Out-Law News 2 min. read

Data aggregation rules clarified for EU ‘gatekeepers’

Online ‘gatekeepers’ will be unable to rely on user consent to aggregate data about those users under the Digital Markets Act (DMA), according to text agreed on by EU law makers.

The restriction will apply to the combination of personal data about users of the gatekeepers’ “core platform services” with personal data collected from the other platform services the gatekeepers provide or which they source from third parties.

Gatekeepers will also be unable to rely on user consent to “cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice-versa” or to “sign in end users to other services of the gatekeeper in order to combine personal data”.

The agreed wording under revised Article 5 of the proposed DMA also prohibits gatekeepers from citing their ‘legitimate interests’ as a lawful basis for combining or cross-using personal data, or signing-in users.

The DMA was proposed by the European Commission in late 2020 and, once implemented, would regulate business practices around the core platform services that gatekeepers provide which fall within the scope of the DMA.

Gatekeepers are businesses that provide a platform through which other businesses can provide products or services to consumers. These gatekeepers commonly offer their own products or services via their platform too.

One of the major advantages gatekeepers have over rival businesses that rely on their platform is access to data. Significant data is generated from the use of their platforms. The DMA envisages opening up others’ access to that data and curbing what gatekeepers can do with the information themselves.

The European Commission’s original proposals on combining personal data were similar but different from the text that the European Parliament and Council of Ministers have now agreed on. They stated that while gatekeepers would have had to refrain from combining personal data from their core platform services with personal data from their other services or sourced from third parties, gatekeepers could aggregate the data if “the end user has been presented with the specific choice and provided consent in the sense of” the General Data Protection Regulation (GDPR).

Those original proposals prompted uncertainty, and specific queries to the Commission from bodies such as the Irish Council for Civil Liberties, as to whether gatekeepers could combine the data on the basis of a single opt-in. In a recent response to Jonny Ryan, a senior fellow at the Irish Council for Civil Liberties, Commission officials said that the GDPR is “fully applicable” to the DMA and that the GDPR’s provisions on consent are not modified by the DMA’s rules on combining data.

In their letter to Ryan, the Commission officials said: “In order to be valid a consent must be freely given, specific, informed and unambiguous, must clearly indicate the data subject’s wishes and must be expressed by a statement or by a clear affirmative action… Obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity. Gatekeepers must adhere to these concepts and principles as defined in the GDPR and interpreted in that context.”

However, clarification on the application of the GDPR’s consent rules to the DMA’s rules on gatekeepers combining personal data appears moot following recent publication of the revised DMA text that the European Parliament and Council of Ministers reached provisional agreement on earlier this spring.

Under the revised text, the ability of gatekeepers to rely on user consent to use personal data has been restricted to the processing of personal data of end users using services of third-parties that make use of core platform services of the gatekeeper for the purpose of providing online advertising services. In that scenario, the end user must also be “presented with the specific choice” prior to giving consent.

While both the Parliament and Council have yet to formally adopt the DMA, the European Commission told Out-Law recently that it hopes the new legislation will come into force later this year and take effect in spring 2023

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.