Privacy & Information Security Law Blog

On September 7, 2020, the European Data Protection Board (the “EDPB”) published Guidelines on the Targeting of Social Media Users (the “Guidelines”). The Guidelines aim to provide practical guidance on the role and responsibilities of social media providers and those using targeting services, such as for targeted advertising, on social media platforms (“targeters”).

The EDPB explains that social media providers and targeters will be considered joint controllers when they effectively co-determine the means and purposes of a processing activity (i.e., the display of a specific ad via a targeting tool to a targeted audience). Conversely, the social media provider and the targeter will not be considered joint controllers for any processing operations taking place before the selection of the relevant targeting criteria or after the targeting and reporting is completed, or in which one of the controllers did not participate. In particular, the EDPB identified four specific scenarios, in which targeting is based on (1) data actively provided by the users to the social media provider or the targeter; (2) personal data provided by the user to the targeter; (3) data observed from the user’s use of a service or a product (“observed data”); or (4) data inferred from data provided by the users (“inferred data”). For each scenario, the EDPB explains the role of the parties and provides advice on the legal basis used to justify the processing for targeting purposes. The EDPB highlights in particular that:

• Both joint controllers must be able to demonstrate the existence of a legal basis justifying the processing of personal data. Consent or legitimate interest may be appropriate legal bases to justify a targeting activity if demonstrated by both parties. However, the EDPB emphasizes that legitimate interest would not be an appropriate legal basis for certain processing activities, such as intrusive profiling and tracking practices for marketing purposes, which would require collection of users’ consent. In addition, the EDPB stresses that the performance of a contract legal basis cannot be relied on when carrying out targeting activities.
• When processing involves social plug-ins, cookies or pixels, the social media provider and the targeter must comply with both the GDPR and the ePrivacy Directive, and as such must obtain users’ valid consent.
• The collection and use of inferred data typically involves profiling activities. As profiling typically constitutes an automated processing of data, in circumstances where the automated decision produces legal effects or significantly affects users, controllers may only rely on the user’s explicit consent, the necessity of the automated-decision making for entering into, or performance of, a contract, or authorization by EU or the controller’s Member State law.

In addition, the Guidelines provide information on the application of key data protection requirements and on the joint agreement social media providers and targeters must implement, including:

• Compliance with the transparency requirement: The EDPB states that the use of the word “advertising” alone is not sufficient to inform users that their behavior is monitored for targeted advertising purposes. As joint controllers, social media providers and targeters must agree on their respective responsibilities, including their duty to inform users of the processing, and should make the content of this agreement directly available to users by including a link on the social media platform and a reference in its privacy policy or on the targeter’s website or through link, such as “Why am I seeing this ad?” Joint controllers may agree that one of them will be responsible for providing information to users even though each party ultimately remains responsible for the processing activities under its control.
• Compliance with the right of access: To simplify the exercise of data subjects’ right of access, the social media provider and the targeter should designate a single point of contact for data subjects.
• Duty to carry out a Data Protection Impact Assessment (“DPIA”): Joint controllers are both responsible for assessing whether a DPIA is required. If so, the joint agreement should specify which one of the joint controllers is responsible for carrying out the DPIA as one of them may be better placed to assess the risks of the targeting activity.
• Processing of special categories of data: The social media provider and the targeter must determine whether the targeting activity involves the processing of special categories of personal data. If so, they must ensure that they can rely on one of the legal bases under Article 9 GDPR for the processing of such data for targeting purposes. The EDPB also distinguishes situations where processing involves special categories of data that are explicit, inferred, combined or made manifestly public and their legal implications.
• Adhering to a joint agreement and allocation of responsibilities: The social media provider and the targeter must conclude a joint agreement detailing the processing, allocating responsibilities between them and describing how the obligations that apply to both joint controllers will, in practice, be fulfilled. To establish this, the EDPB recommends taking into account the ability of each joint controller to influence the processing, and their actual or constructive knowledge, in order to determine their levels of responsibility. As the existence of joint controllership does not necessarily imply the equal responsibility of the joint controllers, the EDPB also highlights the importance of clarifying at what stage and to what degree each joint controller is responsible of the processing. Finally, the EDPB highlights that insofar as these joint agreements do not bind supervisory authorities, the competent supervisory authority may exercise its competence and powers in relation to either joint controller.

The EDPB is accepting comments on these Guidelines until October 19, 2020.