Consent is the first of six bases for lawful processing of personal data listed in Article 6. According to Article 6, paragraph. 1(a), such processing is lawful if the data subjects have given consent to the processing of their personal data for one or more specific purposes. Thus, if data is used for multiple purposes, consent shall be given for each purpose separately. Specific consent is key to avoiding invalid consent. Indeed, “if a data processing has multiple purposes, then consent must be sought for each of them. Specificity of consent promotes transparency as the data subjects know about each purpose of data processing, increases their control over these purposes and safeguards against function creep.”
If the research involves using data gathered from different social networks, researchers should focus on designing intra-provider and eventually inter-provider privacy risk evaluation mechanisms that take into account personal data revealed for all data processing activities for a concrete social network and for all OSNs that a data subject uses, respectively.
Last, but not least, since researchers will be processing data that have not been obtained from the data subject, they shall provide the data subject with the information requested by article 14 unless any of the circumstances quoted in its point 5 apply (see the “Right to information” subsection in the Data subject’s rights section of these Guidelines).
|Box: the case of deleted dataSome social networks users post data to their platforms and subsequently delete it. If that data has been retrieved by a researcher before deletion, it is not clear whether the user’s initial consent for their data to be used remains intact. Depending on the sensitivity of the data and analysis researchers should agree up-front how to manage this issue. For example, it may not be necessary to delete the count of a post from a time series, but it may be unethical to quote an individual post which has since been deleted. However, this is as yet an unclear issue. Therefore, researchers should still be cautious about the use of deleted data.
See: Social Media Research Group, Using social media for social research: An introduction May 2016, p. 17 at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/524750/GSR_Social_Media_Research_Guidance_-_Using_social_media_for_social_research.pdf
☐ Controllers are able to demonstrate that, after balancing the circumstances of the processing, they have concluded that consent is the most appropriate legal basis for processing.
☐ Controllers have made sure that the consent provided by the data subject to the social network covers the type of processing they are willing to perform
☐ If this is not the case, controllers must ask data subjects for a renewed consent
1EDPB: Guidelines 05/2020 on consent under Regulation 2016/679, https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf ↑
2Joyee De S., Imine A. (2019) On Consent in Online Social Networks: Privacy Impacts and Research Directions (Short Paper). In: Zemmari A., Mosbah M., Cuppens-Boulahia N., Cuppens F. (eds) Risks and Security of Internet and Systems. CRiSIS 2018. Lecture Notes in Computer Science, vol 11391. Springer, Cham. https://doi.org/10.1007/978-3-030-12143-3_11 ↑