Say Cheese!: Court orders grandma to delete Facebook photos of grandchildren

June 5, 2020

3 min read

Sign up to our mailing list! 👇

What's going on here?

A District Court in the Netherlands has ordered a grandmother to delete photographs of her grandchildren under GDPR, which she uploaded to her Facebook and Pinterest accounts without the parents’ permission.

What does this mean?

The claimant – and daughter of the defendant – alleged that by posting photos of her young children without express permission, the defendant was violating her grandchildren’s privacy; acting unlawfully under the General Data Protection Regulation 2016 (GDPR). This EU legislation came into force in 2018 and aims to ensure individuals have control over their personal data.

The point of law for the court to consider was whether the defendant’s actions amounted to a “purely personal” or “household” activity, which would have permitted the defendant’s actions under Chapter 1, Article 2, paragraph 2(c) of GDPR. The court was unable to rule out whether the photos could be accessible via a search engine, or whether they could be distributed and become property of third parties. As such, these images were considered to be subject to a wider audience. Consequently, the “purely personal” or “household” activity exclusion did not apply, and the defendant was ordered to delete the photos from her Facebook and Pinterest accounts, facing a fine of €50 for each day of non-compliance.

This case might seem like a win for digital rights as the ruling suggests that an adult is legally entitled to make similar requests for themselves, for example asking an ex-partner to take down pictures from social media. But the case also highlights a common criticism of GDPR, that penalising big tech offenders – the initial impetus for comprehensive data-privacy legislation – has been thwarted in favour of punishing smaller parties.

What's the big picture effect?

In its first two years, GDPR generated around £102m in fines and over 160,000 data breach notifications. Although this might indicate success, critics are quick to point out how little of this action has been taken against big tech companies such as Facebook, Amazon and Google which many claim are the primary data privacy offenders. For example, although Google was fined around £44m in 2018, this equals just 10% of what the company generates in sales each day. 

 Eduardo Ustaran, partner in Hogan Lovells’ Global Privacy and Cybersecurity Practice, has said that “GDPR is a long-term project” and this sentiment could soon be realised with GDPR’s biggest test likely emerging  in the next few months. Two important Irish cases against Twitter and Whatsapp (two Facebook owned services) are progressing and COVID-19 will potentially exacerbate GDPR breaches. The latter point is a consequence of companies being forced to rapidly shift their employees to work from home arrangements which has reduced security procedures. One example is EasyJet’s security hack in May which has led to US law firm PGMBM issuing a class action claim on behalf of nine million customers whose data was stolen. 

If nothing else, GDPR has increased people’s awareness of their rights as  this Dutch case illustrates. The subject considered by the court underlines the increasing concern felt by individuals and government bodies over privacy issues and whether the law can keep pace with technology. Ultimately, it remains to be seen whether GDPR can stand firm against the tech giants and be the privacy legislation it was intended to be.

Report written by Keir Galloway Throssell

If you’d like to write for LittleLaw, click here!

Share this now!