The European Data Protection Board (‘EDPB’) has drawn up two new guidelines. The first deals with the privacy role of parties, the second with targeting on social media.
Guidelines: a more detailed interpretation of the GDPR
Within the EDPB, all national EU data protection authorities work together to monitor compliance with the General Data Protection Regulation (‘GDPR’). The GDPR contains many open standards that may be interpreted differently in different countries. The EDPB regularly draws up guidelines explaining how certain rules should be worked out in practice. This way, the guidelines give a more detailed interpretation of the GDPR and are of great importance. Often a draft version is issued first, to which everyone is allowed to respond in a public consultation. After that a final version is determined. The new guidelines are still open for consultation until 19 October 2020.
Determining the role under privacy law: guidelines on ‘controller’ and ‘processor’
Most obligations under European privacy legislation do not rest on the data processor, but on the controller. It is therefore important to carefully determine the role of the different parties involved. In practice, it is often not clear whether a party qualifies as a controller or processor. See also this blog by Lora Mourcous (in Dutch).
In 2010, the predecessor of the EDPB (the Art. 29 Working Group) drew up guidelines on determining whether a party qualifies as a controller or a processor. Since the arrival of the GDPR, there have been many questions as to whether the role should be determined in a different way. The EDPB describes in the new guidelines how parties can determine for which services they qualify as a controller, processor or joint controller. The guidelines also contain an extensive explanation of the consequences of the different role(s).
Key points of the guidelines
First of all, the guidelines show that the role of processor or controller has not changed substantially since the arrival of the GDPR. Interestingly, the EDPB addresses the question of which elements a processor can decide on without itself qualifying as a controller (non-essential means). The EDPB also addresses the question of how the requirements from the GDPR should be elaborated in detail in a data processing agreement. Finally, the EDPB devotes a great deal of attention to the question of whether two cooperating parties can be regarded as joint controllers.
Advertising on social media: guidelines on targeting of social media users
As the possibilities to target users on social media have strongly increased, new guidelines have been drawn up on this subject as well. By means of the targeting services of social media platforms, parties can display targeted advertisements to (groups of) users of social media platforms. The more additional data a social media platform has, the better the advertisements can be tailored to (groups of) users.
Key points of the guidelines
The guidelines describe the roles and responsibilities of ‘social media providers’, ‘users’ and ‘targeters’. Targeters are those parties that use social media services to target their specific advertising messages to (groups of) users based on specific characteristics. The guidelines deal with (i) targeting based on information provided by users themselves (for example adding the date of birth to a LinkedIn profile), (ii) targeting based on ‘observed data’, i.e. data provided by the user as part of a service or device (for example based on GPS location, because a mobile application is used) and (iii) targeting based on derived data. These are, for example, data observed through web browsing and network connections.
The EDPB discusses the role of the parties and the legal grounds on which parties can base the processing of personal data. The responsible party (controller) must have a legal ground for each data processing activity. It is striking that the guidelines show that the social media platform and the targeter can often be qualified as ‘joint controllers’. Furthermore, it is noteworthy that the EDPB confirms that the relevant legal grounds in this situation are ‘consent’ and ‘legitimate interest’, since the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has previously expressed its opinion on legitimate interest as a basis for direct marketing purposes. According to the Dutch Data Protection Authority, purely commercial interests cannot qualify as a legitimate interest, and such processing should therefore be based on another legal ground.
Conclusion
Anyone can respond to these new guidelines, as the guidelines are not yet final. We will of course keep you informed about the developments around these guidelines. If you would like to respond or if you want to receive more information, we will be happy to help you.