The Belgian Data Protection Authority (DPA) recently fined a social media platform €50,000 for processing personal data, in the context of a referral function, without an appropriate legal basis.
coauthor: Isabel Rosendor
This decision is particularly relevant because:
The decision was made based on the one-stop-shop mechanism and all the national authorities involved confirmed the reasoning of the Belgian data protection authority;
The DPA confirms that a "refer/invite a friend" feature used by a social media platform cannot fall under the "personal or household activities" exception;
The DPA also confirms, following an opinion from the EDPB, that the fact that part of the processing (namely, the sending of marketing emails) falls within the scope of the Privacy Directive does not affect the jurisdiction of a data protection authority under the GDPR; and
An extensive study by the DPA into the possible legal basis for referral functions on social media platforms shows that "consent" from users cannot serve as a basis.
On this last point, the facts were as follows. The social media platform asked its users' permission to import their address book (from other social media platforms or software). After obtaining permission to import, the social media platform, on behalf of its users, invited their contacts ("to connect with each other" for contacts who are already members of the social media platform and, at least, "to become members" for non-members of the social media platform). To import the address book and send these invitations, the social media platform relied on the consent of the users of the social media website. However, under the GDPR, only the data subject whose personal data is being processed can give valid consent, unless an exception is provided (e.g. parental consent). Consequently, the DPA ruled that the processing was carried out by the social media platform without an appropriate legal basis.
A possible legal basis (for importing the address book and sending invitations) could be "legitimate interest", at least if all conditions (in particular the "proportionality test" inherent to the legal basis of "legitimate interest" and the principle of minimal data processing) are met. The DPA states that the processing would be considered legitimate if the following conditions are met:
Only personal data strictly necessary for "inviting" are processed; and
These personal data are processed for the purpose of a compare-and-forget action, in order to select existing users of the social media platform among the contact details, which makes it possible to send invitations only to them (provided they have given their prior consent).