Tonya Hall: Keeping grandma out of trouble with GDPR. I'm Tonya Hall and joining me is Jason Hart, CEO of Fresh Security and Chief Technology Officer at Trustonic. Welcome back, Jason.
Jason Hart: Hey Tonya, how are you?
Tonya Hall: I am good. Remind us, if you will, what you do for Fresh Security and also what Trustonic does.
Jason Hart: Yeah, so Fresh Security is one of my new startups. It's the ability for any organization to instantly see highly visible individuals in their organization that are highly susceptible to an attack. So it's a real time service where any of our audience can sign up to now, actually, if they send an email to Risk, R-I-S-K@freshsec.com that's F-R-E-S-H-S-E-C.com. Don't put anything in the subject line, just send an email to freshsec.com. They will be automatically onboarded to the service and they'll see the magic happen right in front of their eyes.
Tonya Hall: All right, let's get into this. A few weeks ago, a court in the Netherlands ruled that a grandmother violated GDPR by posting photos of her grandchildren on social media without the permission of the children's parents. GDPR does not apply to purely personal or household processing of data. So what's the basis for this ruling?
Jason Hart: Yeah, it's a really interesting ruling by the Netherlands there, because as you said, this is actually personal information, which essentially then I assume, was taken by the grandmother of their grandchild. So it sets a bit of an interesting situation. Does this mean now that any family member that's taken a picture of any family during a period of time, and then suddenly because there's a falling out within the family that suddenly legislation kicks in? For me, ultimately it comes down to who is the custodian of the data in the first place. And at the point of taking that photo, were the people who were in the photo, did they originally give permission? But from a digital media point of view, it becomes a really, really interesting and sticky wicket.
Tonya Hall: Do you expect that the ruling itself is going to set a precedent for social media platforms? I mean, will they have to change sharing permissions for images?
Jason Hart: Yeah. I think there's a wider problem here, Tonya, as well, because we all know that any photo or media you put on a social media platform, even if the user who's posted it has deleted it, we know it's still there, yeah? So, it's the ability to prove, as a custodian, that your data is shredded or deleted and that there's no further trace of it. It's a really hard one.
Tonya Hall: There were also some financial penalties for this violation, right? I mean, do you expect the court to actually enforce those under GDPR?
Jason Hart: Yeah, so I believe it was 50 pound for every day up to a maximum of a thousand pound. Now, to a normal person, 50 pound a day up to a thousand pound in total, that could be a considerable amount of money. But let's assume they applied for a small business and the value they were getting from that initial posting or the advert, which had a picture in, and let's assume they're making 50, 60,000 on the revenue. A thousand pound is actually going to influence or actually change the situation in any way. Moreover, suddenly now, if you've got thousands of cases out there, how are you going to optimize that, or from an operational processes point of view, how are you going to ... Are you going to set up a whole new business unit to collect the money? And how do you keep track of that?
Tonya Hall: Well, let's talk about that, especially from the standpoint of the courts. I mean, what are the implications for the court system? Don't they have better things to do besides handle Facebook photo disputes?
Jason Hart: I think if I was the lawyer involved or the judge it's, "Hold on. So when was it originally posted? When was the photo originally taken?" Because within the photo itself, it'll have metadata. So if it was taken two, three years ago, and then it went to court six months ago, obviously there was permission in the first instance to do that. Yeah? Surely you would push for a court action if you knew the photo had been taken without permission prior to it being posted. So I think personally from a court point of view, there's maybe a few things that they could have done or they may have done that and we're only seeing a small part of the wider story.
Tonya Hall: Naturally, we need to protect the safety and privacy of children and we should also respect the wishes of parents. But from a strictly legal aspect, what are the implications for anyone who shares photos?
Jason Hart: I think anyone who's sharing photos, first of all, you could argue there is a business case for an online service to say, "Right, this photo here, get a ... " I've just taken a photo of you, Tonya. Right? Now I've taken a photo. You're going to receive an email. Yeah? You're going to approve and give me permission to share that photo. Yeah? You could argue there is a bit of a business case for that going forward. Yeah? Just to show that you care and that you have considered privacy. Yeah? Maybe that's the way we have to go.
Tonya Hall: Jason Hart, CEO of Fresh Security and Chief Technology Officer at Trustonic. If somebody wants to connect with you, Jason, maybe they want to find out more about the work that you do. How can they do that?
Jason Hart: Just reach out to me at Jason Hart, H-A-R-T.co.uk. That's my website. And you can connect with me there, or you can find me on Twitter, Hart_Jason.
Tonya Hall: Thanks again, Jason, for joining us. And find more of my interviews right here or at tonyahall.net (http://tonyahall.net/). Thanks for watching.