Privacy data protection targeting of social media users – public consultation version

Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
Date September 26, 2020

Guidelines 08/2020 on the targeting of social media users – version for public consultation

Section 8.2 The Article 9(2) exception of special categories of data made manifestly public

120 Article 9 (2) (e) of the GDPR allows processing of special category of data in cases where the data have been manifestly made public by the data subject. The word “manifestly” implies that there must be a high threshold for relying on this exemption. The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice, a combination of the following or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public, and a case-by-case assessment is needed. The following elements may be relevant to help inform this assessment:

(i) the default settings of the social media platform (i.e. whether the data subject took a specific action to change these default private settings into public ones); or
(ii) the nature of the social media platform (i.e. whether this platform is intrinsically linked with the idea of connecting with close acquaintances of the data subject or creating intimate relations (such as online dating platforms), or if it is meant to provide a wider scope of interpersonal relations, such as professional relations, or microblogging, media sharing, socia platforms to share online reviews, etc… ; or
(iii) the accessibility of the page where the sensitive data is published (i.e. whether the information is publically accessible or if, for instance, the creation of an account is necessary before accessing the information); or
(iv) the visibility of the information where the data subject is informed of the public nature of the information that they publish (i.e. whether there is for example a continuous banner on the page, or whether the button for publishing informs the data subject that the informationwill be made public…); or
(v) if the data subject has published the sensitive data himself/herself, or whether instead the data has been published by a third party (e.g. a photo published by a friend which reveals sensitive data) or inferred.

The EDPB notes that the presence of a single element may not always be sufficient to establish that the data have been “manifestly” made public by the data subject. In practice, a combination of these or other elements may need to be considered for controllers to demonstrate that the data subject has clearly manifested the intention to make the data public.

Example 15:
Mr. Jansen has opened an account on a microblogging social media platform. While completing his profile, he indicated that he is homosexual. Being a conservative, he chose to join conservative groups, knowing that he has been informed while subscribing that the messages he exchanges on the platform are public. A conservative political party wishes to target people who share the same political affiliations and sexual orientation as Mr. Jansen using the social media targeting tools.

121 Because members’ sexual orientation is by default “private” and that Mr. Jansen has not taken any step to make it public, it cannot be considered as having been manifestly made public. In addition, the data relating to his political affiliation has not been made manifestly public, despite of (i) the nature of the microblogging social media platform, which is meant to share information with the wide public, and (ii) the fact that he has been informed of the public nature of the messages he publishes on the forums. In addition, although he has joined public forums relating to conservatism, he cannot be targeted on the basis of this sensitive data, because it is the social media platform that makes a deduction on Mr. Janssen’s political affiliation, and it was not the specific intention of the data subject to make this data manifestly public, all the more that this deduction may turn out to be false. He cannot therefore be targeted on the basis of political affiliation data. In other words, the circumstances in each specific case have to be taken into account when assessing whether the data have manifestly been made public by the data subject.