GDPR – business or pleasure?
Do you remember GDPR (or, for mnemonic assistance, Gitte and Per)? This is one of three posts on the EU law that everybody feared last year: What did we think it was, what is it, and what effects has it had?
When the EU legislation was announced, many researchers at my department were in doubt about exactly what to do (see also: What is GDPR? A compliance guide) — and after more than a year, still no general practice has emerged.
A survey among my research colleagues in linguistics shows highly individual solutions to the new law. Researchers of social media in particular are frustrated about how to interpret the law when it comes to already publicly available data.
No more research in SoMe?
One researcher who looks at the specific linguistic phenomenon of polyphony, which is especially prevalent in online dialogues with harsh discussion, has been told that even though a dialogue is publicly available in open groups, it cannot be used for research without getting each writer’s informed consent. And consent is probably hard to get, since the dialogues often reveal less flattering sides of the writer.
This creates a paradox:
“The problem is that the dialogues — and so the identity of the writers — in publicly available groups can be found via Facebook’s search function. Ethically it is highly problematic to cite from a closed group or from a private profile, but GDPR-wise this is not a problem whereas citing from an open, searchable group or profile is.”
So GDPR is supposed to protect ethical rights but it does the opposite? Does this mean that we cannot research social media anymore? We don’t know yet, since no legal precedent has been established.
Researchers wish for clearer answers — especially from the university management:
“When it comes to social media, every answer I get is different from the last one”
“I have attended loooong presentations from the university’s lawyers and I have asked my colleagues abroad what they do. Still no definite answer”
“Information regarding keeping of data has been insufficient and self-contradictory”
Business as usual
Social media data seems to cause the most trouble, and researchers with other kinds of data take it more lightly. To the question “What have you done with data you already have?” my colleagues reply “nothing” or “we already store our data safely!” Some have registered their data-driven projects with the university’s data protection agency. This meant “filling out some forms and stating an end date for the project — No big deal.”
One researcher says that they have always worked, and will keep working, on the basis of a set of self-formulated ethical guidelines:
- Make sure no one is harmed or can get in trouble because of your data or publications
- Is it even the tiniest bit likely that a person will sue me for using their data? If yes, then don’t use it
- Remember that big companies running search engines, social media, academic scholarly services etc. already know everything about you. But they themselves hide from the law. GDPR is made for them, but they will never get caught. It is most likely that we researchers or some other small fish will end up in court [presumably guideline c should handle your own ethical concerns, ed.]
- Still no legal precedent has been established regarding GDPR. The university lawyers are always covering themselves for unrealistic worst-case scenarios
Most of my colleagues preferred to remain anonymous for this blog post, and so will I. As a junior researcher I have no courage to ‘lay my head on the block’, as we say in Danish, and risk being the little fish fried for misunderstanding an unclear law.
The author of this blog post is a PhD student of something in a department of something at a university in the Western hemisphere. Since information revealed in this post is of a particularly sensitive kind, all content is anonymised. No original documents are stored by either the author or the editorial board of Lingoblog.