Analyzing your audience to communicate better... what are the rules?
Legal Watch No. 49 – July 2022
Today, media and social networks allow businesses to analyze their audience in order to better target them, improve their image and adapt their marketing strategy.
It is therefore possible, and increasingly common, to call upon a "social media monitoring" company which will comb the web, follow the most relevant conversations on social networks and provide its clients with reports and analyses adapted to their needs.
Although public, the data thus analyzed is often personal data that remains protected by the GDPR, whether it concerns influencers, journalists or other people active on social networks.
Who must comply with these obligations?
When a company contracts with an external partner to assess how it is perceived on social media, the client company is considered the data controller for the contracted service, and the media monitoring company is the processor.
The implications are significant, as it involves liability for how social media data is collected, processed and stored.
It is therefore advisable to check several elements when concluding such a contract, in order to ensure that the practices of the company carrying out the “media monitoring” comply with the GDPR:
- Where is the company located?
If the company is established outside the EU, it is important to check the applicable law, particularly if the company is not located in a country offering an adequate level of protection.
In this case, it will have to use specific guarantees to ensure data protection, most often standard contractual clauses.
- Does the company provide the name and contact details of its DPO?
- Does it publish its data protection policy on its website, or can it be made available upon request?
Please note that a distinction must be made here between the data protection policy for the website and the data processing policy for media monitoring services.
- Are the following details included in this document and/or the contract?
  - Respective roles as processor or data controller, scope of each party's responsibilities;
  - Conditions for collecting personal data, source of data, types of data collected and place of storage, manner in which this data is aggregated or pseudonymized where applicable;
  - Legal basis;
  - Data retention period;
  - Security and confidentiality measures;
  - Transfer of data outside the EU;
  - Information for the persons concerned and methods of exercising their rights.
It is best to trust companies that provide the greatest level of detail regarding these various elements.
This does not exempt the client company from taking additional measures itself as data controller.
With regard in particular to informing the persons concerned, it may be considered that direct information involves disproportionate efforts.
An information notice may, however, be added to the website's data protection policy, informing the public in general about the audience analyses carried out, specifying the various responsibilities and rights, and referring to the external partner's website for more details.
And also
France:
The CNIL published its position on augmented cameras on July 19 and calls for an overall reflection on the proper use of these tools in public spaces.
The Commission points to a risk of widespread surveillance and analysis that could, in response, modify the behavior of people walking in the street or going to shops.
It points out that French law does not authorise the use of augmented cameras by public authorities for the detection and prosecution of offences and believes that it is necessary to set red lines so that these cameras are never used for the purpose of "rating" people.
On July 26, the CNIL published recommendations regarding age control on websites: it calls for the development of more effective and privacy-friendly solutions, with reference to the use of bank cards and facial recognition.
It also supports the development of the role of trusted third parties.
On July 21, the CNIL also imposed a fine of 175,000 euros on Ubeeqo International, a car rental company, in particular for having caused a disproportionate invasion of its customers' privacy by geolocating them almost permanently.
Europe:
The two European regulations on digital markets and digital services (DMA and DSA) were adopted by the European Parliament on July 5 by a very large majority.
The DMA was also finally approved by the Council in July, while the DSA is expected to be approved in November.
The Commission is already considering the creation of a specialized division to ensure compliance with the DMA by digital giants.
The European Data Protection Board (EDPB) responded to TikTok's collection of personal data in a July 28 letter to several NGOs.
It highlights the swift action taken by the Irish, Italian, and Spanish supervisory authorities following TikTok's announcement that it would no longer request users' consent to send personalized ads (the legal basis becoming the legitimate interest of TikTok and its partners).
Following these actions, TikTok announced that it was suspending this change of legal basis.
The EDPB also took a position, together with the European Data Protection Supervisor (EDPS), on the proposed regulation to prevent and combat child sexual abuse.
The proposal aims to impose obligations on various web services related to the detection, reporting, removal and blocking of online child sexual abuse material (CSAM) and child solicitation.
While recalling that they consider these crimes to be particularly serious and heinous, the supervisory authorities note that the intrusive nature of the proposal, in its current form, may present more risks for individuals, and, by extension, for society as a whole, than for the criminals pursued for CSAM.
The EDPB and the EDPS have issued their opinion on the European Commission's proposal for the European Health Data Space (EHDS).
The proposal aims to create a "European Health Union" by "fully utilizing the potential offered by safe and secure exchange, use and reuse of health data."
The opinion highlights in particular the risks associated with the secondary use of electronic health data, which may generate benefits for the public good, but is not without risk to the rights and freedoms of individuals.
The EDPB published its position on transfers to Russia on July 12.
The Board does not comment on the evolution of the level of data protection in this country since the start of the war, but points out that transfers must be subject to an impact analysis on a case-by-case basis.
The Court of Justice of the European Union published an important judgment on August 1 concerning the scope of the protection of sensitive data.
The concept of “special categories” of personal data should be interpreted broadly, in particular to ensure that the objective of Art. 9(1) GDPR is achieved.
The Lithuanian law in question, concerning the prevention of conflicts of interest and corruption, required the publication of the name of the public official's partner.
The Court found that this information could reveal information about the sexual life or orientation of the officer and his partner.
In Norway, the data protection authority has started cooperation with trade unions on monitoring camera surveillance in the workplace.
The Authority's Appeals Committee further agreed that an acquiring company assumes responsibility for the pre-acquisition data controller, and confirmed the decision to fine it approximately €12,000 for unlawful credit scoring in breach of Article 6(1) GDPR (via GDPRhub).
The Lower Saxony Data Protection Authority has fined Volkswagen one million euros for data protection violations in the use of a test vehicle with cameras intended to improve driver assistance and accident prevention systems.
The test car was driven without any visible information in the cameras' surveillance field.
The Danish DPA has reprimanded the Health Data Authority for failing to test its medicines database to detect service architecture errors, which led to a data breach affecting 267 individuals (via GDPRhub).
The DPA also reprimanded Helsingør Municipality for using Google Chromebooks and "Google Workspace for Education" in primary schools.
It has prohibited this processing until it is brought into compliance with the GDPR, and has suspended any related data transfers to the United States (via GDPRhub).
On a related note, in the Netherlands, students and staff are now being directed to DuckDuckGo for their internet searches rather than Google Search.
The Slovenian Data Protection Authority has reclassified an agreement between a cloud service provider and its customers: it found that there was no controller/processor relationship but rather shared responsibilities, as both parties made decisions on the purposes and means of processing (via GDPRhub).
The Baden-Württemberg Chamber of Public Procurement notes that the transfer of personal data to a third country (outside the EU) is inadmissible under the GDPR, even if the corresponding server is operated by a company based in the EU, as long as it is part of an American group.
International:
The NGO Data Rights and its Kenyan partner organizations, the Kenya Human Rights Commission and the Nubian Rights Forum, are suing IDEMIA, a leading French biometric technology company, in the Paris court.
These organizations accuse IDEMIA of not having taken human rights into account in its vigilance plan concerning the capture of biometric data from the population for the development of a national digital identification system in Kenya.
The Daily Mail of July 13th discusses China's use of artificial intelligence to "improve" the functioning of its courts: computers would correct perceived human errors in a verdict, requiring judges to submit a written explanation to the machine if they disagree with the AI's corrections.
Britain and the United States will begin sharing data related to law enforcement investigations in October, as part of a CLOUD agreement between the two countries.
Anne Christine Lacoste
Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.