GENERAL INFORMATION ON HOW TO PROCESS PUBLICLY AVAILABLE DATA IN COMPLIANCE WITH GDPR
- What Does GDPR Say About Publicly Available Data?[1]
General Data Protection Regulation (“GDPR”) requires that when information is provided to individuals from whom personal data has not been directly obtained, it must include the source of the personal data and whether it came from publicly accessible sources.
Therefore, it is clear that data subjects must be notified in accordance with Article 14 of GDPR when their personal data comes from publicly available sources.
Special rules govern the processing of special categories of personal data and seem to exempt publicly available data from certain requirements. Specifically, according to Article 9, if the processing concerns personal data that the data subject has clearly made public, explicit consent or another of the conditions listed in Article 9 is not necessary. However, the data must have been made public by the data subject themselves, in a manner that clearly indicates their intention for the data to be further processed. It should be noted that all other provisions, including the principles and Article 6, still apply, and the processing of personal data is only allowed if the purpose cannot reasonably be fulfilled by other means.
Finally, GDPR has special provisions relating to the right to be forgotten and publicly available data. It is clear that this right would be fully applicable, and in addition to that, the controller who has made the personal data public shall take reasonable steps, including technical measures, to inform other controllers who are processing the personal data that the data subject has requested the erasure by such controllers of any links to or copy or replication of that personal data.
- What Would Be the Usual Legal Basis?[2]
In light of the above, there is no doubt that when publicly available data is processed, this process is subject to GDPR provisions. This entails the necessity of establishing a legal basis from the outset, documenting it, and including it in relevant assessments (such as data protection impact assessments), as well as communicating it to the data subjects.
There are various scenarios for using such data, and theoretically, different types of legal bases could apply. For example, the data subject may provide consent or enter into an agreement for companies to compile publicly available data about them. This may be in the data subject’s interest, especially if they are well-known and wish to analyze trends for a broader audience. Specific laws and regulations may also require or provide exemptions for the collection or analysis of data for journalistic, academic, artistic, or literary purposes.
However, data controllers using publicly available information will generally rely on legitimate interests. As indicated by the Article 29 Data Protection Working Party, the notion of legitimate interest could include a broad range of interests, whether trivial or very compelling, straightforward or more controversial. It is then in a second step, when these interests are balanced against the interests and fundamental rights of the data subjects, that a more restricted approach and a more substantive analysis should be taken. Even though this opinion was issued under the European Data Protection Directive, these considerations remain fully valid and to the point. One of the specific examples in favor of making data public is the publication of data for purposes of transparency and accountability, where public disclosure is done primarily not in the interest of the controller who publishes the data, but rather in the interest of other stakeholders, such as employees, journalists or the general public, to whom the data is disclosed.
- Decision and Analysis of the Use of Publicly Available Personal Data under GDPR
With one of its decisions, the Belgian Data Protection Authority (the “DPA”) clarified that personal data published on social media is still protected by GDPR.[3]
Therefore, the purpose limitation principle in Article 5 (1) (b) of GDPR also applies to publicly available data, unless an exception applies. The purpose limitation principle requires that data is only used for the initial processing purpose for which it was collected, or a purpose that is compatible with this initial purpose. Exceptions to the purpose limitation principle are provided for by Article 5 (1) (b) of GDPR “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
Even though the defendant, an NGO, was using the data for a scientific study, the DPA found that in this case the defendant could not rely on the exception for scientific research, as no additional safeguards provided for by Article 89 of GDPR (e.g., pseudonymisation) had been taken by the defendant. Such safeguards, as well as thorough documentation of compliance with data protection law, are required to rely upon the exception for scientific research.
Thus, if the data is processed for a purpose that is incompatible with the initial one (and no exception applies), there has to be a legal basis for the processing under Article 6 of GDPR. These are:
- Data subject’s consent;
- Performance of a contract, or steps taken prior to entering into a contract, with the individual;
- To comply with legal obligations;
- To protect the vital interests of the data subject or another natural person;
- To perform a task carried out in the public interest or in the exercise of official authority; or
- Legitimate interests.
It is important to highlight that the public sharing of personal data (e.g., on social media) does not automatically imply consent for further use, despite common assumptions.[4] The reuse of the data for the study led to their publication without pseudonymization and without a legal basis. The DPA viewed the infringement of the authors’ rights over their tweets as excessive, as they had not consented to the publication of their data without prior pseudonymization.[5]
If legitimate interests are intended to be the basis for the processing, it should be kept in mind that GDPR obliges controllers to provide the respective data subjects with certain information – even if the personal data has been obtained from public sources. If personal data has not been obtained from the data subjects themselves, but from other sources like social media, Article 14 of GDPR obliges the controller to provide data subjects, for instance, with the following information:
- Name and contact details of the controller and, if applicable, a representative and/or a data protection officer;
- Legal basis and purposes of the processing, and if the processing is based on legitimate interests, a separate list of all legitimate interests;
- Recipients or categories of recipients of personal data;
- Information on data transfers to third countries or international organisations outside the EU/EEA;
- Retention period of personal data; and
- Information on the rights of data subjects under Art. 15-21 GDPR.
Moreover, legitimate interests can only be used as a basis for data processing if the legitimate interests outweigh the interests of the data subjects. To assess this, a legitimate interests assessment has to be performed.[6]
- Right to be Forgotten
The right to be forgotten is regulated under Recitals 65 and 66 and in Article 17 of GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of the conditions applies. “Undue delay” is considered to be about a month. In addition, reasonable steps shall be taken to verify that the person requesting erasure is actually the data subject.
The right to be forgotten is closely linked to individuals’ right to access their personal information in Article 15 of GDPR. Without the ability to take action when they no longer consent to data processing, when there are significant data errors, or when they believe data is being stored unnecessarily, individuals’ control over their data becomes meaningless.
In such cases, individuals can request that the data be erased. However, this is not an absolute right. If it were, the critics who argue that the right to be forgotten is simply a way to rewrite history would be justified. As a result, GDPR takes a carefully balanced approach to data erasure.[7]
In Article 17, GDPR regulates the specific circumstances in which the right to be forgotten applies. An individual has the right to have their personal data erased if:
- The personal data is no longer necessary for the purpose an organization originally collected or processed it.
- An organization is relying on an individual’s consent as the lawful basis for processing the data and that individual withdraws their consent.
- An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.
- An organization is processing personal data for direct marketing purposes and the individual objects to this processing.
- An organization processed an individual’s personal data unlawfully.
- An organization must erase personal data in order to comply with a legal ruling or obligation.
- An organization has processed a child’s personal data in order to offer information society services to that child.
However, an organization’s right to process someone’s data might override their right to be forgotten. Here are the reasons cited in GDPR that trump the right to erasure:
- The data is being used to exercise the right of freedom of expression and information.
- The data is being used to comply with a legal ruling or obligation.
- The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.
- The data being processed is necessary for public health purposes and serves in the public interest.
- The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
- The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes, and erasure of the data would be likely to impair or halt progress towards the goal of the processing.
- The data is being used for the establishment of a legal defense or in the exercise of other legal claims.
Furthermore, an organization can request a “reasonable fee” or deny a request to erase personal data if the organization can justify that the request was unfounded or excessive.
[1] Publicly available data under the GDPR: Main considerations (iapp.org)
[2] Publicly available data under the GDPR: Main considerations (iapp.org)
[3] decision-quant-au-fond-n-13-2022.pdf (autoriteprotectiondonnees.be)
[4] GDPR fine for NGO using tweets for a study | activeMind.legal
[5] Digital Law Up(to)date: Belgian DPA fines NGO and researcher for GDPR violations regarding the political profiling of tweets (stibbe.com)
[6] GDPR fine for NGO using tweets for a study | activeMind.legal
[7] Everything you need to know about the “Right to be forgotten” – GDPR.eu