At the recent IAPP Data Protection Congress 2021 in Brussels, Editorial Director Jedidiah Bracy, CIPP, reported on pending data-related legislation. He noted the EU General Data Protection Regulation is not the only statute privacy professionals dealing with the EU need to be familiar with. Many of us are aware of the ePrivacy Directive, currently updated to become the ePrivacy Regulation, the draft Data Governance Act, the draft Act on Artificial Intelligence and the (postponed) Data Act, but few privacy professionals have the Digital Markets Act or the Digital Services Act on their radar.
All too often, the DMA is categorized as an additional competition law tool meant to address distortions in digital marketplaces, while the DSA is reduced to content moderation and liability of online intermediaries. Privacy professionals may think these statutes have no bearing on their day-to-day privacy work. The reality is more complex: both pieces of legislation, and especially the DMA, have provisions privacy professionals need to be aware of.
At the time this article goes to press, neither the DMA nor DSA are final. The European Commission proposals date from December 2020. Following the normal legislative procedure in the EU, both the Council of the European Union (representing the EU Member States) and the European Parliament independently review the proposals and agree on a series of amendments. Differences in the text agreed on by the Council and the EP are then reconciled in the so-called trilogue procedure. The DMA is the furthest along, with a Council sign-off Nov. 25 and a near final EP version. The DSA is a little behind schedule with a final Council version agreed on Nov. 25, but an ongoing review of the EC’s proposal in the EP. Still, the discussions have progressed sufficiently to draw some first conclusions.
The DMA applies to designated gatekeepers, i.e., providers of core platform services — exhaustively listed in Article 2 as being online intermediation, search engines, social networks, video sharing, operating systems, cloud computing and advertising — that meet the criteria set out in Article 3 of the European Commission proposal. There is not yet a list of gatekeepers, and while the exact scope of the DMA has been and likely will remain the subject of heated debate, the GAFAM companies (Google, Amazon, Facebook/Meta, Apple, and Microsoft) would seem to be in scope, as well most likely a limited number of other large providers of digital marketplaces.
These gatekeepers are deeply entrenched in all aspects of today’s economy, whether it be business-to-consumer, business-to-business, platform-to-business, or platform-to-consumer. Therefore, Articles 5 and 6 of the European Commission proposal contain a number of obligations and prohibitions gatekeepers will need to comply with. While the purpose of these is to prevent distortion of competition, some of these obligations and prohibitions will sound very familiar to privacy professionals. Others explicitly refer to the GDPR. Here are some examples of provisions in the proposal with privacy implications:
- An obligation to “refrain from combining personal data sourced from these core platform services with personal data from any other services offered by the gatekeeper or with personal data from third-party services, and from signing in end-users to other services … in order to combine personal data, unless the end-user has been presented with the specific choice and provide consent in the sense of Reg.2016/679 (i.e., the GDPR) …” Article 5(a). Growing concerns about targeted advertising based on tracking online behavior are at the heart of this provision.
- A prohibition to require “business and end users to subscribe to or register with any other core platform services …” offered by the gatekeeper, thereby obviously limiting the amount of personal data that gatekeepers can accumulate –Article 5(f).
- An obligation to “allow end-users to un-install any preinstalled software applications” on the platform- Article 6(1)(b).
- An obligation to “provide effective portability of data generated through the activity of a business user or end user … and in particular to provide tools for end-users to facilitate the exercise of data portability” Article 6(1) (h).
- An obligation to provide “real-time access and use to aggregated and non-aggregated data “with a specific reference to the need to comply with the GDPR and its consent requirements for access to personal data – Article 6(1)(i).
- An obligation for gatekeepers to provide third-party providers of online search engines with access to “query, click and view data,” subject to anonymization for personal data – Article 6(1)(j). The EDPS already remarked in its opinion 2/2021 that query, click and view data in relation to searches generated by individuals are personal data.
- A requirement for gatekeepers to “take the necessary steps to either enable business users to obtain (any) required consent to their processing (of personal data) where required by Reg. 2016/79 … or to ‘provide duly anonymized data where appropriate” – Article 11(2).
The above examples show competition and data protection laws are increasingly intertwined in the world of digital marketplaces. Privacy professionals need to be aware of these developments. They will need to cooperate with their competition law colleagues to ensure that companies comply with these requirements in a manner that satisfies the DMA but also the GDPR where applicable.
These examples show that an act or omission by a gatekeeper may constitute a violation of the DMA and, simultaneously, the GDPR. This could create issues because both statutes have different enforcement mechanisms, different regulators and different sanctions. While the DMA indicates its provisions are “without prejudice” to the GDPR, nothing indicates how these situations need to be addressed. The EDPS and EDPB have both expressed concern over potential conflicts and escalations in their respective opinion 2/2021 and statement on the DSA and Data Strategy package. The EDPS initiative to organize a stakeholders meeting in June 2022 on effective enforcement in the digital world is a very welcome initiative and one that does not come a day too soon.
There was much speculation if the European Commission would restrict targeted advertising in the DMA or, more likely, the DSA. The answer is that it does not, with the possible – indirect – exception of the prohibition in the DMA for gatekeepers to combine databases without consent – Article 5(a). Both the DMA and DSA require greater transparency from gatekeepers and online intermediaries on their adverting business.
Under the DMA proposal, gatekeepers must provide advertisers, and publishers access to the gatekeeper's performance measurement tools and to the information (e.g., on prices) necessary to enable advertisers and publishers to conduct an independent review of their advertising portfolio on the gatekeeper service. Articles 6(g) and 5(g). Under the DSA proposal, online intermediaries are required to divulge a series of information on a sliding scale: the larger the intermediary, the more information is required – Articles 24 and 30 of the DSA proposal. The proposal also encourages the European Commission to draw up EU-wide codes of conduct for online advertising – Article 36 DSA proposal.
In a recent discussion shortly before the Council vote on the DMA and the DSA, Commissioner Margrethe Vestager indicated targeted advertising is important for small- and medium-sized enterprises to reach their customers, and the European Commission therefore prefers to impose greater transparency requirements rather than a ban. It remains to be seen whether this will satisfy the European Parliament or the national privacy regulators where the request for a ban or phase-out, especially concerning targeted advertising for minors, is very much alive.
The DMA and DSA are nearing an important milestone in their legislative track. Both will soon be put in trilogue. We should expect heated discussions on the scope of the DMA – how to define a gatekeeper – the best enforcement mechanism for both proposals, centralized or more local, and whether targeted advertising needs to be addressed over and above the transparency requirements outlined in the proposals.
There is an overall optimism that the trilogue will go smoothly but as we know from prior experience – think ePrivacy – this is not a given. It may be a while before we see any of these requirements go into effect, but the writing is on the wall.
Photo by Guillaume Périgois on Unsplash