The Dutch case
On 13th May 2020 the Rechtbank Gelderland (Court of First Instance of Gelderland) in The Netherlands published its judgment in the case of a grandmother who was being pursued by her daughter in relation to the publication of photographic images of her and her children on social media web sites. The names of the parties in the judgment were anonymised in order to protect the children who are minors.
This case has been picked up by English-speaking media and some journalists appear to consider the result surprising and even draconian (e.g. New York Post and Fox News). CNN, curiously, along with the Evening Standard appear to have got it right.
It seems that the grandmother had not sought her daughter’s permission nor that of the daughter’s ex-partner, who were the persons with parental responsibility for the children whose photographs were published.
It is clear that the photographs comprised personal data as they related to an identified or identifiable natural person (the mother and the children each) (Article 4(1) GDPR). Furthermore, photographs could be considered to be biometric data (depending upon the way in which they were taken and I have not seen them so I cannot say for certain whether this is a likely issue or not) as defined in Article 4(14) GDPR in which case they fall under the additional constraints of Article 9 of the GDPR which requires additional care and justification for processing such information. As the children were below the age of child consent in The Netherlands, which is 16, Article 8(2) GDPR was also engaged.
In the complaint, it was alleged that the defendant grandmother had failed to obtain consent. It is submitted that given that photographs are potentially biometric information, these fall under Article 9 and the consent should have been obtained pursuant to Article 9(2)(a) where explicit consent is required. The provisions of Article 6(1)(a), Article 7 and Article 8(2) read together with Recitals 32, 38, 40, 42, 43, 65 and 171 still apply. It is not made clear if the photographic images were originally posted prior to the coming into effect of the GDPR. If that were the case Recital 171 in relation to a transitional period where processing was previously carried out under consent valid under Directive 95/46/EC and the relevant implementing legislation in The Netherlands may have provided a partial defence for the grandmother.
The Dutch court held that it was not possible to establish with certainty that the posting of photographs on social media sites fell under the so-called “household exemption” provided in Article 2(2)(c) of the GDPR and as a result it determined that the GDPR did apply in this case. Moreover, as the children were below the age of 16 which is the age in the Netherlands above which a child is able to give their own consent for data protection matters (indeed, the default age of child consent in the Regulation), the grandmother should have obtained permission from those with parental responsibility for them, in this case their mother and her ex-partner, which it appears she did not do.
That the grandmother is a data controller for the purposes of the GDPR appears to be unavoidable as she was the person who was processing (the scope of which is very wide and includes simple storage) personal data (photographs) of natural persons (the daughter and the grandchildren). As such she had all of the responsibilities of a data controller as set out in, inter alia, Articles 24, 25, 26, 30, 31 & 32 of the GDPR.
It seems that the Dutch supervisor was not involved or, at least, that organisation is not mentioned in the judgment. The plaintiff mother relied, therefore, on remedies which run concurrently with any regulatory intervention and independent of it.
A similar case in Sweden
The Dutch case is similar to case C-101/01, an ECJ judgment in the case of criminal proceedings brought against Bodil Lindqvist, a Swedish lady who published personal details of members of her church on a personal web page, including the fact that one of them had injured her foot and was on half-time work as a result.
The Swedish case was decided under the pre-GDPR legislation, which was a Member State implementation of Directive 95/46/EC, and the judgment was published in November 2003.
The Dutch case was decided under Regulation 2016/679/EU (the “GDPR”) and the Dutch national implementing legislation (UAVG). Implementing legislation is not required for a Regulation save for putting in place Member State derogations which are permitted by the text. In the Dutch case the age of child consent was left at 16 by the Dutch Parliament (Art. 8(1)).
Why are these cases similar?
First, in both cases the question arose as to whether the publication of material done otherwise than for business purposes or for profit amounted to the processing of the personal data of data subjects for purely domestic purposes.
Second, in the Bodil Lindqvist case it was held that the information regarding the person who had injured her foot and was on restricted duties amounted to sensitive data while in the Dutch case some of the images complained of were of minor children where the consent of those with parental responsibility had not been obtained.
In the Bodil Lindqvist case, the national court in Sweden made a reference to the European Court of Justice in relation to seven questions regarding the interpretation of terms in the Directive and the applicability and limitations of national implementing legislation.
The seven questions were (my interpretation):
1. Whether the act of referring, on an internet page, to various persons and identifying them by name or by other means... constituted the “processing of personal data wholly or partly by automatic means” within the meaning of Art. 3(1) of Directive 95/46;
2. If the answer to 1. above is ‘no’, can the act of setting up a series of internet pages whereby persons’ names can be searched be considered to constitute “the processing otherwise than by automated means of personal data which form part of a filing system...” within the meaning of Art. 3(1) of Directive 95/46?
If the answer to either question 1 or 2 is ‘yes’, then:
3. Can the act of loading information about work colleagues onto a private home page which is nonetheless accessible to anyone who knows its address be regarded as outside of the scope of Directive 95/46 on the ground that it is covered by one of the exceptions in Art. 3(2)?
4. Does stating that a named colleague has injured her foot and is on half-time on medical grounds as a result amount to disclosing personal data concerning health contrary to Art. 8(1) of Directive 95/46?
5. Does the act of putting information onto a web site within Sweden that can nonetheless be accessed from other countries amount to a transfer of the information to those countries?
6. Do the provisions of Directive 95/46 bring about restrictions which conflict with the general principles of freedom of expression or other freedoms and rights enshrined in, inter alia, Article 10 of the European Convention on the Protection of Human Rights and Fundamental Freedoms?
7. Can a Member State in its implementing legislation give more extensive protection for personal data or have wider scope than the Directive?
In its judgment in Lindqvist, the ECJ held that the answer to question 1 above was ‘yes’ and therefore there was no need to consider question 2. In relation to question 3, the court held that the processing was not covered by the exceptions in Article 3(2) of the Directive. As to question 4, the court held that the information regarding the person who had injured her foot was personal data concerning health within the meaning of Article 8(1) of the Directive.
The ECJ also held that putting information on a web site in, say, Sweden, which was readable from elsewhere in the world, did not constitute transmission to those third countries. To do otherwise would have placed severe constraints on the open nature of the internet. The court also held in response to question 6 that there was no conflict with Article 10 of the ECHR and that in response to question 7 there was nothing to prevent national implementing legislation providing for greater scope as long as that was not in conflict with other Community Law.
In general, there are significant similarities between the definitions and scope of the Directive and the Regulation. To that extent the case law flowing from the Directive is, it is submitted, relevant to the application of like elements of the Regulation.
The argument behind the decision concerning question 3 is of most relevance to the Dutch case. In Lindqvist the Court considered the two exceptions to the scope of the Directive in Article 3(2) of Directive 95/46. These were, first, the processing of personal data in the course of an activity which falls outside of the scope of Community law (and cited examples such as public security, defence and criminal law); and second, the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.
In relation to the first exception the court considered that charitable or religious activities such as those carried out by Mrs Lindqvist could not be considered to be equivalent to the activities covered by the exception. In relation to the second exception, the court held that the exception must be interpreted as relating only to activities which were carried out in the course of private or family life of individuals and held that this was clearly not the case with the processing of personal data where it was published on the internet and made accessible to an indefinite number of people.
Article 3(2) of Directive 95/46 provides as follows:
2. This Directive shall not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Community Law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
- by a natural person in the course of a purely personal or household activity.
The GDPR deals with the equivalent exception as follows:
Recital 18 provides:
(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Article 2(2)(c) provides:
2. This Regulation does not apply to the processing of personal data:
(c) by a natural person in the course of a purely personal or household activity; ...
It is submitted that in relation to the contentious second exception to Article 3(2) of the Directive, the text of the Regulation in Article 2(2)(c) is identical. On that basis, it seems plain that the Dutch court, following ECJ case law, should have found that the exception was not met. Whether, as indicated in the judgment, there were questions that were not answered concerning whether the grandmother’s Facebook or Pinterest pages had been in some way protected so that all and sundry could not see the images, or not, it seems that her activities, given that she (apparently) lived in a different household to her daughter and her grandchildren, fell outside of the exception and it could not be relied upon.
In the Dutch case, it is not clear from the judgment whether the Bodil Lindqvist case or any other European Court of Justice judgments were referred to or whether the court simply interpreted the legislation as it saw fit.
Nevertheless, the decision of the Court of First Instance of Gelderland appears to be entirely in line with the development of EU legislation and ECJ jurisprudence since the late 1990s.
Applicability of the Dutch decision
Any binding effect of the Court of First Instance of Gelderland will be within the legal framework unique to The Netherlands upon which I cannot comment. It is certainly not applicable directly in England and Wales nor in Ireland. However, it is submitted that were the case to go to appeal and eventually find its way to the ECJ, that court would decide in line with its previous decision in Lindqvist and therefore agree with the first instance tribunal. In Ireland that would then be binding. In England and Wales whether or not that decision would be binding will be determined to some extent by the outcome of post-“BREXIT” negotiations in relation to the position after 31st December 2020 but in any event since the UK claims to be implementing the GDPR in full post-“BREXIT” any ECJ decision should at least be persuasive to an English court.
It is becoming increasingly clear, if it was not already so, that the courts are interpreting the text of the GDPR very strictly and this should be a caution to all data controllers, whether formal data controllers or informal ones (such as Mrs Lindqvist and the Dutch grandmother) that personal data of any kind should be treated with great care.