Introduction
The European Fee and the European Knowledge Safety Board (EDPB) have just lately launched Joint Pointers on the interaction between the Common Knowledge Safety Regulation (GDPR) and the Digital Markets Act (DMA) for public session. Though known as “joint” pointers, the doc is the truth is closely pushed by the DMA’s construction and obligations. This weblog reframes the rules by means of a GDPR‑targeted perspective, highlighting how the DMA heightens gatekeepers’ information safety obligations.
My observations unfold in three components. Half 1 outlines Gatekeepers’ restricted discretion in selecting GDPR’s lawful grounds and the improved consent mechanism within the GDPR-DMA interaction. Half 2 then touches on imprecise boundaries of DMA’s limitations, illustrated by a stunning exception launched by the joint pointers. Half 3 situates these regulatory developments inside the broader context of the Fee’s proposed digital omnibus bundle, suggesting that EU information safety regulation is transferring towards a extra nuanced, market‑energy‑delicate strategy.
Total, the interaction between GDPR and DMA reveals not solely technical coordination but in addition alerts a strategic shift of EU information safety regulation. The obligations imposed on gatekeepers more and more differ from these relevant to abnormal controllers, elevating vital questions on proportionality and the longer term structure of EU information safety regulation.
Half 1 Gatekeepers’ restricted discretion in selecting GDPR’s lawful grounds
EU information safety regulation contains a legitimising regime, that means {that a} controller who intends to course of private information should exhibit a lawful floor for doing so. There are six lawful grounds, set out in Article 6(1) of the GDPR exhaustively, referred to as legitimate consent, contractual necessity, authorized obligations, very important pursuits, public pursuits, and legit pursuits. It has lengthy been stated that there isn’t any hierarchy among the many six lawful grounds (most up-to-date see, e.g., AG opinion in C‑394/23, para 28; EDPB’s Pointers 1/2024 and Opinion 28/2024).
Now, one should strategy this place with warning making an allowance for DMA. DMA applies to core platform providers (CPSs) supplied by gatekeepers – particular undertakings which can be designated by the European Fee pursuant to Article 3 of DMA. DMA lays down particular guidelines on private information safety for gatekeepers to handle their data-driven market benefits. Amongst different personal-data-related measures, notably, gatekeepers’ capability to decide on a GDPR’s lawful floor for sure processing actions is restricted.
1.1 Article 5(2) of DMA’s Alternative of Consent
Codifying earlier regulatory efforts, Article 5(2) of the DMA imposes a normal prohibition on gatekeepers concerning a set of non-public information processing actions: processing sure private information for promoting, combining and cross-using private information from totally different sources, and signing in end-users for mixture functions.
The subparagraphs of Article 5(2) open up the opportunity of exemptions, nevertheless. Gatekeepers could justify these processing actions inside the scope of Article 5(2) of DMA, supplied that:
1) finish customers have been introduced with ‘particular selection’ and have consented to those otherwise-prohibited processing actions, or
2) any of the opposite three GDPR’s lawful grounds, that are authorized obligation, very important pursuits, public pursuits, could be applicable.
Recital 36 of the DMA excludes the opportunity of counting on Article 6(1) (b) and (f) of the GDPR (contractual necessity and legit pursuits) to hold out the prohibited processing actions, which has been confirmed by the joint pointers (para 18).
Moreover, the joint pointers make clear that reliance on Article 6(1), factors (d) or (e) (very important pursuits, or public pursuits) of the GDPR could be attainable in very restricted circumstances (para 80), given the financial and industrial nature of gatekeepers’ processing actions. Likewise, Article 6(1)(c) of GDPR (compliance with a authorized obligation), which has been scrutinised according to the proportionality precept (e.g., Case C-184/20, paras 71-116), can’t be invoked to justify processing actions that transcend what’s required by regulation.
Consequently, legitimate consent turns into the sensible centrepiece, if gatekeepers determine to hold out these types of processing regulated by Article 5(2) of DMA.
Additional, the gatekeepers’ restricted selection is compounded by the stricter circumstances for acquiring legitimate consent beneath Article 5(2) of the DMA. To make this case, we begin with the idea of equal options and its hyperlink to consent. Beneath the GDPR, offering an equal different – a model that doesn’t contain pointless private information processing – is a extremely really useful apply to exhibit that real decisions have been introduced to information topics (EDPB’s Pointers 05/2020, para 37); subsequently, information topics’ consent is more likely to be freely given, and legitimate if different cumulative circumstances are additionally met. The linkage between equal options, real selection for information topics, and freely given consent is subsequently traceable beneath GDPR. However, offering equal options is neither crucial nor enough to fulfil the GDPR’s consent necessities for controllers.
In contrast, for gatekeepers, the joint pointers make clear that offering a much less personalised however equal different is a requirement to exhibit that the top person has been introduced with ‘particular selection’ – a precondition of acquiring GDPR’s legitimate consent beneath Article 5(2) of DMA (Joint pointers, paras 15, 23-28).
It follows that Article 5(2) of DMA not solely funnels Gatekeepers to depend on GDPR’s legitimate consent for processing actions that fall inside its scope but in addition expresses its personal logic: no equal different, no legitimate consent.
1.2 The Regulators’ Alternative of Authorized Obligations
Article 6 of the DMA is one other substantial provision that imposes particular obligations on designated gatekeepers. Amongst different issues, Article 6(10) of the DMA confers the proper to information entry on enterprise customers, and gatekeepers bear the duty to grant entry to such information. When information entry entails private information, the events involved (the gatekeeper, enterprise customers, and authorised third events) are certain by the GDPR and should subsequently depend on applicable lawful grounds to allow such private information sharing.
Though Article 6(10) of DMA explicitly requires ‘the top customers decide in to such sharing by giving their consent,’ the joint pointers make a vital distinction: solely enterprise customers’ entry to non-public information is conditional on acquiring consent (para 163), whereas gatekeepers are directed to depend on Article 6(1), level (c) of the GDPR (authorized obligations) to execute the info sharing (para 159).
The joint pointers have framed this distinction as a approach of rendering the consent mechanism simpler. By designating ‘authorized obligations’ as the idea upon which gatekeepers may share private information, the regulators spotlight gatekeepers’ obligations beneath Article 13, paragraph 5 of DMA (paras 161-163). This anti-circumvention provision takes under consideration the market energy imbalance between gatekeepers and enterprise customers – each are separate controllers inside the that means of GDPR, requiring the previous to take crucial steps to allow the latter to acquire consent or in any other case adjust to information safety legal guidelines.
Subsequently, the regulators highlight gatekeepers’ bolstered obligations beneath DMA to advertise systemic compliance with information safety guidelines that activate the validity of consent. As a result of the GDPR itself tends to evaluate the lawfulness of every controller’s processing actions independently (e.g., Google Spain, para 86; Trend ID, para 96), its consent mechanism can not simply accommodate such institutional preparations by itself. Conceivably, Article 6(1), level (c) of the GDPRis chosen to bridge gatekeepers’ particular duty to the info safety framework.
Half 2 Imprecise Boundaries of DMA’s Limitations
Whereas Article 5(2) of DMA, as talked about, precludes gatekeepers from counting on contractual necessity and legit pursuits to justify prohibited processing actions that fall inside its scope, the joint pointers introduce a stunning exception beneath Article 5(2)(c) of DMA.
The joint pointers firstly make clear that Article 5(2)(c) of DMA doesn’t prohibit the cross-use of non-public information between a CPS and the gatekeeper’s different providers which can be ‘supplied along with or in help of’ the CPS (para 67). Constructing on this, the joint pointers boldly recognise gatekeepers’ internet marketing as a service ‘supporting’ their CPS (para 68), and moreover, counsel that gatekeepers could depend on their reliable pursuits to cross-use private information from their CPSs of their promoting service (para 75).
Part 2.1 questions the joint pointers’ categorisation of internet marketing as a supporting service, and Part 2.2 evaluates how this reasoning could pave the way in which for gatekeepers to make analogous arguments for his or her AI coaching.
2.1 The ‘Supporting Service’ Exception: Conceptual Tensions within the GDPR-DMA Interaction
The popularity of internet marketing as a supporting service beneath Article 5(2), level (c) of DMA, in my view, generates tensions between the 2 regulatory frameworks.
Firstly, beneath EU information safety regulation, promoting has been persistently handled as a standalone processing goal, not a supporting one. Recital 47 of the GDPR enumerates direct advertising as a definite processing goal; the CJEU has thought of on-line personalised promoting to be a type of direct advertising and examined its lawfulness individually from different processing functions (e.g., C‑252/21, paras 115-118). Furthermore, the sending of communications for direct advertising functions has been a definite material comprehensively regulated beneath Article 13 of the e-Privateness Directive, a lex specialis of the GDPR (C‑654/23, paras 64-69). It appears elusive to suit the understanding of internet marketing as a supporting service to CPSs into the present information safety narrative.
Secondly, the understanding of internet marketing as a supporting service additionally appears to be at odds with Article 2(2), level (j) of the DMA, which defines internet marketing providers as an impartial class of CPS. The joint pointers try and reconcile this by distinguishing promoting as a part of the internet marketing CPS or the opposite CPS on which promoting is displayed (see footnote 71). But this conceptual distinction is skinny, and appreciable effort is required to make sense of it.
This ill-founded exception exemplifies the imprecise boundaries of the DMA’s limitations, demonstrating how particular interpretative avenues threaten to undermine its strictness.
2.2 AI as A Supporting Service?
The joint pointers, which recognise gatekeepers’ reliable pursuits in cross-use of on-platform private information of their promoting providers, may open the door to creating an identical argument concerning the processing of on-platform private information for AI coaching functions. In apply, gatekeepers, e.g., Meta, already determine to make use of private information from their CPS to coach AI fashions, resorting to their reliable pursuits to take action.
On this context, EDPB has reaffirmed that GDPR doesn’t impose a hierarchy among the many six lawful grounds, and that reliable curiosity could also be applicable for coaching and deploying AI fashions involving private information, supplied that it’s strictly crucial and proportionate (Opinion 28/2024, second and third questions).
As soon as once more, the no-hierarchy narrative needs to be approached with warning on the subject of the gatekeepers’ AI-related processing actions. It raises the very first query beneath Article 5(2) of the DMA: whether or not the AI-empowered service is supplied as a separate service or as a supporting operate of CPSs. The previous requires legitimate consent from finish customers, whereas the latter could arguably depend on reliable pursuits as a foundation. These determinations are extremely contextual andnecessitate granular authorized and factual evaluation; it appears to me that framing all coaching actions as ‘service enchancment’ could be legally inadequate.
Admittedly, gatekeepers at present face fewer specific restrictions on processing private information for coaching AI fashions, in contrast with their processing for promoting functions, which has been exhaustively scrutinised beneath numerous frameworks, e.g., GDPR, e-Privateness, DMA, and the Digital Service Act (DSA). Nonetheless, fewer prohibitions don’t imply better freedom to course of extra private information. The GDPR’s core rules, together with the AI Act’s risk-based necessities, proceed to use. Trying ahead, parallel lawful grounds, notably consent and legit pursuits, are more likely to coexist to construction accountable AI use.
Half 3 The Broader Image: Differentiated information safety obligations
My previous observations on the interaction between GDPR and DMA spotlight the extra information safety obligations imposed on gatekeepers beneath DMA, that are arguably extra stringent than these of abnormal controllers.
In parallel with the stricter information safety obligations for gatekeepers, the Fee is proposing a digital omnibus bundle to simplify its digital laws, notably in information safety regulation. The stated goal is to cut back administrative burdens and compliance prices for firms, notably small and medium-sized enterprises (SMEs).
Thought of collectively, the 2 ostensibly reverse developments—the tightening of guidelines for gatekeepers and the easing of obligations for SMEs—reveal a broader image: the EU information safety framework is being reformed to ascertain differentiated information safety obligations tied to market energy.
An inexpensive differentiation of information safety obligations wouldn’t essentially contradict the basic nature of the proper to the safety of non-public information. Whereas Article 8 of the EU Constitution entails a excessive degree of information safety, it is usually true that this proper just isn’t absolute and is topic to limitation according to the proportionality precept beneath Article 52(1) of the EU Constitution. The differentiation as such could also be justified by a fragile proportionality take a look at weighing the safety of elementary rights in opposition to financial freedoms, which have been equally helpful within the Union.
But the route just isn’t with out pitfalls. The proposal of the Digital Omnibus Regulation reveals extra substantial modifications to the core GDPR parts than initially anticipated, elevating issues about potential deregulation. With out clear calibration, simplification dangers undermining the very foundations of the EU information safety regulation.
In sum, the interaction between GDPR and DMA reveals greater than a technical coordination train; it might sign the early contours of a extra stratified information safety framework. The EU stands at a pivotal second to replace its information safety framework amid a quickly remodeling digital market. Essentially the most debated points within the coming years would seemingly be whether or not this reform strengthens or undermines the EU’s information safety regime.
Aolan Li is a PhD candidate in Legislation at Queen Mary College of London specialising in EU information privateness regulation.
