With close to one billion active users on social media, platforms and businesses are constantly rolling out new features, upgrading their ad tools and creating new ways to engage with users, moving away from traditional marketing strategies. Those emerging practices are also extensively relying on data analyses to gain insights and enhance more targeted opportunities, therefore shifting platforms and businesses’ focus on revenue.

The evolution towards increasingly personalized marketing practices occurs in parallel with end-users’ awareness of data protection frameworks, which may lead to a rift between transparency expectations towards complex advertising solutions based not only on personal data provided by the users themselves, but also in conjunction with other data collected by social media providers or third parties. Recent headlines about the roles played by social media targeting on democratic decision-making and electoral processes reinforce such perceptions.

The European Data Protection Board (EDPB) published two sets of new guidelines on 2 September 2020, on the concepts of controller and processor (Guidelines 07/2020 – see our Alert here) and on the targeting of social media users (Guidelines 08/2020, the Guidelines). The latter identifies potential risks for the rights and freedoms of individuals, the main stakeholders, and their roles, in order to clarify the key data protection requirements between social media providers and targeters.

EDPB’s Analysis of Scope and Consequences of Targeting on the Rights of Data Subjects

In the Guidelines, the EDPB points out that targeting social media users may involve the use of personal data, beyond individuals’ reasonable expectations, amounting to several data protection risks. Where such risks would not be accounted for and mitigated, they would lead to breaches of applicable data protection principles, in particular where combining personal data from different sources, as well as profiling activities by social media platforms for targeting purposes, which may exceed the initial purposes of the collection of personal data. The prominence of the associated risks also relies on the lack of means provided to individuals to reasonably anticipate such practices and their related purposes, and to exercise control over their personal data. Without effective control, the ever-expanding use of personal data may possibly pave the way to discrimination, exclusion, manipulation, and influencing, in turn causing a chilling effect on freedom of expression by fostering self-censorship.

As such, the EDPB analyses several types of targeting mechanisms, based on:

• data actively provided by the user to the social media provider or the targeter;
• observed data (data obtained via observation by virtue of social plug-ins or other tracking technologies); and
• inferred data (data created by comparing the previous data set with existing models in order to predict or anticipate missing data).

Depending on the context of the data usage, the EDPB acknowledges that legitimate interests and consent would be the two main legal bases for all types of social targeting, and dismisses the legitimacy of a legal basis relying on a “contractual necessity”.

The Characterization of the Role of “Controllers”

Through its recent decisions (Wirtschaftsakademie – C‑210/16 and Fashion ID – C‑40/17), the Court of Justice of the European Union (CJEU) had already had the opportunity to detail the importance of identifying the interactions and the respective responsibilities of the various stakeholders involved in the chain of processing for targeting individuals, more often than not resolving in a characterization of joint-controllership relations under the EU’s General Data Protection Regulation 2016/679 (GDPR).

Continuing on that reflection, and also drawing on the companion Guidelines 07/2020 on the concept of controller and processor, the EDPB excludes the possibility for social media providers and targeters to be independent controllers (or “co-controllers”), instead considering them to be “joint controllers” and the ecosystem will need to adapt its terms and conditions accordingly.

Therefore, joint controllers should implement joint-controller agreements, addressing their respective obligations and responsibilities, all the while making the essence of this arrangement available to users. Moreover, prior to initiating the expected targeting operations, both joint controllers should check whether the processing operations would “likely result in a high risk” and determine whether the designated targeting could be subject to the requirement to conduct a data protection impact assessment (DPIA) to identify, address and mitigate such risks. However, the joint controllers remain free to decide that only one controller will carry out the DPIA as such (According to EDPB’s predecessor, the WP29, and its Guidelines WP248, the provider of the technology, regardless of its role, should be able to provide all required elements to its customers.) Such contractual arrangements should be specified in the joint-controllership agreement. Regardless of the wording of such agreement, all joint controllers will nevertheless remain jointly and severally liable toward the Supervisory Authorities and the data subjects alike.

Action Items for Social Media Providers and Targeters When Operating Personal Advertising Mechanisms

Social media providers and targeters alike will need to find ways to balance personalization of the advertising and privacy considerations, while empowering individuals with more control over their user experiences. While waiting for the revised and final Guidelines later this year, the following best practices should already be considered:

• Allowing users to make informed choices about how their data will or will not be used by providing them clear information on the processing operations;
• Enabling users to access, object/opt out, and exercise control over their personal data;
• Providing users clear and transparent information about the origin of the data (especially when aggregated from publicly accessible sources), shared (with whom) and for what purposes;
• Offering transparency proactively and managed, as the case may be, by adopting industry standards and codes of conduct (see our previous Alert here), as well as implementing Privacy by Design and Privacy by Default best practices users’ expectations;
• Minimizing data collection and refraining from extracting all public data available on third-party websites;
• Obtaining users prior consent for targeted advertising purposes, the general requirements for consent being hereby applicable, i.e., (i) freely given, (ii) by an affirmative act (iii) specific, (iv) informed, and (v) unambiguous (see our previous Alert on consent here)
• In case consent would not be required, making sure to have (documented) legitimate interests that could be the ground of data processing;
• Establishing joint-controllership agreements encompassing all the respective obligations and responsibilities, and ensuring to make their essence easily available to users; and
• Conducting a preliminary DPIA when required under Article 35 GDPR.

The European Data Protection Board welcomes comments on the Guidelines before 19 October 2020, via this form. K&L Gates remains available to assist you in achieving the compliance of your data transfers at global levels.

If you are interested in privacy and data protection, K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in the preparation of your comments to the EDPB or implementing the expected changes in the development of targeting mechanisms.

First publication: K&L Gates Hub, in collaboration with Natali Adison & Clara Schmit