DSA and DMA: How Accountability and the Free Market Affect Your Data Rights

On July 5th, 2022, the EU Parliament passed its latest landmark laws in the digital space: the Digital Services Act and the Digital Markets Act. These laws update the EU's digital legal framework by imposing greater liability on online platforms for supporting illegal content and restricting the power of "gatekeepers" that exert monopolistic control over the digital market. The laws are expected to be formally adopted in September and will come fully into force either later this year or January 1st, 2024 depending on the rule.

In addition to the general effects these laws will have on the digital market, both of these new laws have potential privacy implications as well.

The Digital Services Act and its Privacy Implications

The goal of the DSA is to improve transparency and user safety by making platforms accountable for what they host. The DSA applies to "intermediary service" providers--internet service providers, cloud storage, search engines, social media, and online platforms and marketplaces--and has additional rules for platforms with more than 45 million monthly users.

The DSA does not subject platforms to outside monitoring, nor does it impose an obligation on them to monitor users. Rather, it imposes legal liability when a platform is alerted to illegal content and fails to act. This means that the law will not require platforms to collect any more data on users than they already do.

The DSA mandates that platforms must provide real-time disclosures on online ads: whether a piece of content is an ad, who put out the ad, and why the user is seeing the ad. The last requirement--why the user is seeing the ad--gives users more knowledge of how their personal data is being used for targeted advertising. The fact that platforms are required to inform users about how their targeted advertising works means that platforms will need to exercise greater data responsibility about the data they collect and use.

The Digital Markets Act and its Privacy Implications

The Digital Markets Act limits large-scale service providers of core platforms, also known as gatekeepers, in order to promote competition and reduce monopolistic behavior. The DMA covers eight "core platform services" where monopolistic gatekeepers prevent fair competition: online intermediate markets, search engines, social media, advertising, video services, cloud services, communications, and operating systems.

While the intent of the DMA is economic, some of its provisions have clear effects on digital privacy. While only "gatekeepers" are significantly impacted by the law, their dominance over digital spaces means that the law will have a significant effect on personal data privacy in the EU. The criteria for being considered a gatekeeper are set forth in the law. While no companies have been officially labeled, the criteria encompass the Big Tech companies--Google/Alphabet, Apple, Amazon, Microsoft, Facebook/Meta--and similarly large corporations.

DMA imposes an obligation on gatekeepers to avoid mixing personal data they receive from the core platform services with data received from third parties or their other services, unless the user has been given the choice and consented as in GDPR. This requirement will put an additional strain on Big Tech's data management, requiring careful inventory of customer data to ensure that data is not mixed between subsidiaries. Since data collected from one of a gatekeeper's services can't be mixed with data from another--Facebook can't use data from WhatsApp to target advertising, for example--this creates another roadblock that disincentivizes targeted advertising. If targeted advertising becomes more complicated, gatekeepers have less incentive to collect large amounts of personal data, which reduces the privacy concerns from Big Tech holding too much data. This dovetails with other EU restrictions on targeted advertising like GDPR, aiding the enforcement of data subject rights.

Gatekeepers are also forbidden from requiring businesses and users of one of the gatekeeper's services to subscribe to other core platform services. Gatekeepers are also required to allow users to uninstall any pre-installed software applications that come with the platform. Pre-installed applications are often another venue for data collection, and in many cases cannot be uninstalled. By restricting these activities, DMA removes two of Big Tech's tools for gathering personal data from consumers and thereby reduces the amount of data they can collect.

All gatekeepers must provide portability of data, allowing users to obtain the data generated by their activity. Not only must the gatekeepers make portability accessible, but they must also provide users with tools to facilitate portability. This obligation makes specific reference to GDPR, which grants a similar right to data portability. An organization that fails to provide data portability could be in violation of both DMA and GDPR.

Upon request, gatekeepers must provide anonymized "ranking, query, click, and view data" from their search engines to third-party search engine providers. While other obligations on gatekeepers restrict their ability to collect and process data, this obligation promotes the spread of data to other entities. A Big Tech search engine collects a great deal of data from its users' searches but has the resources to keep that data secure. Mandating that gatekeeper search engines share certain query data with smaller search engines does not limit how consumer data is used; rather, it reduces the monopoly that gatekeepers have on data they can use to improve their search functions. The shared data is anonymized, but this obligation still amounts to a legal requirement to share data.

Gatekeepers are obligated to provide business users with real-time access to both aggregated and non-aggregated data generated using the gatekeeper's core platform services by the business user or its customers. In other words, if a business is using a gatekeeper's platform--like a digital marketplace or communications service--the gatekeeper must provide the business with the data that the business and its customers generated using the platform, like personal data, purchases, etc. This does not generate the same concerns about data sharing as the search engine requirement above, since this is an obligation to allow businesses to access information about their own business.

Noncompliance can result in fines of up to 10% of global turnover, or even structural separation in the case of systematic violations.

Conclusion

Since personal data and privacy concerns are intertwined with every part of the digital ecosystem, any law regulating digital activity or markets is likely to have some effect on privacy. With the DSA and DMA, the EU is performing market regulation with privacy rules. While DSA and DMA are not intended to be privacy laws on their own, they are explicitly designed to work alongside GDPR and reference it in their own texts. DMA and DSA support the responsible data principle of data minimization by both limiting gatekeepers' methods for data collection and reducing incentives for targeted advertising--if gatekeepers are less willing and less able to collect consumer data for advertising, then they will minimize the amount of data they collect.

The main lesson to be learned here is that even if a law does not deal with personal privacy at its core concept, it can still have an effect on consumers' privacy rights and protections. This is especially true of laws that affect business practices, because in the modern digital marketplace, data control and market power go hand in hand. The DSA and DMA are perfect examples of this concept. These laws increase legal liability and limit market power by controlling how data can be collected and used, and also control how data will be collected and used by increasing legal liability and limiting market power.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information, visit https://ardentprivacy.ai/.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.