Last month, the Bavarian State Office for Data Protection Supervision published a comprehensive checklist on how companies must handle Facebook’s “Custom Audiences” advertising tool in order to use it in compliance with the GDPR.
However, the state office considered the use of this function, in the form of uploading one’s own customer list, to be a data protection violation and obliged companies to delete their own lists. The Administrative Court ruled that:
1. The transmission of hashed e-mail addresses to a social network for the purpose of playing out targeted advertising does not take place within the scope of commissioned data processing if the data recipient has its own scope for decision-making and discretion in determining the customer base to be advertised. (para. 11 ff.)
2. Unless the data subject has given his or her express consent, the lawfulness of disclosing e-mail addresses for advertising purposes is to be decided, in accordance with Section 28 (2) 1 No. 2 of the German Data Protection Act (BDSG a.F.), by weighing interests in an interpretation in conformity with Union law. (para. 26 ff.)
It can therefore now be assumed that numerous companies, marketers, agencies and the like will have to quickly revise the way they handle Facebook ads and how they target specific ads to specific groups of people.
The following passage in the decision is particularly relevant:
bb) Facebook does not act as a commissioned processor (Section 11 BDSG a.F.) within the scope of the “Custom Audience” service. With reference to the statements in the contested decision, the Administrative Court correctly determined that there is no commissioned data processing relationship in the present case constellation and that the forwarding of the hashed e-mail addresses to Facebook is to be regarded as the transfer of data to a third party (Section 3 (8) sentence 2 BDSG old version).
For classification as commissioned data processing, the decisive factor is who is responsible for processing the data. Only complete subordination in the collection, processing and use of the data to the client’s specifications regarding the means and purpose of the data processing entitles the data transfer to a commissioned data processor to be exempted from the legal justification requirements for the transfer of personal data. The inclusion of further work steps in the processing operation does not preclude commissioned data processing if the algorithms involved are simple and clearly defined by the client (Spoerr in Wolff/Brink, loc. cit., Section 11, marginal no. 38). The degree of control actually exercised by a party, the impression conveyed to the data subjects and their legitimate expectations based on the external effect must also be included in the assessment (Working Paper 169 of the Art. 29 Data Protection Working Party, op. cit., p. 14). In general, commissioned data processing can be assumed if the client reserves the decision-making authority, if necessary by specifying differentiated criteria, and does not grant the service provider any scope for evaluation and discretion with regard to content (Gola/Schomerus, Bundesdatenschutzgesetz, 12th ed. 2015, § 11 marginal no. 9). However, the case is different if the contracted company decides on the technical and organizational means of data processing independently and without specifications (Working Paper 169 of the Art. 29 Data Protection Working Party, loc. cit. p. 19).
That is the case here. As the applicant itself states in the statement of grounds for appeal, Facebook decides independently, by evaluating the usage behavior of its members, which users correspond to the applicant’s target group definition and are consequently advertised to. Facebook selects the customers to be advertised to on the basis of the profile data known and available only to Facebook and is alone able to determine the customers to be advertised to and to play out the advertising. Facebook is – according to the applicant – completely free in the implementation of the service and the evaluation of the behavior of its users. It declares itself to have no influence on the data collection and processing procedures. The applicant bases the assessment that Facebook is acting as a commissioned data processor exclusively on the breakdown of the individual action steps of the service offered by Facebook. However, since, as explained, the service “Facebook Custom Audience via the customer list” forms a uniform process from a data protection point of view, which cannot be broken down into different parts that can be assessed independently from a legal point of view, this cannot justify the commissioned data relationship alleged by the applicant.