Facebook CA – Controversy Alert!

Back in April 2018 we published an insight piece on the lawful basis for using Facebook’s Custom Audiences tool, in which we concluded that relying on legitimate interests as a lawful basis for the use of this feature was unlikely to be suitable, and that consent was a more appropriate basis.

Well, it seemed we were channelling some psychic powers there, as not long afterwards, the Bavarian Data Protection Authority (BayLDA) ordered an online shop to delete its Custom Audiences data and made a finding that CA could only be used if explicit consent had been obtained from the data subject.

The shop organisation appealed to the Higher Administrative court for the state of Bavaria, challenging BayLDA on a number of points.

At the end of 2018, the official finding of the court upheld BayLDA’s original enforcement decisions (link in original German)  and set the precedent that use of the Custom Audiences tool is only lawful if it is done on the basis of explicit consent.

Unpicking the decision

The court considered the following points:

  1. whether personal data was being processed,
  2. whether Facebook’s assertion of being only a Data Processor was accurate, and
  3. whether legitimate interests was a valid lawful basis.

1. Personal data

When an organisation uploads email address or phone number lists to Facebook, that information is mathematically scrambled (“hashed”) so that the original contact info can’t be deciphered, and the hash values are compared to those of existing  Facebook user contact details.

Where there is a match between the Facebook user info and the customer info, that person will be included in the target group for the advertising, and Facebook updates the matched profiles to record that the individual is a customer of that organisation (as well as whatever inferences can be drawn from that).

Although the hashed contact info is said to be unreadable by Facebook, it is still ‘personal data’ by the GDPR definition, because it can be used by Facebook to ‘single out’ and have an impact on unique living individuals, even if the original information is obscured. The data has been pseudonymised, rather than anonymised, and pseudonymised personal data is still personal data. Therefore, all of the processing which is done to the hashed contact details is ‘processing of personal data’.

2. Data Processor

In the terms of use for Custom Audiences (and Lookalike Audiences), Facebook claim to be a Data Processor only, on the basis that they don’t have access to the contact information that is uploaded, except to turn it into the hash values.

However, that hash is still ‘personal data’ and Facebook logs any match with an existing user and uses it to infer additional information about them, (such as their buying habits, hobbies, interests, profession (etc)), which will be used for its own internal commercial purposes. Facebook is therefore partly ‘determining the purpose and means’ for processing personal data, which what a Data Controller does. In fact, Facebook and the organisation using Custom Audiences are Joint Controllers for the hash-matching activity because they are relying on each other for the processing, and have a shared interest in the outcomes.

The GDPR requires Joint Controllers to have a written agreement which sets out the purpose and lawful basis for processing, each party’s responsibilities, standards all must meet, and how liability is distributed. Currently, the terms of use for Custom Audiences does not meet this requirement.

3. Lawful basis

The court found that for the following reasons, legitimate interests was not a suitable basis for the disclosure of customer details to Facebook:

  • There would be no reasonable expectation that personal data would be disclosed to a 3rd party which is not involved in the sale or fulfilment of the goods or services which were procured.
  • The customer has a legitimate interest that their personal data is not disclosed to another Data Controller, for a different purpose than for which it was obtained.
  • Where an organisation is seeking to process personal data on the basis of legitimate interests, the interest of the Data Controller must be necessary and adequate in comparison to the interest of the data subject. If an alternative measure which provides more robust privacy protection for the individual (i.e. asking for their consent) is available; then it is therefore not ‘necessary’ to process on the basis of legitimate interests.

Bottom Line: you can’t use legitimate interests as a way of avoiding asking for consent, because then it’s no longer ‘legitimate’)

What does this mean for everyone else?

Now, it is important to note that this ruling only applies in Bavaria at the moment, but the other German Data Protection Authorities co-ordinated with BayLDA on this decision, and are likely to adopt the same position in other parts of Germany.

Additionally, BayLDA has been approached by other EU regulators, expressing their support for this decision. The ‘consistency mechanism’ of the GDPR hasn’t really been sent into action yet, but if anything causes these provisions to be tested, it’s likely to be the fallout from this case.

As far as we know, the ICO has not yet expressed an opinion on whether they will be adopting BayLDA’s position, so the enforcement risk of continuing to use ‘legitimate interests’ as a lawful basis for Custom Audiences in the UK remains low.

However, enforcement risk is not the only factor that must be considered here.

There is also a reputational risk, especially now that Facebook users have access to information about which organisations have uploaded their email address or phone number to Custom Audiences.

If your organisation relies on public goodwill and trust to be able to operate, then at the very least, you need to make sure that you are being robustly transparent about this use of customer or supporter data. It is unlikely that pointing to a brief mention of Custom Audiences within a large privacy policy will meet transparency requirements, particularly if no mention is made of the way that Facebook uses the data after a match is made.

There is also an ethical risk, especially if the nature of your organisation allows your customers’ and supporters’ health, religion, sexuality, ethnicity, trade union membership, or political opinions to be inferred by Facebook from their association with you, and added to their user profile for future targeting. In strictly legal terms, the processing of special category personal data in this way would require explicit consent anyway; but in the absence of UK enforcement on this point, the decision whether to expose these aspects of individuals’ lives to Facebook and their advertising partners must take your organisation’s values into consideration alongside the legal finding.

Action points

1. Review your use of Custom Audiences to determine whether your risk/benefit position has changed following this ruling. Your options are:

  • Continue using Custom Audiences without consent.
  • Only upload the contact details of data subjects who have consented to have their information shared with Facebook for targeted advertising and profiling.
  • Discontinue the use of Custom Audiences.

2. Consider surveying customers/supporters/beneficiaries to ask for their views on whether they would consider use of their contact information for Facebook’s targeted advertising and profiling, to be reasonable.

3. Analyse whether the benefits to your organisation from using this tool without consent, outweigh the impact to data subjects’ rights and freedoms. Document your reasoning.

4. Explain the processing clearly and prominently in a privacy notice at the time of data collection. A link to a generic privacy policy is unlikely to be enough, considering that the use of their data for profiling and targeted advertising will probably not be within the data subject’s reasonable expectations.

5. Put in place processes for handling objections to the use of personal data: even if you decide not to move this to a consent basis, you must be able to honour any objections to this use of personal data.

Call us on 01743 636 562 or email help@protecture.co.uk to discuss how we can help you with all your data protection and privacy needs.