Once researchers/innovators become the controllers of the data gathered from social networks, they have to decide as soon as possible on the legal basis that will legitimate further processing of those data. However, even before selecting the legal basis (or bases) for processing, the controller must consider whether the processing involves personal data of special categories. In that case, the controller should be aware that the processing is vetoed by Article 9.1 of the GDPR unless any of the circumstances described in Article 9.2 apply.
Once it has been concluded that no data of special categories are involved, or that the veto has been adequately addressed, the controller shall select the appropriate legal basis for data processing. This must be done very carefully, since the legal basis cannot be changed during the processing. These are some criteria that should be kept in mind for this purpose:
- The necessity or usefulness of using the data obtained from the social networks to achieve the purpose or interest of the processing must be sufficiently justified through the lens of the legal basis selected.
- The data controller must carefully weigh up (1) the basis of entitlement used, against (2) the possible risks arising from the data processing.
- In addition, the controller should consider all adequate safeguards so as to ensure that the interests, rights and freedoms of the data subject are adequately preserved. This balancing must be particularly careful if the data subject’s consent acts as the legal basis for processing.
The following tables provide brief overviews of the various alternative bases of legitimation under Article 6, of the circumstances that circumvent the veto created by Article 9.1 of the GDPR, and of their relation to the processing of data from social media.
Consent is the most traditional legal basis for data processing in the context of social networks. However, where a controller seeks to process personal data for research purposes, public interest might be an excellent option. Unfortunately, it requires that certain conditions apply (see “Data protection and scientific research” subsection in “Main Concepts” part of the general part of these Guidelines). Legitimate interest, on the other hand, is an alternative suitable legal basis for processing in this context, but one cannot assume it will always be appropriate. It is likely to be most appropriate where controllers use people’s data in ways they would reasonably expect and which have the least possible relevant impact on data protection or privacy issues, or where there is a compelling justification for the processing.

Possible legal bases (Art. 6 GDPR)

|Legal bases for processing|Use in the context of social networks|
|---|---|
|6.1.a – consent|Probably the most popular legal basis for data processing, although its widespread use is increasingly being questioned (see following section)|
|6.1.e – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller|It may be applicable, but the following cautions should be observed:<br>– The public interest purpose must be clearly identified as well as the connection to the research.<br>– Reasons must be given as to why the use of data from social media is necessary or highly desirable for the objectives pursued.<br>– The basis for the processing has been laid down by Union law or by a Member State law to which the controller is subject.|
|6.1.f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child|It may be applicable, and indeed is the best alternative to consent as a basis for legitimacy. The following cautions should be observed:<br>– The data controller must carry out and give reasons for an appropriate balancing of (1) the legitimate interest pursued and (2) the impact on the fundamental rights and freedoms of the data subject; this balancing must be carried out with particular care if data from minors are involved.|

Special categories of personal data (Art. 9 GDPR)

|Basis for legitimacy|Use in the context of social networks|
|---|---|
|9.1.a – consent|It is widely used|
|9.2.e – processing relates to personal data which are manifestly made public by the data subject|It may be applicable, but particular caution should be taken with regard to the following safeguards:<br>– respect for the purpose limitation principle (Art. 5.1.b GDPR), taking into account the expectations of the data subject and the context (social network and impact of the profile) in which the data has been published;<br>– measures of aggregation in order to lower the possibilities of re-identification.|
|9.2.g – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject|It may be applicable, provided that the data controller observes the following precautions:<br>– the public interest pursued must be clearly identified, as well as the applicable regulations;<br>– it must be sufficiently justified that the research via social networks is necessary or highly suitable for this purpose;<br>– special care must be taken to develop measures to protect against undue impacts on fundamental rights of data subjects.|
|9.2.j – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject|It is fully applicable. It has the advantage that the purpose limitation principle is less strict (cf. Art. 5.1.b GDPR) and that it allows the processing of data independently of the consent of the data subjects, provided that the data controller observes the following safeguards:<br>– it must clearly identify its purpose (archiving, scientific research, historical research or statistical purposes);<br>– it must justify the proportionality of the data processing in relation to the intended purpose;<br>– it should justify the usefulness of the use of social networks in the research;<br>– it must develop measures to avoid undue impacts on fundamental rights of data subjects, focusing on (1) sufficient level of aggregation, and (2) other safeguards to avoid re-identification;<br>– it must strictly follow the prescriptions of Art. 89 GDPR.|

1. For example, public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority, so “public task” is a better legal basis in these situations (ICO: Legitimate interests, at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/).
3. See, on data processing for health purposes in the American privacy system, Charlotte A. Tschider, ‘The consent myth: improving choice for patients of the future’ (2019) 96 Washington University Law Review 1506.
4. Recently, the Spanish Data Protection Board fined Equifax for using creditworthiness data published by official sources to feed its own files, for breach of the purpose limitation principle insofar as it is an incompatible use of the data despite being publicly accessible data. The criterion of this Resolution may also be applicable if data published by the data subject itself is used, insofar as the uses derived from such data are incompatible.