EDSV publishes place paper on the legislation on digital providers and the legislation on digital markets
On February 10, 2021, the European Data Protection Supervisor (“EDPS”) published two opinions on the European Commission’s proposals for a Digital Services Act (“DSA”) and a Digital Markets Act (“DMA”). The proposed DSA and DMA are part of a series of actions announced in the European Data Strategy 2020 and have two main objectives: (1) to create a more secure digital space that protects the fundamental rights of all users of digital services, and (2) Creating a level playing field to promote innovation, growth and competitiveness in the European single market and worldwide.
The DSA introduces new rules and responsibilities for providers of online intermediation services (including hosting services, online platforms and network infrastructure). Among other things, the DSA stipulates:
- Improved transparency requirements for online advertising for online platforms;
- The obligation to put in place notification and action mechanisms to combat illegal online content;
- New obligations on business user traceability on online marketplaces to combat the sale of illegal goods;
- Specific rules for very large online platforms designed to prevent the spread of illegal content and damage to society;
- Requirements for protective measures that must be made available to users, e.g. B. the ability to question decisions about content moderation on platforms;
- A framework for data from key platforms to be made available to researchers for audit and risk assessment purposes; and
- An obligation for online intermediaries based outside the EU to appoint a legal representative.
EU Member States will play an important role in overseeing the DSA and will need to appoint a digital services coordinator who will be responsible for compliance with the DSA. In terms of enforcement, the DSA is imposing fines of up to 6% of the global sales of online intermediary service providers.
The EDPS Opinion on the DSA
The EDPS welcomes the DSA proposal but recommends additional measures to better protect individuals, in particular with regard to content moderation, online targeting and recommendation systems used by online platforms (including social media and marketplaces).
The main recommendations of the EDPS include:
- The moderation of content must be in accordance with the law and the creation of profiles for the purpose of moderation of content should be prohibited, unless the online service provider can demonstrate that it is absolutely necessary to address the systemic risks explicitly stated in the DSA . The EDPS also urges the legislator to further specify the information that needs to be made available to individuals, especially when automated means are used to moderate content.
- Taking into account the number of risks associated with online targeted advertising, the EDPS urges the legislator to lay down additional rules that go beyond transparency, including (1) the gradual introduction of a ban on targeted online advertising extensive tracking and restrictions on the types of data that can be processed for this purpose; (2) the types of data or criteria that may be used to serve or target ads; and (3) the types of data that may be shared with advertisers or third parties to enable or enable targeted advertising.
- Recommendation systems (I.“fully or partially automated system[s] Used by an online platform to propose specific information to the recipients of the service in its online interface, including as a result of a search initiated by the recipient or otherwise to determine the relative order or level of awareness of the information displayed. This shouldn’t be the case by default based on profiling. The EDPS also recommends clearly informing online users about the use of a recommendation system and implementing user controls that allow individuals to conveniently choose between the available options (e.g. to delete profiles that are used to curate displayed content) .
- Introduction of minimum requirements for interoperability for very large online platforms and promotion of the development of technical standards at EU level.
- A clear legal basis and structured cooperation to ensure complementarity between the competent authorities responsible for monitoring compliance with the DSA (including data protection, consumer protection and competition authorities).
The DMA introduces new rules for certain core platform services that act as gatekeepers (including search engines, social networks, messaging services, operating systems and online intermediation services) in the digital sector, and aims to prevent them from imposing unfair conditions on businesses and consumers to ensure the openness of important digital services.
There are three main cumulative criteria to consider when determining whether an organization falls within the scope of the DMA. These criteria relate to (1) the size of the organization; (2) whether it controls an important gateway for business users to the end user; and (3) whether it has an (expected) stable and lasting position in the marketplace. Organizations that qualify as gatekeepers under the DMA must proactively implement certain measures, e.g.
- Enable third parties to collaborate with their own services;
- Providing advertisers with performance measurement tools to enable them to fulfill their own independent review obligations;
- Providing business users with access to data generated by their activities on the Gatekeeper Platform; and
- Enable business users to promote their offerings and enter into contracts with their customers outside of the Gatekeeper platform.
The DMA will also require gatekeepers not to engage in unfair behavior such as:
- Block users from uninstalling pre-installed software or apps;
- Using data obtained from business users to compete with those business users; and
- Restricting users’ access to services that may have been purchased outside of the Gatekeeper platform.
Violations of the rules imposed by the DMA are punishable by fines of up to 10% of the worldwide total annual turnover of the organization as well as regular fines of up to 5% of the worldwide annual turnover of the organization. Additional legal remedies can be imposed for systematic violations. To ensure compliance with the DMA, the European Commission will be empowered to conduct market research.
The EDPS Opinion on the DMA
The EDPS welcomes the DMA proposal and underlines the importance of giving users better control over their data in order to be more competitive in digital markets. The EDPS also emphasizes the importance of improved interoperability in order to improve user engagement and create opportunities for services that offer better data protection. The EDPS also makes specific recommendations to ensure that the DMA is an effective complement to the EU General Data Protection Regulation (“GDPR”).
The main EDPS recommendations include:
- Determine that gatekeepers must provide end users with an easy-to-use and accessible consent management solution;
- Clarification of the scope of the data portability obligation provided for in the proposed DMA. In particular, the provision on data portability should be reviewed to ensure consistency with the definition of personal data by the GDPR.
- Greater consideration should be given to the need for effective anonymization and re-identification tests when exchanging queries, clicks, and displaying data related to free and paid searches created by end users in online search engines by gatekeepers.
- Introducing minimum interoperability requirements for gatekeepers and promoting the development of technical standards at EU level; and
- Clarification that the Advisory Committee on Digital Markets will include representatives of the European Data Protection Board and, more generally, an institutionalized and structured cooperation between the competent authorities responsible for monitoring compliance with the DMA.
Read the EDPS Opinion on the Digital Services Act and the Opinion on the Digital Markets Act.