We have all seen it happen. Open up your browser, go to a random site and straight away there are ads all over the place. And these ads are far from random, most of them neatly promoting products that fit our specific or current interests. If you have recently searched the internet for shoes for instance, there is a good chance that the ads you will be presented with are related to footwear. So how does this work and what are the privacy implications? Is it okay for our preferences to be monitored for the purpose of advertisement selection and are there any conditions?
In December 2020, the European Commission submitted a proposal for regulation of digital services, the Digital Services Act, to which the European Parliament, on January 20 2022, implemented a number of amendments further restricting the use of personalised ads. In this blog, we will discuss the existing legal framework in relation to personalised or ‘targeted’ advertising, with specific focus on the changes about to be introduced as a result of the EP amendments.
Personalised advertising under the GDPRPersonalised ads appear on numerous web pages, including those of social media and search engines. For the tech companies running these sites to be able to personalise the ads accompanying their content, they need personal data. Your name, for instance, your age or the city you live in. But they also need information on the websites you regularly visit and the people you associate and possibly share interests with. Under the General Data Protection Regulation, collecting and processing personal data requires legitimate justification, a ‘legal basis’. One of these general foundations of lawful processing is consent from the data subject as specified in Article 6(1)(a) GDPR. For such consent to be valid, it must be:
– freely given. What this means is that the availability of the service being offered must not be dependent on the applicability of consent. In practical terms: Google does not have the right to refuse its services to users who choose not to consent to the processing of their personal data.
– specific. It must be clear to the data subjects for what purpose their data are being processed.
– informed. It must be clear to the data subjects how their data are being processed.
– unambiguous. The giving of consent must be based on an active, deliberate act on the part of the data subject. If, for instance, a checkbox is used for indication of consent, the box may not be pre-checked.
In October 2021, the DPC (Data Protection Commission, the Irish supervisory authority) ruled that Facebook, in terms of the processing of personal data for the purpose of targeted advertising, does not need consent from the data subject in view of the applicability of another valid basis for lawful processing, which is the performance of a contract as specified in Article 6(1)(b) GDPR. Here, the key issue is that in deciding as it did, the DPC is in fact saying that the service offered by Facebook is not primarily in building social networks and that providing the user with relevant advertising is an integral part of Facebook’s business model. In this line of thought then, supplying the service is impossible without processing personal data in order to establish the relevancy of specific advertisements to individual users.
The general rule in processing so-called special categories of personal data is that, based on Article 9 GDPR, the performance of a contract cannot be claimed as a legal basis. Which means that where special categories of personal data are being processed in order to facilitate the presentation of personalised advertising, consent from the data subject is required. The sort of personal data involved in this context include data allowing the identification of race, ethnic origin, political views, religion or sexual orientation. Genetic and biometrical data also qualify as ‘special’ personal data.
It is hard to say who exactly is processing special categories of personal data to what extent for the purpose of personalising ads. First of all, there is no readily available research on the subject which is also not transparently communicated by advertisers and tech companies. Apart from that, there is – so far – no clear argumentation for the amendments made by the EP to the provisional Digital Services Act.
What is going to change?Currently, regulation of the online market is covered by the E-Commerce Directive and national legislations based on it. This directive however, which came into force as early as 2000, is seriously obsolescent. By now, online fraud, incitement to hatred and digital disinformation have become much more significant social challenges, calling for new legislative frameworks. Which is the rationale behind the two bills now being proposed, the Digital Services Act and the Digital Markets Act, submitted in December 2020 by the European Commission, with the former having been amended by the European Parliament on January 20 2022.
One effect of these EP amendments is that processing of special categories of personal data for the purpose of targeted advertising will in the future be banned altogether. Processing, for the same purpose, of personal data related to minors will also be generally prohibited. As is apparent from Article 24(1)(b) of the proposed Digital Services Act which, in its current form, reads:
“Targeting or amplification techniques that process, reveal or infer personal data of minors or personal data referred to in Article 9(1) of Regulation (EU) 2016/679 for the purpose of displaying advertisements are prohibited.”
This means that many tech companies will have to review their privacy policies when the new regulation will be officially introduced.
ConclusionThere are currently two legal bases tech companies claim for the lawfulness of processing personal data in the context of targeted online advertising. The first one being consent given by the data subjects, the individuals whose personal data are being processed. Also, personal data may lawfully be processed if necessary for the performance of a contract with the data subject. Under the GDPR, processing special categories of personal data for the purpose of targeted advertising always requires consent.
This is about to change as a result of EP amendments made to the proposed Digital Services Act on January 20 2022. These amendments, from the moment the act enters into force, will have the effect of making it illegal to process special categories of personal data or ‘normal’ personal data related to minors for the purpose of personalised advertising.