The Committee of European Privacy Supervisors (European Data Protection Board, 'EDPB') has issued two new guidelines. The first deals with the privacy role of parties, the second with targeting on social media.
In the Committee of European Privacy Supervisors, all EU regulators work together to oversee compliance with the General Data Protection Regulation ("AVG"). The AVG contains many open standards that may be interpreted differently in different countries. The Committee regularly issues guidelines explaining how certain rules should be worked out. In doing so, the guidelines provide further interpretation of the AVG and are of great significance. Often a draft version is issued first, to which everyone is allowed to react. Then a final version is adopted. The new guidelines are still open for consultation until Oct. 19, 2020.
Most obligations under European privacy laws do not rest on the processor, but on the controller. It is therefore important to carefully define the privacy law role. In practice, it is often not clear whether a party is a controller or processor. See also this blog by Lora Mourcous on this subject.
Previously, guidelines on determining the privacy role were developed by the EDPB's predecessor (the Art. 29 Working Group), but they date back to 2010. Since the advent of the AVG, there were many questions about whether the privacy role determination should be done differently. In the new guidelines, European privacy regulators describe how parties can determine for which services they are controllers, processors or joint controllers. The guidelines also contain a detailed explanation of the consequences of the privacy law role(s).
Key points of guidelines
First of all, the guidelines show that the role of processor or data controller has not substantially changed since the advent of the AVG. Interestingly, the EDPB elaborates on the question of what components a processor can control without itself qualifying as a data controller (means). The EDPB also addresses the question of how comprehensively the requirements of the AVG should be elaborated in a processor agreement. Finally, the EDPB devotes considerable attention to the question of whether two cooperating parties may qualify as "joint controllers of processing.
As the possibilities of targeting social media users on social media have greatly increased, new guidelines have also been established on this topic. Through the targeting services of social media platforms, parties can show targeted ads to (groups of) users thereof. The more additional data a social media platform has, the better the ads can match the (groups of) users.
Key points guidelines
The guidelines describe the roles and responsibilities of social media platforms, users and 'targeters'. By 'targeters' are meant the parties that use social media services to target their specific advertisements to (groups of) users based on specific characteristics. The guidelines deal with targeting (i) based on information provided by the user/visitor himself (e.g., adding the date of birth to the LinkedIn profile), targeting based on 'observed data' - that is, data provided by the user in the context of a service or device (e.g., based on GPS location because a mobile application is being used) and (iii) targeting based on derived data. These include data observed from web browsing and network connections.
For each method of targeting, the EDPB addresses the privacy role of the parties involved and the basis on which parties can base the processing of personal data. For any processing, the responsible party must have a basis. Remarkably, the guidelines reveal that the social media platform and the targeter can often be considered "joint controllers. It is also noteworthy that the EDPB confirms that the relevant bases in this situation are 'consent' and the 'legitimate interest', as the Autoriteit Persoonsgegevens has previously commented on the legitimate interest basis for direct marketing purposes. According to the Autoriteit Persoonsgegevens , purely commercial interests cannot qualify as legitimate interest.
More articles by SOLV Lawyers
