Have you ever shared a family photo on WhatsApp, Instagram or Google Photos without thinking too much about it? You’re not alone. But since the GDPR came into force in 2018, sharing photos online is no longer a truly trivial act – especially when these photos represent children, loved ones or people who haven’t necessarily given their consent. In this article, we take stock without legal jargon of what the GDPR really says about photos, what you’re legally allowed to do, what’s forbidden, and how to concretely protect your memories without sacrificing the pleasure of sharing them.
The GDPR and photos, what exactly is the connection?
Many people think the GDPR only concerns businesses or public authorities. This is a very common misconception – and potentially an expensive one.
In reality, as soon as a photo allows someone to be identified – their face, recognizable silhouette, license plate, or even their home in the background – it constitutes personal data within the meaning of the General Data Protection Regulation.
And the rules apply, whether you’re a multinational corporation or an individual who just wants to share their vacation with their in-laws.
If you didn’t know yet, the GDPR came into force on May 25, 2018 throughout the European Union.
Its objective? To give European citizens real control over their personal data, and to oblige all those who process it – businesses, associations, public authorities, but also individuals in certain cases – to do so transparently, securely and respectfully of everyone’s rights.
Behind this regulation lies a clear political ambition: to protect European internet users from the power of American and Asian tech giants, whose business model is based precisely on the massive collection of personal data.
Facebook, Google, Amazon, TikTok – these platforms absorb billions of data points about their users every day: their habits, preferences, movements, social relationships.
And of course, their photos. The GDPR was designed as a legal barrier against these practices, by imposing strict obligations on any company processing data of European citizens, regardless of where their servers are located. Let’s be honest: in reality, the GDPR hasn’t ended the dominance of American platforms over our digital lives.
Fines are handed down, sometimes record-breaking – Google fined 150 million euros by the CNIL in 2022, Meta 1.2 billion euros in Ireland in 2023 – but practices evolve slowly.
What the GDPR has truly changed, however, is user awareness: today, more and more Europeans know they have rights over their data, and that they can assert them.
Is a family photo personal data?
Yes, in the vast majority of cases. As soon as a photo allows someone to be identified, directly or indirectly, it falls into the category of personal data. A portrait is obviously concerned, but also a group photo where faces are visible, a photo from behind if the person is recognizable by other elements (characteristic clothing, context), or even a photo published with a name or caption that allows identification.
On the other hand, a landscape photo without any identifiable person, or a blurry photo where no one is recognizable, does not constitute personal data within the meaning of the GDPR.
Does the GDPR apply to individuals?
Yes and no – and that’s where the answer becomes nuanced. The GDPR provides an exception for strictly personal or domestic uses: if you share photos within your immediate family circle without distributing them further, you are not subject to the same obligations as a business.
But as soon as you post photos on social media, even a « private » profile with hundreds of followers, this exception no longer applies. And as soon as you photograph third parties without their consent and distribute these images, you can be held responsible.
What you are legally allowed to do with your photos
Good news: the GDPR doesn’t prohibit sharing your photos. It simply regulates how you do it. Sharing photos with your loved ones in a strictly private context remains entirely legal – provided you follow a few common-sense rules that most people ignore, often because no one has ever clearly explained them to them.
Sharing privately with family is permitted
Sending photos via private message to your parents, siblings or close friends falls under strictly personal use.
The GDPR imposes no particular obligation on you in this context. To go further, creating a private shared photo album on a secure platform is much more reliable than a WhatsApp group: your photos don’t pass through American servers, and you keep complete control over who can see them. Legality is one thing, real security is another.
Publishing on social media, under what conditions?
Publishing a photo on social media is legal if the people photographed have given their explicit consent. For an adult, verbal consent or implicit consent (the person willingly poses for the photo) may be sufficient in a friendly context.
For major events like a wedding, for example, many couples now choose to share their wedding photos with their guests via a private platform rather than on Facebook – to maintain control over who accesses the memories and avoid any unwanted publication. Publishing a photo of a stranger taken on the street, or of a person who explicitly asked you not to publish it, exposes you to legal action for violation of the right to image.
The right to image, what does it actually mean?
The right to image is a fundamental right in France, anchored in Article 9 of the Civil Code on respect for privacy.
Every person has the right to control the use of their image. Concretely, this means you cannot photograph someone in a private space without their consent, or publish a recognizable photo of a person without their permission – even if the photo was taken in a public place. This right applies independently of the GDPR and can result in civil or even criminal proceedings.
What is forbidden – and what many people do without realizing it
This is where it gets really complicated. Every day, millions of people commit violations without knowing it by sharing photos online.
Not out of malice, but out of habit, ignorance, or because « everyone does it ». Here are the three most common major mistakes.
Publishing photos of children without parental authorization
In practice, prosecutions are rare between individuals – but they do exist, and courts have already convicted parents for publishing photos of other families’ children without consent.
For professional organizations (schools, daycares, community centers), it is an absolute obligation, and non-compliance can be very costly – up to 20 million euros in fines or 4% of annual turnover according to the GDPR.
Sharing photos on non-GDPR-compliant American platforms
Facebook, Instagram, Google Photos, iCloud, WhatsApp: all these platforms are American and primarily subject to American law.
However, the Cloud Act, adopted in the United States in 2018, authorizes American authorities to demand access to data stored by American companies – even if that data concerns European citizens and is physically stored in Europe.
By using these services, you implicitly accept that photos you upload there may be accessed by third parties without your consent. We have moreover compared in detail 12 photo sharing solutions â American and European â to help you choose the one that truly respects your data.
Concrete risks: fines, complaints, civil liability
For an individual, the main risk is civil action for violation of the right to image or infringement of privacy. Damages awarded by courts can range from a few hundred to several thousand euros depending on the harm suffered. For a business or association, penalties from the CNIL can be much heavier.
Since 2018, the CNIL has issued several record-breaking fines against companies that did not comply with personal data rules, including photos.
Google Photos, iCloud, WhatsApp… are they GDPR compliant?
This is the question everyone avoids asking. The short answer: not completely, and that’s an understatement. These services make efforts to display superficial compliance – privacy policy in French, GDPR mention, transparency center – but the technical and legal reality is far more nuanced.
The Cloud Act, what is it and why it concerns you
The Clarifying Lawful Overseas Use of Data Act (Cloud Act) is an American law adopted in March 2018. It obligates American technology companies to provide American authorities with data requested in investigations â even if that data is stored on servers outside the United States.
Concretely: if you store your family photos on Google Photos or iCloud, the American government can legally access them without you being informed, and without Google or Apple being able to really oppose it.
This is precisely why the CNIL and the European Data Protection Board (EDPB) recommend prioritizing solutions hosted in Europe for all sensitive data â and photos of people, especially children, are sensitive data.
What Google and Meta really do with your photos
Google analyzes your photos to feed its image recognition algorithms, improve its services, and potentially use them to train its artificial intelligence models.
Meta does the same with photos published on Facebook and Instagram – and since 2023, Meta has explicitly stated that it uses public content to train its AIs, a practice that many European users have contested with the CNIL.
By accepting the terms of use of these platforms, you grant a very broad license for use of your photos. This is not at all the same thing as keeping them in a dedicated secure space, hosted in Europe, where you remain the sole owner of your content.
Facial recognition: how your photos feed American AIs
Facebook developed one of the world’s largest facial recognition databases – built largely from photos that its users have tagged over the years. Apple uses facial recognition to organize photos in iCloud. Google does the same in Google Photos.
These systems are convenient, certainly. But they also mean that the faces of the people you photograph – your children, your parents, your friends – feed biometric databases over which you have no real control.
How to share your photos online while respecting the GDPR?
There are simple, accessible and truly GDPR-compliant solutions for sharing your photos without taking unnecessary risks. The key: choose a platform hosted in Europe, with real access control, a transparent privacy policy, and a business model that doesn’t rely on exploiting your data.
Criteria for a truly GDPR-compliant platform
A truly GDPR-compliant platform must check several essential boxes. Servers must be hosted in Europe – ideally in France or Switzerland, where data protection laws are among the strictest in the world.
Access to photos must be protected by an invitation and password system, so that no one can access content with just a link. The platform must not analyze your photos for commercial purposes or use them to train algorithms.
And finally, it must allow you to permanently delete your data at any time. If you’re looking to assess your options, our guide to the best online photo storage helps you compare available solutions according to these criteria.
European servers vs. US servers: what concrete difference?
A server hosted in Europe is subject to European law – notably the GDPR. If an authority wishes to access your data, it must go through European legal channels, with all the protections that implies.
A server hosted in the United States is subject to the American Cloud Act, which allows much more direct access without prior notification. The difference is not theoretical: it has concrete implications for who can access your photos and under what conditions.
Fammies.com, a sovereign and private alternative
Fammies.com is a photo and video sharing platform whose servers are hosted in Switzerland – one of the countries with the highest data protection standards in the world.
Unlike American giants, Fammies doesn’t sell your data, doesn’t analyze your photos, and doesn’t use your content for commercial purposes. Access to your private space is protected by invitation and password: only the people you explicitly invite can see your photos.
That’s exactly what the GDPR recommends.
Local authorities, daycares and community centers: an inescapable legal obligation
For early childhood and recreational activity professionals, the question no longer arises: publishing photos or videos of children on social media – Facebook, Instagram, WhatsApp – or on any platform hosted in the United States is now strictly prohibited.
Educators, daycare directors, community center coordinators: all are subject to the same legal obligations arising from the GDPR.
Photographing a child as part of a group activity means processing sensitive personal data – and distributing it on American servers without explicit parental authorization exposes the organization to CNIL sanctions that can reach 20 million euros.
This is not a theoretical warning: establishments have already been required to comply for this type of practice. The good news is that solutions designed specifically for these professionals exist.
The special case of children’s photos
Children deserve special attention on this topic. They are not just small adults – their legal protection is enhanced, and their inability to give informed consent imposes much greater responsibilities on the adults who photograph them and share their images.
Until what age is parental authorization required?
In France, the age of majority is set at 18 years. Until that age, parental authority is exercised, and parents are the only ones authorized to give permission for the publication of their children’s photos. The GDPR provides that a minor under 15 cannot give valid consent alone – parental consent is required. Concretely: a photo of a 14-year-old child published on social media without parental consent constitutes an offense.
What risks do parents who share too much run?
Sharenting – a portmanteau of « sharing » and « parenting » – refers to the practice of massively sharing photos of your children on social media.
This is now a serious matter: studies show that some children have their entire lives documented on the internet before they even understand what it implies. Specialized lawyers warn that children who have reached adulthood could, in the years to come, sue their parents for infringement of privacy. This isn’t science fiction: the first cases have already started to emerge in Europe.
How to protect your children’s photos sustainably
The safest solution is simple: never publish photos of your children on public or semi-public platforms.
For newborns and toddlers, many parents now create a private baby album accessible only to grandparents and invited close ones – it’s the safest way to share the first months without exposing these intimate memories on American servers. Also avoid photos that are too identifying (school uniform, visible name, precise location) and regularly delete photos shared in less secure contexts in the past.
5 concrete reflexes to protect your photos online starting today
You don’t need to be a lawyer or computer scientist to protect your photos. Five simple habits are enough to drastically reduce risks, and most of them will take you only a few minutes to implement.
1. Choose a platform hosted in Europe. This is the number one criterion. Servers in France, Switzerland or another European country, subject to European law and the GDPR. Check the legal notices and privacy policy before signing up – if hosting is not mentioned or if servers are in the United States, move on.
2. Never use a Facebook group for children’s photos. Even a « private » closed group. Meta’s terms of use deprive you of your rights over published photos, algorithms automatically analyze them, and you cannot guarantee to other parents that their children won’t be seen by strangers. This is a practice to abandon definitively.
3. Verify who can download your photos. On a good private platform, you should be able to choose whether your invitees have the right to download photos or just view them. This is an essential feature often absent from mainstream solutions like Google Photos or iCloud.
4. Remove GPS metadata before sharing. Photos taken with a smartphone often contain precise geolocation data – the exact address where the photo was taken. On iOS, you can disable geolocation for the photo app. On Android too. And before sharing a photo by email or on a platform, verify that metadata has been removed.
5. Always ask permission from people photographed before publishing. This is an elementary rule of courtesy that is also a legal obligation. A simple « can I publish this photo? » avoids many complications. And if someone asks you to delete a photo they appear in, do it immediately – it’s their right, and refusal exposes you to legal action.
FAQ – Your questions about the GDPR and photos
Does the GDPR prohibit posting photos on Instagram?
No, the GDPR doesn’t inherently prohibit posting photos on Instagram. However, it requires you to have the consent of identifiable people in your photos before publishing them. And the right to image, independent of the GDPR, also applies. Instagram itself is not a platform compliant with European data protection standards – which means you take additional risk by hosting photos of people who trusted you there.
What are the risks of publishing a photo without authorization?
For an individual, risks range from a simple conflict with the person concerned to legal action for infringement of privacy or violation of the right to image. French courts have awarded damages ranging from a few hundred to several thousand euros in similar cases. For a business or association, CNIL fines can be much higher – up to 20 million euros in the most serious cases.
Does a photo deleted on social media really disappear?
Not necessarily. When you delete a photo on Instagram or Facebook, it disappears from your public profile, but it may remain on the platform’s servers for weeks or months before being truly deleted – if it is at all. And if someone took a screenshot in between, or if the photo was shared elsewhere, you can no longer do anything. This is another reason not to post something you might regret.
How do you know if a platform is truly GDPR compliant?
First check where the servers are hosted – this is mentioned in the legal notices or privacy policy. Then check whether the platform has appointed a Data Protection Officer (DPO), which is mandatory for organizations processing sensitive data on a large scale. Finally, verify that you can exercise your rights easily: right of access, right of rectification, right to erasure (right to be forgotten). A truly compliant platform makes these procedures simple and fast.
Conclusion: protecting your photos is protecting the people you love
The GDPR is not an abstract bureaucratic burden. It is concrete protection for you, for your loved ones, and especially for your children. Sharing your photos safely is not complicated – you just need to make the right choices upfront: a platform hosted in Europe, controlled access, and systematic respect for the consent of people photographed.
At Partagephotos.com, that’s exactly what we offer: a secure private photo space, hosted in Switzerland, where you keep full control over your photos and who can see them. Without algorithms analyzing your images, without targeted advertising, without reselling data. Just your memories, shared with the people you choose.
Can I post photos of my wedding guests without their consent?
No. Even at your own wedding, guests have the right to control their image. You should inform attendees that photos will be taken and ask permission before posting recognizable images online. The safest approach is to use a private sharing platform where only invited guests can view the photos, rather than publishing on social media.
Are screenshots of photos protected under the GDPR?
Yes. A screenshot containing an identifiable person is still personal data under the GDPR. The same rules apply: you need consent to share it publicly. Screenshots can actually increase privacy risks since they bypass download restrictions and remove metadata that could prove ownership.
Can my employer use my photo without permission?
Your employer needs your explicit consent to use your photo for external communication, marketing, or website publication. Internal directories may have different rules depending on your employment contract. You can withdraw consent at any time, and your employer must then remove your image from all materials.
What happens to my photos if a platform goes bankrupt?
When a platform shuts down, your photos may be sold as assets to another company, deleted, or left on abandoned servers vulnerable to hackers. The GDPR requires companies to inform users and allow data retrieval before closure, but enforcement is difficult with bankrupt entities. Always keep local backups.
Is sending photos via email GDPR compliant?
Email is not inherently GDPR compliant for sensitive photos. Messages pass through multiple servers, often outside Europe, and recipients can forward them freely. For family photos or images of children, a password-protected sharing platform offers better control and security than email attachments.
Frequently asked questions on the topic: « GDPR and photos online »
- GDPR and sharing photos online: what you need to know
- Can you publish family photos on social media?
- Is Google Photos GDPR compliant?
- How to share photos online without violating the GDPR?
- Right to image and GDPR: what’s the difference?
- Can you publish photos of children without parental consent?
- Cloud Act: why it’s dangerous for your photos
- What alternative to Google Photos that’s GDPR compliant?
- How to delete your photos from social media?
- Sharenting: what risks for photos of your children?
Additionally: What is the GDPR? (official EU source)

