Social networks for research purposes: ethical and legal requirements regarding data protection
Jose Antonio Castillo Parrilla and Iñigo de Miguel Beriain (UPV/EHU)
Preliminary versions of this document were reviewed by Dr Denise Amram, DPO, affiliate researcher at LIDER Lab – DIRPOLIS Institute, ScuolaSuperioreSant’Anna (Italy) and DPO of Private comparative law at Scuola Superiore Sant’Anna and Prof. Giovanni Comandé, Dirpolis, Sant’Anna School of Advanced Studies, Pisa, Italy.
This part of the Guidelines was validated by Iñaki Pariente, former director of the Basque Data Protection Agency.
Social media can be described as online platforms that enable the development of networks and communities of users, among which information and content is shared. Additional functions of social networks are personalization, analytics and publishing (mainly via targeting services), allowing either freelance initiatives or wider service offers. Social media allow individuals to create accounts for themselves in order to interact with other users and to develop and broaden connections and networks. Users share data with the with network administrators and with other users for totally different purposes. The content shared by individuals can be created by themselves (user-generated content) or not.
On the other hand, it is important to mention that the main purpose of the data placed in a social network is to allow people to interact, to relate. In fact, users establish two types of relationships: a vertical relationship with the company that owns the network, and a horizontal relationship with other people with whom they want to interact. This relationship can be general (open profiles) or particular (profiles with limited access). Depending on the type of interaction at stake, the legal status of data processing will probably be different.
In general, social networks are optimal for massive data extraction practices. Indeed, there are software tools available that can automatically collect web users’ data from online public spaces. Furthermore, most social networks enable Application Programming Interfaces, or APIs, that simplify software development and innovation and make it possible for applications to exchange data and functionality easily and securely. These circumstances make social networks particularly attractive for some kinds of research, but it also creates demanding challenges in terms of data protection issues.
This part of the Guidelines is aimed at helping ICT researchers or innovators using personal data obtained fromsocial networks. It is worth mentioning that we will not address here the use of social networks to collect data (such as, for example, by using Google surveys to get data back on a specified set of questions from real people). This is due to a simple reason: in these cases, the data itself does not come from a social network but through a social network. Indeed, social networks only act as a tool to gather those data. Therefore, these data are not so different to any other data collected by a more traditional way (such as a survey in paper) and, thus, they do not deserve special attention here.
If ICT developers consulting these Guidelines are planning to use AI tools to process data obtained from these networks, they should consult the part of the Guidelines devoted to Artificial Intelligence (AI). If they are planning to use them for purposes related to biometrics, Internet of Things or Geospatial location, they should consult the parts of these Guidelines that are devoted to those issues. In order to avoid unnecessary repetitions, we are leaving such issues out of this analysis.
This part of The Guidelines was written at a time when the ePrivacy Regulation had not been approved. It may happen that, at the time of using this tool, the Regulation is in force. If so, it will be necessary to take into account the possible changes that this may have produced in the regulatory framework. Until the ePrivacy Regulation enters into force, a fragmented situation will exist. Indeed, supervisory authorities face now a situation where the interplay between the ePrivacy Directive and the GDPR coexist and pose questions as regards the competences, tasks and powers of data protection authorities in those matters that trigger the application of both the GDPR and the national laws implementing the ePrivacy Directive.
1EDPB Guidelines 8/2020 on the targeting of social media users, p. 3. ↑
2See, on APIs: Oscar Borgogno& Giuseppe Colangelo, Data Sharing and Interoperability Through APIs: Insights from European Regulatory Strategy, Stanford-Vienna European Union Law Working Paper No. 38, http://ttlf.stanford.edu; Russell, N. Cameron and Schaub, Florian and McDonald, Allison and Sierra-Pambley, William, APIs and Your Privacy (February 5, 2019). Available at SSRN: https://ssrn.com/abstract=3328825 or http://dx.doi.org/10.2139/ssrn.3328825 ↑