PETLP: A Privacy-by-Design Pipeline for Social Media Data in AI Research
This addresses the regulatory complexity for AI researchers handling social media data, though it is incremental as it builds on existing ETL and compliance concepts.
The paper tackles the problem of overlapping legal obligations for AI researchers using social media data under GDPR, copyright, and platform terms by introducing PETLP, a privacy-by-design compliance framework that embeds legal safeguards into ETL pipelines, demonstrating through Reddit analysis how extraction rights differ between research organizations and commercial entities while highlighting the unachievability of true anonymization.
Social media data presents AI researchers with overlapping obligations under the GDPR, copyright law, and platform terms -- yet existing frameworks fail to integrate these regulatory domains, leaving researchers without unified guidance. We introduce PETLP (Privacy-by-design Extract, Transform, Load, and Present), a compliance framework that embeds legal safeguards directly into extended ETL pipelines. Central to PETLP is treating Data Protection Impact Assessments as living documents that evolve from pre-registration through dissemination. Through systematic Reddit analysis, we demonstrate how extraction rights fundamentally differ between qualifying research organisations (who can invoke DSM Article 3 to override platform restrictions) and commercial entities (bound by terms of service), whilst GDPR obligations apply universally. We demonstrate why true anonymisation remains unachievable for social media data and expose the legal gap between permitted dataset creation and uncertain model distribution. By structuring compliance decisions into practical workflows and simplifying institutional data management plans, PETLP enables researchers to navigate regulatory complexity with confidence, bridging the gap between legal requirements and research practice.