The DMA-GDPR joint guidelines - new answers bring new questions
I am almost ready to hit send on DTI’s draft response to the EC and EDPB’s joint guidelines on the interplay between the Digital Markets Act and the General Data Protection Regulation. This newsletter gives you a flavour of the topics we have focused on, and why.
As an (entirely self-proclaimed) specialist in technology policy at the intersection of competition and data protection, the opportunity to feed into this document is as good as it gets for me. Strictly speaking, in my view, at least for the data portability sections that I examined, the document goes a little beyond the stated scope of the interplay between the two regulations, also providing some useful detail on how the DMA provisions themselves should be interpreted by gatekeepers. This is a good thing, if a little late in the day!
Stating the obvious, and helpfully so, the guidelines confirm that Article 20 of the GDPR and Article 6(9) of the DMA are complements to one another. They also clarify how compliance with Article 6(9) of the DMA fits within the framework of the legal responsibilities placed on gatekeepers by the GDPR. This is welcome and should provide additional confidence to all participants within the data portability ecosystem going forwards.
Beyond this, the guidelines also provide some additional practical detail on how the data portability provisions in DMA Article 6(9) should be implemented by gatekeepers, addressing several topics that have been the source of lengthy and sometimes polarised debates over the last two years.
Of these new details, there are many areas where the merits of the policy direction could (and may continue to) be hotly debated, even though the intent and meaning of the guidance itself is pretty clear. For example, the guidelines set out a fairly explicit position on the treatment of other users’ personal data in the context of a data portability transfer. Many will agree with the position, just as many won’t. But most will understand what the text means.
Then, there are a smaller number of areas where the policy issue itself need not be particularly controversial, but the intent of the guidance appears to be open to various interpretations. Rather than answering questions, some sections of the text appear to pose new ones.
Given the objective of the guidance to promote a “consistent and coherent interpretation of the DMA and the GDPR”, I have focused on this latter category of issues where further clarity is needed.
The first of these areas is the interplay between Article 20 of the GDPR and Article 6(9) of the DMA. The document spends several pages detailing how the DMA’s data portability provisions should be interpreted, but the equivalent provisions in the GDPR are almost entirely overlooked. This is a shame, and feels like a real missed opportunity to provide some much needed clarity around the circumstances where a data controller should support direct transfers under Article 20. In particular, a few sentences covering what “where technically feasible” means in practice could be a game changer for the prospects of widespread user-led data transfers. After all, the world of technology has moved on a fair bit since the GDPR was drafted, so perhaps a refresh of thinking is needed beyond the gatekeeper seven.
The second issue we have highlighted is the guidance on the meaning of “continuous and real time”. There is some new detail on how to interpret this requirement, but I’m not convinced the new words are any less open to interpretation than the ones we already had.
In our response, we have encouraged an approach that is context specific and keeps user needs central, which could draw from the recent research by DTI Summer Fellow Thomas Carey-Wilson that presented a Functional Real-Time framework to help conceptualise latency and speed in data portability.
The third issue we are drawing attention to is Trust. As anyone who has followed my writing on this topic will know, this is an area where DTI has skin in the game. I have previously highlighted the fact that the DMA was unhelpfully silent on Trust, so it is welcome that the guidelines now explicitly recognise the need for gatekeepers to onboard third parties. This includes requesting identity documents, and also integrating robust authentication processes into each data transfer request. However, they don’t go any further than that, appearing to rule out the placement of any other guardrails, and completely omitting any reference to the two big ‘C words’:
- Criminals: the guidelines state that “Gatekeepers can therefore not restrict, in any way, the data portability use cases and business purposes that authorised third parties can pursue with the data they receive under Article 6(9) DMA.” While I firmly agree with the spirit (and what I believe to be the intent) of this sentence, it oversimplifies the issue. What about use cases that are illegal? What about third parties that are suspected to be criminal enterprises, or even state actors? If the European Commission wants this guidance to be useful and credible, it needs to be more exhaustive about acceptable vetting procedures, and more explicit that blocking such applications is necessary, and that some basic checks to identify them are expected.
- Consent: the guidance seems to suggest that gatekeepers must not do any checks in the onboarding process to validate that third parties intend to obtain valid consent, or even consent of any kind at all. Such checks can be very straightforward and light touch, by comparing the organisation’s privacy policy with an image or mock up of their consent screen. The benefits of doing this are immediately obvious – blatantly dishonest and deceptive businesses can be blocked, while the standard of consent is nudged upwards as third parties try harder in the knowledge that someone is checking their homework.
As DTI is finalising the processes and documentation for our Data Trust Registry, you can be absolutely certain that a proportionate review of third parties’ approach to consent will be a core component, as will the aim of blocking criminals’ access to user data. I’d suggest this is fully aligned with the complementary goals of data protection and market contestability. Don’t you agree?
The consultation closes in two days, so you still have time to get involved and offer up your own views to these questions.