If the controller “plans” to carry out processing for purposes other than those for which the data were collected from the social network, they must inform users or data subjects beforehand of such further processing, providing information and complying with all other requirements, such as having a legal basis for this new purpose or carrying out a compatibility assessment (see the “Purpose limitation principle” subsection of the Main Principles section of the General Part of these Guidelines). Of course, the requirements of transparency are clearly related to the fairness principle, since the harder it is for the user to understand data processing, the greater the difference between different types of users. In general, “the larger the amount of data, the harder is a clear, intelligible overview in text form. Symbols offer a way to represent personal data categories in a lean and recognizable way. This requires meaningful and self-explanatory graphical representations of the data.”
According to the GDPR, the information that a controller must provide to the data subjects varies depending on whether this information has been obtained from them or not. If the personal data is not obtained from the user (Art. 14 GDPR), such as in the case of receiving the data from a social network, the controller must be particularly attentive to providing the data subject with adequate information, especially since massive data gathering is being performed. Thus, controllers shall inform the user of the provisions of Art. 14 of the GDPR.
It is necessary, however, to mention that sometimes it might be extremely difficult for controllers who have gathered the data from a social network to inform data subjects about the processing. If this is the case, they might rely on Article 14.5(b), which states that “the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing” (see “Data protection and scientific research” subsection of the Main Concepts section of the General Part of these Guidelines).
In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available (see the “Right to information” subsection of the Data subjects Rights section of the General Part of these Guidelines). Thus, in principle controllers could avoid providing information about the processing to the data subjects if this is rendered impossible, but only if they take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.
Note with caution, however, that disproportionate effort may in some jurisdictions be interpreted narrowly. For example, in a recent decision (March 2019), the Polish Data Protection Authority (Polish DPA) fined a data scraping company €220k for its failure to provide privacy notices to 5.7 million individuals whose data was scraped from a public register. The Polish DPA rejected the argument that placing a privacy notice on the data scraping business’ website was enough to notify individuals, particularly where individuals were not aware that their data had been scraped and was being processed.
Checklist: fairness and transparency
☐ The controllers perform audits aimed at detecting biases in the datasets built and/or the conclusions of the analysis
☐ The controllers have implemented adequate measures to avoid biases provoked by the use of AI tools.
☐ The controller provides
☐ Since the personal data were not provided by the data subject, the controllers provided all the information listed in Article 14.1 GDPR;
☐ Since the personal data is not provided by the data subject, the information is provided:
☐ The information is provided concisely, transparently, intelligibly, and in an easily accessible way. It is clear and written in plain language.
☐ If providing the information is rendered impossible, the controllers take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.
☐ The controllers have documented all the information regarding these issues
1 Art. 29 Data Protection Working Party (2014) Opinion 8/2014 on the Recent Developments on the Internet of Things (Sep. 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088
2 Bier C., Kühne K., Beyerer J. (2016) PrivacyInsight: The Next Generation Privacy Dashboard. In: Schiffner S., Serna J., Ikonomou D., Rannenberg K. (eds) Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer Science, vol 9857. Springer, Cham. https://doi.org/10.1007/978-3-319-44760-5_9
3 See: CNIL, La réutilisation des données publiquement accessibles en ligne à des fins de démarchage commercial, at: https://www.cnil.fr/fr/la-reutilisation-des-donnees-publiquement-accessibles-en-ligne-des-fins-de-demarchage-commercial
4 Campbell, Fiona, Data Scraping – Considering the Privacy Issues, at: https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/data-scraping-considering-the-privacy-issues