Report – Defending Data: Privacy Protection, Independent Researchers, and Access to Social Media Data in the US and EU

Executive Summary

Access to social media data by independent researchers is at the forefront of efforts to improve tech transparency. Article 40 of the European Union’s Digital Services Act (DSA) requires providers of very large online platforms and very large online search engines to provide vetted researchers with access to data, subject to certain conditions. In the United States, lawmakers are considering several bills, which vary in their details, that would require social media companies to provide data to researchers. 

But social media data is a rich source of information not only for researchers; law enforcement agencies are also often interested in obtaining social media data. In some cases, these demands are lawful and justified. However, law enforcement personnel have also used social media data in the past for illegitimate purposes such as monitoring protestors, dissidents, and members of religious or racial minorities. 

Legal requirements that social media companies make data available to independent researchers should not inadvertently become tools for unjustified and increased law enforcement surveillance of social media users. This report examines existing legal protections for stored social media data in the US and EU and how they might be impacted by researcher access to social media data. 

In the US, there is a significant risk that disclosure of social media data to independent researchers may make it easier, as a matter of law, for law enforcement personnel to access that data and surveil social media users. In particular, the uncertainty of how courts may apply the Fourth Amendment’s third-party doctrine and gaps in the Stored Communications Act may allow law enforcement agencies to have more access to data that is disclosed to independent researchers. We also find that legal protections that allow journalists and others who disseminate information to the public to resist law enforcement demands for information may not always apply to academic researchers or may provide only limited protections.

In contrast, in the EU disclosure of social media data to independent researchers likely will not impact the legal requirements governing the disclosure of data to law enforcement found in the General Data Protection Regulation, European Convention on Human Rights, EU Charter of Fundamental Rights, and Law Enforcement Directive and national implementing legislation. However, there remains a risk that, in practice, law enforcement personnel may find it easier to access social media data from researchers, regardless of legal protections. 

In light of these increased risks, policymakers implementing or enacting requirements that social media companies share data with independent researchers in both the US and EU may want to consider the following mitigating measures: 

1. Not allowing law enforcement agencies to qualify as vetted researchers in the legal regimes that establish access mechanisms. 
2. Providing independent researchers with access to data through or at the social media company, rather than allowing the researcher to possess it. 
3. Requiring researchers to destroy data after a certain time period or when their research has concluded. 
4. Additional research to understand whether providing data to independent researchers will make law enforcement more aware of—and likely to demand access to—users’ social media data. 

The report recommends that US lawmakers, in particular, may want to consider:

1. Restricting access to research tools that offer public data, such as APIs, to vetted researchers. 
2. Requiring government entities to seek access to data subject to the Stored Communications Act only from providers of an electronic communications service or remote computing service subject to the Act’s requirements, and not from a researcher when the researcher obtained such data under a researcher access to data law. 
3. Requiring law enforcement agents to obtain a warrant, supported by probable cause, before they may access social media data obtained by researchers under a researcher access to data law, in addition to (2) (with respect to data not covered by the Stored Communications Act) or as an alternative to (2).
4. Prohibiting researchers from voluntarily disclosing data. 
5. Enacting a federal shield law and expanding state shield laws to clearly cover researchers. 

The report recommends that EU lawmakers, in particular, may want to consider:

1. Requiring data sharing agreements that prohibit researchers from sharing data with any other party unless legally obligated to do so. 
2. Additional transparency obligations for social media platforms and independent researchers. 

Read the full report here.