The Belgian Data Protection Authority (DPA) recently fined an NGO and its researcher for publishing raw and sometimes sensitive data from social media accounts as part of an investigation.
The NGO, which aims to combat the spread of disinformation, published an analysis in 2018 to determine the possible political origin of tweets circulating about the 'Benalla affair'.[1] The GBA and its French counterpart, the CNIL, received a total of more than 200 complaints about:
- the re-use of personal data from 55.000 social media accounts to carry out the study (in which more than 3.300 accounts were politically classified); and
- the online publication of files containing the raw data of the study (including information on the religious beliefs, ethnic origin, and sexual orientation of the persons whose accounts were analyzed).
As the NGO is based in Belgium, the Belgian DPA is responsible for the matter and made the decision in collaboration with the CNIL. The Belgian DPA decided that the NGO was exempt from its obligation to inform the persons individually about the personal data processed for the study, as this could have jeopardized the study and its publication. The Belgian DPA, however, finds that the publication of sensitive data used for the study - which was not properly pseudonymized - had no legal basis due to the disproportionate infringement of the rights of the authors of the tweets concerned. The Belgian DPA also stated that their consent was required for the publication of such non-pseudonymized sensitive data.
The Belgian DPA concludes that the data controller did not comply with various obligations under the GDPR. Balancing the right to journalistic freedom of expression and the right to data protection was not possible given the very large number of social media accounts involved. The Belgian DPA therefore decided to fine the NGO 2.700 EUR and the investigator 1.200 EUR, and to issue a reprimand.
The Belgian DPA emphasized that compliance with the GDPR is essential in the context of the large-scale collection of data for political profiling, and its publication, which may have adverse effects on individuals.
An important take-away from this decision is that publicly available data also falls under the protection of the GDPR. Hence, the fact that you have shared something publicly does not mean that you just have to accept any subsequent re-use.
If you have any questions, do not hesitate to reach out to us.
[1] Alexander Benalla, the former employee of President Emmanuel Macron, was discredited after the newspaper Le Monde revealed that he had dealt harshly with protesters at the 2018 May 1 celebrations.
Related news
How can we help?
Discover our expertises