European Data Protection Supervisor shares his position on the Digital Services Act Package

EDPS Opinion 1/2021 on the proposal for a Digital Services Act and Opinion 2/2021 on the proposal for Digital Markets Act

The European Data Protection Supervisor (“EDPS”), the EU independent data protection authority, recently published two non-binding opinions on the legislative proposals for a Digital Services Act (“DSA”) and a Digital Markets Act (“DMA”). These two proposals were presented by the European Commission on 15th December 2020 as part of the Commission’s communication “Shaping Europe’s digital future”.

Overall, the EDPS welcomed both proposals, but nevertheless highlighted the need to introduce additional requirements to ensure an effective complementarity of Digital Services Act with the GDPR and the e-Privacy Directive. This note focuses on some of the main recommendations of the EDPS in these two opinions.

I.               Digital Services Act

Considering the “endemic monitoring of individuals’ behaviour” the EDPS makes specific recommendations on content moderation, online targeted advertising and recommender systems used by online platforms such as social medias or marketplaces.

Regarding content moderation: The DSA does not impose a general monitoring obligation nor an obligation for providers to take proactive measures in relation to illegal content. It rather tends to eliminate existing disincentives towards voluntary own-initiative investigations of providers. To achieve this goal, several provisions of the DSA make clear that the detection and removal of illegal content can involve processing of personal data by automated means. However, the EDPS observes that not all form of content moderations require attribution to a specific data-subject and that, as a result, “content moderation should, insofar as possible, not involve any processing of personal data”. The EDPS therefore recommends that the DSA specifies in which circumstances the processing of personal data may prove legitimate to detect, identify and address illegal content. For online platforms using automated means for content moderation or decision-making, the EDPS considers that the DSA should specify the minimum set of information to provide to individuals (procedure followed, technology used, criterion and reasoning) in addition to those required by the GDPR. Furthermore, the EDPS recommends specifying that content monitoring must not involve the monitoring or profiling of the individual’s behaviour unless the provider can demonstrate, based on a risk assessment that such measures are strictly necessary to address systemic risks such as the dissemination of illegal content. Last, it recommends defining the endemic risks which justify the use of automated content monitoring.

Regarding online advertising: The EDPS supports the proposal imposing an obligation on online platforms to provide the identity of the legal entity on whose behalf the ad is displayed as well as information on the main parameters used to display this ad. According to the EDPS, this proposal remains insufficient. and it strongly invites the European Parliament and the Council “to consider a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking”. This already echoes with the European Parliament’s resolution on the DSA.

Regarding recommender systems: Recommender systems are based on algorithms that suggest the ranking and the prioritization of the information displayed to the user. The DSA provides that very large online platform using recommender systems should provide the user with the option to opt for a system which is not based on profiling. The EDPS takes the position that these recommender systems should not be based by default on profiling and that, as a result, the DSA should instead provide for an opt-in of the user instead of an opt-out. The EDPS also calls for more transparency as to the use of personal data through these automated systems.

II.            Digital Markets Act

The aim of the proposed DMA is to ensure a fair and competitive digital market as well as the fair processing of personal data. It introduces the notion of “gatekeepers” defined as the large online platforms who either (i) have a strong economic position, significant impact on the EU market, (ii) have a strong intermediation position (meaning it links a large number of users to a large number of businesses) or (iii) have an entrenched and durable position in the market.

The EDPS points out “how competition, consumer protection and data protection law are three inextricably linked policy areas” and that “… the relationship between these three areas should be of complementarity, not a relationship where one area replaces or enters into friction with another”(page 3, Opinion 2/2021).

To ensure consistency of these different policy areas and the contestability of the digital market the EDPS recommends implementing additional safeguards stemming from the GDPR so that end-users be provided with effective control on their personal data (for example with consent management solutions, data portability, or anonymization.)

Regarding the interoperability requirements, the EDPS proposes to introduce minimum technical standards on interoperability supported by the gatekeepers, to promote the development of technical standards at the European level reminding that these future European standards must comply with data protection laws.

In both opinions, the EDPS also reminds the need for a close cooperation between the relevant authorities, including data protection authorities, consumer protection authorities and competition authorities in order for the Digital Services Act Package to be efficiently implemented and enforced.

DSA and DMA proposals are currently discussed at the European Parliament, their final adoption will occur in the coming months.