EDPS opinion on the use of social media monitoring for epidemic intelligence purposes by The European Centre for Disease Prevention and Control


Authors:  

Sandra Moran | Senior Data Protection Advisor

Date: 20 February 2024

On 9th November 2023 the European Data Protection Supervisor (EDPS) published an opinion related to a request for prior consultation (Art. 40 of the EUDPR) received from the European Centre for Disease Prevention and Control (ECDC) regarding a pilot study on the use of social media monitoring for epidemic intelligence purposes. On 12 July 2021, the ECDC sought advice from the EDPS as regards this processing activity, which was already ongoing and, in part, even suspended. As noted by the EDPS, since the processing had already started at the time of the consultation, the EDPS considered the prior consultation inadmissible; it therefore issued the Supervisory Opinion, which includes recommendations with respect to the project.

This article outlines the project in scope of the Opinion and the Recommendations provided by the EDPS and may be a useful resource for those EUIs intending to undertake monitoring of social networks. 

Background  

The ECDC was monitoring social media to assess the benefits of trend analysis of social media sources for epidemic intelligence, in order to improve threat detection during epidemics.

The Centre used its accounts on X (formerly Twitter) and on Facebook to follow posts of different stakeholders, which were selected according to a criterion established by the ECDC (e.g., the stakeholders were selected for providing accurate information on public health events and threats, and more specifically on infectious diseases). The monitoring was done by manual and automated social media monitoring (the latter, only on Twitter accounts as explained below).   

Manual monitoring¹
ECDC staff, through the above-mentioned accounts, would screen Facebook and Twitter once or twice a day by checking the latest posts of the selected accounts (in total 100 Twitter and 40 Facebook accounts are followed).  The monitoring was done as follows:  

  • The monitors’ tasks are restricted inter alia to the collection, collation, storage, and evaluation of data and information included in those posts relating to different aspects, such as cases of communicable diseases (i.e., confirmed cases, suspected cases, deaths, etc.), situation reports on specific events, and relevant public health campaigns (e.g., vaccination campaigns).  
  • At no point did ECDC staff collect, store, evaluate or disseminate personal data of the individuals who are suffering from a communicable disease and/or of its sources (i.e., persons who publish and disseminate data or information on social media).

In some instances, data was included in the ECDC’s Threat Tracking Tool to produce materials, such as ECDC reports. This is only applicable if the data are coming from official social media accounts of public health authorities, public health organisations or any other official organisations (e.g., civil protection or government) and their core employees (e.g., a president or a minister). 

Automated monitoring²
This method of monitoring social media was undertaken using the tool Epitweetr, which was used by the ECDC for the collection of tweets and automatic aggregation of data. In the words of the ECDC: “these aggregated data do not contain personal data and are used for data visualization in the Epitweetr dashboard”.

As explained in the Opinion, through Twitter’s Standard Search API, Epitweetr focused on monitoring tweets that include any or some of the keywords selected by the ECDC relating to specific and popular nomenclature surrounding infectious diseases. The keywords were regularly revised and updated (e.g., to add COVID-19 in 2020).

Among others, the following categories were in scope of the automated monitoring: 

  • Date and time of posting of the tweet, as well as its identification number; 
  • Content of the tweet (including the language of the content of the tweet user as well as hashtags, symbols, URLs and mentions of other users); 
  • Information about the user who posted the tweet: identification, name, screenname, location, description of his/her Twitter profile, URL, if the account is protected and/or verified, number of followers and friends, number of Twitter lists which includes the user, date, and time of the creation of the account, number of favourites, and time zone and language of the account. In the words of the ECDC, the same metadata are available for the user of a tweet that has been replied to, retweeted or quoted;
  • Epitweetr and its machine learning processes also allowed, in parallel with the collection of tweets, the processing (and storage) of some insights connected to geolocation (e.g., tweet geolocation and user location from the available metadata).

The ECDC had prepared the following data protection documentation for this project: a Data Protection Impact Assessment (DPIA) and a Privacy Statement. The Privacy Statement was published in different ECDC portals. The ECDC identified Article 5(1)(a) of the EUDPR as the legal basis for the processing operations (affirming that the processing is necessary for the performance of tasks in the public interest attributed by Union or Member State legislation).

Key insights from the EDPS:  

Data Controllership
In the view of the EDPS, it is clear that the ECDC would be the sole controller, as it determines the purpose of this data processing, as well as most of the essential means of the processing.
 

Recommendations related to the Legal Basis (including the processing of special category data)
As outlined by the EDPS, a legal basis should be provided for the processing and, at present, the ECDC does not have a sufficient ‘basis’ in ‘Union law’ for these monitoring activities. In this regard, the EDPS understands that the seriousness of the measures’ interference with the rights to data protection and privacy is mitigated considering that the ECDC’s monitoring activities are in a pilot phase and do not aim at targeting individuals. As mentioned by the EDPS, the main scope of the gathering of information may enable the early detection of potential outbreaks and communicable diseases and the detection of serious cross-border threats to human health at an early stage. This would, in principle, fit under the ECDC’s mission related to, e.g., the identification of current and emerging threats to human health from communicable diseases, as well as the establishment of procedures for systematically collecting, collating, and analyzing data with a view to identifying emerging health threats.
 

It is to be noted that the EDPS provides interesting notes on legal basis, including a brief review of the options in the ECDC (Amended) Founding Regulation and a suggestion of how to meet the requirements of Article 5(2) of the EUDPR in connection with this processing. 

However, in the view of the EDPS, special categories of personal data may also be processed within the project, inter alia for the following reasons: 1) Twitter profile descriptions often include, e.g., racial origin, political opinions or sexual orientation, and 2) the ECDC did not provide sufficient information to clearly demonstrate that it does not collect entire tweets which may include a selected keyword but also contain special categories of personal data, such as health data – for example, where an individual discloses in a tweet that they have tested positive for COVID-19. This implies the requirement to have one of the conditions in Article 10(2) of the EUDPR fulfilled. The EDPS mentions in its Opinion Article 10(2)(i) of the Regulation (the processing is necessary for reasons of public interest in the area of public health) as the potential legal basis which the ECDC may use to cover this processing activity.

EDPS recommendations to ECDC related to accountability: 

  • The undertaking of a thorough assessment of the necessity and proportionality of the processing operations in the context of its monitoring activities. All categories of data processed should be detailed and ECDC should demonstrate that the proposed processing operations are ‘essential’ to meet the identified objective. The EDPS recommends to the ECDC to conduct a more thorough assessment of the seriousness of the interference of the measure (the monitoring) in relation to the benefits brought to the public interests served by the performance of the ECDC’s tasks.  
  • ECDC should update the DPIA. 
  • As regards the Privacy Statement, the main adjustments needed would be: 1) to inform the data subjects, in scope of the manual social monitoring, of the processing of their personal data and about their rights as data subjects, at the time of collection. This can be done by sending them a standardised direct message on their public account (unless the ECDC can show that one of the exceptions under Article 16(5) of the EUDPR applies) and 2) the ECDC should mention the processing of special categories of personal data in the context of its automated social media monitoring and the applicable legal basis.

Considering the above, European Union Institutions and other organisations acting as controllers should ensure that their use of social media is closely assessed with respect to the processing to be undertaken. This can be done, for example, by paying specific attention to the data controllership, its purposes, the personal data categories under processing, the tools to be used and the applicable legal basis. Close attention should also be given to the accountability documents (e.g., DPIA, Data Protection Notices etc.) and to potential (and timely) consultation with the EDPS.

Trilateral’s Data Protection and Cyber-risk team includes data protection specialists with extensive expertise and experience in helping EUIs to be more strongly aligned with Regulation 2018/1725 (EUDPR). Our services can help EUIs with their current and future projects. Trilateral Research has also published different articles to help EUIs understand their specific requirements and enhance compliance (among others, see: “Challenges and recommendations when moving to the cloud” and “Coordinated Enforcement Action on the role of Data Protection Officers: What to Expect?”). Please feel free to contact our advisors, who would be happy to speak with you about your compliance needs.

 

Footnotes
1 Manual monitoring is still ongoing and undertaken on Facebook and Twitter.
2 Automated monitoring was only undertaken on Twitter and discontinued in April 2023 for economic reasons.
