
Effectively Utilizing Publicly Accessible Social Media Data While Staying GDPR Compliant

As society moves towards an even deeper reliance on social media, the distinction between one’s private life, social media life and professional life is increasingly skewered and distorted. More and more, young people are choosing not to keep private profiles searching instead to be reachable, to become influencers or to be the next trending tweet, Instagram photo, or YouTube cover.

At the same time, technology and data science are moving at an exponential pace, providing artificial intelligence and machine learning capable of predicting one’s interests, preferred products, or even electoral decisions on the basis of benign information found on public social media profiles. Indeed, major corporations such as IBM are pouring billions of dollars into data analysis, with budgets totaling over $24 billion. In 2014, AXA distributed Withings Pulse health wristbands to policyholders to collect and analyze their health data. The incentive for participants was a €100 discount on their insurance policy whenever they walked more than 10,000 steps per day.

The role of Big Data analytics in electoral decisions can be seen as early as 2012, when the Obama campaign staff used it to sway undecided voters in Ohio[1]. However, the magnitude of the potential impact of analytics was fully revealed by the 2018 Cambridge Analytica affair, which shed light on the practice of capturing personal data via third-party applications found on Facebook and reusing the information to influence the United States presidential election of 2016. Facebook users were profiled on the basis of their personal data and found themselves on the receiving end of targeted political content. In addition, the Cambridge Analytica affair highlighted the unlawful use of the collected data in the context of the electoral campaign. While the data processing was subject to a consent mechanism via Application Programming Interfaces (APIs), Data Subjects were never informed of this further use of their data.

While there are major issues about data provided to companies via a service agreement or contractual arrangement, what about personal data, tweets, photos or videos freely published on public social media profiles? For this information, there are no pseudo-consent mechanisms for they are accessible by any Internet user, anywhere. Did the Data Subject give their consent to employers, companies, public authorities when they made this information available on their public social media profile? Should this information be considered “manifestly made public” or found in a “publicly accessible source” and therefore allowing companies to process this information without the Data Subject’s consent? In essence, can publicly accessible social media personal data be considered as “open bar” for lawful processing supporting companies’ business interests?

In order for Data Protection Officers to advise on how to frame this type of data processing, it is essential for them to 1) understand the potential consequences of social media for the rights and liberties of data subjects, and 2) explore the legal context surrounding public social media data. As per Article 6 of the GDPR, the legitimate interests of the controller can constitute a lawful basis for processing unless said interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Based on these two premises, DPOs can establish the limits of this type of processing. In this regard, DPOs can apply 6 Data Protection by Design Guidelines to stay GDPR compliant while processing publicly accessible social media data.


Potential Consequences of Social Media Personal Data Are Unknown or Underestimated to Most Data Subjects and Must Be Assessed

Social media has the power to render a story of courage viral just as quickly as a tweet or Facebook comment taken in the wrong context. Most social media users understand neither the power of making certain information or opinions public nor the extent of the positive and negative consequences.

Take for instance the case of Justine Sacco, a public relations officer with only 170 followers on Twitter. Just before boarding a flight to Africa, Justine tweeted a racist comment about getting AIDS[2]. While the tweet was meant to be humorous and read tongue-in-cheek, it went viral on Twitter during the 11-hour flight, leaving her unable to defend herself or delete it. Twitter users and the wider public called for retribution, and her employer consequently fired Justine from her public relations position.

Another example, from 2018, was a Facebook security analyst who had “Facebook stalked” a young woman he had met on Tinder and told her so in a Tinder private message, his point being that she was hard to find. The young woman took a screenshot of the private message and tweeted it publicly at Facebook. Facebook found the public tweet and immediately fired the individual for abusing access privileges[3]. It is essential to grasp that this person was caught not by internal review mechanisms but by a public tweet to his employer.

All in all, social media can have an impact not only on one’s private life but also on one’s professional life. Young people and minors should be considered a vulnerable population regarding social media as they are less likely to grasp these consequences. Indeed, the difficulty lies in the fact that the general population is not educated on data protection rights and the consequences of Big Data. Before pursuing commercial interests through the processing of data found on social media, DPOs must carefully consider all the potential harm that can result from such processing.


Construing a Data Protection Legal Framework in the Absence of Guidance from Authorities

Data Protection Officers are often confronted with the subject of Big Data and analytics by their marketing departments, as these are buzzwords on every marketing director’s lips. According to a 2017 Gartner study, in 2020, 20 billion objects will be connected worldwide, collecting and constantly analyzing individuals’ data. While most of these will hopefully be governed by service agreements, the legal framing of publicly accessible social media data remains uncertain.

Data Protection Authorities have given numerous guidelines on “Consent” or “Transparency” for personal data given to companies in a B to C relationship. However, there is an absence of clear guidelines for Data Controllers on the use of publicly accessible social media personal data obtained from a pseudo-public source. Therefore, DPOs must look to similar analogies to construct a roadmap for GDPR compliant processing of this social media data.

GDPR Provisions and Publicly Accessible Social Media Data

The General Data Protection Regulation foresees only two provisions where “publicly accessible data” are mentioned: Article 14 for Information obligations on Data Controllers for indirectly collected personal data and Article 9 for exceptions on the prohibition of the processing of special categories of personal data (herein known as “Sensitive Data”[4]).

The purpose of Article 14 is to provide a framework for all personal data that was not collected directly from the person. Public social media data must fall into this category: while data subjects gave this information to the social media network for a specific social media purpose[5], it remains publicly accessible to private and public organizations as long as the individual does not restrict their account.

Article 14 lists the information that must be provided to data subjects within one month of the collection for indirectly collected personal data. It subsequently confirms that the fundamental principles for compliant data processing still apply (legal basis, data subject rights, prior information, framing of 3rd country transfers, data retention, right to object or withdraw consent, etc.). Therefore, public and private organizations must still inform data subjects of the indirect data processing either at the first communication with the individual, before the first disclosure to a 3rd party, or within one month, to ensure the exercise of data subject rights such as the right to object. Moreover, they must demonstrate a legal basis for the processing of public social media data, which can include “consent[6]”, legitimate interest, contracts, etc.

Publicly Accessible Does Not Equal Consent

While the conditions for free, unambiguous consent established by Article 7 may have been met by the social media network, it is almost inconceivable for a DPO that this consent may be extended to the countless companies or public authorities that may access this information for their own purposes. Moreover, Article 9(2) distinguishes consent from “manifestly made public”, as it foresees two distinct exemptions from the prohibition on processing Sensitive Data: a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, and e) the personal data have been manifestly made public by the data subject.

For “manifestly made public” data, the Article 29 Working Party[7] explained in WP258 for the Law Enforcement Directive (EU 2016/680) that for Sensitive Data, publicly available sources must be interpreted as the data subject “was aware that the respective data will be publicly available which means to everyone including authorities”[8]. The Data Protection Authorities go on to establish a difference between information found in an internet biography, the press or a public website and information found on social networks. For the latter, the WP29 states “In such cases most of the users probably do not actively take notice [national police authorities have access to personal data] and are in fact not aware that their data are available to police authorities”[9].

In 2011, the French Data Protection Authority (herein known as “the CNIL”), in its Pages Jaunes decision[10], was confronted with the use of public social media data for the construction of a universal directory. The company argued that because individuals could change the settings on their accounts to stop them from being publicly viewed, leaving them public was a manifestation of their willingness for their data to be public. When determining such willingness and its link to consent to the data being reused by a third party, the CNIL found “If these Data Subjects signed up for a social network willingly, this does not directly result in their systematic and conscientious acceptance of their data being obtained, aggregated and reused by a third party[11]”. Therefore, organizations need to respect the obligation to inform at the first communication or first disclosure to a third party, to ensure Data Subjects can exercise their right to object to the processing.

The CNIL goes even further to highlight the vulnerable status of the youth given their lack of education on the consequences of social media. Indeed, it would be inconceivable that minors understand the infinite number of public and private organizations that may access the public social media data when they create a public profile.

Publicly Accessible Professional versus Private Personal Data—To Consent or Not to Consent

While the GDPR has provided little legal framework for publicly accessible data, it remains silent when it comes to the difference between professional and private personal data. These two can be difficult to separate. Case in point: after Justine Sacco’s tweet, the entire world debated on whether she should be fired while she was on her 11-hour flight.

The European Courts as well as the French Data Protection Authority have tried to provide some guidance on this distinction. In the context of publicly accessible social media data, an analogy can—and must—be made with a data protection right established by the Court of Justice of the European Union: the right to be forgotten (de-indexed) through the Costeja case. It should indeed be noted that the CJEU established an exception to this data protection right for public figures. The court recognized a long-standing European Court of Human Rights jurisprudence[12]: public figures enjoy less protection because of their status in the public eye as contributors to a public debate in a democratic society. While “public figure” was originally created for those holding public positions, in today’s democratic society, where any individual may go viral and create a public debate, anyone can become a public figure within hours.

In the Right to Be Forgotten Guidance established by the Article 29 Working Party[13], the Data Protection Authorities also created a necessary distinction between professional and private data. The WP29 advances that not all personal data are necessarily “private”, and that data concerning a person’s public or professional persona shall not enjoy the same level of protection as private personal data[14].

This distinction is also made by the French Data Protection Authority (the CNIL) for electronic marketing directed to private individuals and to professionals[15]. According to the CNIL guidance, while an opt-in consent mechanism is required for private individuals, only an informed opt-out is required for professionals when they are targeted by public and private organizations proposing products and services linked to their profession. This therefore means public and private organizations are able to market to professionals without their prior consent, provided they offer an informed opt-out mechanism.

Given this data protection legal context, it is possible to establish a framework for the processing of publicly accessible social media personal data. Firstly, it is business as usual as data protection rules still apply requiring a legal basis and information notice for the processing. Secondly, “publicly accessible” does not equal de facto consent as social media users are unaware of the infinite number of public and private organizations who can access this information and the extent of its consequences. Thirdly, a distinction must be made between data concerning one’s private, public, and professional lives.


6 Data Protection by Design Guidelines for Publicly Accessible Social Media Personal Data Processing

As a DPO, you face a constant battle balancing the interests of your public or private organization against the possible consequences for the rights and liberties of Data Subjects. As stated before, social media can cause severe consequences for the private and professional lives of Data Subjects. Therefore, while carrying out your Data Protection Impact Assessment, it is essential to reflect on 6 Data Protection by Design Guidelines for the processing of publicly accessible social media personal data. These Guidelines not only help you comply with the lawfulness of the processing, but also help you demonstrate Accountability, ensure Transparency and apply effective Data Protection by Design measures.

1. Determine a specific purpose for the data processing

If your organization is going to start using public social media networks as a source for marketing to private individuals or professionals, this data must be used solely for marketing purposes. Any information, comments, photos, or tweets concerning employees or other actors cannot be used for other purposes such as employment litigation. If this information is passed on to another department for a different purpose, the information becomes “fruit of the forbidden tree” and must be erased. This singular purpose, however, is not limited to marketing. The data could be used for anti-fraud or anti-money laundering purposes. Nevertheless, if they are collected for one purpose, they must be used only for this specific purpose.

Starting with choosing your singular purpose will also help you establish the other 5 Data Protection by Design Guidelines for a GDPR compliant processing.

2. Limit the population targeted by the public social media processing

When you have established your data processing purpose, you can then start to limit the target population. To ensure a high quality of data and to avoid the indiscriminate targeting of public profiles for profiling purposes, it is essential to understand and limit your target populations. Indeed, some data subject populations require a higher level of protection. These include: health care patients, minors protected by the GDPR, political or LGBT associations, and social media accounts that overtly display “Sensitive Data”.

As previously stated, your target population will also help you understand whether consent is required. If you are targeting purely private individuals, prior consent will be required before you process their information. However, if this population is found on a professional network and you are proposing products or services linked to their profession, only an informed opt-out is required.

3. Limit the personal data collected by the public social media processing

When you have understood your data processing objective as well as the targeted population, the DPO must work with the Business Lines to structure which data will be collected and to limit the collection to ensure high quality and utility.

At this stage, the DPO must eliminate all “Sensitive Data” collection, as for this category of publicly accessible social media data consent cannot be inferred and must be explicit. Indeed, as the French Data Protection Authority underlined in the Meetic and Attractive World decisions, “the fact someone spontaneously provides information regarding their sexual orientation shall not be considered explicit consent as the individual may not necessarily be conscious of the sensitive character of this data and the possible consequences linked to their communication.[16]” Such data can therefore also be found in tweets, Instagram photos, and Facebook information, comments and page likes that reveal religious or political beliefs or sexual orientation.

Realistically speaking, the marketing departments of public or private organizations will never really need this information. As DPOs, you must be ready to draw the red line when it comes to sensitive data and require informed, explicit consent.

4. Limit the social media sources by focusing on the "public or professional life"

While Data Subjects’ “public life” and whether they are a “public figure” contributing to current debates in today’s democratic society remains debatable, the professional life is easier to discern. As DPOs, it is your task to work with the Data Controller to limit social media sources to those only publishing data referring to one’s “public life” or “professional life”. Such social media includes professional social networks and public university alumni networks but can also include mixed social media such as Twitter and Instagram. Indeed, Instagram and Twitter can be the sole or primary channels of communication for some professions such as Public Relations Representatives, Social Influencers, Community Managers, etc. In these cases, the Article 29 Working Party has underlined the need to determine the professional purposes of the social media profile[17].

The key to mixed social media networks is focusing on Guidelines 2 and 3: your target population and the target data. Your Information Technology team needs to create algorithms that only collect information reflecting your limited target population and your specific set of personal data. If this is not possible and you still think Twitter, Facebook or other mixed social media networks are necessary, then you need to reconsider your collection model. Publicly accessible social media data would not be your best option; your company should instead turn to a 3rd party social connect Application Programming Interface where the individual is informed of your collection and can give their informed consent.

5. Inform the individuals of data processing responding to transparency obligations

As foreseen in Article 14 of the GDPR and as recalled by the CNIL in the Pages Jaunes decision, data protection transparency obligations regarding prior information still apply to personal data collected indirectly via public social media sources. Given this, DPOs must ensure their public or private organizations inform individuals either at the first contact, before the first disclosure, or in any case within one month.

As Guideline 1 states, determining your data processing purpose will help you understand when you will be informing the individual. If your organization is using the public social media data to market products or services, the information should be sent at the first communication. However, if you are a data broker or a recruiting agency and are collecting the information to be sent or sold to third parties, you must inform the data subject before the first distribution of the information.

If you find your company does not correspond to the previous examples, you must remember the GDPR has implemented a strict timeline that supersedes “first communication” or “first disclosure”: the obligation to inform individuals at the latest within one month of the initial collection (Article 14(3)(a)).

6. Effectively execute the right to object and erase the subsequent data

As the triggering issue for the CNIL Pages Jaunes decision was the lack of effective execution of data subject rights, it is essential that DPOs establish with the Data Controllers procedures and processes that efficiently execute these rights, notably the right to object. This is a topic to be researched with the Departments responsible for implementing the data processing (e.g. Marketing Department, Anti-Fraud Department, etc.). In most cases, the right to object and its execution mechanism will be integrated into the “Data Processing Information” responding to transparency obligations. This may take the form of a button allowing the person to opt in or opt out depending on the “professional” or “public” status of the person and the information notice (see Guidelines 2, 3 & 4). Moreover, when the individual withdraws their consent or does not consent to the processing, their personal data must be erased.

DPOs may find it helpful to remind Data Controllers and Marketing Departments that keeping personal data on individuals you cannot market to (ergo “fruit of the forbidden tree”) will not only create a disproportionate processing but will also negatively impact the quality of the datasets and the marketing campaigns.
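The six Guidelines above read naturally as the stages of one collection job, and the article itself asks the IT team to build algorithms that enforce Guidelines 2 and 3. The following Python sketch is an added example, not code from the author or from any authority cited here; it shows one way a pipeline could encode all six: a single declared purpose that refuses hand-offs to other purposes (Guideline 1), population screening for minors, overt Sensitive Data and private individuals without a professional persona (Guideline 2), a field allowlist (Guideline 3), a source allowlist (Guideline 4), a computed Article 14(3)(a) one-month notice deadline with an overdue check (Guideline 5), and erasure on objection (Guideline 6). The field names, source labels, rejection reasons and sample profiles are all constructed; retaining the bare handle after an objection so the profile is not re-collected on a later run is an implementation assumption, not something the article prescribes.

```python
"""Data-protection-by-design ingestion of public social media profiles.

Added example; record shapes, field names and sample profiles are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Guideline 3: the only fields the declared purpose needs; nothing else is stored.
ALLOWED_FIELDS = {"handle", "display_name", "job_title", "employer"}

# Guidelines 2 and 3: Article 9 special categories. A profile overtly exposing any
# of these is skipped entirely, since posting it publicly is not explicit consent.
SENSITIVE_KEYS = {"ethnicity", "political_views", "religion", "trade_union",
                  "health", "sexual_orientation"}

# Guideline 4: only sources whose profiles refer to professional or public life.
PROFESSIONAL_SOURCES = {"professional_network", "alumni_network"}


def one_month_after(d: date) -> date:
    """Article 14(3)(a) deadline: one calendar month after collection, clamped to
    the last day of the target month (2024-01-31 -> 2024-02-29)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Record:
    purpose: str
    source: str
    data: dict
    collected_on: date
    inform_by: date
    informed_on: Optional[date] = None


class Pipeline:
    def __init__(self, purpose: str):
        self.purpose = purpose           # Guideline 1: one purpose per pipeline
        self.records = {}                # handle -> Record
        self.rejections = []             # (handle, reason), kept for accountability
        # Assumption: after an objection only the bare handle is retained, so the
        # same profile is not re-collected on a later run (Guideline 6).
        self.objected = set()

    def _screen(self, profile: dict) -> Optional[str]:
        """Return a rejection reason, or None if the profile may be collected."""
        if profile["handle"] in self.objected:
            return "objected"
        if profile["source"] not in PROFESSIONAL_SOURCES:      # Guideline 4
            return "source_not_professional"
        if profile.get("declared_age", 18) < 18:                # Guideline 2: minors
            return "minor"
        if SENSITIVE_KEYS.intersection(profile):                # Guidelines 2 and 3
            return "sensitive_data_exposed"
        if not profile.get("job_title"):                        # Guideline 2: private person
            return "private_individual_prior_consent_required"
        return None

    def ingest(self, profile: dict, today: date) -> bool:
        reason = self._screen(profile)
        if reason is not None:
            self.rejections.append((profile["handle"], reason))
            return False
        data = {k: v for k, v in profile.items() if k in ALLOWED_FIELDS}  # Guideline 3
        self.records[profile["handle"]] = Record(
            self.purpose, profile["source"], data, today, one_month_after(today))
        return True

    def records_for(self, purpose: str) -> list:
        """Guideline 1: data collected for one purpose is never handed to another."""
        if purpose != self.purpose:
            raise PermissionError(f"collected for {self.purpose!r}, not {purpose!r}")
        return list(self.records.values())

    def overdue_notices(self, today: date) -> list:
        """Guideline 5: handles whose Article 14 information notice is late."""
        return sorted(h for h, r in self.records.items()
                      if r.informed_on is None and today > r.inform_by)

    def mark_informed(self, handle: str, on: date) -> None:
        self.records[handle].informed_on = on

    def object(self, handle: str) -> bool:
        """Guideline 6: honour the objection and erase the record."""
        self.objected.add(handle)
        return self.records.pop(handle, None) is not None


# Constructed sample profiles (not real accounts).
SAMPLE_PROFILES = [
    {"source": "professional_network", "handle": "a.martin", "display_name": "A. Martin",
     "job_title": "Community Manager", "employer": "Example SA",
     "hometown": "Lyon", "birthday": "1990-03-02"},               # extra fields are dropped
    {"source": "professional_network", "handle": "b.dupont", "display_name": "B. Dupont",
     "job_title": "Nurse", "employer": "Clinic Example", "trade_union": "yes"},  # sensitive
    {"source": "photo_sharing", "handle": "c.lee", "display_name": "C. Lee",
     "job_title": "Influencer"},                                     # mixed/private source
    {"source": "alumni_network", "handle": "d.roy", "display_name": "D. Roy",
     "declared_age": 17},                                            # minor
    {"source": "alumni_network", "handle": "e.kim", "display_name": "E. Kim"},  # no professional persona
]


def run_demo(today: date = date(2024, 1, 31)) -> Pipeline:
    p = Pipeline("marketing_to_professionals")
    for profile in SAMPLE_PROFILES:
        p.ingest(profile, today)
    return p


if __name__ == "__main__":
    p = run_demo()
    print("collected:", sorted(p.records))
    print("rejected:", p.rejections)
    print("notice overdue on 2024-03-01:", p.overdue_notices(date(2024, 3, 1)))
```

Run as a script, only a.martin is collected (with hometown and birthday discarded), the four other profiles are rejected with a stated reason, and the notice deadline for a 31 January collection lands on 29 February, so the overdue check fires on 1 March. The rejection log holds only handle and reason, which is what an accountability review needs without retaining the rejected profile itself.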


Striving for More Education, a Wider Democratic Debate, and Coherent EDPB Guidance

While these 6 Data Protection by Design Guidelines are not the answer to every question about the processing of publicly accessible social media data, they are a concrete action plan towards walking that DPO tightrope constantly balancing Data Controllers’ interests, Accountability, Transparency and the founding principle of data protection: informational self-determination[18].

To truly ensure a less opaque legal framework for this data processing, there must be more widespread education on the consequences of public social media profiles, especially directed towards the younger generations. This debate must leave the technical circles of data protection experts and be taken up by democratic society. And finally, the European Data Protection Board needs to provide coherent guidance at the European Union level on the proportionate and lawful processing of publicly accessible social media personal data.


[1] Using data collected on the State’s previous voters, a data analytics program reproduced the elections 66,000 times under different scenarios to understand voter behavior and tailor the arguments to sway the undecided to the Democratic Party.

[2] https://www.nytimes.com/2015/02/15/magazine/how-one-stupid-tweet-ruined-justine-saccos-life.html

[3] https://www.reuters.com/article/us-facebook-privacy-firing/facebook-employee-fired-over-bragging-about-access-to-user-information-idUSKBN1I334E

[4] Special categories of personal data defined as: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.

[5] Article 29 Working Party, WP260, Guidelines on transparency under Regulation 2016/679, pg. 15

[6] Article 6(1)(a), GDPR; Lawfulness of processing: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”

[7] The EU organ regrouping the European National Data Protection Authorities or “WP29”.

[8] Article 29 Working Party, WP258, Opinion on some key issues of the Law Enforcement Directive (EU 2016/680), pg 10.

[9] Idem

[10] CNIL, Délibération n°2011-203 du 21 septembre 2011 portant avertissement à l’encontre de la société X.

[11] Idem, Section II, paragraph 1, translation made by the Author

[12] ECHR cases Minelli v. Switzerland (dec.), no. 14991/02, 14 June 2005; Petrenco v. Moldova, no. 20928/05, 04 October 2010, para 55; and von Hannover v. Germany (no.2), 2012

[13] Article 29 Working Party, WP225

[14] Idem, pg. 16

[15] CNIL, La prospection commerciale par courrier électronique, 30 mars 2018, https://www.cnil.fr/fr/la-prospection-commerciale-par-courrier-electronique

[16] CNIL, délibération n°2016-405 du 15 décembre 2016 prononçant une sanction à l’encontre de la société X, translation made by the Author

[17] Article 29 Working Party, WP249, 8 June 2017, Opinion 2/2017 on data processing at work, pg. 11

[18] A principle founded by the German Federal Constitutional Court in 1983, BVerfGE, 1 - Census
