Ch 17.6.4–17.6.8 - Art 9, rights, children

Social media: legal basis, special category data, children

SMP processing needs an Article 6 basis, and Article 9 applies to special category data. One Art 9 route is data manifestly made public by the data subject - a high threshold. The EDPB warns that inferences (e.g. likely political views) are special category data, but Article 9 is not engaged if the SMP genuinely prevents inferences. For children, Article 8 requires parental consent under 16 (states may lower to 13), and the UK's Children's Code sets design standards. The ICO fined Facebook £500,000 (its pre-GDPR maximum) for unfair friend-data sharing.

Photos generally are NOT special category data unless specifically intended to reveal such data (WP29)
But inferences/assumptions about special category data (e.g. likely voting) ARE special category data (EDPB)
Article 9 is not engaged if the SMP prevents such inferences being made or used to target
Under-16 consent needs parental consent (states may lower to 13)
Legitimate interest (Art 6(f)) may be unavailable where the data subject is a child

Facebook fine

The ICO fined Facebook the pre-GDPR maximum of £500,000 for allowing third-party apps to access the data of users' Facebook friends without informing them - beyond data subjects' reasonable expectations, so unfair processing.

Key terms - quick answers

What is “Manifestly made public”?

An Article 9 condition where the data subject has clearly made special category data public - a high threshold.

What is “Children's Code”?

The UK Age Appropriate Design Code (in force Sept 2021) setting standards to design data protection into services likely to be used by children.

What is “Article 8”?

GDPR provision requiring parental consent for children's consent-based processing under 16 (states may lower to 13).

← Social media: roles, joint controllership, transparency Targeted online advertising: ecosystem and law →