Using publicly available data under GDPR

Many organizations involved in market research collect data from publicly available sources such as Google searches, social media postings and the like. This information is processed to extract useful market intelligence, which may also be commercially traded in the form of market research reports.

The recent discussions on whether WhatsApp can share some of its information internally with Facebook, and whether Facebook can use it for advertising profiling of users, have rekindled the debate on how data protection laws should address publicly available information.

The regulatory authorities can take the easy way out and stick to the literal text of Article 14 of GDPR: where personal data have not been obtained from the data subject, the controller shall provide the data subject with specified information about the controller, the purposes of the processing, the source of the data and related matters, within a reasonable period after obtaining the data but at the latest within one month.

Article 14(5) also provides that this obligation shall not apply where and in so far as

(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

In this context we can revisit the decision of the Polish supervisory authority (UODO) imposing a fine of about EUR 220,000 on a company called Bisnode.

The company held a total of about 7.5 million records (personal data and proprietary business data), and the supervisory authority expected that every data subject be duly notified as required. The company represented that sending proper notices would cost it around EUR 8-9 million, which it considered disproportionate to the purpose. There was no issue regarding the adequacy of the security measures the company had otherwise adopted to secure the data.

This case raises some specific issues which require deeper debate.

Are the GDPR authorities intent on closing down every business that does market research from public information?

Is it not fair to consider that data protection is essentially about giving the data subject control over what information he wants to keep unshared and what information he wants to share? If the data subject did not want his social media information to be shared, could he not have set the privacy settings on his posts to “Visible only to approved contacts” rather than leaving them open for a search engine to parse?

If a data subject has decided not to enforce his privacy settings, is it not reasonable to treat this as a “deemed consent” that the data may be used for purposes consistent with the disclosure, as long as no adverse impact on the privacy of the person is envisaged in the processing?

In most cases the data may be used only for statistical analysis, and only a subset of the data subjects may need to be contacted for further use of the data, such as sending a marketing message. Whether a consent request limited to the data subjects shortlisted for further communication would suffice in such cases remains to be explored.

Also, as in the case of WhatsApp obtaining the consent of the data subject to share the data with Facebook, and Facebook using it on the basis of the consent obtained by WhatsApp, would it be possible for a social media platform like Twitter to obtain a general consent that includes something along the following lines?

“In case the user does not restrict the visibility of the data through privacy settings, the data may be shared with search engines and research agencies, subject to there being no automated decision making about the data subject and no direct contact with marketing messages”… etc.

It is time that experts make representations to the EDPB for a suitable relaxation in the interpretation of Article 14 to accommodate the legitimate interest of market research agencies.

Until then, companies that are directly liable under GDPR as “data controllers” need to prepare a DPIA and, where it indicates a high residual risk, submit it to the supervisory authority for prior consultation under Article 36. If the company is a “data processor”, it may rely on the data controller to take that responsibility.

If the data processing is outside the scope of GDPR, there is no need to worry about Article 14 of GDPR. Such companies should instead follow the principles enunciated in the Personal Data Protection Standard of India (PDPSI) for this purpose.

The above is offered as a contribution towards the development of jurisprudence on data protection.

Comments are welcome.

Naavi

About Vijayashankar Na

Naavi is a veteran cyber law specialist in India, presently working from Bangalore as an Information Assurance Consultant. A pioneer of concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual cyber law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Cyber Law.