Public consultation on the Guidelines on the targeting of social media users (Guidelines)
The European Data Protection Board (EDPB) has recently launched a public consultation on the Guidelines on the targeting of social media users. The EDPB is an independent European body whose task is to contribute to the consistent application of data protection rules throughout the European Union. It also facilitates cooperation between the EU data protection authorities.
The Guidelines were prompted by the availability of highly sophisticated targeting mechanisms and of organisations able to target individuals by applying a wide range of criteria. The EDPB draws attention to the fact that such criteria may have been developed on the basis of (i) personal data which users have actively provided or shared, (ii) personal data which was observed, or (iii) personal data which was inferred.
Since the targeting of social media users is a complex process, the document analyses the roles of the following actors: (i) social media providers (entities offering an online service that enables the development of networks and communities of users, among which information is shared); (ii) users (those who are registered with the service and have an “account” or “profile”; non-registered users may nevertheless also be data subjects); (iii) targeters (those who use social media services in order to direct specific messages at a set of social media users selected on the basis of specific parameters or criteria); and (iv) other actors involved in the targeting process (such as marketing service providers, data management providers, data analytics companies, data brokers, etc.).
The Guidelines seek to clarify the distribution of responsibilities between targeters and social media providers, taking into account the case-law of the CJEU. The EDPB notes that even where the targeter only specifies the parameters of its intended audience and has no access to the personal data of the users involved (such access being limited to the social media provider), it will still be considered a joint controller. Although the GDPR does not preclude joint controllers from relying on different legal bases for the different processing operations they carry out, the EDPB recommends using, whenever possible, the same legal basis for a particular targeting tool and a particular purpose.
The EDPB states in particular that two legal bases could in principle justify the processing that supports targeting, namely (i) the data subject’s consent or (ii) legitimate interest. As regards legitimate interest, the EDPB maintains that it would be difficult for controllers to justify relying on legitimate interests as a legal basis for intrusive profiling and tracking practices for marketing or advertising purposes. Such practices include, for example, tracking individuals across multiple websites, locations, devices or services, and data brokering. As regards consent to cookies, the EDPB expressly notes that consent given by means of a pre-ticked checkbox is not valid.
Here are several other important highlights from the EDPB Guidelines.
The mere use of the word “advertising” is not enough to inform users that their activity is being monitored for the purpose of targeted advertising. Users must additionally be informed if a profile is built. The targeter is not directly responsible for providing information about any further processing that is carried out by the social media platform and falls outside the scope of the joint controllership. A data protection impact assessment may be necessary in some cases, depending on the nature of the product or service advertised.
It is worth recalling that Article 35 of the GDPR governs Data Protection Impact Assessments (DPIAs), which are closely related to the “data protection by design” principle. According to the law: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Conditions that would typically require a DPIA include the following:
· If one is using new technologies;
· If one is tracking people’s location or behaviour;
· If one is systematically monitoring a publicly accessible place on a large scale;
· If one is processing personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”;
· If one’s data processing is used to make automated decisions about people that could have legal (or similarly significant) effects;
· If children’s data is processed;
· If a leak of the data being processed could result in physical harm to the data subjects.
One should also bear in mind that in other cases, where the high-risk threshold is not met, it may still be wise to conduct a DPIA in order to minimise the organisation’s liability and to ensure best practices for data security and privacy.
The Guidelines are open for public consultation until 19 October 2020.
Compiled by Media 21 Foundation from: EDPB