On September 7, 2020, the European Data Protection Board (EDPB) published its guidelines on the targeting of social media users (the Guidelines). This is one of a number of moves by regulators and legislators to contain the perceived risks caused by the use, especially by big tech, of information on individuals’ online behavior to generate personal profiles for advertising purposes.
The Guidelines build on recent case law of the Court of Justice of the European Union (CJEU). The EDPB aims to clarify the roles and responsibilities of social media providers and targeters, while considering the legal parameters for protecting online users.
The Guidelines explain how targeting may expose individuals to significant risks. The targeting of social media users may involve uses of personal data that go beyond individuals’ reasonable expectations. This can result in a lack of control and transparency. Targeting can even influence the behavior and choices of individuals. The Guidelines touch on how targeting can have a “chilling effect” on freedom of expression, including access to information.
The main actors in the social media targeting context are users, social media providers, targeters, other adtech actors and data brokers. The Guidelines focus on social media providers and targeters. The importance of correctly identifying the roles and responsibilities of the various actors has been highlighted in recent CJEU judgements.
Following CJEU case law, the EDPB will consider social media providers and targeters when determining the purposes and means of processing. The EDPB clarifies that it will treat their relationship as joint controllership when they decide what ad to display to which person (but possibly as independent controllership before or after that point). As part of this joint controllership, both the social media providers and targeters must be able to demonstrate the existence of a legal basis for their use of personal data.
The EDPB takes the view that the legal bases that would be likely to apply in the targeting context are:
- consent (Art. 6 (1) (a) GDPR); and
- legitimate interests (Art. 6 (1) (f) GDPR).
The EDPB notes that consent is the most suitable legal basis when it comes to tracking or more intrusive profiling for advertising purposes. Valid consent involves meeting the high standard of the GDPR. This requires a clear explanation to the user of why they might be seeing an ad – a mere reference to advertising is not enough. And, even if consent is obtained, this would not legitimize any targeting that is disproportionate or unfair. Valid consent must be obtained prior to the processing, which implies that joint controllers need to assess when and how information should be provided and consent should be obtained.
The Guidelines also tackle the application of key data protection requirements, such as transparency and right of access; Data Protection Impact Assessments; special categories of data; and the level of responsibility which is maintained throughout joint controllership arrangements.
33 comments were submitted by the close of the consultation period in October 2020. We are now waiting for the EDPB to adopt the final version of the Guidelines.