The concept of “public domain” must be adequately analyzed in the context of social networks. If the ICT researcher or innovator has had to register with a community of users in order to have access to specific data, these data are not public: they are data that the data subjects have wished to share exclusively with a community of users and under the terms and conditions determined by the social network in question, which are accepted at the moment the users create their profiles. If researchers are able to access a profile or other kinds of social media data on a site simply because they are registered users, this is not the same as that information being publicly available. It is therefore absolutely essential for the ICT researcher or innovator to have a precise knowledge of these terms and conditions, which may differ substantially from one social network to another.
Furthermore, even if the data are in the public domain, this does not at all mean that you can use them for purposes other than those for which they were made public. This is extremely important, since otherwise you could face legal liability.
The Equifax case: using data from the public space does not necessarily legitimate processing
Equifax is a company that obtained data from the information portal used by public administrations to transmit information to citizens. From this data it created a file that supposedly transmitted information on the solvency of citizens. It did all this without informing the data subjects of these processing operations, using the legitimate interest of the company as a basis for legitimacy. On 26 April 2021, the Spanish Data Protection Agency (AEPD) fined Equifax €1 million for breach of data protection regulations, prohibited the continued use of this file, ordered the deletion of all the data of those affected and ordered Equifax to notify all companies that had consulted its file of the content of this Resolution so that they would do the same and stop using this data.
This ruling is of great importance for several reasons. The first is that it is the first major sanction arising from the change in criteria brought about by the GDPR and the national regulation (LOPDgdd) regarding the use of publicly accessible sources: the fact that data is accessible to the public does not mean that it can be used for any purpose and without further explanation. In the previous Spanish law, the 1999 LOPD, this criterion was not so clear and seemed to be the opposite.
In its Resolution, the AEPD recalled that (1) any secondary use of data must be compatible with the original purpose for which they were collected (principle of purpose limitation of data processing, article 5.1.b GDPR), (2) it must have its basis for legitimization (it is not sufficient to allege that the data are from publicly accessible sources), and that (3) the data subject must be notified of the secondary use of his or her data. The fine of €1 million was based on the breach of the purpose limitation principle.