Data Protection Insider, Issue 41

EDPS Releases Opinion on the Draft Digital Services Act

On 10th February, the EDPS issued his Opinion on the Commission’s Proposal for a Digital Services Act (DSA). In short, the Proposal seeks to regulate a broad range of aspects related to online service providers, e.g. platforms. In his Opinion, the EDPS notes that the DSA Proposal seeks to complement the GDPR and the e-Privacy Directive. In that respect, his recommendations aim to ensure that their provisions do not get “watered down” in the DSA. He then proceeds to make suggestions as to how to ensure greater compliance by the concerned platforms with data protection law by discussing numerous provisions of the Proposal from a data protection perspective. Three issues stand out in particular. First, the EDPS pays special attention to the need for transparency and comprehensibility towards the users, e.g. of targeted advertising or of removing “illegal content” and the rights of the concerned persons whose content has been removed. As to targeted advertising, the EDPS goes further in advocating the phasing out of targeted advertising “on the basis of pervasive tracking”. Second, he supports the Commission in its desire to provide “vetted researchers” access to the online platforms for the purposes of scientific research “for the sole purpose of conducting research that contributes to the identification and understanding of systemic risks”. In that respect he warns that “data protection should not be misappropriated as a means for powerful players to escape transparency and accountability.” Third, the EDPS emphasizes the need for coordinated supervision between the different regulatory authorities, including the independent supervisory authorities under the GDPR and other enforcement authorities. We note that it remains to be seen how the ambitious proposals put forward by the EDPS will be taken on board by the other stakeholders, e.g. the concerned industries. The topic of targeted advertising in particular has been very contentious in the past years and no consensus seems to have emerged as to the future of the industry.

 

– EDPS Releases Opinion on the Draft Digital Markets Act

On 10th February, the EDPS also issued his Opinion on the Commission’s Draft Digital Markets Act (DMA). The Proposal concerns the data protection, consumer protection and competition law measures that should be taken to ensure that “gatekeepers”, i.e. “large platforms with significant network effects” in the digital market remain fair and contestable. Similarly to the DSA Opinion, the EDPS underlines the complementarity between the Proposal, the GDPR and the e-Privacy Directive when it comes to the data protection aspects, makes recommendations to ensure this complementarity and supports the cooperation between data protection, consumer and competition law supervisory authorities in regulating the said “gatekeepers”. Amongst the specific data protection comments he makes, the EDPS notes how competition and data protection law reinforce each other, e.g. by prohibiting the bundling of services and users’ lock-in, and seeking to redress the informational imbalance between the gatekeepers, on one hand, and consumers and other business users, on the other hand. Furthermore, the EDPS supports enhancing data portability, including of personal data resulting from the profiling carried out by the large platforms, and ensuring the interoperability between platforms. This is to ensure fair and open markets in relation to both the consumers and other business operators who are dependent on the gatekeepers. We note that the DMA Proposal and the EDPS comments seem to rely on and support the separation between “personal data” and “non-personal data”. This approach is understandable as concerns the EDPS Opinion in the sense that the EDPS’s mission is to ensure the protection of our personal data. However, to what extent can this delineation realistically be sustained in the future, bearing in mind the power which search engines and online platforms derive from the processing of anonymized and non-personal data?

 

– BEUC Submits a Complaint against TikTok

On 16th February, BEUC filed a complaint with the European Commission and the Member State consumer and data protection authorities against TikTok, an app used by children, for a series of consumer and data protection law breaches. On the consumer law side, the complaint concerns three main issues: (1) the Terms and Conditions, including the copyright provisions, as they are “unclear, ambiguous and favour TikTok to the detriment of its users”; (2) the “unfair terms and misleading practices” related to the exchange of coins and gifts on the platform and (3) the hidden advertising and inappropriate content to which TikTok might be exposing its users. On the data protection side, the complaint focuses on the lack of informed and comprehensible information for the target audience. Furthermore, the complaint refers to the potentially illegal consent policy of the platform; the doubts concerning the choice of the legal basis of the processing; its alleged breach of the core data protection principles, which could make it difficult for the users, amongst others, to exercise their data subject rights; the lack of appropriate privacy by design and security measures; and the alleged lack of specific measures to protect children. We note that the approach taken by BEUC demonstrates the interplay between consumer and data protection law, which is acknowledged also by the Commission and the EDPS in relation to the DMA and DSA Proposals discussed above.

 

– Commission Adopts Draft UK Adequacy Decisions

On 19th February, the European Commission published two draft adequacy decisions on the free flow of personal data from the EU to the UK. The first decision concerns transfers under the GDPR. The second decision concerns transfers under the LED. With the publication of the decisions, the Commission confirms that it believes the UK to offer an essentially equivalent standard of data protection to that offered in the EU. The publication begins the process for the final adoption of the decisions. This process “involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States.” Currently, transfers to the UK, without additional safeguards, are legitimated by an interim agreement under the EU-UK Trade and Cooperation Agreement. This interim agreement remains valid for four months from 1st January 2021 – with the option of extension by two months – or until the adoption of adequacy agreements. The publication of draft agreements should come as no surprise. There is undoubtedly considerable political pressure on the Commission to facilitate seamless personal data exchange with the UK. It is highly likely, however, that the eventual adoption of the draft agreements will face opposition moving forward. Sceptical opinions had already been issued as to the standard of UK data protection – in particular concerning the UK’s security and law enforcement frameworks – during post-Brexit negotiations. Even if the decisions are eventually adopted, there is still the possibility of intervention by the CJEU. The Court has already demonstrated its willingness to disagree with Commission evaluations of third-country data protection standards – see, for example, the recent Schrems II decision.

 

– Council Agrees Position on ePrivacy

On 10th February, the Council, under the Portuguese Presidency, agreed a new position on the proposal for an ePrivacy Regulation. The agreement grants a mandate to the Portuguese Presidency to begin discussions with the European Parliament regarding the adoption of a new Regulation. The Council’s press release highlights that: ‘As a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the ePrivacy Regulation.’ The proposed text, however, does include several exceptions which would allow processing of communications data by third parties without an individual’s consent. For example, the text foresees that: ‘Permitted processing of electronic communications data without the consent of the user includes, for example, ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security.’ The text also foresees that: ‘In certain cases, providers of electronic communications networks and services may process metadata for a purpose other than that for which it was collected, even when this is not based on the user’s consent or certain provisions on legislative measures under EU or member state law. This processing for another purpose must be compatible with the initial purpose, and strong specific safeguards apply to it.’ On the one hand, it is welcome news that ePrivacy negotiations are once again moving ahead. On the other hand, prior efforts to secure updates to ePrivacy law have met with considerable obstructions. It will be interesting to see how current efforts progress.

 

– German Constitutional Court, Minimum Damage, and Data Protection Claims

The German Constitutional Court has highlighted that a lower court should have made a request to the CJEU concerning the position of EU law as to whether the GDPR foresees a relevance threshold for damage supporting compensation claims. The facts of the case concern the receipt of a marketing e-mail, sent without legitimation. In relation to this mail, the plaintiff sued for compensation. The Amtsgericht Goslar decided, under Article 82 of the GDPR, that no damage had been incurred which would warrant provision of compensation. In relation to this decision, the plaintiff complained to the Constitutional Court that the Amtsgericht had failed to fulfil its legal obligation to seek advice from the CJEU as to the legal situation concerning minimum levels of damage and compensation claims under the GDPR – as the situation is not explicitly clear from the GDPR itself nor from prior CJEU jurisprudence. The Constitutional Court followed this argumentation and upheld the plaintiff’s complaint. The Constitutional Court’s decision is interesting for several reasons. We highlight the decision here in DPI, however, owing to the high significance a ruling by the CJEU on the issue of a relevance threshold for compensation claims under the GDPR could have on the ability of data subjects to realise their rights under the GDPR.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
