On September 7, 2020, the European Data Protection Board (‘EDPB’) published its draft guidelines on targeting of social media users (the ‘Guidelines’). The EDPB is accepting feedback from stakeholders on the Guidelines until October 19, 2020.
The Guidelines not only provide guidance on the obligations of social media providers (‘Providers’) under the EU General Data Protection Regulation (‘GDPR’), but also emphasize that ‘Targeters’ (those that ‘use social media services in order to direct specific messages at a set of social media users […]’) will in many circumstances be joint controllers with Providers. Joint controllership entails a number of obligations under the GDPR.
Amongst other things, the Guidelines:
- Set out the risks which should be considered by Providers, Targeters and others when processing personal data for the purposes of targeting social media users.
- Clarify the respective roles and responsibilities of Providers and Targeters, who may be joint controllers in relation to certain processing activities but separate controllers acting independently with respect to other processing activities. In doing so, the Guidelines draw on two decisions of the Court of Justice of the European Union: (i) Wirtschaftsakademie, in which the Court held that the administrator of a so-called ‘fan page’ on Facebook must be regarded as a joint controller with Facebook; and (ii) Fashion ID, in which the Court held that a website operator can be a controller when it embeds a Facebook social plugin on its website.
- Provide specific examples of the particular roles which Providers and Targeters may play, and the legal bases on which they may rely, when targeting users on the basis of (i) data provided by the user (whether to the Provider or to the Targeter); (ii) data generated from observations about user behavior; and (iii) ‘inferred’ data. In this section, the Guidelines focus in particular on how Providers and Targeters can comply with the lawfulness and purpose limitation requirements of the GDPR.
- Provide guidance on when personal data may constitute a ‘special category of personal data’. In particular, the Guidelines note that making assumptions or inferences about special category data (for instance, that a person is likely to vote for a certain party after visiting a page promoting liberal opinions) itself constitutes processing of a special category of personal data. This is true regardless of whether the inference ultimately turns out to be correct.
- Contain sections on how Providers and Targeters can meet their obligations under Article 26 GDPR when they act as joint controllers. Amongst other things, Article 26 GDPR requires joint controllers to have an arrangement in place to ‘in a transparent manner determine their respective responsibilities for compliance’ with the GDPR. In particular, the Guidelines note that the joint arrangement ‘must contain specific information about how the obligations under the GDPR shall be fulfilled in practice’, and that ‘the purpose of the processing and the corresponding legal basis should be also reflected in the joint arrangement’.
- Detail how the levels of responsibility may differ as between Providers and Targeters. In a section which may resonate with many companies, the EDPB acknowledges that Providers may offer ‘take it or leave it’ terms and conditions; however, the EDPB considers that such a situation ‘does not negate the joint responsibility’. Nevertheless, the Guidelines concede that the degree of responsibility of the Targeter and of the Provider in relation to specific obligations may vary.