And the text of the long awaited #DigitalServicesAct Proposal is here! One day early, thanks to @SamuelStolton and his sources. One key thing to note is that the DSA is clearly without prejudice to both the GDPR and the ePrivacy Directive... euractiv.com/wp-content/upl… 1/n #DSA
which technically means that it applies on top of them and in case of conflict, the provisions in the #GDPR and the ePrivacy Directive prevail. There are 2 areas of interaction that immediately pop-up. First, the rules on recommender systems and online advertising 2/n #DSA
Both of these certainly rely on processing of personal data. But it seems there is broad convergence between the existing #EUDataP regime and the proposed #DSA, especially in relation to transparency and rights to explanation 3/n #DSA
Second, there are the rules on data sharing by "very large online platforms" - well, providing access to data rather than data sharing (see Art. 31 of the Proposal). This is where things may get interesting, even thorny, between the two regimes. 4/n #DSA
Providing access to data held by VLOPs (oh wow incredible entry into the world of data policy abbreviations) may be compulsory, following a reasoned request from national competent authorities, which are to be designated by Member States. There is due diligence around it 5/n #DSA
The Commission may also request access to data held by VLOPs. This is where it becomes interesting: it seems that access shall be granted to researchers and not the authorities themselves. The researchers need to be vetted and here are the conditions:... 6/n
... Affiliated w academic institutions, be independent from commercial interests, have proven records of expertise & shall commit to preserve the specific data security & confidentiality. I wonder if Cambridge Uni's Alexander Kogan would have met these requirements? Prob yes 🤔 7/n
Other aspects I would note about the #DSA proposal is that I didn't see yet data localization requirements sneaking in (I am still reading though). And the governance structure. Interestingly, Member States are left the option to appoint one or more competent authorities 8/n
So we might get a mix of DPAs and other national regulators being involved in this. And... yes there will be another Board on the map! The European Board for Digital Services (EBDS? oh the confusion that will follow 😅) which is an Advisory group, to be Chaired by the COM 9/n
This EBDS will be composed of nationally appointed Digital Coordinators, which are the leads among the several national authorities that may be competent to enforce this in each MS. Oh, and the penalties are to be established by each MS, too 10/n #DSA
Still reading thrgh this w a Data Protection and Privacy lens. Keep in mind this is a Proposal, only the first in a long and convoluted process. But my guess is that it will go much quicker through it than the ePrivacy Reg, for example. To b continued & join the insights 🧵!END
One important amendment to this one (6/n in my thread) upon re-reading Art. 31: access seems to be possible to be requested by authorities for themselves, per para 1, and separately for researchers, per para 2. #DSA
One important amendment upon re-reading, which I hope won't get lost as a subtweet below 6/n above: data access by VLOPs is available to authorities too, not only to vetted researchers. And gosh there are so many more interesting things to look at!
I see a bit more interesting interaction between data protection rules and the #DigitalMarketsAct. Two points: (1) the obligation for gatekeepers to refrain from combining personal data from any other services offered by the gatekeeper or w PD from 3rd-party services, unless 1/
"unless the end user has been presented with the specific choice and provided consent in the sense of the GDPR" (Art. 5(a) of the proposal). And 2) the obligation for gatekeepers to submit to COM an annual independent audit w a description of the user profiling techniques 2/ #DMA
There are also data sharing obligations with third parties, including personal data, which are quite interesting. In fact, one of them speaks of "continuous and real time access" offered to business users (Art. 6(1)(i)) #DSA 3/
Momentous development in EU law for the digital market: the EU Commission is expected to publish today the #DataGovernanceAct proposal for a Regulation. From a new European Board, to fiduciary duties, to data intermediaries, data cooperatives (!) and data altruism… 1/
There are plenty of things to look out for! Here is my top list of hot topics, based on the leaked version that circulated among Brussels tech media a couple of weeks back. First: lots of “data sovereignty” undertones to key rules, sometimes sliding into data localization … 2/n
Exhibit A: The title regulating the re-use of data held by public sector bodies allows such re-use by different actors “within the Union”, with an additional specification that “the processing of such data shall be limited to the European Union” 3/
... within the federalized legal system, where consumer protection agencies, big and small, have a strong tradition of enforcing consumer rights, where Prosecutors from the Public Ministry - federal and regional, have the power to bring #LGPD breaches to Court ... 2/n
... where there is a long tradition of class actions, with actually very few barriers to proceed in Court from an admissibility and costs perspective, where the Supreme Constitutional Court recognized this year an autonomous fundamental right to data protection... 3/n
The CJEU clearly upheld its string of serious data protection cases against gov access to personal data, starting with Digital Rights Ireland, then Schrems I, then Tele2Sverige, EU-Canada PNR Opinion. If you knew those decisions, the outcome of the PS assessment is no surprise.
The surprise was that the Court decided to go full strength on in this particular case, after the AG has given it a way out to postpone the assessment of the PS and focus on SCCs. Clearly, the Court saw an inextricable link between the two. The other option would have been...
to show the weaknesses of the Privacy Shield and give the Commission and the US government time to act/react, while sharpening Commission's attention to the rest of the world too, with Chinese-based apps taking more and more of the European market very recently.
Worrying news from Brazil 🇧🇷 The Fake News bill being discussed by Congress imposes mandatory social media account ID registration (!) and seems to be aiming at strict data localization and data retention obligations. 1/5 #LGPD #GDPR #privacy
If you thought mandatory SIM card registration is bad, this is worse. All social media users would have to provide valid Brazilian ID or passports if they’re foreigners & a Brazilian phone number to be able to open a user account. 2/5
It also aims to impose data retention obligations for internet connection logs (!) for 1 year by ISPs and 6 months by online applications. Plans for EU Adequacy post-LGPD may be … problematic. See CJEU in Digital Rights Ireland curia.europa.eu/juris/document… 3/5 #dataretention #GDPR
Andrea Jelinek, Chair of @EU_EDPB, said there are currently 70 cross-border cases w final decisions, proving that OSS works; ‘these are not spectacular cases in terms of fines’ though #CPDP2020 #OneStopShop #GDPR
Most of these +70 cases are related to the rights of the data subject (erasure & access), followed by cases related to data breach notifications.
One of the main challenges for smooth functioning of OSS are differences in national procedural laws. ‘Resolution of cross border cases is time & resource consuming & intensive’ #CPDP2020