On 7 September 2020, the European Data Protection Board (“EDPB”) published its guidelines on targeting social media users (“Guidelines”).
The main takeaways are:
- joint control, between social media providers and the businesses that advertise through them (targeters), will apply extensively; and
- the available lawful bases for this type of targeting are consent and legitimate interests (depending on the circumstances of the processing): performance of contract is ruled out by the EDPB.
The Guidelines were open to public consultation until 19 October.
The Guidelines build on recent case law of the Court of Justice of the European Union (“CJEU”) and aim to clarify the roles and responsibilities of social media providers and targeters. The Guidelines:
- examine the potential risks of targeting to the rights and freedoms of individuals and the main actors in the targeting process;
- analyse the role of targeters and social media providers, as well as the applicable legal bases in the context of specific targeting mechanisms;
- summarise key data protection requirements (data protection impact assessments, transparency and right of access) and reflect on joint control arrangements between social media providers and targeters.
1. Risks to the rights and freedoms of individuals
The EDPB considers that targeting may pose significant risks to individuals; targeting could involve using data in ways that individuals do not reasonably anticipate, resulting in lack of control and lack of transparency. Combining the user’s data on the social media platform with data from various third-party sources is given as an example. Targeting which uses criteria related – directly or indirectly – to protected characteristics (such as race, health status or sexual orientation), for example, to target job offers, housing or credit, may reduce the visibility of opportunities to certain groups of individuals and lead to discrimination and exclusion.
Another risk identified by the EDPB is the possible manipulation of users, either in terms of influencing their purchasing decisions as consumers, or their political decisions as citizens. The EDPB considers that certain targeting could go so far as to undermine individual autonomy and freedom, for example when individualised messages are designed to exploit or accentuate certain vulnerabilities or concerns. When it comes to political discourse and democratic electoral processes, targeting can be used to unduly influence individuals, by providing messages tailored to particular interests and values of the target audience, which might even involve disinformation or polarising messages. In the same vein, targeting used to augment visibility of certain messages can impact on pluralism of public debate and access to information.
Use of data collected outside the social media platform (such as browsing data and offline data) in order to target users, can make individuals feel that they are systematically monitored and this can impact on their freedom of expression and access to information.
The above risks are particularly accentuated when the targeting is directed towards vulnerable categories of individuals, such as children: targeting can influence children’s preferences and interests, and ultimately affect their autonomy and development.
Another risk factor is the increasing concentration in the social media market: this can result in the concentration of large and diverse datasets that can be used for more advanced targeting, and can thus have an effect from both a data protection and a competition law perspective.
2. Actors and roles
The main actors in the social media targeting context are: users, social media providers, targeters, other adtech actors and data brokers. The Guidelines focus on social media providers and targeters only; they do not cover other parties (such as ad-tech companies), and the EDPB mentions only in passing that analogous considerations may apply depending on their role.
Users are the individuals who have an account or profile on a social media platform. Whether users use their real name in their account is not relevant, as targeting mainly relies on other identifiers or on interests and behaviours. The EDPB recognises that social media may also be available (with limited functionality) to non-registered individuals, who will also be considered data subjects as long as they are identifiable.
Social media providers offer online platforms that enable creating networks and communities of users, among which information and content is shared. This covers not only “traditional” social media platforms, but also includes data sharing platforms, video sharing platforms or computer games which allow playing with other users, exchanging information or sharing experiences within the game. Social media providers have the opportunity to gather large amounts of data within their platform about individuals’ behaviour and interactions and get insights into individuals’ socio-demographic characteristics, interests and preferences; they also increasingly enrich that data with data from other online and offline sources.
Targeters are individuals or businesses that use social media services to direct their specific messages at a group of social media users selected on the basis of specific parameters or criteria. Brands, political parties, charities and non-profit organisations that use social media to show targeted messages to a specific audience based on perceived characteristics, interests or preferences are covered by the term “targeters” under the Guidelines.
In examining the role and responsibilities of social media providers and targeters, the EDPB relies heavily on recent CJEU case law:
- In Wirtschaftsakademie, a company administering a Facebook “fan page” was regarded as taking part in the determination of the purposes and means of the processing carried out by Facebook through the use of cookies, by setting the parameters for the purpose of producing statistics based on visits to the fan page. On this basis, the administrator was categorised as a joint controller together with Facebook, even though it only received anonymous statistics from Facebook. However, the Court clarified that the existence of joint responsibility does not necessarily amount to equal responsibility of the parties; the level of responsibility must be assessed having regard to all relevant circumstances. The EDPB reiterates this point in the Guidelines.
- In Fashion ID, a website operator was considered a joint controller when embedding a Facebook social plugin on its website which allowed the collection of personal data by Facebook. The Court identified that joint control was limited to those operations in respect of which the website could actually determine the purposes and means, i.e. the collection and transmission by disclosure of website visitors’ data to Facebook. By contrast, the Court found that the website operator was not in a position to determine the purposes and means of subsequent operations carried out by Facebook.
- In Jehovah Witnesses, the Court clarified that actual access to data is not a pre-condition for being a controller.
3. Targeting mechanisms
The EDPB describes different targeting mechanisms, depending on whether the targeting is based on provided, observed or inferred data and examines the roles of the parties and the relevant legal bases in different scenarios.
Following CJEU case law, the EDPB finds that in the scenarios it examines both social media providers and targeters participate in determining the purposes and means of processing; therefore, it treats their relationship as joint controllership. From the EDPB’s analysis, it appears that joint controllership will be the rule and that it will be difficult for targeters and social media platforms to deviate from this.
When joint control applies, both parties must be able to demonstrate the existence of a legal basis. Unsurprisingly, the EDPB takes the view that the legal bases likely to apply (depending on the circumstances) in the targeting context are consent (Art. 6(1)(a) GDPR) and legitimate interests (Art. 6(1)(f) GDPR). The Guidelines state that contractual necessity would not apply in social media targeting scenarios.
The EDPB reiterates the conditions for legitimate interests to apply: (i) the existence of a legitimate interest pursued by the controller or a third party, (ii) necessity (and considering whether less invasive means are available), and (iii) proportionality (assessing whether the legitimate interest is overridden by the individual’s fundamental rights and freedoms). This balancing exercise should consider the purposes of targeting, the level of detail of the targeting criteria, the type and combination of the targeting criteria and the sensitivity, volume and source of data used to develop the targeting criteria. In addition, individuals should be given the opportunity to object, before the processing is initiated: this should include the possibility to object to targeting advertising when accessing the platform, but also controls to ensure that users’ data is not processed for targeting after they have objected.
Consent is a more appropriate legal basis when it comes to more intrusive profiling and tracking for advertising purposes, for example, tracking across multiple websites, locations, devices, services or data brokering. The EDPB reiterates the high standard for valid consent under the GDPR and points out that even if consent is obtained, this would not legitimise any targeting that is disproportionate or unfair.
The EDPB points out that consent needs to be obtained prior to the processing and explains that the question of which of the joint controllers will be in charge of collecting consent comes down to determining which of them is involved first with the data subject. Where multiple joint controllers wish to rely on consent, all of them need to be named. If, for example, a social media provider seeks consent for using social media plugins and the joint controller is not known at the point of collecting consent, this will need to be complemented by further information and consent collected by the website operator acting as joint controller.
The EDPB emphasises that the collection of consent by a website operator does not negate or diminish the obligation of the social media provider to ensure that the individual has provided valid consent for the joint activity as well as for any subsequent or further processing which the website operator does not control.
- Targeting based on data provided to the social media provider: this covers information actively provided by the individual to the social media provider, for example, when creating their social media profile. Such data can be used by social media providers to develop criteria and create targeted audiences.
- Targeting based on data provided to the targeter: the EDPB examines here the standard custom audience scenario (“list-based” targeting), where the targeter uploads a list of email addresses, phone numbers (or other identifiable information) of its customers or prospects for the social media provider to match against the information on the platform and target (or exclude from targeting) the matched audience.
- Targeting based on observed data: this is information provided by the individual by virtue of using a service or device, for example the individual’s activity on the social media platform (such as the content they share or like), their use of devices, data collected through other websites which have embedded social plugins or pixels, etc.
Example (pixel-based targeting): an online retailer places a pixel on its website so it can re-target, on social media, website visitors who have not made a purchase.
Role: the retailer and the social media provider are joint controllers in respect of the collection of personal data and its transmission through the pixel to the social media provider, in addition to the matching and subsequent display of advertising, and ad reporting.
According to the EDPB, reflecting the CJEU’s judgment in Fashion ID, “by embedding the pixel into its website, [the retailer] exerts a decisive influence over the means of processing”.
Legal basis: because the use of pixels is subject to cookie rules, consent will be required under the ePrivacy Directive.
Consent is also likely to be the appropriate legal basis for the subsequent processing of personal data collected through the pixels.
- Targeting based on inferred data: “Inferred” or “derived” data is created on the basis of provided or observed data. For example, a social media provider may infer that a person has a specific interest based on their browsing behaviour and their activity on the social media platform.
Example (social media “likes”): a museum with an upcoming exhibition of impressionists’ paintings wants to advertise the exhibition on social media. It targets social media users who “like” posts of impressionist paintings and events, and also uses criteria such as age, gender and place of residency.
Role: joint controllership exists between the museum and the social media provider for the targeted advertising: this includes the collection of the data via the “like” button on the social media network, the analysis undertaken by the social media network to offer the targeted advertising within the parameters specified by the museum, and the display of the advertisement.
Legal basis: targeting on the basis of inferred data typically involves profiling. The EDPB considers that cookie rules will apply here (insofar as the ad display requires a read/write operation to match the user’s “likes” to information previously held by the social media provider about that user).
4. Other data protection considerations
Transparency: social media providers and targeters need to provide clear and meaningful information to individuals: a mere reference to “advertising” would not be sufficient to explain that individuals’ activity is monitored for targeted advertising purposes. Individuals need to be informed of the processing activities, whether a profile is built based on their online behaviour, and the types of data used for such a profile.
Joint controllers may agree that one of them is tasked with providing all relevant information to individuals (with the assistance of the other joint controller so as to ensure the information is complete), especially where one of them interacts with the individuals prior to the processing.
The EDPB clarifies that controllers are not directly responsible for providing information on further processing which does not fall under the scope of the joint controllership: it is the responsibility of the controller who exercises the further processing to provide information as well as to ensure the compatibility of such further processing – even if the parties agree that one of them provides this information on behalf of the other.
Right of access: individuals must be able to easily exercise data subject rights, including their right of access. The EDPB suggests that controllers implement a mechanism for individuals to check their profile, including the sources used to develop it, the identity of the targeter, the targeting criteria used and all other information set out in Art. 15 GDPR, including the recipients or categories of recipients of their personal data. The EDPB considers that remote access to a secure system through which the individual can access their data is the most “appropriate measure” to satisfy the right of access. The social media provider and the targeter may designate a single point of contact for individuals, but this does not preclude individuals from exercising their rights in respect of and against each of them. Hence, both need to ensure that a suitable mechanism is in place for individuals to get access to their data in a user-friendly manner.
DPIA: the Guidelines remind social media providers and targeters that they need to assess whether a Data Protection Impact Assessment (DPIA) is required, taking into account the criteria set out in the EDPB’s guidelines on DPIAs as well as the DPIA lists issued by national supervisory authorities. The EDPB points out that the risks to individuals, and therefore the need to carry out a DPIA, depend on the nature of the product or service advertised, the content of the message or the way the advert is delivered (e.g. targeting of vulnerable individuals), the purposes of the advertising campaign and its intrusiveness, as well as whether the targeting involves processing of observed, inferred or derived data.
Both controllers are responsible for assessing whether a DPIA is required and, if so, for carrying one out. The DPIA should cover the entire processing carried out by both controllers; however, the joint controllers may agree for one of them to be tasked with completing the DPIA. For example, this could be the party with the higher degree of control and knowledge of the targeting process, in particular the back-end of the deployed system, or the means of processing.
Special category data
If special categories of personal data are processed in the context of targeting, then, along with a legal basis under Art. 6 GDPR, a condition under Art. 9(2) GDPR also needs to be established: the most relevant conditions in this context are (i) explicit consent and (ii) data manifestly made public by the data subject.
Data manifestly made public by the data subject: the EDPB clarifies that there is a high threshold for this condition to apply. A case-by-case assessment will be needed, taking into account the following criteria:
- The default settings of the social media platform (whether the user took action to change these settings from private to public);
- The nature of the social media platform;
- The accessibility of the page where the sensitive data is published (incl. whether an account is required to access this information);
- How visible it is to the user that the information will be public;
- Whether the user has themselves published the sensitive data or this information is published by a third party (e.g. a user’s friend) or is inferred.
Controllers need to consider a combination of these or other elements to demonstrate that the data subject has clearly manifested the intention to make the data public.
The EDPB distinguishes between explicit and inferred/combined special categories of personal data. Assumptions or inferences regarding special category data would also constitute special category data. If the social media platform or the targeter categorise users as having certain religious, philosophical or political beliefs based on observed data, then this categorisation will constitute special category data, even if it is inaccurate.
Joint controllership and responsibility
Joint control arrangement: the GDPR requires joint controllers to determine their respective data protection responsibilities in an arrangement. The EDPB clarifies that the joint control arrangement between targeters and social media providers should encompass all joint activities, and each party should provide to the other sufficient information to allow it to comply with its GDPR obligations. The EDPB further suggests that the joint arrangement should reflect the purposes of processing and the corresponding legal basis: although the parties are not legally required to use the same legal basis, the EDPB recommends doing so, to allow individuals to easily exercise their rights. Finally, the parties need to include specific information in their arrangement on how they will fulfil their GDPR obligations in practice: failing to do so would be in breach of the accountability principle.
Level of responsibility: the EDPB observes that the targeting may be subject to “take it or leave it” joint control arrangements; however, this cannot serve to exempt either party from its GDPR obligations and both parties are bound to ensure that the allocation of responsibilities in the arrangement duly reflects their respective roles and relationships vis-à-vis the data subjects.
The EDPB further points out that the degree of the responsibility of the targeter and the social media provider in relation to specific obligations may vary. Quoting the Wirtschaftsakademie case, the EDPB notes that joint responsibility does not necessarily imply equal responsibility of the parties; their level of responsibility must be assessed on their actual role in the processing, including their ability to influence the processing on a practical level and the actual or constructive knowledge of each joint controller. Ultimately, supervisory authorities may exercise their powers in relation to either joint controller, as long as such joint controller is subject to the authority’s competence.
For further analysis on the concept of joint controller, see our article on the EDPB’s guidelines on the concept of controller and processor.
Guidelines 8/2020 on the targeting of social media users, Version 1.0, adopted on 2 September 2020.
C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (“Wirtschaftsakademie”); C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (“Fashion ID”); C-25/17 Jehovan todistajat (“Jehovah Witnesses”).