EU and UK digital policy – what are the data implications?

The EU and the UK have published plans and draft legislation to regulate digital service providers in terms of both content and competition. These include data strategies published in 2020, but beyond plans specific to data, elements of wider digital initiatives will also impact the use of data, whether personal or not.

At least three proposals published towards the end of 2020, have data implications:

The EC's draft Digital Services Act (DSA) (which broadly regulates online intermediary services).
The EC's draft Digital Markets Act (DMA) (which broadly regulates online "gatekeepers" from a competition angle).
The UK government's response to the Competition and Markets Authority's (CMA) market study into online platforms and digital advertising and the creation of a Digital Markets Unit.

What does this mean for you?

These developments will have repercussions for the use of personal and non-personal data, including around data sharing, portability, collection, aggregation and the use of data to gain a competitive advantage.

There will be an impact on the use of data by online platforms, intermediary service providers and gatekeepers as a result of draft EU legislation and the UK government's plans, including in relation to digital advertising.

If you are an in-scope online platform, particularly a very large one, or may acquire "gatekeeper" status for EU purposes, then you should monitor the progression of the DSA and DMA and begin considering your compliance as the draft legislation progresses.

If you are an in-scope online platform funded by digital advertising for UK purposes, then it is likely that you will be subject to a new code and the oversight of the Digital Markets Unit within the CMA. This will impact how you interact with consumers' personal data and may require you to permit greater access to data sets.

More broadly, all players in the digital advertising market stand to be impacted.

EC Digital Services Act

The DSA will inevitably touch on personal data, even if governance of the data protection regime is not explicitly the target. The following aspects of the draft legislation will be relevant:

Trader information requirements

Traders on an online platform (for example, sellers using a marketplace) need to be traceable. Online platforms are required to collect specified information from traders before permitting them to offer their products or services on the platform (such as name, contact details and public registry information).

Where the trader is a natural person or is identifiable from information provided, this information will be personal data. GDPR-compliant controls will need to be put in place around such data collection and management.

Obligations on "very large" online platforms

"Very large" online platforms will be subject to the most stringent obligations under the DSA. Among these are systemic risk assessments, mitigation measures for identified risks and independent audits.

Personal data will inevitably be processed as part of such assessments and particular interactions with personal data may form part of risks identified. Very large online platforms must therefore be clear about their data governance, including data flows, decisions taken about personal data and they will need to conduct rigorous data protection impact assessments.

Subject to certain exceptions, very large online platforms will also be required to comply with requests from relevant regulators to grant access to data sets to assess compliance with the DSA. There will be privacy implications where that data is personal.

Very large online platforms will need to ensure that they are able to comply with requests but also that the appropriate security controls are in place to minimise the risk of breaches. The data minimisation principle will also be important – where possible, personal data will need to be pseudonymised or preferably anonymised.

Having said that, there should be no issue in terms of a lawful basis for the processing where there is a legal requirement to disclose the data.

Digital advertising

The DSA contains transparency obligations in relation to the identity of advertisers placing digital ads, and parameters used to target them at individuals. This is likely to involve processing of personal data. Businesses will need to ensure they comply with the data protection principles, in particular, purpose limitation and data minimisation, when complying with these requirements.

Next steps

Online platforms, particularly very large ones, should begin to consider their compliance against the draft legislation and engage with EU legislators.

EC Digital Markets Act

Control and use of data are considered key competitive advantages of large platform service providers. As a result, the draft DMA, while not specifically targeted at data governance, will impact the use of data by organisations designated as "gatekeepers".

Combination of personal data

Unless end users (eg customers) have been presented with the specific choice and have provided GDPR-standard consent, gatekeepers will be prohibited from:

Combining personal data sourced from their core platform services with personal data from their other services, or with personal data from third party services – this means that gatekeepers offering more than one service will not be able to combine personal data across multiple service offerings.
Signing in end users to other services of the gatekeeper in order to combine personal data.
Gatekeepers will need to ensure that their consent processes are GDPR-compliant and present end users with real choice. It is likely that strong controls will be needed to ring-fence different types of personal data gathered from different sources.

Use of data to compete

Gatekeepers will be prohibited from using any non-public data generated by their business users and/or their end users for competitive advantage, for example, to sell competing products.

Relevant gatekeepers will therefore need to ensure that they either ring-fence third party seller data so that it is not used to compete, or make such data publicly available in anonymised form.

Data portability

The GDPR already provides data subjects with the right to data portability which means they may request their personal data from organisations to be used for their own purposes or with other services. The reiteration of this point in the DMA, and specification of continuous and real time access, suggest that regulators believe gatekeepers can do more to make people's personal data available to them.

The requirement to provide real time and continuous access will be onerous and will require effective use of technology. This also ties into new interoperability requirements to allow data subjects to be able to move their personal data between products and services.

Data access

Gatekeepers will also be required to provide business users with free, effective, high-quality, continuous and real-time access and use of aggregated and non-aggregated data, generated in the use of the core platform services by those business users and the end users engaging with the products or services provided by those business users.

For example, this means that the provider of an app store would have to share data generated in the use of a developer's app with that developer, where generated by the developer themselves or by end users who have downloaded that app.

If the relevant data is personal data, this applies where that end user has consented to such provision in accordance with GDPR. Gatekeepers will have to ensure that their consent processes are robust and that it is technically possible to provide such data on a continuous and real time basis.

Search engine data access

If requested by third party providers of search engines, gatekeepers will be required to provide access to ranking, query, click and view data for free and paid searches generated by end users on that gatekeeper's search engines. Where it is personal data, it must first be anonymised. The terms of such access should be fair, reasonable and non-discriminatory.

Gatekeepers providing search engines will therefore be required to share data gathered from use of that search engine with other search engine providers. Such gatekeepers will need to ensure they maintain controls to anonymise any data to be shared and that the data can be ring-fenced in order to share it on a segmented basis.

Next steps

Gatekeepers, or those who may constitute gatekeepers, should begin to consider their compliance against the draft legislation and engage where relevant with EU legislators.

UK government response to the CMA

The CMA study

The study looked at three main issues:

The extent to which online platforms that are funded by digital advertising have market power in consumer-facing markets.
Whether consumers have adequate control over the use of their data by such platforms.
Whether a lack of transparency, conflicts of interest and the leveraging of market power undermine competition in digital advertising.

The CMA made four recommendations to address these concerns:

Establish an enforceable code of conduct for platforms funded by digital advertising that are designated as having strategic market status (SMS).
Establish a Digital Markets Unit (DMU) to undertake SMS designation, introduce and maintain the code, and produce supporting guidance.
Give the DMU powers to enforce and update the code.
Give the DMU powers to introduce a range of pro-competitive interventions, to include: data-related interventions (including consumer control over data, interoperability, mandatory data access and data separation powers); consumer choice and default interventions; and separation interventions.

The government's support

The government largely agrees with the study and its recommendations, noting in particular the enhancement of user control over their personal data.

It also highlights the regulatory position of a new DMU in a landscape where the CMA regulates competition, Ofcom has a role in related markets and, critically, the Information Commissioner's Office (the ICO, the UK data protection regulator) oversees the data protection regime.

It was already clear that these regulators were increasingly cooperating in respect of digital markets through the Digital Regulation Cooperation Forum. The introduction of the DMU into this equation signifies tighter ties, especially as digital advertising and adtech which supports it, rely heavily on the use of personal data.

However, the government has not yet accepted the suggestions for pro-competitive interventions. It responded that these are complex and could have significant risks. As a result, it calls for more work to understand potential repercussions. It will take into account advice from the Digital Markets Taskforce, findings from the National Data Strategy consultation and stakeholder views before reaching a final conclusion.

Repercussions for personal data

Empowering users to control their personal data is a key objective and as such, online platforms funded by digital advertising should expect that the code of conduct and any specific powers of intervention will attempt to achieve this end. Requirements may include:

Clearer terms and conditions and privacy notices.
The ability for consumers to access services in a way which limits the processing of their personal data (and not on a 'take it or leave it' basis where refusing to provide certain data means the services cannot be used).
More choices for consumers to select precisely which information they share.
Regulatory orders to facilitate market access to (presumably anonymised) data gathered by an organisation.
Regulatory orders to partition large sets of personal data.

Next steps

The government is still taking advice, particularly on the pro-competitive interventions.

The DMU is likely to be established from April 2021 and work is expected to begin on the code of conduct. However, it is unlikely that any powers to make pro-competitive interventions will come into force soon. Nonetheless, businesses should be aware that the direction of travel is plainly towards greater regulation.