Consent plays a key component of any data protection and privacy legislation. It has been very well defined in the European Union’s General Data Protection Regulation (GDPR). Before we discuss further, it is important to note that GDPR is considered as one of the most stringent data protection laws across the globe.

How is consent defined?

Consent of a data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data related to him or her. For the sake of clarity, a data subject is an individual whose data is being processed. (You can read more about this in Article 4 of GDPR.)

Consent and Minors

Article 8(1) of GDPR states that a consent given by a data subject will only be considered as lawful if the said data subject is more than 16 years of age. In cases involving children below the age of 16 years, the consent will only be considered lawful if it is given or authorised by an individual holding parental responsibility for a child.

So, it is clear here that for individuals that have not attained the age of 16 years, consent must be given by their parents or legal guardians. On these premises, do you think it would be unlawful for a grandparent to post pictures of their grandchildren who are minors without taking consent from the parents?

What actually happened?

Do grandparents require parental consent to post photos of their minor grandchildren online?

Generally, one would presume that GDPR will not be applicable for storing pictures by family members. However, in May 2020, a grandmother was asked to take down photos of her three grandchildren that she uploaded on Facebook and Pinterest. According to a local news report, the children’s mother requested her mother to take down the pictures multiple times before she approached the court.

The children’s mother requested the court to impose a hefty fine of €250. The court ordered the grandmother to take down all the pictures within ten days; otherwise, she will have to pay a fine of €50 per day. Further, the same fine will be applicable if the grandmother posts pictures of her grandchildren without the consent of their mother.

Though the grandmother submitted before the concerned court that she had removed a majority of photos from Facebook and Pinterest; but she wanted to have at least one photo on both the platforms. The court denied this request stating that the permission from the children’s mother had not been taken.

If this is a family matter, why is GDPR involved?

This is the first question that struck me when I read about this incident. After doing a bit of research and going through the details of this case, I found that since the photos were published on platforms such as Facebook and Pinterest, they were not limited to a small circle of family members. As soon as they were uploaded, they were available in the public domain. The court referred to one of its rulings given earlier this year wherein it stated that

On Facebook, it cannot be ruled out that placed photos could be distributed and that they may come into the hands of third parties.

Though GDPR is not applicable to either purely personal or household processing of personal data, this ruling is bound to make social media users think twice before uploading pictures of their friends or family members. While we are yet to have a dedicated data protection and privacy legislation in India, the proposed Indian Personal Data Protection Bill derives substantial inspirations from GDPR. A couple of years down the line, we might see similar instances in India.

Featured Image Credits: Camera vector created by brgfx – www.freepik.com