On April 13, 2021, at the 48th plenary meeting of the EDPB, the “Guidelines for Social Media Users” were adopted, clarifying the relevant requirements for the protection of personal user data on social media platforms.
The past decade has seen a rapid rise in social media on the web. More and more people are using social media to keep in touch with family and friends. In this guide, social media is understood as an online platform capable of building a community of web users, where information and content are shared. The main feature of social media is the ability for individuals to register, create “accounts” or generate “personal data” for themselves, communicate with each other by sharing user-generated or other content, and connect with other users.
As part of their business model, many social media providers offer targeting services. Targeting services enable natural or legal persons to communicate specific information to social media users in order to facilitate the acquisition of commercial, political or other interests. The distinguishing feature of providing targeting services is the perceived fit between the individual or group being targeted and the message being conveyed, the better the fit, the higher the acceptance rate (conversion rate) and therefore the more effective the targeting campaign (return on investment).
Combining and analysing data from different sources, coupled with the potential sensitivity of personal data processed in social media, poses risks to the fundamental rights and freedoms of individuals. From a data protection perspective, many risks arise from a lack of transparency and a lack of user control.
2. Scope of application
Social media services may involve different subjects, which for the purpose of this guide should be grouped into four categories: social media service providers, users, target groups and other actors who may be involved in the targeting process.
The main purpose of this guide is to clarify the roles and responsibilities between social media service providers and target groups. In order to do this, the guidelines also point out the potential risks to individual rights and freedoms, the main subjects and their roles, and explain the relevant requirements for personal data protection (such as legality and transparency, data protection impact assessment DPIA, etc.) , and key elements of correlation between social media providers and targets.
3. Risks posed by the processing of personal data to the rights and freedoms of users
The GDPR emphasizes that any risks to the rights and freedoms of individuals arising from the processing of personal data must be properly assessed and mitigated. The mechanisms that can be used to target social media users and the basic data processing activities that can target them can pose significant risks to individuals. The EDPB considers it necessary to identify certain types of risks in this guidance and provides some detailed examples of these risks. details as follows:
First, for social media users, it may involve the use of personal data that violates or exceeds the reasonable expectations of individuals, thereby violating data protection principles and rules.
Second, concerning the potential for discrimination and exclusion, tags identified against social media users may directly or indirectly relate to, and have discriminatory effects on, an individual’s race or ethnicity, health status, sexual orientation, or other protected characteristics of the individual concerned.
Third, because the use of personal data is in some cases used to influence the behavior and choices of individuals, it also involves potential manipulation of users, whether to influence consumers’ purchasing decisions or to influence citizens’ political decisions. Potential manipulation is there.
Fourth, there is a risk of surveillance, and the personal data collected by social media service providers is not limited to individuals’ interactions on social media platforms, but may also relate to individuals’ browsing behavior or other activities outside of social media platforms. information, through which social media users are targeted, there is a risk of systematic monitoring of individual behavior.
Fifth, in the case of vulnerable groups such as children, the potential adverse effects of targeting may be much greater. Targeting affects the formation of children’s personal preferences and interests, ultimately affecting their autonomy and developmental rights.
4. Restrictions on Target Objects
“User” generally refers to an individual who is registered with the Service, i.e. an individual who has an “Account” or “Profile”. However many social media services can also be accessed by unregistered individuals. Even in the absence of a real-name policy, it is still possible to lock out the user in question, as most types of lockout do not rely on usernames, but on other types of personal data.
Social media service providers have the opportunity to collect vast amounts of personal data related to the behavior and interactions of users and unregistered users, which enables them to gain insight into users’ social characteristics, interests and preferences. This guide uses the term “target audience” to refer to natural or legal persons who use social media services. Service providers can send specific messages to a group of social media users based on specific parameters or criteria. Target users can use targeting mechanisms provided by social media providers directly, or they can use the services of other providers such as data brokers and data management providers are also relevant actors that play an important role in targeting social media users.
V. Analysis of Different Targeting Mechanisms
Targeting mechanisms refer to targeting based on data provided, including data provided by users to social media providers, data provided by users of social media platforms to target parties, and targeting based on observed data. Data service providers build targeting mechanisms based on inferences from these data.
First, lock down individuals based on the data provided. “Provided data” means information that the data subject proactively provides to the social media provider and/or target party.
Second, targeting based on observed data. Service providers can also target social media users based on observed data. Observed data is data generated by the data subject through the use of the service or device.
Third, target localization based on inferred data. “Inferred data” or “derived data” is created by the data controller based on data provided by the data subject or observed by the controller.
6. Transparency and Access
Article 5(1)(a) GDPR states that personal data relating to data subjects shall be processed lawfully, fairly and transparently. Article 5(1)(b) GDPR also stipulates that personal data shall be collected for specific, explicit and lawful purposes. Articles 12, 13, 14 of the GDPR contain specific provisions on the data controller’s transparency obligations.
The EDPB cautions that using the word “advertising” alone is not enough to inform users that their activity is being monitored by targeted advertising. Data service providers’ rules should be transparent to individuals about what types of processing activities take place. If social platforms create profiles based on the online behavior of target users on the platform or on the website, respectively, they should inform data subjects in understandable language, provide users with information on the types of personal data collected for the establishment of such profiles, and ultimately obtain Target users agree to target and send advertisements. Social platforms should provide relevant information to users interactively directly on the screen and through layered notifications when appropriate or necessary.
7. Data Protection Impact Assessment (DPIA)
In some cases, the nature of the advertised product or service, the content of the information or the way the advertisement is delivered may have an impact on the individual and require further evaluation. This may be the case, for example, for products aimed at vulnerable populations. Depending on the purpose of the advertising campaign and its intrusiveness, or if additional risks may arise if the processing of observed, inferred or derived personal data is involved, DPIA should be undertaken.
In addition to the obligations specifically mentioned in Article 26(1) GDPR, joint data controllers should define their respective obligations precisely when determining their respective obligations.
8. Special categories of data
The GDPR provides enhanced protection for particularly sensitive personal data involving fundamental rights and freedoms of individuals. Article 9 of the GDPR defines such data as special categories of personal data, including data about an individual’s health, racial or ethnic origin, biometrics, religious or philosophical beliefs, political opinions, trade union membership, sex life or sexual orientation.
In the context of targeting services provided by social media, it is necessary to determine whether the processing of personal data involves “special categories of data” and whether these are processed by the social media service provider, the target party or both. In the case of processing special categories of personal data, it must be determined whether and under what conditions the social media service provider and target party can lawfully process such data. If the social media provider processes special categories of data for targeting purposes, the legal basis for the processing must be found in Article 6 GDPR and can be exempted under Article 9(2) GDPR. Section 9(2)(e) allows special categories of data to be processed where the data subject has clearly made the data public, and the word “obvious” means that there must be a high threshold for reliance on this exemption.
In practice, controllers may need to consider the following factors to demonstrate that the data subject has clearly demonstrated the intention to disclose:
● default settings for social media platforms;
● the nature of the social media platform;
● the accessibility of pages that publish sensitive data;
● visibility of information, where data subjects are informed of the public nature of the information they publish;
● Whether the data subject has published their own sensitive data, or whether the data has been published or inferred by a third party.
9. Joint Data Controllers and Responsibilities
Article 26(1) GDPR requires joint data controllers to determine in a transparent manner their respective responsibilities for compliance with the GDPR in the agreement, including the transparency requirements described above. In order to develop a comprehensive arrangement, both the social media provider and the target party must know and have detailed information about the specific data processing operations that are taking place.
The EDPB observed that targets wishing to use targeting tools offered by social media providers may be required to adhere to pre-determined arrangements, with no possibility of negotiation or modification. This circumstance does not negate the shared responsibility of the social media provider and the target party, nor does it relieve either party of their obligations under the GDPR. The parties under the mutual agreement are also obliged to ensure that the assignment of responsibilities appropriately reflects their respective roles and relationships with respect to data subjects in a practical, truthful and transparent manner.