Overview
The European Data Protection Board (EDPB) published on September 7, 2020, its draft guidelines on the targeting of social media users (the Guidelines).
The Guidelines are the latest episode of the European Union (EU) (privacy) trilogy around social media, following the introduction of the General Data Protection Regulation (GDPR) and the jurisprudence of the Court of Justice of the European Union (CJEU) on joint controllership in Wirtschaftsakademie, Jehovah’s Witnesses, and Fashion ID.
Clap 1: The Pitch of the New Episode
The scenario of the Guidelines is straightforward (and far less complicated than the actual Leone’s spaghetti western); the social media business model (the Ugly) lies in the offering of targeting services, i.e., allowing “targeters” (the Bad) to communicate specific messages to users of social media in order to advance commercial, political or other interests. The increased sophistication of targeting allowed by the use of inferred data creates, according to the Guidelines, risks to the fundamental rights and freedoms of individuals (the Good). The Guidelines identify four types of (potential) risks; (i) the use of data against reasonable expectations or beyond their initial purposes; (ii) a potential for discrimination coming from the ability for advertisers to leverage the extensive quantity and variety of personal data gathered on users; (iii) potential for manipulation of users; and (iv) self-censorship by users of the content they post.
Clap 2: The EU Joint Controllership Weapon
The Guidelines seek to address those risks by focusing on the distribution of roles and data protection obligations of social media providers and targeters, leaving aside the other characters of the AdTech ecosystem. The Guidelines’ main answer comes down to two words; “joint controllership.”
We think this answer is wrong. It is wrong, as one should continue to challenge the spread of the joint controllership’s smoke after the CJEU’s gunfire in Wirtschaftsakademie, Jehovah’s Witnesses, and Fashion ID. In the use case contemplated by the Guidelines, namely the ex-ante collection of data by social media providers, there is no joint determination of the purposes (and/or means) of processing; providers do not decide why someone is willing to advertise through social media channels or what it is seeking to achieve by getting in front of segments of users’ population; it provides an audience. The targeter is neither interested nor incentivized in further feeding the social media provider with data; it solely considers its own return. Each of them is a controller in its own right; this differentiates “targeted” services (such as an advertisement) from social plugins embedded on websites.
Clap 3: What Is the Bounty Hunt Really about?
Whilst one might agree that some of those risks identified by the Guidelines are real, the way the EU is seeking to address them is not appropriate. Indeed, existing GDPR provisions, e.g., on the legal basis of processing, accountability, and transparency requirements should be capable of addressing most if not all of them, without having to go as far as extended joint controllership situations. AdTech - as a whole ecosystem - needs legal certainty that joint controllership situations are unlikely to provide. The Guidelines recognize that “targeters” that are willing to use social media providers may be confronted with the need to adhere to pre-defined arrangements, with limited bargaining powers, and practical difficulties in assessing the exact degree of responsibility between each party (but would nevertheless be held accountable).
As it is the case with removing or re-engineering social media plugins, making it uncertain for organizations to promote their products and services on social media wouldn’t change much to the rights and freedom of data subjects. It will merely increase the pressure on social media providers themselves. Is the EU engaged in a duel to enhance privacy rights of data subjects or in a bounty hunt against non-EU social media and/or AdTech as a whole, realizing that it failed to incubate regional champions?
Like in Leone’s film, let’s ensure that each actor is following its own script; this would probably work best than a vendetta; EU privacy (gold) standards are worth it. If you want to write your own script, engage with the EDPB. The consultation’ process for the Guidelines ends on October 19.