New EDPB Guidelines on targeting of social media users
On 2 September 2020, the European Data Protection Board (EDPB) adopted draft guidelines n°08/2020 on targeting of social media users (the Guidelines). While the draft guidelines n°07/2020 adopted on the same day by the EDPB deal with the concepts of (joint) controller and processor in general, in the present Guidelines, the EDPB focuses on the different roles and responsibilities of advertisers and providers and those using targeting services on social media platforms.
Nowadays many social media providers offer services making it possible for natural or legal persons to communicate specific messages to the users of social media in order to advance commercial, political or other interests. Such services are often referred to as “targeting”. This implies privacy risks for users of social media and involves a variety of different actors that have different roles and responsibilities. In the aftermath of the judgements Fashion ID (C-40/17) and Wirtschaftsakademie (C-210/16) of the Court of Justice of the European Union, the new Guidelines of the EDPB focus on the importance of correctly identifying the roles of the different actors and of defining their respective responsibilities in this sector.
Social media users can be targeted on the basis of three types of data:
- data provided by the data subject either to the social media provider or to the platform;
- observed data, i.e. data that is provided by the data subject by virtue of using a service or device;
- inferred data, i.e. data that is created by the controller on the basis of provided or observed data (typically involving profiling).
For each of these scenarios, the EDPB discusses the role of the social media providers and the targeters and the legal basis they could invoke to process the personal data.
According to the Guidelines, social media providers and targeters are often considered joint controllers as they determine together the means and purposes of a processing activity (concept broadly defined in the draft guidelines n°07/2020 – read our ezine). The joint control does not, however, extend to operations involving the processing of personal data at other stages occurring before the selection of the relevant targeting criteria or after the targeting and reporting has been completed, and in which the targeter has not participated in determining the purposes and means.
The joint controllers shall each have a separate legal basis for processing the personal data. The most appropriate legal bases in this regard are the consent of the data subject and legitimate interest.
Although the EDPB states that there is no specific hierarchy between the different legal bases of the GDPR, it considers that there are clearly situations in which the processing would not be lawful without the valid consent of the individuals concerned, such as tracking individuals across multiple websites, locations, devices or services, or data brokering. Furthermore, the EDPB takes into account the ePrivacy Directive, which is applicable for example to cookies, pixels and social plugins and establishes that such processing activities always require consent.
Furthermore, the EDPB focuses on the necessity of Data Protection Impact Assessments (DPIAs). Prior to initiating the targeting operation, joint controllers should determine whether a DPIA is needed for the designated targeting activity. The parties should also consider whether special categories of data are involved. Interestingly, assumptions or inferences regarding special category data (for instance, that a person is likely to vote for a certain party) also constitute special category personal data. The Guidelines also highlight that, although under the GDPR special categories of personal data may be processed where the data have been made manifestly public by the user, the threshold for relying on this exemption is rather high and a case-by-case assessment is needed.
Lastly, the EDPB states that joint controllers must enter into an arrangement, determining their respective responsibilities for compliance with the obligations of the GDPR (read our ezine on draft guidelines n°07/2020). As joint controllership does not mean equal controllership, the level of responsibility must be assessed taking into account the ability to influence the processing on a practical level, as well as the actual or constructive knowledge of each of the joint controllers. Furthermore, it is important to specify at what stage of the processing and to what extent or degree the targeter and the social media provider are responsible for the processing. However, the allocation of responsibilities is not binding for supervisory authorities, as they may exercise their competences and powers in relation to either joint controller, as long as the joint controller in question is subject to the competence of that supervisory authority.
The Guidelines are subject to public consultation until 19 October 2020. It is now time to comment, (dis)like and share your point of view. The EDPB will review the result of the public consultation and may decide to update (part of) the Guidelines before publishing a final version.