ICCL writes to the European Parliament and to the European Commission to highlight loopholes in the proposed Digital Markets Act.
On 15 December 2020 the European Commission published a proposal for a Digital Markets Act, intended to correct digital market problems. These market problems have a consequence for the digital rights of all people in the European Economic Area.
This letter highlights three problems in one part of the proposal that would allow Big Tech firms to continue misuse people's personal data to cascade their monopolies across successive areas of business.
- It may undermine the GDPR’s “purpose limitation principle”.
- It may create a loophole for a Gatekeeper to cross-use personal data from across its business, if it avoids “combining” the data.
- Gatekeepers may challenge the reference to consent as the sole lawful basis.
This letter sets out these concerns, and proposes an amendment to remedy them. The full text of this letter is copied below. You can download the PDF here.
Alexandra Geese,
European Parliament,
Rue Wiertz 60, B-1047,
Brussels
25 January 2021
Greater protection in Article 5 (a) of the
Commission’s proposal for a Digital Markets Act
Dear Alexandra,
I write, as you know, on behalf of the Irish Council for Civil Liberties (ICCL). ICCL is a human and data rights organisation that has worked on human rights issues, including data protection, for decades.
I wish to draw your attention to three issues of concern in Article 5 (a) of the Commission’s proposal for a Digital Markets Act:
- It may undermine the GDPR’s “purpose limitation principle”.
- It may create a loophole for a Gatekeeper to cross-use personal data from across its business, if it avoids “combining” the data.
- Gatekeepers may challenge the reference to consent as the sole lawful basis.
This letter sets out these concerns, and proposes an amendment to remedy them.
The Commission’s proposed Article 5(a) says that Gatekeepers shall:
“refrain from combining personal data sourced from these core platform services with personal data from any other services offered by the Gatekeeper or with personal data from third-party services, and from signing in end users to other services of the Gatekeeper in order to combine personal data, unless the end user has been presented with the specific choice and provided consent in the sense of Regulation (EU) 2016/679.”
1. Change to make compatible with GDPR “purpose limitation” principle
We are concerned that Gatekeepers will use the proposed language of Article 5 (a) to undermine the “purpose limitation” principle of the GDPR. It says a Gatekeeper is exempted from the limit on data combination if it has presented the user with “the specific choice”, and received consent.
A problem arises because “the specific choice” as singular. Since the Gatekeeper is likely to be processing the user’s personal data for multiple processing purposes, a singular choice is likely to be contrary to Article 5(1)b of the GDPR, which provides that each “processing purpose” for which a data controller uses a person’s personal data must have its own lawful basis.
The European Data Protection Board, which brings together all Member State GDPR supervisory authorities, has stated that there should be “a separate opt-in for each purpose, to allow users to give specific consent for specific purposes”.[1] In addition, Recital 43 of the GDPR says that “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case”.
A person may expect a Gatekeeper to use their personal data where strictly technically necessary to provide a service that the person has requested. However, a person does not expect a Gatekeeper to use that personal data for many other purposes and operations, too.
The GDPR purpose limitation principle is not only an important element of a person’s fundamental right to data protection but also an important element of a well-functioning market.
The proposed DMA Article 5 (a) would allow Gatekeepers to undermine the purpose limitation principle. That text allows a Gatekeeper to obtain a single consent for “the specific choice”. They may thereby avoid their responsibility to obtain specific consent, or other lawful bases, for each processing purpose.
2. Loophole for cross-use of data
The first clause of Article 5(a) requires that a Gatekeeper “refrain from combining personal data sourced from these core platform services”. However, the word “combining” is not precise enough to prevent a Gatekeeper from misusing personal data by cross-using it from one service or processing purpose to another. A Gatekeeper may cross-use data from one core platform to any other product, without necessarily having combined it.
To remedy this, we propose that a definition of the term “combine” should be added to the definitions in Article 2. This definition should tightly define what activities are proscribed.
Alternatively, the words “or cross using” should be added to the first sentence of Article 5(a). Article 5(a) would then read “refrain from combing or cross-using personal data…”.
3. Vulnerable to challenge by Gatekeepers
The final part of Article 5(a) says that a Gatekeeper is prohibited from combining data “unless the end user has been presented with the specific choice and provided consent in the sense of Regulation (EU) 2016/679.” (emphasis added)
The words “provided consent” may be challenged by Gatekeepers because consent is not the only available lawful basis for data processing in Regulation 2016/679 (“the GDPR”). A Gatekeeper may claim to have an alternative GDPR lawful basis, such as contract or legitimate interest.
We suggest that the text should specify whether these alternative lawful bases are explicitly not permitted, or whether any lawful basis for processing personal data is permitted for purposes of Article 5(a) of the proposed Act.
Proposed amendment
We propose that to resolve these issues, and avoid lowering the level of protection of fundamental rights provided for in the GDPR, the text of Article 5 (a) should be amended as follows to resolve these three problems.
“refrain from combining and, or, cross-using personal data sourced from these core platform services with personal data from any other services offered by the Gatekeeper or with personal data from third-party services, and from signing in end users to other services of the Gatekeeper in order to combine personal data, unless the end user has been presented with the a specific choice in the case of each processing purpose and provided consent in the sense of Regulation (EU) 2016/679.”
(We have marked these changes in colour, with double strike out red text marking deletion, and green text marking insertion.)
I am at your disposal to discuss these matters.
Sincerely,
Dr Johnny Ryan FRHistS
Senior Fellow
Irish Council for Civil Liberties
Notes
[1] Guidelines 05/2020 on consent under Regulation 2016/679, European Data Protection board, adopted on 4 May 2020, p. 15.