September 18, 2021

Volume XI, Number 261



European Data Protection Board Publishes Guidelines on Targeting Of Social Media Users, Emphasizes Joint-Controllership Arrangements

EU Privacy Alert

With close to one billion active users on social media, platforms and businesses are constantly rolling out new features, upgrading their ad tools and creating new ways to engage with users, moving away from traditional marketing strategies. These emerging practices also rely extensively on data analysis to gain insights and create more targeted opportunities, shifting platforms' and businesses' focus toward revenue.

The evolution towards increasingly personalized marketing practices occurs in parallel with end-users' awareness of data protection frameworks, which may create a rift between users' transparency expectations and complex advertising solutions that rely not only on personal data provided by the users themselves, but also on other data collected by social media providers or third parties. Recent headlines about the role played by social media targeting in democratic decision-making and electoral processes reinforce such perceptions.

The European Data Protection Board (EDPB) published two sets of new guidelines on 2 September 2020, on the concepts of controller and processor (Guidelines 07/2020 - see our alert here) and on the targeting of social media users (Guidelines 08/2020, the Guidelines). The latter identifies potential risks for the rights and freedoms of individuals, the main stakeholders, and their roles, in order to clarify the key data protection requirements between social media providers and targeters. 


In the Guidelines, the EDPB points out that targeting social media users may involve the use of personal data beyond individuals' reasonable expectations, giving rise to several data protection risks. Where such risks are not accounted for and mitigated, they would lead to breaches of applicable data protection principles, in particular where personal data from different sources is combined, or where social media platforms carry out profiling activities for targeting purposes, which may exceed the initial purposes for which the personal data was collected. The prominence of the associated risks also stems from the lack of means provided to individuals to reasonably anticipate such practices and their related purposes, and to exercise control over their personal data. Without effective control, the ever-expanding use of personal data may pave the way to discrimination, exclusion, manipulation, and influencing, in turn causing a chilling effect on freedom of expression by fostering self-censorship.

As such, the EDPB analyses several types of targeting mechanisms, based on: 

  1. data actively provided by the user to the social media provider or the targeter; 

  2. observed data (data obtained via observation by virtue of social plug-ins or other tracking technologies); and 

  3. inferred data (data created by comparing the previous data set with existing models in order to predict or anticipate missing data). 

Depending on the context of the data usage, the EDPB acknowledges that legitimate interests and consent would be the two main legal bases for all types of social targeting, and dismisses the legitimacy of a legal basis relying on a "contractual necessity". 


Through its recent decisions (Wirtschaftsakademie - C‑210/16 and Fashion ID - C‑40/17), the Court of Justice of the European Union (CJEU) had already had the opportunity to detail the importance of identifying the interactions and the respective responsibilities of the various stakeholders involved in the chain of processing for targeting individuals, more often than not resulting in a characterization of joint-controllership relations under the EU's General Data Protection Regulation 2016/679 (GDPR).

Continuing on that reflection, and also drawing on the companion Guidelines 07/2020 on the concept of controller and processor, the EDPB excludes the possibility for social media providers and targeters to be independent controllers (or “co-controllers”), instead considering them to be “joint controllers”; the ecosystem will need to adapt its terms and conditions accordingly.

Therefore, joint controllers should implement joint-controller agreements, addressing their respective obligations and responsibilities, all the while making the essence of this arrangement available to users. Moreover, prior to initiating the expected targeting operations, both joint controllers should check whether the processing operations would “likely result in a high risk” and determine whether the designated targeting could be subject to the requirement to conduct a data protection impact assessment (DPIA) to identify, address and mitigate such risks. However, the joint controllers remain free to decide that only one controller will carry out the DPIA as such (according to the EDPB's predecessor, the WP29, and its Guidelines WP248, the provider of the technology, regardless of its role, should be able to provide all required elements to its customers). Such contractual arrangements should be specified in the joint-controllership agreement. Regardless of the wording of such agreement, all joint controllers will nevertheless remain jointly and severally liable toward the Supervisory Authorities and the data subjects alike.


Social media providers and targeters alike will need to find ways to balance personalization of the advertising and privacy considerations, while empowering individuals with more control over their user experiences. While waiting for the revised and final Guidelines later this year, the following best practices should already be considered:

  • Allowing users to make informed choices about how their data will or will not be used by providing them clear information on the processing operations;

  • Enabling users to access, object/opt out, and exercise control over their personal data;

  • Providing users clear and transparent information about the origin of the data (especially when aggregated from publicly accessible sources), with whom it is shared and for what purposes;

  • Offering transparency proactively and managed, as the case may be, by adopting industry standards and codes of conduct (see our previous Alert here), as well as implementing Privacy by Design and Privacy by Default best practices in line with users' expectations;

  • Minimizing data collection and refraining from extracting all public data available on third-party websites;

  • Obtaining users' prior consent for targeted advertising purposes, the general requirements for consent being hereby applicable, i.e., (i) freely given, (ii) by an affirmative act, (iii) specific, (iv) informed, and (v) unambiguous (see our previous Alert on consent here);

  • In case consent would not be required, making sure to have (documented) legitimate interests that could be the ground of data processing;

  • Establishing joint-controllership agreements encompassing all the respective obligations and responsibilities, and making sure their essence is easily available to users; and

  • Conducting a preliminary DPIA when required under Article 35 GDPR. 

The European Data Protection Board welcomes comments on the Guidelines before 19 October 2020, via this form. 

Copyright 2021 K & L Gates

National Law Review, Volume X, Number 280

About this Author

Natali Adison Corporate Attorney K&L Gates Brussels, Belgium
Junior Attorney

Natali Adison is an attorney at the firm’s Brussels office. She is a member of the corporate/M&A and commercial technology and sourcing practice group.

Her practice relies on extensive experience in understanding the fast moving environment of corporations and their technological and structural processes, allowing her to provide innovative advice on a wide range of complex commercial contracts and transactions of the firm’s clients, during all stages of their growth.

Natali is an experienced litigator; she advises clients active in the technology, retail, healthcare and...

Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...