Social networks can provide researcherswith three different types of data: provided data, observed data, and inferred/derived data (or a combination of them all). These types of data could be defined in this way:
- “Provided data” refers to information actively supplied by the data subject to the social media provider and/or the controller. For example: social media users might indicate their age in the description of their profiles. In these Guidelines we will not address the processing of such data, since this is not different to other data gathered by a service provider.
- “Observed data” refers to data provided by the data subject by virtue of using a service or device. These include:
- data from a particular social media user might be gathered on the basis of the activity on the social media platform itself (for instance the content that the user has shared, consulted or liked);
- data related to the use of devices where the social media’s application is executed (for instance GPS coordinates, mobile telephone number);
- data obtained by a third-party application developer by using the application programming interfaces (APIs) or software development kits (SDKs) offered by social media providers;
- data collected through third-party websites that have incorporated social plugins or pixels;
- data collected through third parties (e.g. parties with whom the data subject has interacted, purchased a product, subscribed to loyalty cards); or
- data collected through services offered by companies owned or operated by the social media provider.
- “Inferred data” and “derived data” are those created by the data controller on the basis of the data provided by the data subject or as observed by the controller. These could be derived through deterministic computations or inferred probabilistically. For example, a social media provider might infer that an individuals are likely to be interested in a certain activity or product on the basis of their web browsing behavior and/or network connections.
The way of obtaining the data is neither relevant when qualifying them as personal or non-personal data, nor when deciding whether they belong to special categories of data pursuant to Art. 9 GDPR. However, it may have important consequences in other respects. For example, when determining whether the data subjects could foresee, or not, a particular processing, or when determining the limits of their right of portability or the information to be provided to them. One must keep in mind that in the case of observed, inferred or derived data, users are usually unaware that data is being collected or generated.
|Box 1: Inferring data. Examples
“Company X has developed an application that, by analyzing raw data from electrocardiogram signals generated by commercial sensors commonly available for consumers, is able to detect drug addiction patterns. The application engine can extract specific features from ECG raw data that, according to previous investigative results, are linked to drugs consumption. The product, compatible with most of the sensors on the market, could be used as a standalone application or through a web interface requiring the upload of the data. Explicit consent of the user should be gathered to process the data for that purpose. Compliance with this consent requirement can be satisfied in the same conditions and at the time as when the consent is collected from the data subject under Article 7(a).”
Source: Art 29 Data Protection Working Party Opinion 8/2014 on the on Recent Developments on the Internet of Things (SEP 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088.
Fitbit data could be relevant to prospective employers, who could make inferences about “impulsivity and the inability to delay gratification-both of which might be inferred from one’s exercise habits-correlate with alcohol and drug abuse, disordered eating behavior, cigarette smoking, higher credit-card debt, and lower credit scores. Lack of sleep-which a Fitbit tracks-has been linked to poor psychological well-being, health problems, poor cognitive performance, and negative emotions such as anger, depression, sadness, and fear.”
Source: Peppet, Scott R ‘Regulating the Internet of Things: First Steps toward Managing Discrimination, Privacy, Security and Consent’ (2014) 93 Tex. L. Rev. 85.
One must consider that inferring health data is a particularly sensitive processing since those data (no matter if they are inferred or not) are data of special categories.
1Guidelines 8/2020 on the targeting of social media users Version 2.0 Adopted on 13 April 2021, at: https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf ↑