The Non-Governmental Organisation (NGO) EU DesinfoLab conducted a study of Twitter messages concerning the so-called Benalla affair. The Belgian Data Protection Authority (Belgian DPA) fined the NGO EUR 2,700 for violating the General Data Protection Regulation (GDPR). This clarifies once again that also publicly available personal data falls within the scope of the GDPR.
The backstory of the GDPR fine
In 2018, a number of incidents related to Alexandre Benalla, one of President Emmanuel Macron’s security officials, were reported by French media. The Belgium-based NGO EU DesinfoLab noted an exceptionally high level of user activity on social networks in relation to this Benalla affair. In a study, it analysed tweets posted in relation to this topic, investigated why the Benalla affair received so much attention on Twitter and analysed whether disinformation played an essential role in this context. In particular, the EU DesinfoLab analysed the political profiles of the authors of the respective Twitter messages. The NGO later published the raw data, including the data from 55,000 Twitter accounts.
This led a number of data subjects to file complaints with the Belgian DPA regarding the re-use of their personal data. The study undertook a political classification of more than 3,300 accounts and published the raw data of the study, and therefore a large amount of personal data. The Belgian DPA subsequently fined the NGO with EUR 2,700 for violating the GDPR.
GDPR fines explained
Do not repeat the mistakes of other companies! Better read our analyses of the GDPR fines from European supervisory authorities.
The use of publicly available personal data under the GDPR
With its decision, the DPA clarified once again that personal data published on social media is still protected by the GDPR.
Therefore, the purpose limitation principle in Art. 5 (1) (b) GDPR also applies to publicly available data, unless an exception applies. The purpose limitation principle requires that data is only used for the initial processing purpose for which it was collected, or a purpose that is compatible with this initial purpose. Exceptions to the purpose limitation principle are provided for by Art. 5 (1) (b) GDPR “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
Even though the NGO was using the data for a scientific study, the DPA found that in this case the defendant could not rely on the exception for scientific research, as no additional safeguards provided by Art. 89 GDPR (e.g., pseudonymisation) had been taken by the defendant. Such safeguards, as well as thorough documentation of the compliance with data protection law, are required to rely upon the exception for scientific research.
Thus, if the data is processed for a purpose that is incompatible with the initial one (and no exception applies), there has to be a legal basis for the processing under Art. 6 GDPR. These are:
- Data subject’s consent;
- In terms of a contract or potential contract with an individual;
- To comply with legal obligations;
- To protect the vital interests of the data subject or another natural person;
- To perform a task carried out in the public interest or in the exercise of official authority; or
- Legitimate interests.
In this regard it should be noted that the publication of personal data (e.g., on social media) does not constitute implicit consent to further use, even if this is often assumed!
If legitimate interests are intended to be the basis for the processing, it should be kept in mind that the GDPR obliges controllers to provide the respective data subjects with certain information – even if the personal data has been obtained from public sources. If personal data has not been obtained from the data subjects themselves, but from other sources like social media, Art. 14 GDPR obliges the controller to provide data subjects, for instance, with the following information:
- Name and contact details of the controller and, if applicable, a representative and/or a data protection officer;
- Legal basis and purposes of the processing, and if the processing is based on legitimate interests, a separate list of all legitimate interests;
- Recipients or categories of recipients of personal data;
- Information on data transfers to third countries or international organisations outside the EU/EEA;
- Retention period of personal data; and
- Information on the rights of data subjects under Art. 15-21 GDPR.
Moreover, legitimate interests can only be used as basis for data processing if the legitimate interests outweigh the interests of the data subjects. To assess this a legitimate interest assessment has to be performed.
The DPAs decision should be a reminder for companies that GDPR compliance, and a thorough documentation of it, are required even if publicly available personal data is processed. Moreover, the relatively low fine imposed in this case should not lead to negligence in connection with publicly available personal data. In the present case, a mitigating factor was the subsequent improvement of the defendants GDPR compliance. Furthermore, the amount of the fine also depends on the turnover of the respective organisation, and therefore may be significantly higher in other cases.