With the increased use of social media and developing targeting techniques offered by social media providers, the European Data Protection Board (EDPB) has updated its guidelines on the targeting of social media users issued in 2020. This article briefly analyses the key points of the Guidelines.
What do the Guidelines say?
As part of their business model, many social media providers offer targeting services which make it possible for natural or legal persons (the Targeters) to communicate specific messages to the users of social media in order to advance commercial, political, or other interests. By enabling targeters to use sophisticated mechanisms, social media providers enable the targeting of individuals on the basis of a wide range of criteria which are determined/developed on the basis of personal data which users have actively provided or shared on their profile.
With the above in mind, the EDPB had issued 2020 guidelines on this targeting of social media users, aiming to clarify the roles and responsibilities of social media providers and targeted individuals. These Guidelines have recently been amended during the 48th plenary session of the EDPB in April 2021.[1]
The updated Guidelines reflect the increased sophistication of targeting methods. The EDPB indicates that the combination and analysis of data originating from different sources, along with Targeters having access to personal data which could potentially be considered, creates risks to the fundamental rights and freedoms of individuals/social media users. The guidelines indicate that Social media users can be targeted on the basis of four types of data:
- Data provided by users to a platform. This may include data such as gender, date of birth or employment on their social media account.
- Data provided by user to a Targeter. This may include data from a platform which matches pre-existing list data, such as email address or phone number, from the Targeter with data from the user's social media account.
- Data based on observed data. This can be provided by the social media service itself or other external websites.
- Data based on inferred data by the platform or the Targeter.
For each category of the personal data collected, the Guidelines provide and discuss the responsibilities and roles of platforms and the Targeters, whether they act as controllers, joint controllers or processors. The Guidelines also discuss relevant legal basis platforms and the Targeters could rely upon to process users' personal data.
What are the potential risks to social media users’ fundamental rights?
Such risks to the fundamental rights and freedoms of individuals may include lack of transparency and loss of user control over personal data. This is specially in regard to personal data that have not been collected directly from the individual. This may come around as a result of personal data being used beyond their initial purpose and in ways the individual could not reasonably anticipate.
Furthermore, the possibility of discrimination or exclusion due to bias is increased by diminishing visibility of opportunities to certain individuals if their personal data deem them to fall outside the scope of certain categories (such as certain individuals not receiving certain advertisements related to housing or job offers or credit).
Finally, the risk of manipulation or undue influence is increased. This is specially in regard to young social media users who might receive messages/advertisements and even misinformation, specific to their particular needs, interests and values. Such targeting mechanisms to individuals with no or limited contextualisation or exposure to other viewpoints, can have the effect of undermining the democratic electoral process. This may lead to or have the effect of increasing political and ideological polarization.
Conclusion
The underlying processing made to the personal data of an individual user of social media in regard to targeting is not yet clear enough to enable the user to understand what assumptions are made for him/her based on his/her profile and can lead to the use of personal data in ways that is definitely unanticipated and very likely undesired by the individual.
The Guidelines provide some clarity and insight in relation to the roles and responsibilities of the social media providers and what they need to do to comply with GDPR.
[1] Full guidelines of EDPB on targeting of social media users can be found here.
For more information please visit our website microsite on Data Protection & Cyber Law or contact Ms. Munevver Kasif at This email address is being protected from spambots. You need JavaScript enabled to view it..
Back to News
