Dutch court rules on social media posts, consent and domestic exemption....
The Court of First Instance of Gelderland has determined that the processing of personal data (photos) of the plaintiff’s children by their grandmother is unlawful and should be based on the legal representative’s consent. The Court has ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR.
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires their legal representative(s)’ consent.
The mother of the three children (plaintiff) filed a claim in the Court to cease the posting of her children’s photos by their grandmother (defendant) on social media. The plaintiff argued that the defendant did not obtain a consent from her or her ex-partner – the legal representatives of one of the children concerned.
Despite sending several letters requesting the defendant to remove photos from her Facebook page, the defendant did not comply with the request. The defendant’s child (child 1), whom the current proceedings concern, is under 16 years old. The plaintiff, as a legal representative has not given permission to post photos of her children on social media. In the case of child 1, his father also did not grant permission to the defendant.
The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” Article 2(2)(c) GDPR. Therefore, such processing of plaintiff’s photos falls within the scope of the GDPR.
Given the lack of consent, the Court decided to command the defendant to remove the photo of child 1 from her Facebook page as well as to remove the photo of the plaintiff from the Pinterest account. In addition, the defendant will be prohibited from posting photos of plaintiff’s minor children on social media without having permission to do so first.
This outcome will obviously spark much debate as to whether this decision is heavy handed or not however, in light of CJEU case law, the reality is that posting personal data on Facebook (other social media platforms are available!!), or other publicly accessible service, without implementing available security and privacy settings to restrict who can view your account, you cannot rely on domestic exemption.