European Data Protection Supervisor (EDPS) Wojciech Wiewiorówski has issued his opinions on two of the centerpieces for the European Commission’s (EC) digital strategy: the Digital Services Act and a Digital Markets Act. The EDPS is fulfilling its statutory role in reviewing draft legislation and informing the EC of his opinion, especially any needed changes to ensure the legislation comports with European Union (EU) law. Not surprisingly, the EDPS is calling on the EC to make significant changes, and it is unclear how far the EC will go in redrafting the two major bills to meet the EDPS.
In February 2020, the new EC leadership issued a digital strategy, Shaping Europe’s Digital Future, along with two components of this strategy: a “European strategy for data” and a white paper on artificial intelligence. In the digital strategy, the EC explained “[i]n her political guidelines, [new EC] President [Ursula] von der Leyen stressed the need for Europe to lead the transition to a healthy planet and a new digital world.” The EC stated that over the next five years, it “will focus on three key objectives to ensure that digital solutions help Europe to pursue its own way towards a digital transformation that works for the benefit of people through respecting our values…[and] will also put Europe in a position to be a trendsetter in the global debate:
- Technology that works for people: Development, deployment and uptake of technology that makes a real difference to people’s daily lives. A strong and competitive economy that masters and shapes technology in a way that respects European values.
- A fair and competitive economy: A frictionless single market, where companies of all sizes and in any sector can compete on equal terms, and can develop, market and use digital technologies, products and services at a scale that boosts their productivity and global competitiveness, and consumers can be con dent that their rights are respected.
- An open, democratic and sustainable society: A trustworthy environment in which citizens are empowered in how they act and interact, and of the data they provide both online and offline. A European way to digital transformation which enhances our democratic values, respects our fundamental rights, and contributes to a sustainable, climate-neutral and resource-efficient economy.
Among the “Key Actions” listed in “Shaping Europe’s Digital Future” was:
- New and revised rules to deepen the Internal Market for Digital Services, by increasing and harmonising the responsibilities of online platforms and information service providers and reinforce the oversight over platforms’ content policies in the EU. (Q4 2020, as part of the Digital Services Act package).
In December 2020, the EC issued the drafts the Digital Services Act and a Digital Markets Act and stated “[t]he two proposals are at the core of the Commission’s ambition to make this Europe’s Digital Decade” in its press release. (see here for more analysis.)
In his press release, the EDPS stated:
- The EDPS welcomes the proposal for a Digital Services Act that seeks to promote a transparent and safe online environment. In his Opinion, the EDPS recommends additional measures to better protect individuals when it comes to content moderation, online targeted advertising and recommender systems used by online platforms, such as social media and marketplaces.
- The EDPS highlights that any form of content moderation should take place in accordance with the rule of law. Profiling for the purpose of content moderation should be prohibited unless the online service provider can demonstrate that such measures are strictly necessary to address the systemic risks explicitly identified in the Digital Services Act. Furthermore, the European legislators should consider a ban on online targeted advertising based on pervasive tracking and restrict the categories of data that can be processed for such advertising methods.
- In his Opinion on the Digital Markets Act, the EDPS welcomes the European Commission’s proposal that seeks to promote fair and open digital markets and the fair processing of personal data by regulating large online platforms acting as gatekeepers.
- The EDPS highlights the importance of fostering competitive digital markets so that individuals have a bigger choice of online platforms and services that they can use. Giving users better control over their personal data can reinforce contestability in digital markets. Increased interoperability can help to address user lock-in and ultimately create opportunities for services to offer better data protection.
- To guarantee the successful implementation of the European Commission’s Digital Services Act package, the EDPS calls for a clear legal basis and structure for closer cooperation between the relevant oversight authorities, including data protection authorities, consumer protection authorities and competition authorities.
In its opinion, the EDPS summarized the Digital Markets Act:
The objective of the Proposal is to address at EU level the most salient incidences of unfair practices and weak contestability in relation to so-called “core platform services”. To this end, the Proposal:
- establishes the conditions under which providers of core platform services should be designated as “gatekeepers” (Chapter II);
- sets out the practices of gatekeepers that limit contestability and that are unfair, laying down obligations that the designated gatekeepers should comply with, some of which are susceptible to further specification (Chapter III);
- provides rules for carrying out market investigations (Chapter IV); and
- contains provisions concerning the implementation and enforcement of this Regulation (Chapter V).
The EDPS made clear its “Opinion contains specific recommendation to help ensure that the Proposal complements the GDPR effectively and increases protection for the fundamental rights and freedoms of the persons concerned and avoids frictions with current data protection rules.” The EDPS summarized its detailed recommendations to the EC on how to improve the Digital Markets Act:
- In this Opinion the EDPS welcomes the Proposal, as it seeks to promote fair and open markets and the fair processing of personal data. Already in 2014, the EDPS pointed out how competition, consumer protection and data protection law are three inextricably linked policy areas in the context of the online platform economy. The EDPS considers that the relationship between these three areas should be a relationship of complementarity, not a relationship where one area replaces or enters into friction with another.
- The EDPS highlights in this Opinion those provisions of the Proposal which produce the effect of mutually reinforcing contestability of the market and ultimately also control by the person concerned on her or his personal data. This is the case for instance of Article 5(f), prohibiting the mandatory subscription by the end-users to other core platforms services offered by the gatekeeper; Article 6(1)(b), allowing the end-user to un-install pre-installed software applications on the core platform service; Article 6(1)(e), prohibiting the gatekeeper from restricting the ability of end-users to switch between different software applications and services; and Article 13, laying down the obligation for the gatekeeper to submit to the Commission an independently audited description of any techniques for profiling of consumers that the gatekeeper applies to or across its core platform services.
- At the same time, the EDPS provides specific recommendations to help ensure that the Proposal complements the GDPR effectively, increasing protection for the fundamental rights and freedoms of the persons concerned, and avoiding frictions with current data protection rules. In this regard, the EDPS recommends in particular specifying in Article 5(a) of the Proposal that the gatekeeper shall provide end-users with a solution of easy and prompt accessibility for consent management; clarifying the scope of the data portability envisaged in Article 6(1)(h) of the Proposal; and rewording Article 6(1)(i) of the Proposal to ensure full consistency with the GDPR; and raising the attention on the need for effective anonymisation and re-identification tests when sharing query, click and view data in relation to free and paid search generated by end users on online search engines of the gatekeeper.
- Moreover, the EDPS invites the co-legislators to consider introducing minimum interoperability requirements for gatekeepers and to promote the development of technical standards at European level, in accordance with the applicable Union legislation on European standardisation.
- Finally, building among others on the experience of the Digital Clearinghouse, the EDPS recommends specifying under Article 32(1) that the Digital Markets Advisory Committee shall include representatives of the EDPB, and calls, more broadly, for an institutionalised and structured cooperation between the relevant competent oversight authorities, including data protection authorities. This cooperation should ensure in particular that all relevant information can be exchanged with the relevant authorities so they can fulfil their complementary role, while acting in accordance with their respective institutional mandates.
Regarding the “Digital Services Act,” in his opinion, the EDPS summarized the draft law:
The aim of the Proposal is to ensure the best conditions for the provision of innovative digital services in the internal market, to contribute to online safety and the protection of fundamental rights, and to set a robust and durable governance structure for the effective supervision of providers of intermediary services . To this end, the Proposal:
- contains provisions on the exemption of liability of providers of intermediary services (Chapter II);
- sets out “due diligence obligations”, adapted to the type and nature of the intermediary service concerned (Chapter III); and
- contains provisions concerning the implementation and enforcement of the proposed Regulation (Chapter IV).
The EDPS laid out its position on the legislation and the problems it is designed to solve regarding online content and its harms:
- The EDPS welcomes the recognition that certain online activities, in particular in the context of online platforms, present increasing risks not only for the fundamental rights of individuals, but for society as a whole . This is all the more evident for providers of very online large platforms and well reflected in the consideration that providers of very large platforms should bear the highest standard of due diligence obligations, proportionate to their societal impact
- In his Opinion on online manipulation and personal data, the EDPS identified several risks and harms resulting from how personal data is used to determine the online experience. The Opinion also highlighted how the existing business models behind many online services has contributed to increased political and ideological polarisation, disinformation and manipulation. Similar risks have also been highlighted by the European Data Protection Board (EDPB) in its Guidelines on the targeting of social media users .
- The EDPS welcomes the recognition that the design of digital services provided by very large online platforms is generally optimised to benefit their often advertising-driven business models and can cause societal concerns . The Proposal also recognises the potential harms resulting from the use of algorithmic systems, in particular as regards their potential for amplifying certain content, including disinformation. The EDPS considers both phenomena and harms are intrinsically linked to the so-called “attention economy”, with services and applications being designed to maximise attention and engagement in order to gather more data on customers, to better target advertising and increase returns.
- While the Proposal includes a set of risk mitigation measures, most provisions are designed to promote transparency and accountability, without directly addressing the root cause by way of ex ante rules. To be clear, the EDPS fully supports measures seeking to enhance transparency and accountability of platforms. At the same time, additional measures are warranted to properly address the systemic risks identified above, in particular in relation to very large online platforms. In this regard, the Proposal must be seen also in light of the Proposal for a Digital Markets Act, which includes additional rules to promote fair and open markets and the fair processing of personal data. The present Opinion will also recommend further measures in this regard, including in relation to online advertising.
Again, the EDPS summarized what it liked and did not in the Digital Services Act (DSA):
- The EDPS welcomes that the Proposal seeks to complement rather than replace existing protections under Regulation (EU) 2016/679 and Directive 2002/58/EC. That being said, the Proposal will clearly have an impact on processing of personal data. The EDPS considers it necessary to ensure complementarity in the supervision and oversight of online platforms and other providers of hosting services.
- Certain activities in the context of online platforms present increasing risks not only for the rights of individuals, but for society as a whole. While the Proposal includes a set of risk mitigation measures, additional safeguards are warranted, in particular in relation to content moderation, online advertising and recommender systems.
- Content moderation should take place in accordance with the rule of law. Given the already endemic monitoring of individuals’ behaviour, particularly in the context of online platforms, the DSA should delineate when efforts to combat “illegal content” legitimise the use of automated means to detect, identify and address illegal content. Profiling for purposes of content moderation should be prohibited unless the provider can demonstrate that such measures are strictly necessary to address the systemic risks explicitly identified by the DSA.
- Given the multitude of risks associated with online targeted advertising, the EDPS urges the co-legislators to consider additional rules going beyond transparency. Such measures should include a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking, as well as restrictions in relation to the categories of data that can be processed for targeting purposes and the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising.
- In accordance with the requirements of data protection by design and by default, recommender systems should by default not be based on profiling. Given their significant impact, the EDPS also recommends additional measures to further promote transparency and user control in relation to recommender systems.
- More generally, the EDPS recommends introducing minimum interoperability requirements for very large online platforms and to promote the development of technical standards at European level, in accordance with the applicable Union legislation on European standardisation.
- Having regard to the experience and developments related to the Digital Clearinghouse, the EDPS strongly recommends providing for an explicit and comprehensive legal basis for the cooperation and exchange of relevant information among supervisory authorities, each acting within their respective areas of competence. The Digital Services Act should ensure institutionalised and structured cooperation between the competent oversight authorities, including data protection authorities, consumer protection authorities and competition authorities.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.