noyb – European Center for Digital Rights Goldschlagstraße 172/4/3/2 1140 Vienna AUSTRIA To: European Data Protection Board Vienna, 19.10. 2020 Subject: noyb’s comments on Guidelines 8/2020 on the targeting of social media users adopted on 2 September 2020 for public consultation Dear Members of the EDPB, noyb welcomes the opportunity to submit comments on the Guidelines 8/2020 published for consultation. We want to explicitly welcome the general approach the EDPB has taken in these guidelines and thank the members of the EDPB working groups for their work. We especially welcome: the clear position on the unlawful use of Article 6(1)(b) as a legal basis by some providers; the clear position that in most cases Article 6(1)(a) is the relevant legal basis; the clear position on the application of Article 9 when special categories of personal data are inferred or generated via the use of proxies and the highlight on the large footprint (from targeting of vulnerable groups to the use of micro-targeting for political manipulation) that GDPR violations in the area of social networks have. In order to focus these submissions, we will, however, mainly concentrate on the elements that we feel may benefit from further input. 1. Pending Litigation In the spirit of transparency, we want to highlight that noyb (or persons associated or supported by noyb) are currently engaged in litigation before the Irish DPC and before the Austrian Civil Courts that partly overlaps with issues raised in these Guidelines. At the same time, we invite the EDPB to request the documents in the cases before the Austrian, Belgian, German and Irish DPAs (DPC Case numbers C-18-5-5, C-18-5-6 and C-18-5-7) to get first hand input on the legal arguments put forward by some Social Media Providers. We are equally happy to provide the relevant documents in the case 3 Cg 52/14k - 91 before the Vienna Regional Civil Court (LGfZRS), which partly overlaps with the subject matter of these guidelines. noyb – European Center for Digital Rights | Goldschlagstr. 172/4/3/2, 1140 Vienna, AUSTRIA | ZVR N°: 1354838270 www.noyb.eu | General email: [email protected] | Legal communication: [email protected] | IBAN: AT21 2011 1837 8146 6600 Page 1 of 14 In light of experience derived from these pending cases, we hope to add helpful practical points to the work of the EDPB. Finally, for the avoidance of doubt and in light of arguments made in litigation in Ireland, Germany, Belgium and Austria, we want to mention that an omission to comment on individual parts of the Guidelines may not be interpreted as agreeance to these parts by noyb. 2. General Comments 2.1. Wording throughout the Guidelines As a general matter and being fully aware of the delicate process of drafting EDPB Guidelines, we would encourage the EDPB to take even clearer positions on some issues in order to arrive at guidelines that go beyond the first red lines set by the recent CJEU judgements on Facebook. This is especially in light of our experience that social media providers, in particular, have so far aggressively used even the slightest uncertainty in EDPB guidelines to depart from their obvious meaning. Lack of clear guidelines in practice opens the door to deliberate misinterpretation by controllers, which in turn leads to the abuse of data subject rights, to lengthy procedures before DPAs, or even costly litigation. In this regard , we want to highlight that many factual descriptions in the Guidelines (like “Personal data provided by social media users can be used by the social media provider…” in § 37) will likely be used out of context by controllers to claim that the EDPB takes the view that these practices are actually legal. While some factual descriptions are clearly found to be illegal in other parts of the Guidelines, other practices are not further analysed, but merely described. We therefore strongly encourage the EDPB to limit general factual descriptions of services and to use language that distinguishes between factual descriptions (of partly illegal practices) and the later legal analysis more clearly. 2.2. “Upstream” processing While we are aware that this may be outside of the scope of the Guidelines, it seems striking that processing operations that take place before any “upstream” operations (i.e. processing operations for advertisement) are not mentioned in the Guidelines. This seems to be relevant in at least two aspects: First, we wanted to draw attention to the fact that, under C-101/01 Lindqvist, users of social networks may themselves be controllers for the initial processing operations (such as public micro-blogging or their personal messages or emails). There is often no red line between consumers and active users of social media service and even private parties often run public pages on such platforms. In practice, the click of a button that makes others’ data public or the mere intent to use a page for commercial purposes can make a user a “controller” as in Lindqvist or C-210/16 Wirtschaftsakademie. Should the social media provider use data that it gathered as a processor (e.g. when Google provides Cloud Storage or Gmail) in violation of the instructions by the user, it would violate Articles 28 and 29 and other parts of the GDPR. Page 2 of 14 Second, Article 2(2)(c) GDPR and Recital 18 GDPR makes the, often unlimited, uploading, sharing and storing of personal data of others (“friends”) legal, only if these activities fall under the household exception. Limitless further processing of such “privileged” data for commercial purposes would make the household exception a backdoor that would allow commercial actors to outsource data gathering to private persons. Recital 18 explicitly mentions that social media providers are (in relation to these processing operations) processors that fall under the GDPR, even if the user can make use of the household exception and therefore does not fall under the GDPR. Some controllers may interpret the factual description of this process in the Guidelines as an accepting of this practice as legal. Third, the Guidelines mention, for example in §§ 9 and 18, that data is generated and shared for private (“household”) purposes. As these are clearly not compatible purposes with the purpose of commercial data gathering for advertisements, this begs the question of whether a social media provider may simply engage in “secondary use” of such (often very personal and private data) under Article 6(4) GDPR. It seems to noyb that such a “secondary use” of personal data would for example require the consent of the data subject under Article 6(4) GDPR – in addition to the requirement for consent under Article 6(1) GDPR, which the Guidelines already discuss in detail. While the EDPB may decide against including a legal analysis of these “upstream” processing operations as part of the Guidelines, we would strongly encourage to explicitly limit the Guidelines to processing operations from a certain point onwards and mention that the EDPB does at least not take a position on the legality of the described data gathering process. The current factual descriptions in the Guidelines, according to which data is taken from many sources (be it maps, email services or chat apps) and further used, could be misinterpreted to mean that the EDPB agrees that the massive and global harvesting and aggregation of data on every individual (euphemistically called “social graph”) is generally legal - independent of the purpose or controllership of the original processing operation. 2.3. Differentiation of “targeting mechanism” In general, we consider that all data, whether inferred, observed or actively provided by the users, should be processed under the same conditions by the social media providers, in compliance with all relevant data protection laws. Whereas we see the interest of the distinction made by the EDPB in its guidelines for didactic purposes, such categories may not be that easy to delineate in the context of social media. For example, the Guidelines consider that the “like” button would constitute inferred data, whereas one could easily argue that this data is merely observed because the “like” button clearly indicates a preference actively provided by the user. i) Transparency implications The requirement for transparent and informed consent1 relating to observed data and inferred data should be more clearly detailed. Users are not always aware that their personal data are collected even when they are merely, in their subjective opinion, “interacting” with the social media but not actively providing information to the social media or to a third party. For example, “liking” a post of a friend or “friending” someone provides information to the social media, but, in the subjective view of many users, this might be providing information to the friend but 1 See below on why consent under Article 6(1)(a) GDPR is usually the relevant legal basis. If the EDPB takes a different view, the same transparency considerations apply to Article 6(1)(f) GDPR. Page 3 of 14 not actively to the social media platform, unlike a user uploading their profile photo. Moreover, in such contexts, it can be difficult to prove that a social media provider actually processes observed or inferred data when there is a lack of information given by the social media provider and the targeters. Therefore, it is crucial that the EDPB clarifies that any new categorization of data resulting from observation or inference, such as “users interested in online betting”, “people likely to be impulsive”, “people likely to be betting heavily” and “people with lower income”, are made transparent and clear to the users. Without such transparency clarifications, the recommendations of the EDPB will remain a dead letter – any such categories will not be communicated to the users who will thus remain unaware of the various profiling types used by social media providers and targeters.