29 January 2021
The EU and the UK have published plans and draft legislation to regulate digital service providers in terms of both content and competition. These include data strategies published in 2020, but beyond plans specific to data, elements of wider digital initiatives will also impact the use of data, whether personal or not.
At least three proposals published towards the end of 2020 have data implications:
These developments will have repercussions for the use of personal and non-personal data, including around data sharing, portability, collection, aggregation and the use of data to gain a competitive advantage.
There will be an impact on the use of data by online platforms, intermediary service providers and gatekeepers as a result of draft EU legislation and the UK government's plans, including in relation to digital advertising.
If you are an in-scope online platform, particularly a very large one, or may acquire "gatekeeper" status for EU purposes, then you should monitor the progression of the DSA and DMA and begin considering your compliance as the draft legislation progresses.
If you are an in-scope online platform funded by digital advertising for UK purposes, then it is likely that you will be subject to a new code and the oversight of the Digital Markets Unit within the CMA. This will impact how you interact with consumers' personal data and may require you to permit greater access to data sets.
More broadly, all players in the digital advertising market stand to be impacted.
The DSA will inevitably touch on personal data, even if governance of the data protection regime is not explicitly the target. The following aspects of the draft legislation will be relevant:
Traders on an online platform (for example, sellers using a marketplace) need to be traceable. Online platforms are required to collect specified information from traders before permitting them to offer their products or services on the platform (such as name, contact details and public registry information).
Where the trader is a natural person or is identifiable from information provided, this information will be personal data. GDPR-compliant controls will need to be put in place around such data collection and management.
"Very large" online platforms will be subject to the most stringent obligations under the DSA. Among these are systemic risk assessments, mitigation measures for identified risks and independent audits.
Personal data will inevitably be processed as part of such assessments and particular interactions with personal data may form part of risks identified. Very large online platforms must therefore be clear about their data governance, including data flows and decisions taken about personal data, and they will need to conduct rigorous data protection impact assessments.
Subject to certain exceptions, very large online platforms will also be required to comply with requests from relevant regulators to grant access to data sets to assess compliance with the DSA. There will be privacy implications where that data is personal.
Very large online platforms will need to ensure that they are able to comply with requests but also that the appropriate security controls are in place to minimise the risk of breaches. The data minimisation principle will also be important – where possible, personal data will need to be pseudonymised or preferably anonymised.
Having said that, there should be no issue in terms of a lawful basis for the processing where there is a legal requirement to disclose the data.
The DSA contains transparency obligations in relation to the identity of advertisers placing digital ads, and parameters used to target them at individuals. This is likely to involve processing of personal data. Businesses will need to ensure they comply with the data protection principles, in particular, purpose limitation and data minimisation, when complying with these requirements.
Online platforms, particularly very large ones, should begin to consider their compliance against the draft legislation and engage with EU legislators.
Control and use of data are considered key competitive advantages of large platform service providers. As a result, the draft DMA, while not specifically targeted at data governance, will impact the use of data by organisations designated as "gatekeepers".
Unless end users (eg customers) have been presented with the specific choice and have provided GDPR-standard consent, gatekeepers will be prohibited from:
Gatekeepers will be prohibited from using any non-public data generated by their business users and/or their end users for competitive advantage, for example, to sell competing products.
Relevant gatekeepers will therefore need to ensure that they either ring-fence third party seller data so that it is not used to compete, or make such data publicly available in anonymised form.
The GDPR already provides data subjects with the right to data portability, which means they may request their personal data from organisations to be used for their own purposes or with other services. The reiteration of this point in the DMA, and specification of continuous and real-time access, suggest that regulators believe gatekeepers can do more to make people's personal data available to them.
The requirement to provide real-time and continuous access will be onerous and will require effective use of technology. This also ties into new interoperability requirements to allow data subjects to be able to move their personal data between products and services.
Gatekeepers will also be required to provide business users with free, effective, high-quality, continuous and real-time access and use of aggregated and non-aggregated data, generated in the use of the core platform services by those business users and the end users engaging with the products or services provided by those business users.
For example, this means that the provider of an app store would have to share data generated in the use of a developer's app with that developer, where generated by the developer themselves or by end users who have downloaded that app.
If the relevant data is personal data, this applies where that end user has consented to such provision in accordance with GDPR. Gatekeepers will have to ensure that their consent processes are robust and that it is technically possible to provide such data on a continuous and real-time basis.
If requested by third party providers of search engines, gatekeepers will be required to provide access to ranking, query, click and view data for free and paid searches generated by end users on that gatekeeper's search engines. Where it is personal data, it must first be anonymised. The terms of such access should be fair, reasonable and non-discriminatory.
Gatekeepers providing search engines will therefore be required to share data gathered from use of that search engine with other search engine providers. Such gatekeepers will need to ensure they maintain controls to anonymise any data to be shared and that the data can be ring-fenced in order to share it on a segmented basis.
Gatekeepers, or those who may constitute gatekeepers, should begin to consider their compliance against the draft legislation and engage where relevant with EU legislators.
The study looked at three main issues:
The CMA made four recommendations to address these concerns:
The government largely agrees with the study and its recommendations, noting in particular the enhancement of user control over their personal data.
It also highlights the regulatory position of a new DMU in a landscape where the CMA regulates competition, Ofcom has a role in related markets and, critically, the Information Commissioner's Office (the ICO, the UK data protection regulator) oversees the data protection regime.
It was already clear that these regulators were increasingly cooperating in respect of digital markets through the Digital Regulation Cooperation Forum. The introduction of the DMU into this equation signifies tighter ties, especially as digital advertising, and the adtech which supports it, rely heavily on the use of personal data.
However, the government has not yet accepted the suggestions for pro-competitive interventions. It responded that these are complex and could have significant risks. As a result, it calls for more work to understand potential repercussions. It will take into account advice from the Digital Markets Taskforce, findings from the National Data Strategy consultation and stakeholder views before reaching a final conclusion.
Empowering users to control their personal data is a key objective and as such, online platforms funded by digital advertising should expect that the code of conduct and any specific powers of intervention will attempt to achieve this end. Requirements may include:
The government is still taking advice, particularly on the pro-competitive interventions.
The DMU is likely to be established from April 2021 and work is expected to begin on the code of conduct. However, it is unlikely that any powers to make pro-competitive interventions will come into force soon. Nonetheless, businesses should be aware that the direction of travel is plainly towards greater regulation.
by Alex Walton
by multiple authors