« 欧州データ保護委員会 (EDPB)が「GPDRにおけるコントローラとプロセッサーの概念に関するガイドライン」について意見募集をしていますね。。。 | Main | ドイツBSIが、船舶に関連するサイバーセキュリティの強制力のあるガイドを出していますね。。。 »

2020.09.09

欧州データ保護委員会 (EDPB)が「ソーシャルメディアユーザーのターゲティングに関するガイドライン」について意見募集をしていますね。。。

こんにちは、丸山満彦です。

先日、このブログで、

・2020.09.05 欧州データ保護委員会 (EDPB) 第37回総会でコントローラ・プロセッサーに関するガイドライン、ソーシャルメディアユーザに関するガイドラインを可決したようですね、

を書きましたが、「ソーシャルメディアユーザーのターゲティングに関するガイドライン」が公表されていますね。。。

 

European Data Protection Board (EDPB)

・2020.09.07 Guidelines 08/2020 on the targeting of social media users

・[PDF] Guidelines 8/2020 on the targeting of social media users Version 1.0

意見募集は2020.10.19までです。

ソーシャルメディアが知らず知らずに個人(本人およびその家族、友人等)に関する情報を時間と共に徐々に蓄積していく場となってしまうので、事業者に対して何らかのガイドは必要なんでしょうね。。。

 

Edpb 

 


 

1 Introduction

2 Scope

3 Risks to the rights and freedoms of users posed by the processing of personal data

4 Actors and Roles

4.1 Users
4.2 Social media providers
4.3 Targeters
4.4 Other relevant actors
4.5 Roles and responsibilities

5 Analysis of different targeting mechanisms

5.1 Overview
5.2 Targeting on the basis of provided data

5.2.1 Data provided by the user to the social media provider
5.2.2 Data provided by the user of the social media platform to the targeter

5.3 Targeting on the basis of observed data

5.3.1 Roles
5.3.2 Legal basis

5.4 Targeting on the basis of inferred data

5.4.1 Roles
5.4.2 Legal basis

6 Transparency and right of access

6.1 Essence of the arrangement and information to provide (Article 26 (2) GDPR)
6.2 Right of access (Article 15)

7 Data protection impact assessments (DPIA)

8 Special categories of data

8.1 What constitutes a special category of data

8.1.1 Explicit special categories of data
8.1.2 Inferred and combined special categories of data

8.2 The Article 9(2) exception of special categories of data made manifestly public

9 Joint controllership and responsibility

9.1 Joint controller arrangement and determination of responsibilities (Art. 26 GDPR)
9.2 Levels of responsibility


 

1 INTRODUCTION

 

  1. A significant development in the online environment over the past decade has been the rise of social media. More and more individuals use social media to stay in touch with family and friends, to engage in professional networking or to connect around shared interests and ideas. For the purposes of these guidelines, social media are understood as online platforms that enable the development of networks and communities of users, among which information and content is shared.1 Key characteristics of social media include the ability for individuals to register in order to create “accounts” or “profiles” for themselves, to interact with one another by sharing user-generated or other content and to develop connections and networks with other users.2

  2. As part of their business model, many social media providers offer targeting services. Targeting services make it possible for natural or legal persons (“targeters”) to communicate specific messages to the users of social media in order to advance commercial, political, or other interests. 3 A distinguishing characteristic of targeting is the perceived fit between the person or group being targeted and the message that is being delivered. The underlying assumption is that the better the fit, the higher the reception rate (conversion) and thus the more effective the targeting campaign (return on investment).

  3. Mechanisms to target social media users have increased in sophistication over time. Organisations now have the ability to target individuals on the basis of a wide range of criteria. Such criteria may have been developed on the basis of personal data which users have actively provided or shared, such as their relationship status. Increasingly, however, targeting criteria are also developed on the basis of personal data which has been observed or inferred, either by the social media provider or by third parties, and collected (aggregated) by the platform or by other actors (e.g., data brokers) to support ad-targeting options. In other words, the targeting of social media users involves not just the act of “selecting” the individuals or groups of individuals that are the intended recipients of a particular\ message (the ‘target audience’), but rather it involves an entire process carried out by a set of stakeholders which results in the delivery of specific messages to individuals with social media accounts.4

  4. The combination and analysis of data originating from different sources, together with the potentially sensitive nature of personal data processed in the context of social media 5 , creates risks to the fundamental rights and freedoms of individuals. From a data protection perspective, many risks relate to the possible lack of transparency and user control. For the individuals concerned, the underlying processing of personal data which results in the delivery of a targeted message is often opaque. Moreover, it may involve unanticipated or undesired uses of personal data, which raise questions not only concerning data protection law, but also in relation to other fundamental rights and freedoms. Recently, social media targeting has gained increased public interest and regulatory scrutiny in the context of democratic decision making and electoral processes.6

 

1 Additional functions provided by social media may include, for example, personalization, application integration, social plug-ins, user authentication, analytics and publishing. Social media functions may be a standalone offering of controllers or they may be integrated as part of a wider service offering.

2 In addition to “traditional” social media platforms, other examples of social media include: dating platforms where registered users present themselves to find partners they can date in real life; platforms where registered users can upload their own videos, comment on and link to other’s videos; or computer games where registered users may play together in groups, exchange information or share their experiences and successes within the game.

3 Targeting has been defined as “the act of directing or aiming something at a particular group of people” and “the act of attempting to appeal to a person or group or to influence them in some way”. https://www.collinsdictionary.com/dictionary/english/targeting.

4 The messages delivered typically consist of images and text, but may also involve video and/or audio formats.

5 Personal data processed in the context of social media may constitute ‘special categories of personal data’ pursuant to Article 9 GDPR, relate to vulnerable individuals, or otherwise be of a highly personal nature. See also Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248 rev. 01, p. 9.

6 See, for example: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-03-13-statement-on- elections_en.pdf;
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/07/findings- recommendations-and-actions-from-ico-investigation-into-data-analytics-in-political-campaigns/;
https://ec.europa.eu/commission/sites/beta-political/files/soteu2018-data-protection-law-electoral-guidance- 638_en.pdf;
https://www.personuvernd.is/information-in-english/greinar/nr/2880 .

 

|

« 欧州データ保護委員会 (EDPB)が「GPDRにおけるコントローラとプロセッサーの概念に関するガイドライン」について意見募集をしていますね。。。 | Main | ドイツBSIが、船舶に関連するサイバーセキュリティの強制力のあるガイドを出していますね。。。 »

Comments

Post a comment



(Not displayed with comment.)


Comments are moderated, and will not appear on this weblog until the author has approved them.



« 欧州データ保護委員会 (EDPB)が「GPDRにおけるコントローラとプロセッサーの概念に関するガイドライン」について意見募集をしていますね。。。 | Main | ドイツBSIが、船舶に関連するサイバーセキュリティの強制力のあるガイドを出していますね。。。 »