Back in April 2018 we published an insight piece on the lawful basis for using Facebook’s Custom Audiences tool, in which we concluded that relying on legitimate interests as a lawful basis for the use of this feature was unlikely to be suitable, and that consent was a more appropriate basis.
Well, it seemed we were channelling some psychic powers there, as not long afterwards, the Bavarian Data Protection Authority (BayLDA) ordered an online shop to delete its Custom Audiences data and made a finding that CA could only be used if explicit consent had been obtained from the data subject.
The shop organisation appealed to the Higher Administrative court for the state of Bavaria, challenging BayLDA on a number of points.
At the end of 2018, the official finding of the court upheld BayLDA’s original enforcement decisions (link in original German) and set the precedent that use of the Custom Audiences tool is only lawful if it is done on the basis of explicit consent.
Unpicking the decision
The court considered the following points:
- whether personal data was being processed,
- whether Facebook’s assertion of being only a Data Processor was accurate, and
- whether legitimate interests was a valid lawful basis.
1. Personal data
When an organisation uploads email address or phone number lists to Facebook, that information is mathematically scrambled (“hashed”) so that the original contact info can’t be deciphered, and the hash values are compared to those of existing Facebook user contact details.
Where there is a match between the Facebook user info and the customer info, that person will be included in the target group for the advertising, and Facebook updates the matched profiles to record that the individual is a customer of that organisation (as well as whatever inferences can be drawn from that).
Although the hashed contact info is said to be unreadable by Facebook, it is still ‘personal data’ by the GDPR definition, because it can be used by Facebook to ‘single out’ and have an impact on unique living individuals, even if the original information is obscured. The data has been pseudonymised, rather than anonymised, and pseudonymised personal data is still personal data. Therefore, all of the processing which is done to the hashed contact details is ‘processing of personal data’.
2. Data Processor
However, that hash is still ‘personal data’ and Facebook logs any match with an existing user and uses it to infer additional information about them, (such as their buying habits, hobbies, interests, profession (etc)), which will be used for its own internal commercial purposes. Facebook is therefore partly ‘determining the purpose and means’ for processing personal data, which what a Data Controller does. In fact, Facebook and the organisation using Custom Audiences are Joint Controllers for the hash-matching activity because they are relying on each other for the processing, and have a shared interest in the outcomes.
3. Lawful basis
The court found that for the following reasons, legitimate interests was not a suitable basis for the disclosure of customer details to Facebook:
- There would be no reasonable expectation that personal data would be disclosed to a 3rd party which is not involved in the sale or fulfilment of the goods or services which were procured.
- The customer has a legitimate interest that their personal data is not disclosed to another Data Controller, for a different purpose than for which it was obtained.
- Where an organisation is seeking to process personal data on the basis of legitimate interests, the interest of the Data Controller must be necessary and adequate in comparison to the interest of the data subject. If an alternative measure which provides more robust privacy protection for the individual (i.e. asking for their consent) is available; then it is therefore not ‘necessary’ to process on the basis of legitimate interests.
Bottom Line: you can’t use legitimate interests as a way of avoiding asking for consent, because then it’s no longer ‘legitimate’)
What does this mean for everyone else?
Now, it is important to note that this ruling only applies in Bavaria at the moment, but the other German Data Protection Authorities co-ordinated with BayLDA on this decision, and are likely to adopt the same position in other parts of Germany.
Additionally, BayLDA has been approached by other EU regulators, expressing their support for this decision. The ‘consistency mechanism’ of the GDPR hasn’t really been sent into action yet, but if anything causes these provisions to be tested, it’s likely to be the fallout from this case.
As far as we know, the ICO has not yet expressed an opinion on whether they will be adopting BayLDA’s position, so the enforcement risk of continuing to use ‘legitimate interests’ as a lawful basis for Custom Audiences in the UK remains low.
However, enforcement risk is not the only factor that must be considered here.
There is also a reputational risk, especially now that Facebook users have access to information about which organisations have uploaded their email address or phone number to Custom Audiences.
There is also an ethical risk, especially if the nature of your organisation allows your customers’ and supporters’ health, religion, sexuality, ethnicity, trade union membership, or political opinions to be inferred by Facebook from their association with you, and added to their user profile for future targeting. In strictly legal terms, the processing of special category personal data in this way would require explicit consent anyway; but in the absence of UK enforcement on this point, the decision whether to expose these aspects of individuals’ lives to Facebook and their advertising partners must take your organisation’s values into consideration alongside the legal finding.
1. Review your use of Custom Audiences to determine whether your risk/benefit position has changed following this ruling. Your options are:
- Continue using Custom Audiences without consent.
- Only upload the contact details of data subjects who have consented to have their information shared with Facebook for targeted advertising and profiling.
- Discontinue the use of Custom Audiences.
2. Consider surveying customers/supporters/beneficiaries to ask for their views on whether they would consider use of their contact information for Facebook’s targeted advertising and profiling, to be reasonable.
3. Analyse whether the benefits to your organisation from using this tool without consent, outweigh the impact to data subjects’ rights and freedoms. Document your reasoning.
5. Put in place processes for handling objections to the use of personal data: even if you decide not to move this to a consent basis, you must be able to honour any objections to this use of personal data.
Call us on 020 3691 5731 or email firstname.lastname@example.org to discuss how we can help you with all your data protection and privacy needs.