Out-Law News

‘Rigid’ guidelines impact online platform advertising


Online platforms cannot serve adverts to EU users based on profiles of those users built using sensitive data about them – even if those users provide their explicit consent to such activity, according to a data watchdog.

The point was emphasised by the European Data Protection Board (EDPB) in new guidelines it has produced (39-page / 685KB PDF) on the interplay between two major pieces of EU legislation – the General Data Protection Regulation (GDPR) and the Digital Services Act (DSA).

The GDPR governs the processing of personal data, with the strictest conditions applicable to the processing of special categories of data – which include data about a person’s race or ethnicity, health, political opinions, or religious beliefs, among other examples. One basis for processing special category data is where an organisation has obtained the explicit consent of the data subject to do so.

The DSA, for its part, provides for a tiered system of regulation affecting online intermediaries falling into various categories. Among other things, the DSA contains provisions relevant to online advertising, including rules that ban online platform providers presenting ads to users if the ads are set with reference to user profiling using special category data.

In its guidelines, the EDPB confirmed that this prohibition stands, even if online platform providers have a lawful basis for processing the data under the GDPR – like explicit consent.

“There is a web of EU regulation relevant to companies operating in the digital market, which can be challenging for them to navigate holistically when seeking to operate compliant commercial solutions,” said Dr Nils Rauer, a Frankfurt-based technology law expert at Pinsent Masons. “On this basis, the aim of the EDPB to provide guidance on the interplay of two important frameworks that somewhat overlap – the GDPR and the DSA – is to be welcomed.”

“However, the EDPB has arguably adopted a rigid interpretation of the DSA’s advertising provisions. By foreclosing the possibility of relying on explicit consent for profiling based on special categories of data, the EDPB risks undermining the principle of proportionality and may constrain legitimate, rights-respecting data uses in specialised sectors,” he said.

Rauer said restrictive measures are needed in some specific areas. As an example, he said the rules on the protection for children as provided for in both the GDPR and the DSA need to be interpreted and applied broadly to ensure adequate safeguarding.

A recital to the GDPR states that protections should apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles, which is to be read in the context of the regulation’s more general rules, including on transparency and regarding the lawful bases for processing personal data. The DSA requires providers of online platforms accessible to minors to put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors on their service, while all online platform providers are expressly prohibited from serving targeted advertising to children based on personal data processing, whether special category data or not.

“The prohibition of targeted advertising based on profiling of minors under the DSA, irrespective of consent under the GDPR, and the requirement that age assurance mechanisms be privacy-preserving and non-intrusive, represent a significant strengthening of child data protection standards in the EU digital regulatory framework,” said Rauer.

London-based Meghan Higgins, also of Pinsent Masons, said the EDPB’s guidelines reflect a broader push across jurisdictions to recognise and address the potential harms children face online.

“There have been a number of significant new regulatory developments requiring online platforms to consider and address the specific needs of children over the last few months alone,” said Higgins. “The European Commission published its guidelines on the protection of minors under the DSA in early July, and platforms in scope of the UK’s Online Safety Act that are likely to be accessed by children were required to implement measures to protect child users from 25 July. The compliance obligations on services vary both within and across jurisdictions, so efforts to explain how these measures can be harmonised will be very welcome.”

The EDPB’s new guidelines, while reflective of its interpretation of EU rules, are not binding, as they have not yet been tested in court. The guidelines are also subject to potential update – the EDPB is inviting comment on them until 31 October 2025.

The EDPB said it is working on further guidelines addressing the interplay between the GDPR and other legislation relevant to digital businesses. Those guidelines will address the link between the GDPR and the EU Digital Markets Act (DMA), on the one hand, and the GDPR and the AI Act, on the other. It is developing those guidelines in tandem with the European Commission.
