GDPR tip: Am I allowed to use personal data from social media in my research?

Social media platforms such as Facebook, LinkedIn and Twitter are full of data that could be valuable for a research project. For example, personal data such as age, gender, education, and political and religious beliefs are often freely available on social media.

It can be tempting to think that, once people have decided to publish this information themselves, it is no longer subject to the rules on data protection. But, unfortunately, this is wishful thinking. AU’s data protection unit is often asked how people should process the personal data they have collected from social media platforms.

Data Protection Officer Søren Broberg Nielsen insists that, regardless of whether or not personal data is freely available, it should always be processed according to data protection laws.

Facts: Research and GDPR

AU’s web pages about GDPR for researchers contain useful information on how to keep personal data safe when conducting research projects. Every autumn and winter, AU’s data protection unit focuses on different aspects of GDPR based on researchers’ dilemmas and experiences. This time it is about personal data and social media.

Think carefully before you start

“This means that researchers need to think very carefully before they start their research project. For example, they must have a legal basis to process the data, they must comply with the legal requirements for how personal data is stored, and they must adhere to the duty of disclosure to the people whose data is being processed,” says Søren Broberg Nielsen, who also points out that the rules are general and not limited to social media.

Read more about the legal basis for processing data and the duty of disclosure on AU’s GDPR pages for researchers.

Professor: Closed groups are not off limits

The School of Communication and Culture is one of the places where social media is often used in research. Niels Brügger is professor of media studies at the school and conducts research into the history of the internet. He has extensive experience collecting data from digital media, which is why his colleagues often come to him for good advice. One of the questions he is often asked is whether it’s possible to collect personal data from closed Facebook groups, where access is restricted.

“In principle, it is possible, if you have access to the group. But you still need to have a legal basis for processing the data and comply with the duty of disclosure. It’s not enough, for example, to just have the informed consent of the group’s administrator. In addition to data protection rules, if you are collecting data from closed forums, you should also consider ethical implications, because you can stumble across statements that were clearly not intended for wider publication,” says Niels Brügger.

On AU’s GDPR webpages for researchers, you can read more about what you should consider when assessing how to process data collected from closed groups.

Facts: GDPR and social media

An overview of the guidelines on the use of personal data and social media.
See also FAQ about research and data from social media.

Be aware of the social media platform’s Terms of Service

If you are using personal data from social media sites in your research, it’s not enough to familiarise yourself with data protection rules. As a researcher, you also need to be aware of the social media platform’s Terms of Service, because some platforms have rules regarding informed consent and personal data that are more restrictive than data protection rules.

“Take Twitter as an example. In their Terms of Service, they state that it’s not possible to collect, for example, 100 tweets and publish them. The only thing you can publish is the ID number for each tweet,” says Niels Brügger.

Read more about GDPR and social media on AU’s GDPR website for researchers.