Data treatment
Recently, the Spanish Data Protection Agency through the Sanctioning Procedure with number of file EXP202204530 imposed a €10,000 fine for a natural person for publishing on social networks, specifically on Facebook, a video lasting one minute and thirty-five seconds, where a person appeared in a state of intoxication that led to multiple comments and shares. As a result of this sanctioning procedure and others published by the Control Authority There is debate about whether or not this fact constitutes the application of the General Data Protection Regulation 2016/679 based on the provisions of article 2.2-C thereof..
The General Data Protection Regulation 2016/679 establishes in its article 2.2-C the following; “This Regulation does not apply to the processing of personal data carried out by a natural person in the exercise of exclusively personal or domestic activities.”
Does sharing content on social networks fall within domestic and/or personal activity?
Yes, but with nuances. As a general rule, when we use social networks (Instagram, Facebook, Twitter...), we do not request the consent of our friends or families to upload content to them, whether images or photographs, because it would be practically impossible to control all these authorizations, and therefore Therefore, the European regulations themselves introduced this exception in article 2.2-C of the RGPD 2016/679.
It is important to know that Not all the content we share on social networks is under the umbrella of article 2.2-C of the General Data Protection Regulation 2016/679 and therefore, sharing certain content can lead to the application of European regulations and, consequently, the Spanish Data Protection Agency acting as a Control Authority.
The General Data Protection Regulation (GDPR) applies to the processing of all information relating to an identified or identifiable natural person, understanding that someone is identifiable when your identity can be determined directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements specific to physical, physiological, genetic, mental identity , economic, cultural or social of said person.
Therefore, to the extent that the images and videos that we share on social networks allow us to identify the affected people and are not applied to the same digital parameters that prevent their identification (for example: pixelated or masks), these will remain within the scope of data protection regulations, which will mean that the individual who captures and disseminates the images is considered responsible for the treatment and requires one of the bases of legality or legitimation of those provided for in article 6 RGPD, among which, in these cases, that of consent could be applied.
When does the domestic and/or personal exception not apply?
To do this, we have to go to jurisprudence and resolutions and opinions of the Control Authorities.
- Court of Justice of the European Union (CJEU), in its ruling on the issue C – 25/17, July 10, 2018.
The CJEU points out, on the one hand, that the expression "personal or domestic" refers to the activity of the person who processes the personal data, not to the person whose data is processed. On the other hand, it is understood that the exception must be interpreted in the sense that it contemplates only activities that fall within the framework of the private or family life of individuals.
In this regard, it does not consider that an activity is exclusively personal or domestic when its purpose is to allow an indeterminate number of people access to personal data or when the activity extends, even in part, to public space and is, therefore, , directed towards the outside of the private sphere of the person who processes the data.
- European Data Protection Committee (CEPD), in its Guide 2/2019 for the processing of personal data through video devices.
The CEPD determines that the so-called domestic exception, in the context of image capture, should be interpreted restrictively, including only activities that are carried out in the course of the private or family life of individuals, which is clearly not the case with the processing of personal data that involves publication on the Internet so that the data is accessible to an indefinite number of people.
- Legal Report 0615/2008 of the Spanish Data Protection Agency.
The Agency has been pointing out that for us to be faced with domestic exclusion, what is relevant is that it is an activity typical of a personal or family relationship, comparable to what could be carried out without the use of the Internet, so It will not be those cases in which the publication is made on a page that is freely accessible to anyone. or when the high number of people invited to contact said page is indicative that said activity extends beyond what is typical of said area.
In short, one might think based on their interpretation that, in cases such as those analyzed in this article, in which the images captured by individuals end up in the hands of an undetermined number of people, the domestic exception would not apply, therefore, in the absence of consent from the affected people for its collection and dissemination, the regulations on data protection would be violated.
Over the last few years we have had various examples that have been subject to sanction by the control authorities, and which have not been exempt from controversy. For example, several buttons:
- Sanction Austrian Data Protection Authority of €11,000 to a coach for recording players in the shower for years.
- AEPD sanctions an individual with a fine of €2,000 for recording with his mobile phone, from his home, a police officer who was carrying out a performance in the street, and disseminating it through WhatsApp without consent.
- Sanction of the AEPD of €10,000 to an individual for publishing, in the WhatsApp "status", intimate photos and conversations of a third party without their consent.
Don't miss all the latest news on Data Protection & Regulatory Compliance from the best professionals in the sector in our Professional Master in Compliance & Data Protection Management.
