Social media: roles, joint controllership, transparency
(SMPs) collect data users provide, observe, and infer/predict. The SMP is a controller. The pivotal case is Wirtschaftsakademie (the 'Facebook Fan Page' case): a fan-page administrator was a joint controller with the SMP for visitor data - even though it never processed the data itself. The EDPB extends this to advertisers and other . Joint responsibility need not be equal. Transparency: 'advertising' alone is not enough - users must be told what profiling happens.
| Actor | Likely role |
|---|---|
| SMP provider | Controller (communications platform + advertising use) |
| Third party offering services via the SMP | May also be a controller |
| Fan-page administrator / targeter | Joint controller with the SMP (Wirtschaftsakademie) |
| SMP user posting for personal reasons | Exempt under the household exemption |
| SMP user acting for an organisation / sharing too widely | Controller - household exemption does NOT apply |
A fan-page administrator was a joint controller with the SMP for visitor data, even though it did not itself process the data - because it set parameters and gave the SMP the chance to place cookies. But joint responsibility does not imply equal responsibility; the SMP likely has primary responsibility.
- Saying merely 'advertising' is not enough - explain the processing and its practical meaning
- Tell users if a profile will be built and used for targeting by third parties, and what data feeds it
- Provide info directly on screen, interactively, with layered notices where appropriate
- The essence of a joint-controller arrangement must be made available (Art 26(2))