Guidelines 08/2020 on the targeting of social media users – version for public consultation
Subparagraph 5.2.1. B Legal basis
As joint controllers, both parties (the social media provider and the targeter) must be able to demonstrate the existence of a legal basis (Article 6 GDPR) to justify the processing of personal data for which each of the joint controllers is responsible. The EDPB recalls that no specific hierarchy is made between the different lawful bases of the GDPR: the controller needs to ensure that the selected lawful basis matches the objective and context of the processing operation in question. The identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation.
43 Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6 (1) (a) GDPR) or legitimate interests (Article 6 (1) (f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.
44 For what concerns the legitimate interest lawful basis, the EDPB recalls that in Fashion ID, the CJEU reiterated that in order for a processing to rely on the legitimate interest, three cumulative conditions should be met, namely (i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed, (ii) the need to process personal data for the purposes of the legitimate interests pursued, and (iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence. The CJEU also specified that in a situation of joint controllership “it is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them”.
45 The EDPB recalls that in cases where a controller envisages to rely on legitimate interest, the duties of transparency and the right to object require careful consideration. Data subjects should be given the opportunity to object to the processing of their data for targeted purposes before the processing is initiated. Users of social media should not only be provided with the possibility to object to the display of targeted advertising when accessing the platform, but also be provided with controls that ensure the underlying processing of his or her personal data for the targeting purpose no longer takes place after he or she has objected.
46 With regard to Example 1 in paragraph 5.2.1, the targeter might consider its legitimate interest to be the economic interest of having an increased publicity for its goods through social media targeting. The social media provider could consider that its legitimate interest consists of making the social media service profitable by selling advertising space. Whether the targeter and the social media provider can rely upon Article 6 (1) (f) GDPR as legal basis depends on whether all three cumulative conditions are met, as recently reiterated by the CJEU. Even if the targeter and the social media provider consider their economic interests to be legitimate, it does not necessarily mean that they will be able to actually rely on Article 6 (1) (f) GDPR.
47 The second part of the balancing test entails that the joint controllers will need to establish that the processing is necessary to achieve those legitimate interests. “Necessary” requires a connection between the processing and the interests pursued. The “necessity” requirement is particularly relevant in the context of the application of Article 6 (1) (f), in order to ensure that processing of data based on legitimate interests does not lead to an unduly broad interpretation of the necessity to process data. As in other cases, this means that it should be considered whether other less invasive means are available to serve the same end.
48 The third step in assessing whether the targeter and the social media provider can rely upon Article 6 (1) (f) GDPR as legal basis for the processing of personal data, is the balancing exercise necessary to determine whether the legitimate interest at stake is overridden by the data subject’s interests or fundamental rights and freedoms.
49 The outcome of the balancing exercise will also depend on the presence of additional controls and safeguards. The targeter seeking to rely on legitimate interest should, for its part, make it easy for individuals to express a prior objection to its use of social media for targeting purposes. However, insofar as the targeter does not have any direct interaction with the data subject, the targeter should at least ensure that the social media platform provides the data subject with means to efficiently express their right to prior objection. As joint controllers, the targeter and social media provider should clarify how the individuals’ right to object (as well as other rights) will be accommodated in the context of the joint arrangement (see section 6). If the balancing exercise points out that data subject’s interests or fundamental rights and freedoms override the legitimate interest of the social media provider and the targeter, the use of Article 6 (1) (f) is not possible.
50 For what concerns the consent lawful basis, the controller needs to keep in mind that there are clearly situations in which the processing would not be lawful without the valid consent of the individuals concerned (Article 6 (1) (a) GDPR). For example, the WP29 has previously considered that it would be difficult for controllers to justify using legitimate interests as a legal basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.
51 To be valid, the consent collected for the processing needs to fulfil the conditions laid out in Articles 4 (11) and 7 GDPR. Generally speaking, consent can only be an appropriate legal basis if a data subject is offered control and genuine choice. If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. Consent must also be specific, informed and unambiguous and the data subject must be able to refuse or withdraw consent without detriment.
52 Consent (Article 6 (1) (a) GDPR) could be envisaged, provided that all the requirements for valid consent are met. The EDPB recalls that obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimize targeting which is disproportionate or unfair.
53 Finally, the EDPB is of the opinion that the processing of personal data described in Example 1 in paragraph 5.2.1 cannot be justified on the basis of Article 6 (1) (b) by either the social platform or the targeter.