Fairness is an essential principle in the GDPR. Arguably, all of data protection and thus the GDPR is about fairness towards data subjects. The GDPR can be seen in spelling out what fair actually means. In the case of data gathered through the use of social networks, it is particularly important to avoid biases related to gender, race, age, sexual orientation, national origin, religion, health and disability, etc. This might be problematic since it is possible that some of the data gathered via social networks do not correspond to real users, or their sensitive data are not at all accurate. This might create hidden biases (see the “Lawfulness, fairness and Transparency” subsection of the Main Principles section of the General Part of these Guidelines).

Transparency, on the other hand, is a main strategy to balance power between controller and data subject. It works by pulling everything into the light and thus opens it up to scrutiny. The main focus of transparency is to inform data subjects up-front of the existence of the processing and its main characteristics. Other information (such as the data about the data subject) is available on request. Data subjects also have to be informed of certain events, most notably data breaches (in the case where the data subject is exposed to high risk). Evidently, transparency is a pre-requisite for detecting and intervening in case of non-compliance see the “Lawfulness, fairness and Transparency” subsection of the Main Principles section of the General Part of these Guidelines).

In the case of using data from social networks, transparency means, in our opinion, that “intended research subjects should be informed at some point about the research being performed, what sort of personal data controllers are collecting and how it will be used.+ Some services make it clear this must be done before you start harvesting. For others without a specific policy and where researchers/innovators are conducting observational research which obtaining consent up front could damage, they should let the individuals concerned know as soon as possible. The ICT researchers/innovators should always remove individuals from their harvesting who do not consent to being included.”^[1]

In the case of using data from social networks, it is necessary to point out that, in general, Article 14 of the GDPR will be applicable at some point. Thus, data subjects should be made fully aware that their data is being shared with third parties (see the “Right to information” subsection in the Data Subjects Rights section of the General Part of these Guidelines). This could be done in different ways. For instance, the CNIL advised that data controllers could either include all third-parties in an exhaustive privacy notice, but periodically updated, or insert a link in this notice and redirect individuals to the list with the third-parties and their own privacy policies.^[2]

Controllers shall guarantee transparency not only by providing adequate information, but also by using a number of complementary tools. Appointing a DPO, who then serves as a single point of contact for queries from data subjects, is an excellent option. Preparing adequate records of processing for the supervisory authorities, or performing DPIAs, are also highly recommended measures to promote transparency. Likewise, undertaking analysis that evaluate the effectiveness and accessibility of the information provided to the data subjects helps to ensure the efficient implementation of this principle^[3].

Last but not least, implementing the so-called Transparency Enhancing Tools (TETs)^[4] might be an excellent option to guarantee that the Transparency principle rules, especially when massive or automated data processing is expected. 

References

¹https://info.lse.ac.uk/staff/divisions/Secretarys-Division/Assets/Documents/Information-Records-Management/Social-media-personal-data-and-research-guidance-v.1.pdf ↑

²https://www.cnil.fr/fr/transmission-des-donnees-des-partenaires-des-fins-de-prospection-electronique-quels-sont-les ↑

³See EOSC-Pillar Guidelines ´D4.1: Legal and Policy Framework and Federation Blueprint´ (2021), pp. 44 et seq. At: https://repository.eosc-pillar.eu/index.php/s/tbqe6B7rDycdFCJ#pdfviewer ↑

⁴TETs can be subdivided into ‘ex ante’ and ‘ex post’- TETs. Ex ante-TETs guide the user’s decision making process before she makes her choice pertaining to disclosing any personal data to a data controller.Conversely, ex post-TETs visualise disclosed personal data in such a way as to make transparent the processes that have taken place since the user has disclosed her data (see P. Murmann; S. Fischer-Hübner, `Usable Transparency Enhancing Tools – A Literature Review´ (2017), working paper. At: http://www.diva-portal.org/smash/get/diva2:1119515/FULLTEXT02.pdf). ↑