufficiently established how the grandmother’s accounts were set up or protected.
It is unclear whether the photos can be found via search engines.
It cannot be ruled out that photographs put on Facebook can be distributed, or may come into the hands of, third parties.
It is therefore not apparent that the grandmother is carrying out a purely personal or household activity, and so the GDPR applies.
As the grandmother did not have the parents’ consent, the Court found that she was processing the grandchildren’s personal data in breach of her obligations under the GDPR and ordered her to remove the photographs and not post new ones. Failure to do so would lead to a daily fine, up to a maximum of €2,000.
Interestingly, the Court ruled that the “emotional importance” to the grandmother in posting pictures of her grandchildren on social media “cannot lead to a different judgment”.