Updated 19 May 2021
The European Data Protection Board (EDPB) has adopted finalised Guidelines 8/2020 on the targeting of social media users under GDPR, following public consultation.
Many social media providers offer 'targeting' services making it possible for individuals or businesses to communicate specific messages to social media users to advance commercial, political or other interests. Targeting implies data protection risks for users of social media and involves a variety of different actors with different roles and responsibilities.
In the aftermath of recent judgments, such as the Fashion ID judgment (C-40/17) concerning the use of the Facebook 'like' button, the Guidelines provide practical guidance and use example scenarios to assist stakeholders including users, platforms and targeters (i.e. advertisers) with recognising advertising situations that may be applicable or relevant to them, as well as clarifying the rights, roles and responsibilities of each.
What do the Guidelines say?
The Guidelines note the following:
- Social media users can be targeted on the basis of four types of data:
  - Data provided by users to a platform - e.g. a user provides gender, date of birth or employment on their social media account
  - Data provided by users to an advertiser - e.g. a platform matches pre-existing list data, such as email addresses or phone numbers, from the advertiser with data from the user's social media account
  - Observed data - e.g. data based on users' use of a service or device (for example, the Guidelines confirm that, in respect of location-based targeting, an advertiser and a platform are joint controllers and user consent is required, as location-based targeting relies on monitoring individuals' behaviour)
  - Inferred data - i.e. data inferred by the platform or advertiser, e.g. data created or derived from users' browsing behaviour or interest in a specific activity (often involving profiling)
For each of these scenarios, the EDPB discusses the role of platforms and advertisers and the legal basis they could rely upon to process users' personal data.
- Advertisers and platforms may be joint controllers as they determine together the means and purposes of a processing activity. The Guidelines provide clarification as to when and how the responsibilities might be distributed between the two, supported by practical examples. As joint controllers, they will each have a separate legal basis for processing the personal data. The most appropriate legal bases in this regard are the data subject's consent and legitimate interest.
- Advertisers and platforms should consider carrying out a Data Protection Impact Assessment (DPIA). The Guidelines clearly state that, before initiating any targeting operations, the joint controllers each need to assess whether a DPIA is necessary for the designated targeting operation (i.e. is the targeting "likely to result in a high risk"; see the EDPB's Guidelines on DPIA and determining the processing risks), and whether special categories of data (SCD) are being processed (see below for further information on where the Guidelines address SCD). If so, both are responsible for complying with the DPIA requirements, and each should have a "sufficient level of information on the processing to carry out the required DPIA".
- Advertisers and platforms need to identify the potential risks to the rights and freedoms of users and coordinate their respective responsibilities. For example, advertisers and platforms must ensure a "suitable mechanism" is in place to allow users access to their personal data in a "user-friendly manner". They must also designate a single point of contact for data subjects, which is referred to in a privacy policy and made directly accessible by a link, for example, on the advertiser's page on the platform or in links such as "Why am I seeing this ad?".
- Advertisers and platforms need to be transparent. The EDPB stresses the importance of ensuring that users are informed of how their personal data are processed, which should, in all cases, be concise, transparent, intelligible and easily accessible, using clear and plain language. The mere use of the word "advertising" is not enough to inform users that their activity is being monitored for the purpose of targeted advertising.
- Advertisers and platforms should consider whether special categories of data are involved. If an advertiser engages a platform to target users based on SCD, the platform and the advertiser are jointly responsible for processing such data. Further, the Guidelines state that assumptions or inferences regarding SCD in certain contexts will also be considered SCD. For example, a user's statement in relation to their political or religious associations is SCD (as was the case previously), and if assumptions or inferences as to a user's political or religious association are made (e.g. based on the user visiting a liberal/conservative page on social media), then that will also be considered SCD. The Guidelines also highlight that, although under the GDPR, special categories of personal data may be processed where data has been made manifestly public by the user, the threshold for relying on this exemption is rather high and requires a case-by-case assessment. It can be queried whether, other than in exceptional circumstances, this threshold is likely ever to be met.
What's next?
Following public consultation, the Guidelines were finalised and published on 13 April 2021. Whilst the Guidelines state that joint controllers must enter into an arrangement determining their respective responsibilities for compliance with GDPR, the allocation of these responsibilities may not be split equally between them (as considered in the Wirtschaftsakademie judgment). Therefore, the level of responsibility must be assessed taking into account the ability to influence the processing on a practical level, as well as the actual or constructive knowledge of each of the joint controllers.
Furthermore, it is important to specify at what stage of the processing and to what extent or degree advertisers and platforms are responsible for the processing. However, the allocation of responsibilities is not binding for supervisory authorities (in the UK, this is the Information Commissioner's Office, although it is important to note that as a result of Brexit, the ICO is not a member of the EDPB and GDPR no longer directly applies in the UK), as they may exercise their competences and powers in relation to either joint controller, as long as the joint controller in question is subject to the competence of that supervisory authority.
In light of this, stakeholders, and particularly platforms and advertisers, should review their existing and future arrangements in respect of any advertising undertaken by them (or on their behalf) in the context of these Guidelines. Specifically, stakeholders should consider any remediation to arrangements and/or processes in respect of determining and allocating joint controller responsibilities in the processing of personal data that are required to comply with the final version of the Guidelines and their obligations under the GDPR.