[Air-L] Social media research and the GDPR. How to comply?

Fri Sep 6 03:09:34 PDT 2019

Dear list,

at Utrecht Data School<https://dataschool.nl/?lang=en> and Datafied Society<https://datafiedsociety.nl/>, we frequently carry out social media analysis. Many colleagues on this list do similar research. I turn to you with questions about the GDPR and how it might affect our research processes.

I was wondering how you (EU-based researchers) comply with the GDPR and whether your institutions developed guidelines concerning the conduct of social media research. Are there privacy officers reviewing your proposals, do they use an online tool (and which) for DPIA's, submitting and reviewing the proposals, and what is the understanding and practice of informing data subjects?

For example considering the duty to inform data subjects: for our research on topic-communities<http://mtschaefer.net/entry/political-topic-communities-and-their-framing-practices-dutch-twittersphere/> on Dutch Twitter, we used a sample of one week of Twitter NL. According to the interpretation of the GDPR by some privacy officers, researchers would be now required to inform the 600.000 accounts captured in this sample about the research. They (privacy officer) cite a case from Poland, where a data broker was fined<https://www.bakermckenzie.com/en/insight/publications/2019/03/first-fine-for-violation-of-the-gdpr> for not informing their data subjects.

I was thinking that the GDPR was exactly meant for this as the data broker used the data for his commercial business without informing the data subjects. But does the GDPR implementation act not provide exceptions here for researchers (journalists and artists)?

What would happen if researchers would be indeed required to inform 600.000 users on Twitter about their research project (thinking here mostly about the feasibility and the related costs which would render most research projects too expensive to be carried out without a major grant and significant institutional support; but think also about the possible reactions to researchers if you would investigate topics such as hate speech and you should inform the authors of said hate speech about your research.

I hope I am not the only one struggling with this and would be very grateful if you could help me with these questions:

- how do you deal with the right to be informed when collecting large data sets?

- what kind of assistance to you receive from your institution in legal information, review of project proposals and facilitation of compliance with GDPR requirements?

- are there precedents of research projects that have been altered or blocked by privacy officers?

- are the interpretations of privacy officers of the GDPR related to research projects widely different?

- is there expertise within AoIR on these issues and where researchers can find advice on how to proceed in order to comply with GDPR?

Help and input are much appreciated!

Best wishes,

mirko

Mirko Tobias Schäfer | Associate Professor |
Project leader Utrecht Data School|
Utrecht University | Muntstraat 2a | 3512 EV Utrecht |
T: +31-644620751 | M: m.t.schaefer at uu.nl<mailto:m.t.schaefer at uu.nl> | W: www.mtschaefer.net<http://www.mtschaefer.net>