by Thomas Nygren & Oskar Engman
The opportunities and risks of targeted advertising – or rather of the online tracking technologies employed to achieve it – have, for several years, been debated and subjected to an expanding regulatory landscape due to privacy concerns. By now, most of our readers are probably aware that, for the EU/EEA area, the GDPR and ePrivacy directive form the fundamental legal frameworks in this regard. Unfortunately for European and other affected businesses, however, the relationship between these frameworks and their application is still clouded by a level of uncertainty, leading to what might appear as unpredictable outcomes in supervisory procedures. In a recent decision[1] by the Swedish Data Protection Authority Integritetsskyddsmyndigheten ("IMY"), the Swedish company Bonnier News AB ("BN") was issued an administrative fine of 13 MSEK (ca. 1,1 MEUR) for, inter alia, profiling website visitors and customers of associated group companies for the purpose of targeted advertising online without legal basis under the GDPR. Although the ePrivacy directive was not applicable to BN's processing activities, IMY still concluded that it plays a major part in the assessment of legal basis under article 6.1 f of the GDPR (balance of interests) in joint controller relationships.
IMY's supervision of BN, including local inspection and subsequent written correspondence with BN, took place between November 2019 and April 2023. In short, the relevant facts were as follows: BN formed, together with several other associated companies ("AC"), a company group. The group had set up two joint databases: a behavior database and a customer database. The behavior database contained behavioral browsing data, such as time spent on different webpages, collected from the ACs' website visitors' terminal equipment using cookies (simple behavior profile). The customer database consisted mainly of data such as the AC customers' contact information, purchase history and buying power. In some cases, however, the customer database also contained behavioral browsing data, where such data could be tied to a specific customer because the customer had been logged in to their website account while browsing the AC website (expanded behavior profile). The ACs collected the different data points and then transferred them to the joint databases, where BN would utilize the data to profile the ACs' respective website visitors and customers. The ACs could then request segments of data from these profiles from BN for the purpose of targeted advertising, e.g. online.
In assessing the legal implications of the facts, IMY first determined that BN's processing activities did not fall within the scope of the ePrivacy directive and its mandatory rules on using consent as a legal basis for storing and collecting information from users' terminal equipment, since BN's processing activities began at a later stage. Therefore, BN was in principle free to rely on any adequate legal basis under the GDPR. In this case, BN relied on the legal basis of balance of interests under the GDPR article 6.1 f.
However, IMY also determined that BN and the ACs were joint controllers of the processing activities in the two joint databases, and that data subjects should not be granted less protection than if the profiling etc. was performed by the ACs (i.e., the joint controller who collected the information from the data subjects' terminal equipment). Since the ACs were required to rely on consent for the data collection under the ePrivacy directive, IMY reasoned that the data subjects' protection risked being undermined if BN could then, at a later stage, rely on a different legal basis, such as balance of interests under the GDPR article 6.1 f.
Taking this into account, IMY reasoned that although BN was not prohibited per se from relying on balance of interests for the processing activities under review, it had in principle very little room to do so in practice.[2] In this particular case, IMY ultimately assessed that BN's legitimate commercial interest did not override the privacy interest of the data subjects (the "Balance"), and so BN lacked legal basis for the processing activities in question.
Our interpretation of IMY's opinion is that IMY, when conducting the Balance, put significant weight on the fact that consent grants data subjects a lot of control over their personal data relative to when other legal bases are relied on - and probably rightly so. However, IMY made an interesting statement when considering the importance of data subjects' expectations. IMY stated that "the nature of the profiling is not something a data subject can expect without having consented to it"[3]. For us, this statement raises at least two questions: i) to what extent should the type of legal basis be considered to affect data subjects' expectations? And ii) to what extent should providing information be considered to affect data subjects' expectations?
In our view, IMY does not give an informative answer to the first question. Regarding the second question, we note that IMY did not consider information provided in, e.g., available privacy notices, which implies that it did not consider this an important factor. If this implication reflects IMY's actual opinion and is not just a mistake, IMY's statement above is contradictory since a data subject cannot give a valid consent under the GDPR and ePrivacy directive unless he or she is properly informed.[4] According to the European Data Protection Board, one purpose of this information requirement is (unsurprisingly) so that data subjects can understand what they are agreeing to.[5]
IMY's decision has been appealed and it will be interesting to see what arguments are presented to the court. Will this be the end of relying on balance of interests as a legal basis for profiling and profile sharing for the purpose of targeted advertising in joint controller relationships? Schjødt will monitor any future developments closely and update our readers accordingly.
[1] Integritetsskyddsmyndighetens beslut 2023-06-26, dnr. DI-2019-11737 (the "BN-decision").
[2] BN-decision, page 18.
[3] BN-decision, page 20.
[4] GDPR article 4.11 and ePrivacy directive article 2 f read together with GDPR article 94.2.
[5] European Data Protection Board guidelines 05/2020 on consent (p. 62).