Consent is the first of six bases for lawful processing of personal data listed in Article 6. According to Article 6, paragraph 1(a)[1], such processing is lawful if the data subjects have given consent to the processing of their personal data for one or more specific purposes. Thus, if data is used for multiple purposes, consent shall be given for each purpose separately. Specific consent is key to avoiding invalid consent. Indeed, “if a data processing has multiple purposes, then consent must be sought for each of them. Specificity of consent promotes transparency as the data subjects know about each purpose of data processing, increases their control over these purposes and safeguards against function creep.”[2]

The specificity requirement is particularly important in the case of the re-use of data from social networks. End users of social networks are often unaware of the fact that their data are used for purposes other than those that they pursue when they provide those data. However, most social networks ensure that the data subjects provide consent to this further processing and their Developer Policies will surely cover this issue. Researchers and developers willing to process the data obtained from social networks for research purposes might obtain a new consent from the data subjects. This, of course, is hard and not always necessary. They could rely on the original consent provided by the data subject to the social network. However, the researchers/innovators should ensure that the processing they are willing to perform is allowed by the consent originally provided by the data subject or find an alternative legal basis (by asking for a new consent or using legitimate interest or public interest as an alternative, for instance). Consulting the terms of use of the social network and the consent gathered originally is an excellent way to check if the secondary use of data could be considered compatible with the purposes for which data were originally collected (see the “Purpose limitation principle” subsection in the Principles section of the General Part of these Guidelines).

If the research involves using data gathered from different social networks, researchers should focus on designing intra-provider and eventually inter-provider privacy risk evaluation mechanisms that take into account personal data revealed for all data processing activities for a concrete social network and for all OSNs that a data subject uses, respectively.

Last, but not least, since researchers will be processing data that have not been obtained from the data subject, they shall provide the data subject with the information required by Article 14 unless any of the circumstances listed in its point 5 apply (see the “Right to information” subsection in the Data subject’s rights section of these Guidelines).

Box: the case of deleted data

Some social network users post data to their platforms and subsequently delete it. If that data has been retrieved by a researcher before deletion, it is not clear whether the user’s initial consent for their data to be used remains intact. Depending on the sensitivity of the data and analysis, researchers should agree up-front how to manage this issue. For example, it may not be necessary to delete the count of a post from a time series, but it may be unethical to quote an individual post which has since been deleted. However, this is as yet an unclear issue. Therefore, researchers should still be cautious about the use of deleted data.

Checklist: consent

☐ Controllers are able to demonstrate that, after balancing the circumstances of the processing, they have concluded that consent is the most appropriate legal basis for processing.

☐ Controllers have made sure that the consent provided by the data subject to the social network covers the type of processing they are willing to perform.

☐ If this is not the case, controllers must ask data subjects for a renewed consent.




