Documents adopted by the EDPB in April 2021
By Mugurel Olariu, RPD protectie date
At its 48th plenary session, held on 13 April, the European Specialized Body (EDPB) adopted the following documents*1:
· Opinion 14/2021 on the draft implementing decision in accordance with Regulation (EU) 2016/679 (GDPR) on the adequate protection of personal data in the United Kingdom.
· Opinion 15/2021 on the draft implementing decision in accordance with Directive (EU) 2016/680 (LED) on the adequate protection of personal data in the United Kingdom.
· Guidelines 3/2021 on the application of Article 65 (1) (a) GDPR.
· Guidelines 8/2020 on targeting social media users version 2.0 (after public consultation).
· Statement 4/2021 on international agreements, including transfers.
The first two opinions, no. 14/2021 and 15/2021, concern the general framework for cooperation on data protection for EU Member States in their bilateral relationship with the United Kingdom, which is regulated by the Implementing Decisions of the European Commission. The two opinions cover both civil matters, regulated by the GDPR, and the specialized field of law enforcement: the processing of personal data by the competent authorities for the purposes of preventing, investigating, detecting or prosecuting crimes, or executing penalties, as well as the free movement of such data, regulated by Directive (EU) 2016/680.
Through Guidelines 3/2021, the European Board regulates procedural and content issues relating to the mechanism that ensures consistent application of the GDPR by the national supervisory authorities, namely the settlement by the Board, through a binding decision, of disputes between the lead and concerned national supervisory authorities.
Guidelines 8/2020 on targeting social media users were adopted in version 2.0 by the European Board, after public consultation. Below, we present some important issues addressed in the guidelines for controllers operating in the online area:
A significant development in the online environment over the past decade has been the rise of social media. More and more individuals use social media to stay in touch with family and friends, to engage in professional networking or to connect around shared interests and ideas.
For the purposes of these guidelines, social media are understood as online platforms that enable the development of networks and communities of users, among which information and content is shared. Additional functions provided by social media may include, for example, personalization, application integration, social plug-ins, user authentication, analytics and publishing. Social media functions may be a standalone offering of controllers or they may be integrated as part of a wider service offering.
Key characteristics of social media include the ability for individuals to register in order to create “accounts” or “profiles” for themselves, to interact with one another by sharing user-generated or other content and to develop connections and networks with other users. In addition to “traditional” social media platforms, other examples of social media include: dating platforms where registered users present themselves to find partners they can date in real life; platforms where registered users can upload their own videos, comment on and link to others’ videos; or computer games where registered users may play together in groups, exchange information or share their experiences and successes within the game.
As part of their business model, many social media providers offer targeting services. Targeting services make it possible for natural or legal persons (“targeters”) to communicate specific messages to the users of social media in order to advance commercial, political, or other interests. Targeting has been defined as “the act of directing or aiming something at a particular group of people” and “the act of attempting to appeal to a person or group or to influence them in some way”. A distinguishing characteristic of targeting is the perceived fit between the person or group being targeted and the message that is being delivered. The underlying assumption is that the better the fit, the higher the reception rate (conversion) and thus the more effective the targeting campaign (return on investment).
Mechanisms to target social media users have increased in sophistication over time. Organisations now have the ability to target individuals on the basis of a wide range of criteria. Such criteria may have been developed on the basis of personal data which users have actively provided or shared, such as their relationship status. Increasingly, however, targeting criteria are also developed on the basis of personal data which has been observed or inferred, either by the social media provider or by third parties, and collected (aggregated) by the platform or by other actors (e.g. data brokers) to support ad-targeting options. In other words, the targeting of social media users involves not just the act of “selecting” the individuals or groups of individuals that are the intended recipients of a particular message (the ‘target audience’), but rather it involves an entire process carried out by a set of stakeholders which results in the delivery of specific messages to individuals with social media accounts. The messages delivered typically consist of images and text, but may also involve video and/or audio formats.
The combination and analysis of data originating from different sources, together with the potentially sensitive nature of personal data processed in the context of social media, creates risks to the fundamental rights and freedoms of individuals. Personal data processed in the context of social media may constitute ‘special categories of personal data’ pursuant to Article 9 GDPR, relate to vulnerable individuals, or otherwise be of a highly personal nature (see also Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248 rev. 01, p. 9). From a data protection perspective, many risks relate to the possible lack of transparency and user control. For the individuals concerned, the underlying processing of personal data which results in the delivery of a targeted message is often opaque. Moreover, it may involve unanticipated or undesired uses of personal data, which raise questions not only concerning data protection law, but also in relation to other fundamental rights and freedoms. Recently, social media targeting has gained increased public interest and regulatory scrutiny in the context of democratic decision making and electoral processes.*2
The Committee also states at the end of the guidelines: When it comes to assessing the level of responsibility of social media provider, the EDPB observes that several targeting mechanisms rely on profiling and/or other processing activities previously undertaken by the social media provider. It is the social media provider who decides to process personal data of its users in such a manner to develop the targeting criteria which it makes available to targeters. In order to do so, the social media provider has independently made certain decisions regarding the processing, such as which categories of data shall be processed, which targeting criteria shall be offered and who shall have access (to what types of) personal data that is processed in the context of a particular targeting campaign. Such processing activities must also comply with the GDPR, prior to the offering of any targeting services.
The examples mentioned in the preceding paragraphs indicate the importance of clearly allocating responsibilities in the joint controller arrangement between social media providers and targeters. Even though the terms of the arrangement should in any case mirror the level of responsibility of each actor, a comprehensive arrangement which duly reflects the role and capabilities of each party is necessary not only to comply with Article 26 of the GDPR, but also for complying with other rules and principles of the GDPR.
Finally, the EDPB notes that insofar as the terms of the joint arrangement between the social media provider and the targeter do not bind supervisory authorities, supervisory authorities may exercise their competences and powers in relation to either joint controller, as long as the joint controller in question is subject to the competence of that supervisory authority.*3
By Statement 4/2021, the EDPB invites EU Member States to assess and, where necessary, review their international agreements that involve international transfers of personal data, such as those relating to taxation (e.g. to the automatic exchange of personal data for tax purposes), social security, mutual legal assistance, police cooperation, etc. which were concluded prior to 24 May 2016 (for the agreements relevant to the GDPR) or 6 May 2016 (for the agreements relevant to the LED). This review should be done in order to determine whether, while pursuing the important public interests covered by the agreements, further alignment with current Union legislation and case law on data protection, as well as EDPB guidance might be needed.
————————————————————————-
1. See at https://edpb.europa.eu/news/news/2021/edpb-adopted-documents-48th-plenary_ro
2. EDPB – Guidelines 8/2020, pp. 4-5.
3. EDPB – Guidelines 8/2020, pp. 39-40.