The DPA has fined an NGO, and a researcher for posting raw data from Twitter accounts online as part of an investigation “without taking minimal security measures.”
The NGO will be fined 2,700 euros, the researcher 1,200 euros, and both will also receive a reprimand, the GBA reported on Thursday.
The NGO working to curb the spread of disinformation published an analysis in 2018 to determine the possible political origin of tweets circulating about a particularly lively polemic in France, ‘the Benalla affair’. Alexandre Benalla, the former aide to President Emmanuel Macron, has been discredited after Le Monde newspaper revealed that he had cracked down on protesters at the May 1 celebrations in 2018.
The GBA and its French counterpart CNIL received a total of more than 200 complaints about the reuse of personal data from 55,000 Twitter accounts to conduct the study – in which more than 3,300 accounts were classified politically – and about the online publication of files containing the raw data from the study. The GBA is responsible for the file because the NGO is located in Belgium.
The GBA ruled that the NGO was exempt from its obligation to individually inform the individuals concerned about the personal data processed for the study, as this could have jeopardised the study and its publication. However, the publication of sensitive data used for the study and not properly pseudonymised had no legal basis due to “the disproportionate violation of the rights of the authors of the tweets concerned.” Their consent was also required for the publication of such non-pseudonymised sensitive data.”
“While there was no doubt that there was no malicious intent, this publication put those involved at risk of discrimination or disparagement for its non-anonymised political profiling,” the GBA said. The files also contained information about the individuals’ religious affiliation, ethnicity, and sexual orientation whose accounts were analysed.
The GBA also emphasises that the General Data Protection Regulation still protects that personal data is publicly available on social networks. “So it’s not because you’ve shared something publicly that you just have to accept any later reuse,” says chairman David Stevens.
“The rules on the protection of personal data have been put in place to protect people. Therefore, compliance with it is essential in the context of the large-scale collection of data for political profiling and its publication, which may have adverse consequences for individuals’, concludes Dispute Chamber Chair Hielke Hijmans. “Of course, we think it’s legitimate to want to contribute to the public debate about the dissemination of (dis)information, but it would have been possible, and even necessary, to do so in a way that infringed less on people’s privacy.
