Now that we have the text of the #DMA published, let me point out a couple of outstanding provisions that have data protection implications & that show why this Regulation concerns all businesses & platform users, not only gatekeepers. Let's go 🧵 1/?
consilium.europa.eu/media/56086/st…
First of all, check out the list of Core Platform Services that may pull a business into the gatekeeper class (Art 2). Notably including web browsers, virtual assistants, & *online advertising services*, e.g. Exchanges, as long as they are provided by a business offering a CPS 2/
But this is not a thread about the threshold to become a gatekeeper (check Art 3). It just points out data protection implications of the #DMA. Of note, "consent", "profiling" in the #DMA are defined as in the #GDPR. Bonus: "non-personal" data & "data" are also defined 3/
This means that whenever the enforcer of the DMA (i.e. the European Commission) will enforce the DMA & these concepts play a role, it will need to interpret and apply definitions from the #GDPR. DPAs only have a loose consultative role, maybe. Spells trouble 4/
The rules on consent for processing personal data actually play a very big role, since the first key obligation gatekeepers have is to NOT combine personal data across their different services if they do not first obtain valid *GDPR* consent (Art 5(1)). Let's untangle this: 5/
Technically, gatekeepers will be forced to obtain GDPR consent if they wish to:
1) process, *for the purpose of providing online advertising services*, personal data of their end-users using *services of 3rd parties* that make use of core platform services of the gatekeeper; 6/
2) combine personal data across all of their services, CPS or not, or *with personal data from third-party services*;
This one is quite big & it is also not limited by specific purposes. Regardless of the purposes for which this combination occurs, it can only occur on consent 7/
3) "cross-use" personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice-versa;
This one goes beyond "combining". Could cross-use mean "inform"? "be added to?" Maybe 8/
4) sign in end users to other services of the gatekeeper *in order to combine personal data*.
So all of these 4 things can only happen if #GDPR consent is obtained - withdrawable, freely given, informed, specific!
See how COM & DPA competences overlap? 9/
Interestingly, there is also an obligation that when this consent "has been refused or withdrawn by the end user, the gatekeeper *shall not repeat its request for consent for the same purpose more than once within a period of one year*" 🤯 Quite a big one. 10/
Also interestingly, the provision adds that when the gatekeepers can rely on a legal obligation, vital interest of the data subject and processing data for the performance of a task in the public interest, they can do so (Arts 6(1)(c),(d),(e)) GDPR. So in almost no situation 11/
Recital 36 specifically clarifies that GDPR Contract and Legitimate Interests cannot justify the combination of personal data.
Another big one, and relevant for the debate on what lawful ground to use for some processing of personal data by social media platforms 12/
Why does the #DMA include these rules? Because "the processing for the purpose of providing online advertising services of personal data from 3rd parties using CPS gives gatekeepers potential advantages in terms of accumulation of data, thereby raising barriers to entry" (R36) 13/
And because "Gatekeepers process personal data from a significantly larger number of third parties than other undertakings" (R36 too).
The #DMA also tries to solve the "take it by giving all data or leave it" approach to using core platform services, per R36: 14/
See that detail here, technically requesting that gatekeepers give access to their services even if end users don't consent to the combination and cross-use of their personal data across services and from 3rd parties: 15/
But as with all EU law, there is an oddity following in the next Recital, 37, which says that access to the same level of quality of service can be denied if the degradation of quality is a direct consequence of not being able to combine or cross-use personal data 🤔 🤷‍♀️ 16/
There is an anti-#darkpatterns Article as well, saying that all these obligations cannot be circumvented by offering choices in a non-neutral manner, or by subverting users' autonomy, decision-making via the structure, design, function of a user interface or a part thereof 17/
Other obligations that gatekeepers have and that will have immediate intersection & overlap with data protection law are two of the obligations in Article 6 on *data portability* and *real time access to personal data for business users*. Why? Here: 18/
Article 6(9) is truly outstanding for the #DataPortability aficionados and close followers of the #GDPR:
Gatekeepers are under an obligation to provide this super broad portability of "data provided by the end user or generated through the activity of the end user" 19/
You'll observe, I hope, how this portability is not framed as a "right" like in the GDPR, but as a matter of technical fact.
Also that it clearly covers data generated (inferred from?) the activity of the end users on the Core Platform Service, no negotiation here. 20/
This portability can also be exercised through "third parties authorised by an end user" - if you were wondering why the #DGA Data Governance Act went on and on about intermediation services. It all makes sense now 😅👀 21/
The other Article 6 stunner re: data protection overlap is Art 6(10). No kidding: it obliges gatekeepers to give access in real time (!) to *aggregated and non-aggregated data, including personal data, that is provided for or generated in the context of the CPS* 🤯 22/
This includes access for business users to the personal data generated by end-users (e.g. you and me) when engaging with a business user on a gatekeeper's platform providing a Core Platform Service, "when the end user opts in to such sharing by giving their consent". /23
This, again, means GDPR consent. So, again, the enforcer of the #DMA will interpret and apply what #GDPR consent means in this context, a competence that the lead DPA of a gatekeeper would also have. Enforcement battles in sight! /24
I have a couple more things to get off my chest after reading the whole text, but I need to stop for now. I hope to add another thread later, at least on the full centralization of enforcement of the DMA under the EU COM. Thanks for joining my complete geek out. 24/24

Keep Current with Dr. Gabriela Zanfir-Fortuna
