The EDPB tries to clear up who is and is not a controller or processor and wades into the world of social media and targeting.
The European Data Protection Board (EDPB) has released two sets of draft guidelines for public comment, each intended to elucidate portions of the General Data Protection Regulation (GDPR).
In the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR, the EDPB is looking to update guidance issued by its forerunner body under the predecessor data protection regime regarding who is a controller, joint controller, and processor. Any clarification of these definitions would obviously change how entities are regulated under the GDPR and, ideally, harmonize data protection and processing regulation across the EU. The document suggests that there is currently no standard construction of these definitions, causing the same entity to be regulated differently depending on the jurisdiction within the European Economic Area (EEA). The EDPB noted the guidelines were put together with the input of stakeholders, and it is possible that more input from a broader audience will result in a modified product.
This draft guidance is built on the principle of accountability as enshrined in the GDPR, meaning controllers and processors must not only comply with the GDPR but be able to demonstrate compliance with the GDPR. In fact, the EDPB asserts “[t]he aim of incorporating the accountability principle into the GDPR and making it a central principle was to emphasize that data controllers must implement appropriate and effective measures and be able to demonstrate compliance.” This emphasis and this statement might both mean that the EU encountered challenges with respect to entities accepting accountability in data protection under the GDPR’s forerunner, Directive 95/46/EC. Moreover, the need to define precisely, or as precisely as possible, who is and is not a controller, joint controller, or processor is crucial to apportioning responsibility and culpability for noncompliance. Therefore, these guidelines will be a crucial starting point for both data protection authorities (DPA) and the entities collecting and processing the personal data of EU persons. Notably, the EDPB proposes to go beyond labels in determining who is a controller or processor by looking at what an entity is actually doing. By the same token, the Board makes clear that the term controller should not be confused with the use of the same term in other legal contexts and should be interpreted broadly to ensure the greatest possible data protection.
The EDPB claimed “[t]he main aim is to clarify the meaning of the concepts and to clarify the different roles and the distribution of responsibilities between these actors.” The EDPB stated
The Article 29 Working Party issued guidance on the concepts of controller/processor in its opinion 1/2010 (WP169) in order to provide clarifications and concrete examples with respect to these concepts. Since the entry into force of the GDPR, many questions have been raised regarding to what extent the GDPR brought changes to the concepts of controller and processor and their respective roles. Questions were raised in particular to the substance and implications of the concept of joint controllership (e.g. as laid down in Article 26 GDPR) and to the specific obligations for processors laid down in Chapter IV (e.g. as laid down in Article 28 GDPR). Therefore, and as the EDPB recognizes that the concrete application of the concepts needs further clarification, the EDPB now deems it necessary to give more developed and specific guidance in order to ensure a consistent and harmonised approach throughout the EU and the EEA. The present guidelines replace the previous opinion of Working Party 29 on these concepts (WP169).
The EDPB summarized the concepts of these terms and the interplay between entities:
- Controller
  - In principle, there is no limitation as to the type of entity that may assume the role of a controller but in practice it is usually the organisation as such, and not an individual within the organisation (such as the CEO, an employee or a member of the board), that acts as a controller.
  - A controller is a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. Certain processing activities can be seen as naturally attached to the role of an entity (an employer to employees, a publisher to subscribers or an association to its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in all circumstances.
  - A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation (“non-essential means”) can be left to the processor. It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller.
- Joint controllers
  - The qualification as joint controllers may arise where more than one actor is involved in the processing. The GDPR introduces specific rules for joint controllers and sets a framework to govern their relationship. The overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. Joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand.
- Processor
  - A processor is a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller. Two basic conditions for qualifying as processor exist: that it is a separate entity in relation to the controller and that it processes personal data on the controller’s behalf.
  - The processor must not process the data otherwise than according to the controller’s instructions. The controller’s instructions may still leave a certain degree of discretion about how to best serve the controller’s interests, allowing the processor to choose the most suitable technical and organisational means. A processor infringes the GDPR, however, if it goes beyond the controller’s instructions and starts to determine its own purposes and means of the processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller’s instructions.
- Relationship between controller and processor
  - A controller must only use processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. Elements to be taken into account could be the processor’s expert knowledge (e.g. technical expertise with regard to security measures and data breaches); the processor’s reliability; the processor’s resources and the processor’s adherence to an approved code of conduct or certification mechanism.
  - Any processing of personal data by a processor must be governed by a contract or other legal act which shall be in writing, including in electronic form, and be binding. The controller and the processor may choose to negotiate their own contract including all the compulsory elements or to rely, in whole or in part, on standard contractual clauses.
  - The GDPR lists the elements that have to be set out in the processing agreement. The processing agreement should not, however, merely restate the provisions of the GDPR; rather, it should include more specific, concrete information as to how the requirements will be met and which level of security is required for the personal data processing that is the object of the processing agreement.
- Relationship among joint controllers
  - Joint controllers shall in a transparent manner determine and agree on their respective responsibilities for compliance with the obligations under the GDPR. The determination of their respective responsibilities must in particular regard the exercise of data subjects’ rights and the duties to provide information. In addition to this, the distribution of responsibilities should cover other controller obligations such as regarding the general data protection principles, legal basis, security measures, data breach notification obligation, data protection impact assessments, the use of processors, third country transfers and contacts with data subjects and supervisory authorities.
  - Each joint controller has the duty to ensure that they have a legal basis for the processing and that the data are not further processed in a manner that is incompatible with the purposes for which they were originally collected by the controller sharing the data.
  - The legal form of the arrangement among joint controllers is not specified by the GDPR. For the sake of legal certainty, and in order to provide for transparency and accountability, the EDPB recommends that such arrangement be made in the form of a binding document such as a contract or other legal binding act under EU or Member State law to which the controllers are subject.
  - The arrangement shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects and the essence of the arrangement shall be made available to the data subject.
  - Irrespective of the terms of the arrangement, data subjects may exercise their rights in respect of and against each of the joint controllers. Supervisory authorities are not bound by the terms of the arrangement whether on the issue of the qualification of the parties as joint controllers or the designated contact point.
In the Guidelines 08/2020 on the targeting of social media users, the Board explained that the genesis of this guidance came from the EDPB itself. These guidelines are, in a sense, a more targeted version of the other draft guidelines the EDPB has issued for comment, in that they seek to clarify the responsibilities, joint and otherwise, of social media companies and others operating in the targeted advertising universe. Consequently, these would apply to companies like Facebook, Twitter, and other social media platforms and to virtually any entity using such a platform to send a targeted advertisement to a user or group of users. However, the EDPB makes clear its concern with respect to these practices is not confined to the commercial world and explains at some length its concern that EU persons could be targeted with political materials, a common practice of the Russian Federation in a number of countries, including the EU in all likelihood. The Board stated “[t]he main aim of these guidelines is therefore to clarify the roles and responsibilities among the social media provider and the targeter,” a term defined as those “that use social media services in order to direct specific messages at a set of social media users on the basis of specific parameters or criteria.”
The EDPB asserted
- As part of their business model, many social media providers offer targeting services. Targeting services make it possible for natural or legal persons (“targeters”) to communicate specific messages to the users of social media in order to advance commercial, political, or other interests. A distinguishing characteristic of targeting is the perceived fit between the person or group being targeted and the message that is being delivered. The underlying assumption is that the better the fit, the higher the reception rate (conversion) and thus the more effective the targeting campaign (return on investment).
- Mechanisms to target social media users have increased in sophistication over time. Organisations now have the ability to target individuals on the basis of a wide range of criteria. Such criteria may have been developed on the basis of personal data which users have actively provided or shared, such as their relationship status. Increasingly, however, targeting criteria are also developed on the basis of personal data which has been observed or inferred, either by the social media provider or by third parties, and collected (aggregated) by the platform or by other actors (e.g., data brokers) to support ad-targeting options. In other words, the targeting of social media users involves not just the act of “selecting” the individuals or groups of individuals that are the intended recipients of a particular message (the ‘target audience’), but rather it involves an entire process carried out by a set of stakeholders which results in the delivery of specific messages to individuals with social media accounts.
- The combination and analysis of data originating from different sources, together with the potentially sensitive nature of personal data processed in the context of social media, creates risks to the fundamental rights and freedoms of individuals. From a data protection perspective, many risks relate to the possible lack of transparency and user control. For the individuals concerned, the underlying processing of personal data which results in the delivery of a targeted message is often opaque. Moreover, it may involve unanticipated or undesired uses of personal data, which raise questions not only concerning data protection law, but also in relation to other fundamental rights and freedoms. Recently, social media targeting has gained increased public interest and regulatory scrutiny in the context of democratic decision making and electoral processes.
The EDPB added
- Taking into account the case law of the CJEU, as well as the provisions of the GDPR regarding joint controllers and accountability, the present guidelines offer guidance concerning the targeting of social media users, in particular as regards the responsibilities of targeters and social media providers. Where joint responsibility exists, the guidelines will seek to clarify what the distribution of responsibilities might look like between targeters and social media providers on the basis of practical examples.
- The main aim of these guidelines is therefore to clarify the roles and responsibilities among the social media provider and the targeter. In order to do so, the guidelines also identify the potential risks for the rights and freedoms of individuals (section 3), the main actors and their roles (section 4), and tackles the application of key data protection requirements (such as lawfulness and transparency, DPIA, etc.) as well as key elements of arrangements between social media providers and the targeters.
The EDPB explained the main two means by which targeting occurs: “[s]ocial media users may be targeted on the basis of provided, observed or inferred data, as well as a combination thereof:
- a) Targeting individuals on the basis of provided data – “Provided data” refers to information actively provided by the data subject to the social media provider and/or the targeter. For example:
  - A social media user might indicate his or her age in the description of his or her user profile. The social media provider, in turn, might enable targeting on the basis of this criterion.
  - A targeter might use information provided by the data subject to the targeter in order to target that individual specifically, for example by means of customer data (such as an e-mail address list), to be matched with data already held on the social media platform, leading to all those users who match being targeted with advertising.
- b) Targeting on the basis of observed data – Targeting of social media users can also take place on the basis of observed data. Observed data are data provided by the data subject by virtue of using a service or device. For example, a particular social media user might be targeted on the basis of:
  - his or her activity on the social media platform itself (for instance the content that the user has shared, consulted or liked);
  - the use of devices on which the social media’s application is executed (for instance GPS coordinates, mobile telephone number);
  - data obtained by a third-party application developer by using the application programming interfaces (APIs) or software development kits (SDKs) offered by social media providers;
  - data collected through third-party websites that have incorporated social plugins or pixels;
  - data collected through other third parties (e.g. parties with whom the data subject has interacted, purchased a product, subscribed to loyalty cards, …); or
  - data collected through services offered by companies owned or operated by the social media provider.
The EDPB added
Targeting on the basis of inferred data – “Inferred data” or “derived data” are created by the data controller on the basis of the data provided by the data subject or as observed by the controller. For example, a social media provider or a targeter might infer that an individual is likely to be interested in a certain activity or product on the basis of his or her web browsing behaviour and/or network connections.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.