EU DisinfoLab fined for processing and classifying tweets and Twitter accounts according to political orientation Summary In an effort to combat the issue of online fake news, a ° Not implementing sufficient technical and Belgian NGO called EU DisinfoLab undertook an analysis organizational measures within the non-profit of a large number of ‘tweets’ posted on Twitter now organization (GDPR, Article 32). concerning the “Benalla affair”. This criminal case involved a senior French security officer employed ° Not having carried out an impact assessment (GDPR, by the President of France. As part of their study, the Article 35). NGO categorized Twitter accounts according to users’ ° Not observing the principle of accountability (GDPR, political, religious, ethnic, and sexual orientations, with Articles 5(2) and 24). the aim of identifying the political affiliations of the Twitter users in question. The DPA imposed a fine of 1,200 EUR on an individual The study, published in 2018, included personal data researcher who was deemed the data controller for from over 55,000 Twitter accounts. The NGO performed the publication of the Excel file containing raw personal several processing activities for this study, including data, alongside the NGO. The researcher was fined for processing the publicly available information from the following violations: Twitter, as well as publishing an Excel spreadsheet • GDPR, Articles 5(1)(a), 5(1)(c), 5(1)(f), 6(1), 9, 12, 14, online, which contained the raw personal data and 32. extracted from Twitter. This spreadsheet was published in response to challenges regarding the integrity of the Our remarks study. • The public nature of personal data posted on Following more than 240 complaints from data social networks such as Twitter does not mean subjects, the Belgian Data Protection Authority (DPA) that such data is not protected by the GDPR. When launched an investigation in collaboration with its processing personal data obtained from such French counterpart, CNIL. platforms, the general principles must be observed, and an appropriate legal basis identified. Collaborative decision of the Belgian DPA • In cases where personal data is processed for and the French DPA journalistic purposes, exemptions to the GDPR may The DPA’s imposed a fine of 2,700 EUR on EU DisinfoLab apply. In the present case, the Data Protection for the following violations: Officer (DPO) acknowledged that the NGO was exempted from the obligation to individually inform • For activities related to the conduct of the study: the data subjects pursuant to GDPR, Article 14. This ° Not having a privacy policy (GDPR, Articles 5(1)(a), 12 exemption was granted to protect the integrity of and 14). the study. Nonetheless, the DPA concluded that the publication of sensitive personal data used in ° Not having carried out a balancing of interests (GDPR, the study, without proper pseudonymization, did Article 6(1)(f)). not have a legal basis. According to the DPA, the legal publication of such sensitive data without ° Not having contracts in place with data processors pseudonymization would have required the consent (GDPR, Article 28(3)). of the individuals concerned. ° Not having a record of processing activities (GDPR, Article 30). Published: 22-01-2022 Journal number: DOS-2018-04433 Tags: 01 Legal basis and principles of processing 87