Transparency

Research based on data gathered via social networks often involves processing a lot of personal data. This creates a complex scenario. Controllers must be aware that, even though it might be hard to achieve, data subjects must be able to understand how, and for what purpose, their personal data is being used. In general, this means that the researchers should use tools able to provide such knowledge in the easiest possible way. Explainability is particularly important in the case of automatic processing of data or profiling. “The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Therefore, information policies must focus on information which is understandable by the user and should not be confined to a general privacy policy on the controllers’ website”.[1]

If the controller “plans” to carry out processing for purposes other than those for which the data were collected from the social network, they must inform users or data subjects beforehand of such further processing, providing information and complying with all other requirements, such as having a legal basis for this new purpose or carrying out a compatibility assessment (see the “Purpose limitation principle” subsection of the Main Principles section of the General Part of these Guidelines). Of course, the requirements of transparency are clearly related to the fairness principle, since the harder it is for the user to understand data processing, the greater the difference between different types of users. In general, “the larger the amount of data, the harder is a clear, intelligible overview in text form. Symbols offer a way to represent personal data categories in a lean and recognizable way. This requires meaningful and self-explanatory graphical representations of the data.”[2]

According to the GDPR, the information that a controller must provide to the data subjects varies depending on whether this information has been obtained from them or not. If the personal data is not obtained from the user (Art. 14 GDPR), such as in the case of receiving the data from a social network, the controller must be particularly attentive to providing the data subject with adequate information, especially since massive data gathering is being performed. Thus, controllers shall inform the user of the provisions of Art. 14 of the GDPR[3].

It is necessary, however, to mention that sometimes it might be extremely difficult for controllers who have gathered the data from a social network to inform data subjects about the processing. If this is the case, they might recall article 14.5 (b), which states that “the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing” (see “Data protection and scientific research” subsection of the Main Concepts section of the General Part of these Guidelines).

In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available (see the “Right to information” subsection of the Data subjects Rights section of the General Part of these Guidelines). Thus, in principle controllers could avoid providing information about the processing to the data subjects if this is rendered impossible, but only if they take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Note with caution, however, that disproportionate effort may in some jurisdictions be interpreted narrowly. For example, in a recent decision (March 2019) the Polish Data Protection Authority (Polish DPA) fined a data scraping company €220k for its failure to provide privacy notices to 5.7 million individuals whose data was scraped from a public register. The Polish DPA rejected the argument that placing a privacy notice on the data scraping business’ website was enough to notify individuals, particularly where individuals were not aware that their data had been scraped and was being processed.[4]

Checklist: fairness and transparency

Fairness

☐ The controllers perform audits aimed at detecting biases in the datasets built and/or the conclusions of the analysis

☐ The controllers have implemented adequate measures to avoid biases provoked by the use of AI tools.

Transparency

☐ The controller provides

  • a panoramic overview of what personal data have been disclosed to what data controller under which policies;
  • online access to the personal data and how they have been processed;
  • counter profiling capabilities helping the user to anticipate how their data match relevant group profiles, which may affect future opportunities or risks

☐ Since the personal data were not provided by the data subject, the controllers provided all the information listed in Article 14.1 GDPR;

☐ Since the personal data is not provided by the data subject, the information is provided:

  • within a reasonable period after obtaining the personal data, but at the latest within one month;
  • if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject;
  • if a disclosure to someone else is envisaged, at the latest when the personal data are first disclosed

☐ The information is provided concisely, transparently, intelligibly, and in an easily accessible way. It is clear and written in plain language.

☐ If providing the information is rendered impossible, the controllers take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

☐ The controllers have documented all the information regarding these issues.

References

[1] Art 29 Data Protection Working Party (2014) Opinion 8/2014 on the Recent Developments on the Internet of Things (SEP 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088

[2] Bier C., Kühne K., Beyerer J. (2016) PrivacyInsight: The Next Generation Privacy Dashboard. In: Schiffner S., Serna J., Ikonomou D., Rannenberg K. (eds) Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer Science, vol 9857. Springer, Cham. https://doi.org/10.1007/978-3-319-44760-5_9

[3] See: CNIL, La réutilisation des données publiquement accessibles en ligne à des fins de démarchage commercial, at: https://www.cnil.fr/fr/la-reutilisation-des-donnees-publiquement-accessibles-en-ligne-des-fins-de-demarchage-commercial

[4] Campbell, Fiona, Data Scraping – Considering the Privacy Issues, at: https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/data-scraping-considering-the-privacy-issues

 
