Untag!: A look at the GDPR ruling which required a grandmother to delete social media photos of her grandchild from an EU perspective

June 19, 2020


What's going on here?

After a Dutch grandmother refused to remove photos of her grandchild on Facebook and Pinterest, this family dispute became an example of the GDPR in practice when the child’s mother (her daughter) took her to court (for more information, see our article on that here). But what does this mean for the EU?

What does this mean?

The grandmother was ordered to delete the photos within 10 days of the ruling or face a fine for every day the photos were left up after this deadline. The Dutch interpretation of the GDPR requires the legal guardian’s permission when posting photos of individuals under 16 years old. In this instance, neither the child’s father nor mother consented. While the GDPR’s provisions do not apply to “purely personal or domestic” processing of data (BBC), the court ruled that the photos’ publication on social media meant they could be available to view by a wider audience; there was a possibility that third parties could gain access to these photos (the woman’s privacy settings are unknown).

What's the big picture effect?

Despite criticism that the GDPR has not been consistently or steadily enforced, this ruling around the 2-year anniversary of its implementation reminds institutions, companies and private individuals alike to beware.

This ruling reminds us that large companies and their data collection policies are not the only ones liable under GDPR provisions. The judgement has potentially widened the scope of the regulation to include actions against private individuals. This raises concerns about the “floodgates” opening for similar claims in domestic and EU courts by those featured on their friends’ social media accounts or even homeowners’ CCTV (Evening Standard). This may be viewed as a win for privacy campaigners, but ironically, it may be the EU’s own European Court of Human Rights (ECHR) which could limit future attempts to leverage this new precedent on the grounds of freedom of expression.

It is also the first case that has invoked the GDPR to settle a family dispute. It is unlikely that similar cases will become mainstream practice for family and technology/privacy lawyers because of the costs involved and the difficulty in establishing, on the facts, that defendants are liable as “data controllers” or “data processors”. Nonetheless, it indicates that this regulation could be applied in innovative ways for family matters in the future, potentially including divorce proceedings.

While the grandmother must pay a fine of up to €1000, GDPR fines have reached a combined total of 114m Euros since its implementation in May 2018; these are pertinent warnings to companies, including social media platforms, of how the GDPR can be enforced in the future. It is also an interesting “status update” about the GDPR’s impact on individuals – as protector and enforcer – and how it may influence our social media use.

Report written by Hannah-Mei Grisley
