Personalisation of digital audiovisual service + use of social media logins: Belgian DPA follows our arguments that contract can be a valid legal ground for personalised services and that terms of use of an online service can be a valid contract to that end, and it recognises that provided there is transparency & data minimisation, social media logins can be used to facilitate account creation.
The case concerned Auvio, an audiovisual service provided by the French-speaking public broadcaster in Belgium, and the Belgian DPA explicitly took into account the fact that there was no legal obligation even for that broadcaster to make its media content freely available online to anyone.
1) On contract as a legal ground under GDPR
The Belgian DPA found that there was a contract and that there was sufficient justification regarding the contractual necessity of many data items, even regarding the personalised nature of the service. For some, it found that it did not have sufficient elements to conclude to objective necessity, however, emphasising the importance of documenting necessity for each data item. (The Belgian DPA quotes the CJEU’s Mousse judgment, for instance, re gender.)
A few relevant excerpts hereunder, but read in particular paras. 63, 70, 73-74 (examples of what the Litigation Chamber found to be objectively necessary and what not) and 75.
2) On the use of social media logins:
The Belgian DPA recognised that the use of social media logins to facilitate account creation can be permitted, provided transparency obligations are met. The Belgian DPA balanced the fact that there is a “conscious choice” by the controller to “[allow] future users to create an account from the data of a social network on which they are already registered” with the fact that “creating an […] account “from scratch” or via a social network is a choice that belongs to the user” – but in that case the user must “be informed of the data processing that will take place in this case to enable him to make a conscious choice”.
It also emphasised that “Any creation of an account without the user’s knowledge during the latter’s connection via a social network (excluding the registration procedure) is prohibited”, recognising ultimately that “at the hearing, the defendant sufficiently demonstrated that, as far as the registration process was concerned, there was no confusion between connection on the one hand and registration on the other”.
A few relevant excerpts hereunder (mainly paras. 88-90), but paras. 92 and following are also worth the read to see which factual circumstances led to the conclusion that “the registration procedure was presented in clear steps, and one of the steps involved connecting to a social network to create an […] account”.
Link to the decision (in French)
Excerpts:
1/ On contract as a legal ground:
Para 63: “the Litigation Chamber is of the opinion that a contract has indeed been concluded between the user on the one hand, here the plaintiff, and the defendant on the other, by means of the subscription to the Auvio service (adherence to the [T&Cs] and provision of personal data). There is nothing to call into question the validity of this contract under the applicable Belgian law. As to the question of whether a contract was indispensable, the Litigation Chamber notes the defendant’s management contract and the absence of any obligation on the part of the latter to provide free access to its media content via the Internet. In the present case, the Litigation Chamber has no grounds, in the exercise of its powers, to contest the applicability of this management contract, its content or the consequences drawn from it in casu.”
70: “In short, the processing in question must be “objectively indispensable” to the performance of the contract (i.e. to achieve a purpose that is an integral part of the contractual service intended for users), such that the main purpose of the contract could not be achieved in the absence of the processing. Necessity is not determined solely by the formalization of the contract and its content. If there are realistic and less intrusive alternatives, processing is not necessary. The data controller should be able to justify the necessity of his data processing in relation to the fundamental and mutually understood contractual purpose. In this respect, it should finally be possible for an ordinary user to know the “fundamental and mutually understood” purpose on the basis of the information presented by the data controller.”
75: “In conclusion, insofar as it can demonstrate that all this data is essential to the variable personalization of the “Auvio” service (service as presented under the terms of the various information documents brought to the attention of users of the service), the defendant is entitled to rely on Article 6.1. b) of the GDPR. Where this data is optional, it is important that this is made very clear to the user, as well as the resulting personalization of the service; this is so that the subscriber can make an informed choice.”
2/ On the use of social media logins to facilitate account creation:
88: “Allowing future users to create an account from the data of a social network on which they are already registered is a conscious choice on the part of the defendant. During the hearing, the defendant emphasized that this choice had been made to facilitate its users’ access to Auvio content. This does not mean, however, that whoever makes this choice is completely free of responsibility for the way in which the social network communicates data to its service. Creating an Auvio account “from scratch” or via a social network is a choice that belongs to the user. The latter must nevertheless be informed of the data processing that will take place in this case to enable him to make a conscious choice.”
89: “The information provided to this effect must be perfectly explicit – both in text and visual form – so that the user understands that he or she has the choice of either (1) creating an account by communicating data to the defendant directly from the “Auvio” registration page, or (2) creating an account by connecting to his or her favorite social network, whose available data necessary for the performance of the Auvio contract (see below) will be reused for the creation of the Auvio account. As for the creation of an account via a social network connector, it must also be clear that the connection to the said social network is part of the registration process and is intended to create an account on Auvio based on the data available on the said social network which is necessary for this service. It must be clear that, as already mentioned, this is not a simple direct connection to Auvio via the social network. Any creation of an account without the user’s knowledge during the latter’s connection via a social network (excluding the registration procedure) is prohibited.”
90: “Information on the data processing involved in this account creation must be available (if necessary via an active hyperlink that refers to the relevant information document(s)) at the time the account is created.”
92: “The Litigation Chamber is of the opinion that, at the hearing, the defendant sufficiently demonstrated that, as far as the registration process was concerned, there was no confusion between connection on the one hand and registration on the other.”