29/03/2023
Briefing

Separate to this, in January 2023, the decisions of the Data Protection Commission (“DPC”) in its inquiries into processing of personal data for personalised commercial content on Facebook and Instagram were published, resulting in a €390 million total fine for Meta and new regulatory guidance on the interpretation of the contractual necessity legal basis under the GDPR. Both mark a changing landscape for digital advertising through enhanced obligations and increased scrutiny of the legality of processing operations involving personal data. In this briefing, the third in our series on the DSA, we look at this changing landscape for digital advertising.

What does the DSA do to advertising and who does it apply to?

One of the DSA’s main objectives is establishing a safe, predictable, and trusted online environment in which the rights enshrined in the Charter of Fundamental Rights of the European Union (“Charter”) are duly protected. Advertising rules under the DSA serve this objective by providing users with more information about why advertisements are presented to them and increasing risk mitigation and transparency requirements.

The DSA defines an ‘advertisement’ as information that is designed to promote the message of a legal or natural person, whether to achieve commercial or non-commercial purposes and is presented by an online platform on its website or app for remuneration. Rules under the DSA on advertisements will apply to the following types of entities:

  • Online platforms: hosting services that, at the request of a recipient of the service, store and disseminate information to the public, unless that activity is a minor and ancillary feature of another service or the main service;
  • Very large online platforms (“VLOPs”): an online platform with 45 million average monthly active recipients or more, which is designated by the European Commission;
  • Very large online search engines: (“VLOSEs”): a search engine within the meaning of the DSA with 45 million average monthly active recipients or more, which is designated by the European Commission

Key considerations for digital advertising under the DSA

The DSA takes a tiered approach to digital advertising.

  • For online platforms there are transparency rules along with restrictions on the use of certain data types for advertising based on profiling (i.e., for targeted advertising).
  • For VLOPs and VLOSEs, there are enhanced transparency obligations and risk mitigation obligations related to advertising systems.

The new regulations introduced by the DSA include:

For Online Platforms:

Transparency Rules: Article 26 of the DSA introduces minimum transparency requirements for digital advertising. Providers of online platforms must inform each individual recipient of an advert of the following:

  • that the information is an ad;
  • the natural or legal person on whose behalf the ad is presented;
  • the natural or legal person who paid for the ad, if different to the natural or legal person on whose behalf the ad is presented;
  • meaningful information, “that is directly and easily accessible” from the advert, about the main parameters used to target recipients;
  • where applicable, how the recipient can change those parameters.

These requirements align with one of the main purposes of the DSA, which is to ensure that the service recipients are made aware that they have been presented with a targeted ad. Essentially, this means ensuring that recipients are aware that the advertisement is intended to be more effective as it is specifically addressed to them, and making them aware of the main profiling criteria used for that.

Although it is not possible to fully determine the consequences of these new obligations, there will likely be a disruptive effect on the digital advertising market. For instance, in the case of “Real-time bidding” advertising, which allows buying and selling of adverts in real time through an instant auction, a re-shaping of the RTB advertising chain is expected.

Profiling Prohibitions: The DSA prohibits online platforms from presenting advertisements to adult service recipients that are based on profiling using special category data, such as racial or ethnic origin or political opinions, as defined in the GDPR. It also prohibits the use of profiling to present advertising to minors (where the online platform is reasonably certain the individual is a minor). These prohibitions limit the ability of online platforms to serve targeted advertising to minors and the categories of personal data that can be used to serve targeted advertising to adults.

For VLOPs and VLOSEs:

Obligation to mitigate risk related to advertising systems
Article 34(1) DSA requires VLOPs and VLOSEs to conduct assessments to identify and analyse systemic risks in the EU stemming from the design or functioning of their services. Article 35(1) DSA requires VLOPs and VLOSEs to put in place “reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks…” that they have identified. Examples of these measures are listed in the sub-paragraphs of Article 35(1) DSA. Notably, they include adapting advertising systems and adopting targeted measures “aimed at limiting or adjusting the presentation of advertisements in association with the service they provide”.

Enhanced transparency and “repositories of advertisements
VLOPs and VLOSEs will be required to create repositories of all ads presented on their platform for the period during which they present the advertisement and at least one year after the advertisement’s final exposure.

For each ad presented to service recipients, the information about transparency mentioned above must be made available as well as:

  • the period during which the ad was displayed;
  • the targeting parameters used in serving the ad; and 
  • the total number of people who were exposed to the ad, broken out by the groups of recipients specifically targeted.

All this information must be made available in a searchable and reliable tool in a specific section of the VLOP’s or VLOSE’s online interface, i.e. its website or app.

DPC decisions in Meta inquiries under the GDPR

As well as the countdown to the effective date of the DSA, which includes this enhanced framework for advertising transparency, recent DPC decisions also force controllers to take another look at the legal basis under the GDPR for targeted advertising.

In January 2023, the DPC adopted its final decisions on two inquiries into the processing of personal data in the context of Meta’s advertising practices on Facebook and Instagram (DPC Inquiry References: IN-18-5-5 and IN-18-5-7). These decisions, fining Meta a total of €390 million, looked at Meta’s reliance on the contractual necessity legal basis in Article 6(1)(b) GDPR to process personal data for the personalisation of commercial content on its Facebook service and its Instagram service.

In its Terms of Use for both platforms, Meta provided that personalisation of commercial content was part of its service, which it argued enabled it to rely on necessity for the performance of a contract as the legal basis for processing personal data to serve targeted advertising. While the DPC accepted this argument, it was contested by other concerned supervisory authorities and ultimately was overruled by the EDPB under the Article 65 GDPR procedure. In line with its Guidelines 02/2019, the EDPB took the view in both decisions that necessity for performance of a contract should be interpreted as “impossible to perform the contract without”. In both Binding Decisions (3/2022 and 4/2022) the EDPB considered that the main purpose for which users, called service recipients under the DSA, use Instagram and Facebook and accept their respective terms of use “is to share content and communicate with others, not to receive personalised advertisements”.

As the EDPB considered that the contracts with users could be performed without personalisation of commercial content and that behavioural advertising was not an “essential or core element” of either service, it determined that neither the Facebook nor Instagram service could rely on contractual necessity as the legal basis for these processing activities.

Meta must update its Terms of Use and Privacy Policy and to identify an alternative legal basis to contractual necessity to ground its processing operations relating to targeted advertising if it wishes to continue these activities. Meta has three months from the date of service of the decisions to make these changes, a timeline that will likely expire at the end of March this year.

Conclusion

The character Don Draper, advertising guru of “Mad Men” fame, once noted “our worst fears lie in anticipation”. With the recent developments discussed in this briefing, the digital advertising landscape is certainly changing, much to the anticipation of both online platforms and the recipients of their services. However, for online platforms who have gone through growing pains since GDPR and its enhanced transparency requirements came into force in May 2018, there is an existing toolkit to draw from to manage this next generation of transparency and risk mitigation requirements.

The authors wish to thank Ian Coleman for his contribution.