The European Data Protection Board (“EDPB“) has adopted two new guidelines, one on targeting of social media users and the other on the concept of controllers and processors in the General Data Protection Regulation (“GDPR“). Both guidelines are open for public consultation until 19 October 2020.
Guidelines on the Concepts of Controllers and Processors in the GPDR:
These guidelines aim to clarify the concepts of processors and controllers, including joint controllers, and other third parties. The guidelines replace the previous opinion of Working Party 29 on these concepts (WP169).
As clarified in the guidelines, the concepts of controllers, joint controller and processors are functional in their nature and crucial to the application of the GDPR. The classification of an entity as any of the above determines its scope of responsibility for compliance with various data protection rules.
Per the general observation of the EPDB, the concepts of controller and processors in the GDPR have not changed compared to the Directive 95/45/EC (replaced by the GDPR in 2018). The goal of the guidelines is increase the certainty and consistency of the interpretation of these concepts through the European Economic Area. The EPDB emphasizes that the concepts are autonomous in their nature, in the sense that the source of their interpretation should be the European data protection law. Therefore, the concepts should not be prejudiced by other overlapping fields of law.
The new guidelines provide various helpful examples and scenarios in order to practically illustrate the concepts.
The guidelines also elaborate on the relationship among joint controllers. In this regard, the EPDB recommends that the arrangement between the controllers will be made in the form of a binding contract. The arrangement should clearly determine the respective responsibility of each party with respect to the obligations as set out in the GDPR and in the guidelines. Under certain circumstances, for example in various cases of targeting of social media users, the joint controller would need to conduct a data protection impact assessment (“DPIA“).
The new guidelines (as well as the guidelines further discussed below) elaborate on the importance of transparency and user control in a joint controllership. A further expression of the transparency principle is the joint controllers’ obligation to make available the essence of their arrangement to the data subjects. Although both controllers are subject to this duty, they can mutually agree that only one of them shall be tasked with providing the initial information, especially in cases when only one of them interacts with the users prior to processing. The guidelines also highlight that data subjects are not bound by the terms of the arrangement and may exercise their right under the GDPR against each of the controllers.
Guidelines on Targeting of Social Media Users:
The new guidelines on targeting of social media analyses the various actors which are involved in targeting, which are divided to four categories: social media providers, social media users, targeters and other actors, such as data brokers and ad exchanges, which may be involved in the targeting process.
The main purpose of the guidelines is to clarify the roles and responsibilities of the social media providers and the targeters. In many cases both parties would be defined as joint controllers. The importance of correctly identifying these roles and responsibilities has been emphasized in judgements of the European Union’s Court of Justice, for example in the case of Fashion ID.
Three different mechanisms of targeting are addressed by the guidelines. The first is targeting on the basis of data provided by the user. The second mechanism is targeting based on the basis of observed data, which includes data that is provided by the user through the use of a service or device, or data that is collected by third parties. This category includes the use of technical measures such as pixels. The third mechanism is targeting based on inferred data. Profiling is typically involved in this mechanism, and assessment of automated decision making must be conducted to define whether it leads to legal or similarly significant effects.
The guidelines highlight several data protection risks related to targeting of social media users. Such activity could contradict certain data protection principles and rules. For example, when a social media combines personal data that was provided by the user with data from other sources, it might be used beyond its initial purpose and therefore may also exceed the data subjects’ reasonable expectations. Targeting of social media users could also have discriminatory effects, for example in relation to the data subject’s racial or ethnic origin.
Prior to initiating the targeting operation, both joint controllers should determine if the designated targeting matches the types of operations that are subject to the requirements to conduct a DPIA. The parties should consider whether special categories of data are involved, while taking into consideration that that profiling may create special categories of data by inference from data which isn’t a special category on its own. The guideline also highlights that although under the GDPR special categories may be processed where data have been made manifestly public by the user, the threshold for relying on this exemption would be high.