Privacy data protection targeting of social media users – public consultation version
Paragraph 8.1.2 Inferred and combined special categories of data
114 Assumptions or inferences regarding special category data, for instance that a person is likely to vote for a certain party after visiting a page preaching liberal opinions, would also constitute a special category of personal data. Likewise, as previously stated by the EDPB, “profiling can create special category of data by inference from data which is not special category of data in its own right, but becomes so when combined with other data. For example, it may be possible to infer someone’s state of health from the records of their food shopping combined with data on the quality and energy content of foods”.
115 For instance, the processing of a mere statement, or a single piece of location data or similar, which reveals that a user has (either once or on a few occasions) visited a place typically visited by people with certain religious beliefs will generally not in and of itself be considered as processing of special categories of data. However, it may be considered as processing of special categories of data if these data are combined with other data or because of the context in which the data are processed or the purposes for which they are being used.
Example 11:
The profile on Mr. Novak’s social media account only reveals general information such as his name and domicile, but a status update reveals that he has visited the City Church frequently where he attended a religious service. Later on, the City Church wants to target its visitors with religious messages in order to encourage Christian people to join the congregation. In such circumstances, the use of personal data in Mr. Novak’s status update for such targeting purposes amounts to the processing of special categories of personal data.
116 If a social media provider or a targeter uses observed data to categorise users as having certain religious, philosophical or political beliefs – regardless of whether the categorization is correct/true or not – this categorisation of the user must obviously be seen as processing of special category of personal data in this context. As long as the categorisation enables targeting based on special category data, it does not matter how the category is labelled.
Example 12:
Mr. Sifuentes provides information in his social media profile in the shape of regular status updates, check-ins, etc., which indicate that he regularly takes part in activities arranged by the “Mind, Body and Spirit Movement”. Even though no explicit statement on philosophical belief is provided, all updates, likes, check-ins and similar data provided by the user when collated, strongly indicate that Mr. Sifuentes has a certain philosophical belief.
Example 13:
A social media provider uses information actively provided by Ms. Allgrove on her social media profile page about her age, interests and address and combines it with observed data about the websites visited by her and her “likes” on the social media platform. The social media provider uses the data to infer that Ms. Allgrove is a supporter of left-wing liberal politics and places her in the “interested in left-wing liberal politics” targeting category, and makes this category available to targeters for targeted advertising.
117 In Example 12, the vast information and the absence of measures to prevent targeting based on special category data implies that a processing of special categories of data is taking place. However, the mere fact that a social media provider processes large amounts of data which potentially could be used to infer special categories of data does not automatically mean that the processing falls under Article 9 GDPR. Article 9 will not be triggered if the social media provider’s processing does not result in inference of special categories of data and the social media provider has taken measures to prevent that such data can be inferred or used for targeting. In any case, processing of a large amount of personal data about users may entail specific risks for the rights and freedoms of natural persons, which have to be addressed by implementing appropriate security measures, as prescribed under Article 32, and also by taking into account the outcome of the DPIA to be performed pursuant to Article 35 of the GDPR.
118 In Example 13, the offering as well as use of the targeting category “interested in left-wing liberal politics” amounts to processing of special categories of data, as this category could easily be used as a proxy to target individuals who have left-wing liberal political beliefs. By assigning an inferred political opinion to a user, the social media provider processes special categories of data. For the purpose of Article 9 GDPR, it is not relevant whether the user in fact is a supporter of left-wing liberal politics. Nor is it relevant that the targeting category is named “interested in…” and not “supporter of…”, since the user is placed in the targeting category based on inferred political interests.
Mr. Svenson takes a career aptitude test, containing a psychological evaluation, developed by the company “YourPerfectJob”, which is made available on a social media platform and makes use of the Application Programming Interface (API) provided by the social media provider. YourPerfectJob collects data about Mr. Svenson’s education, employment status, age, hobbies, posts, email address and connections. YourPerfectJob obtains the data through the API in accordance with the “permissions” granted by Mr. Svenson through his social media account. The stated purpose of the application is to predict what would be the best career path for a specific user.
Without the knowledge or approval of the social media provider, YourPerfectJob uses this information to infer a number of personal aspects, including his personality traits, psychological profile and political beliefs. YourPerfectJob later decides to use this information to target Mr. Svenson on behalf of a political party, using the email-based targeting feature of the social media provider, without adding any other targeting criteria offered by the social media provider.