* Photos of a person is personal data, particularly those that are scraped from social networks. This is pretty much the whole point of GDPR.
* Screwing up someone's life, as it is extensively desribed in the article, fits well into the definition of "vital interest".
I find it quite baffling how someone posting on HN is oblivious to the link between GDPR and the need to punish those who abuse data collected from social networks against the wishes and best interests of the users to screw up their lives.
We are talking here about the law, not about ideal world to live in.
The question is if photograph is personal data according to GDPR. Here is what I found [1]:
Under GDPR Article 9, biometric data is among the special categories of personal data that is prohibited from being processed at all unless certain exceptional circumstances apply, and the definition of biometric data specifically refers to "facial images".
Any images collected, whether via photos or videos, will only constitute biometric data if “specific technical means” are used to uniquely identify or authenticate an individual.
GDPR makes an important distinction between facial-recognition data and photographs. Recital 51 of the GDPR states the distinction as follows:
The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
* What the heck is vital interest ? For person playing in a movie it may as well be that everybody watch it.