On Stack Exchange, someone was wondering about when the GDPR applies versus when the GDPR's household exemption applies. They gave the following example scenarios:

Alice takes photos of people in public and puts them into a portfolio binder for grading by her photography class instructor but does not publish them.

Barbara takes photos on her nights out and publishes them on her personal social photo blog mainly for her friends to like and giggle about.

Charlotte does the same but her photoblog is visible to “friends only.”

Danielle has an open photo blog but she has a buy me a coffee donation link.

Esther does the same but she limits her blog’s access to paying subscribers.

Francesca publishes her photos of current events with political commentary and they include many strangers. Her blog is purely a labour of passion/love.

Gwendolyn has a current events blog like Francesca’s but accepts donations.

Harriet has a similar one but charges readers for access, though it is not her full-time job.

Which of these is a data controller and which are using the captured photographs purely for household purposes?

Adapted from the post Is amateur/hobbyist journalism/photography a purely household purpose? by user "TylerDurden" on Law Stack Exchange, used here under the CC BY-SA 4.0 license. The post was lightly edited for legibility.

In the following, I'll try to summarize key points from the GDPR, and relate those concepts to the example scenarios.

Material Scope of the GDPR

The GDPR applies to all processing of personal data, as long as a filing system or automated means are involved (Art 2 GDPR). However, Art 2(1)(c) exempts:

processing of personal data […] by a natural person in the course of a purely personal or household activity

So for GDPR to apply to a data processing activity, we have to fulfill three criteria:

  1. the information being processed is personal data,
  2. automated means or a filing system are involved, and
  3. the processing doesn't happen in the course of a purely personal or household activity.

For the purpose of this discussion I'll take criteria 1 and 2 as given.

  • There's some debate whether (non-biometric) photographs are personal data. As pointed out before, personal data is more than just identifying information. The GDPR's definition of personal data is pretty broad, so I'll assume those photos qualify.

  • Automated means are necessarily involved due to the online publication in all scenarios except Alice.

The rest of this discussion will focus on the third aspect.

The GDPR's household exemption

Art 2(1)(c) GDPR exempts purely personal or household activities, as quoted above.

This is further explained in Recital 18:

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

The second sentence suggests that a "connection to a professional or commercial activity" disqualifies the household exemption.

The household exemption was not introduced by the GDPR, but was lifted almost verbatim from its predecessor, the old 1995 Data Protection Directive, where it is found in Art 3(2)(2). Thus, we can benefit from almost three decades of jurisprudence on this matter.

Relevant court cases

The CJEU ruled on this household exemption in two important cases: Lindqvist and Ryneš.

The Lindqvist case (C-101/01) was about a person who published a website with personal data about her coworkers. This was a really early case that also delved into whether EU law can apply here, but it also addressed the household exemption directly. In its decision, the CJEU says:

47. That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.

(emphasis mine)

Compare the idea of a "private sphere" and "public sphere". The household exemption protects the private sphere, but is forfeited when entering the public sphere, e.g. by publishing data to a wider audience.

The Ryneš (C-212/13) case is relevant here for underlining the need for a narrow interpretation of the household exemption:

29. Since the provisions of Directive 95/46, in so far as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of the fundamental rights set out in the Charter (see Google Spain and Google, EU:C:2014:317, paragraph 68), the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed.

30. The fact that Article 3(2) of Directive 95/46 falls to be narrowly construed has its basis also in the very wording of that provision, under which the directive does not cover the processing of data where the activity in the course of which that processing is carried out is a ‘purely’ personal or household activity, that is to say, not simply a personal or household activity.

(emphasis mine)

There's some good stuff here.

First, the purpose of all this legislation is protection of privacy. The household exemption cannot be interpreted in a way that would jeopardize this overall goal.

Secondly, the exemption does not cover any activity related to personal purposes or household activities, only those that are "purely" so.

Whereas the CJEU discusses the high-level interpretation of EU laws, lower courts get to deal with practical examples. One of them is the Dutch Facebook Grandma case (2020), see summary on GDPRHub. Someone had posted photos of her grandchildren on her Facebook page. The parents sued to get the pictures taken down. The household exemption was offered as a defense, but the court rejected this argument. Machine translation of the relevant part:

Although it cannot be excluded that the placing of a photo on a personal Facebook page falls under a purely personal or household activity, in the preliminary opinion of the Court in preliminary relief proceedings, it has not been sufficiently established how [defendant] set up or protected her Facebook account or her Pinterest account. It is also unclear whether the photographs can be found through a search engine such as Google. In addition, with Facebook it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties. In view of these circumstances it has not appeared in the scope of these preliminary relief proceedings that there is a purely personal or domestic activity of [defendant]. This means that the provisions of the [GDPR] apply to the present dispute.

So the household exemption might have applied if visibility of posts on social media had been restricted suitably, but the defendant didn't offer evidence to this effect. This tracks with Lindqvist (publication to an indefinite number of persons isn't purely personal) and with Ryneš (the household exemption is a narrow privilege, not the default state).

Analyzing the scenarios

From this background, we can derive a couple of criteria to see whether the household exemption could apply.

  • Per Ryneš, the exemption must be interpreted narrowly, and can only apply in a purely personal/household context.
  • Per Recital 18, a professional or commercial context is disqualifying.
  • Per Lindqvist, making the personal data accessible to an indefinite number of people is disqualifying.

Alice takes photos of people in public and puts them into a portfolio binder for grading by her photography class instructor but does not publish them.

The household exemption might apply.

There are no apparent factors that would be disqualifying.

Barbara takes photos on her nights out and publishes them on her personal social photo blog mainly for her friends to like and giggle about.

This is unlikely to be covered by the household exemption.

While the purpose is purely personal, the description suggests that there are no access controls or similar that would restrict the audience. Thus, per Lindqvist, Barbara couldn't rely on the household exemption.

Charlotte does the same but her photoblog is visible to “friends only.”

This access control makes all the difference, so the household exemption probably applies – provided that we're talking about actual friends, not random followers on social media.

Danielle has an open photo blog but she has a buy me a coffee donation link.

Again, offering the blog to the public is likely sufficient to disqualify the household exemption.

The donation link is interesting. I think such "donation" links are problematic because they're not donations but gifts, and bookkeeping/taxation might become difficult. Focusing purely on the GDPR aspects, it would be difficult to say whether such a payment method would move this out of the "purely personal" sphere, even if not yet commercial.

Esther does the same but she limits her blog’s access to paying subscribers.

While there are access controls, the blog is still available to the general public. So, per the Lindqvist argument, the household exemption won't apply.

Additionally, that seems like a commercial activity, which Recital 18 explicitly excludes.

Francesca publishes her photos of current events with political commentary and they include many strangers. Her blog is purely a labour of passion/love.

Again: public availability → no household exemption.

The motivation (hobby) is not sufficient; the entire processing activity must be purely personal.

The mention of political commentary is probably meant to invoke the GDPR's broad exceptions for journalistic purposes in Art 85. But that won't matter here.

  • Art 2 (including the household exemption) is about whether GDPR even applies. The Art 85 derogations can modify some aspects of the GDPR (such as data subject rights), but that is only relevant when the GDPR applies in the first place.

  • Art 85 only provides derogations (opening clauses) that require or allow EU member states to implement more specific laws. So this can't be fully analyzed on a GDPR level. However, those derogations can't be arbitrary; they must align with the GDPR, and of course must still be in line with the protection of fundamental rights.

  • When invoking journalistic privileges, it might be important to consider which specific processing activities are covered. For example, a journalistic publication should not be able to invoke journalistic privileges for non-journalistic activities like "delivering personalized ads" or "employee payroll".

(If I'm already digressing about journalistic data protection, it might be worth mentioning the weird position of Germany's public broadcasters. They fall outside of the normal federal structure for data protection authorities, and instead self-supervise. This has led to very questionable positions, such as arguing that visitor analytics are strictly necessary in order to fulfill their constitutional mandate. See reporting by kuketz-blog.de (German) for details, which also has a good section touching on the distinction between journalistic and commercial publishing activities.)

Gwendolyn has a current events blog like Francesca’s but accepts donations.

The same arguments from the Francesca and Danielle scenarios apply here: no household exemption.

Harriet has a similar one but charges readers for access, though it is not her full-time job.

The same arguments as before apply: no household exemption.

I don't think a part-time or side-hustle commercial activity would make it "purely personal".

Disclaimer

I am not a lawyer, and this article is not legal advice. The article discusses general concepts, not concrete fact patterns.