Miguel Recio Gayo, PhD 1
Member of the Network of researchers, South EU Google Data Governance Chair
Abstract: The EU wants to lead the transition to a “new digital world”, but proposals such as the Digital Market Act (“DMA”) and the Digital Services Act (“DSA”) require avoiding overlapping and gaps on data protection and other subjects. Achieving a better digital society and economy in the EU means that measures such as the DMA and DSA should be only adopted after carefully consider all the potential implications for all stakeholders and all the maters.
Keywords: Data protection, European Union, digital strategy, digital society, digital economy.
Summary: 1. The transition to a “new digital world” in the EU. 2. Overlapping and gaps on data protection in the EU digital strategy. 3. Towards a better digital society and economy.
1. THE TRANSITION TO A “NEW DIGITAL WORLD” IN THE EU
The European Union (“EU”) wants to lead the transition to a “new digital world”2. This goal requires not to act at first sight but considering all the implications of any potential measures from a public policy perspective to ensure the better conditions for the future of a robust and beneficial digital society and economy.
As part of the EU Digital Services and Data Package strategies, on 15 December 2020, the European Commission adopted two relevant proposals for the future of the EU digital strategy. These proposals are, on the one hand, the Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the
digital sector (Digital Markets Act)3 and, on the other hand, the Proposal for a Regulation of the European Parliament and of the Council on Single Market for Digital Services (Digital Services Act) and amending Directive 2000/31/EC (“DSA”)4.
The mentioned Proposals, in particular the DSA, might have been adopted without considering all the implications on data protection as there are several overlapping and gaps. It could be a risk for a buoyant digital strategy that is based, among others, on personal data.
Therefore, any risk that could hamper the future of the EU Digital Services and Data Package strategies should be carefully assessed and addressed. Overlapping and gaps on data protection are one of the main concerns of all stakeholders, including the supervisory authorities.
2. OVERLAPPING AND GAPS ON DATA PROTECTION IN THE EU DIGITAL STRATEGY?
The EPDS5 and the European Data Protection Board (“EDPB”)6 have both expressed their concern over potential overlapping and gaps in the EU Digital Services and Data Package strategies. And linked to this, it should be taken into consideration as well that the European Data Protection Supervisor (“EDPS”) has recalled that “the right to data protection is not an absolute right and interferences may be justified, provided such measures remain limited to what is necessary and proportionate”7.
The initial version of the proposal on the DMA includes a pertinent example of overlapping and gaps on data protection. Among others, the proposal includes the obligation of gatekeepers to provide business users, third parties authorised by business users, or any third party provider of online search engine, depending on the specific case, with (i) “continuous and real-time access and use of” aggregated or non-aggregated personal data (Art. 6(1)(i)), (ii) personal data “when the end user opts in to such sharing with a consent in the sense of the GDPR” Art. 6(1)(i)), and (iii) for specific personal data (“query, click and view data”) “subject to anonymisation” (Art. 6(1)(j)).
On these provisions, the EDPS has raised several questions derived from the doubts and risks on data protection. In its Opinion 2/20218 points out that “the current wording of Article 6(1)(i) may cause confusion that could lead to inconsistency with the GDPR” as “aggregated or non-aggregated data might include personal data” and that the “query, click and view data in relation to searches generated by individuals constitute personal data”.
Even though the EPDS makes several proposals, approaches such as use the term “non-personal data” referred to information “that is provided for or generated in the context of the use of the relevant core platform services” or “that the gatekeeper shall be able to demonstrate that anonymised query, click and view data have been adequately tested against possible re-identification risks”, may require further analysis before regulation on this subject.
In the first case, the broad scope of the concept of personal that the GDPR9 has adopted 9 following the repealed Directive 95/46/EC10 and the opinion of the EDPB on the 10 concept of personal data11 may not help to answer all the doubts that the application of 11 the DMA will raise. And there is still a risk of confusion or doubts on the interpretation of non-personal data when referred to information “that is provided for or generated in the context of the use of the relevant core platform services” as there could be personal data involved.
In the second case, the Article 29 Working Group pointed out that “an anonymised dataset can still present residual risks to data subjects”12. It means that approaches based on obligations imposed to gatekeepers are not the solution taking into consideration the technological evolution and the use of the information by third parties.
And alongside these issues, Baines also highlights that “key EU data governance instruments are undergoing or are set for reform” and that “lessons learned from interactions between earlier iterations and other instruments will inform a ‘joined-up’ approach to drafting and review that seeks to minimise unwanted consequences for privacy, safety and security”13.
3. TOWARDS A BETTER DIGITAL SOCIETY AND ECONOMY
There are some concerns on data protection and other matters (e.g. intellectual property regarding some contents or information, costs derived from the management of information to comply with the imposed obligations, cybersecurity risks, etc.) with these proposals that need to be addressed to avoid to adopt rules that may hamper, more than boost, the future of the digital society and economy that are globally interconnected.
The EU digital strategy should focus on a framework that answers to the several concerns raised and that is innovative. Otherwise, there is a risk to lose a relevant opportunity to enact a data governance package that is a driver for the future of the EU digital society and economy based on (personal) data. Overlapping and gaps on data
protection in the EU digital strategy are a serious threat that require action from the several stakeholders, including the data protection regulators.
Some of the obligations on sharing personal data included in the proposals should be carefully reassessed to avoid obstacles on the way to a true digital society and economy as consequence of regulations that are not considering all the factors. These factors go beyond personal data and data protection as data and other information may be protected under intellectual property, be generated thanks to a relevant investment or be essential for a law enforcement investigation.
It would be recommendable considering as well that “[r]ecent high-level developments in EU-US relations may yet prove fruitful in coordinating policy imperatives and balancing rights across continents”14.
In conclusion, achieving a better digital society and economy in the EU means that measures such as the DMA and DSA should be only adopted after clarifying several concepts, provisions and concerns (e.g. gatekeeper, the legal basis for the processing of personal data or cybersecurity when personal data are shared with third parties that might be target of cyberattacks). And overall, providing a solution to overlapping and gaps on (personal) data.
1 Associate professor at the Law School of the CEU San Pablo University of Madrid, as well as lawyer in the area of TMC and Data Protection Officer at CMS Albiñana y Suárez de Lezo. PhD in Law from the CEU San Pablo University of Madrid. International Master ́s Degree in Data Protection, Transparency and Access to Information from the CEU San Pablo University of Madrid and LLM in Intellectual Property Law from The George Washington University Law School. Bachelor in Law from the Faculty of Law of the Universidad Carlos III de Madrid (Spain). Winner of the II edition (2015) of the Annual Research Award granted by the Google Chair in Privacy, Society and Innovation at CEU San Pablo University. Academic researcher. Frequent speaker in Spain and other countries on data protection. Lecturer as well in training courses for Data Protection Officers in Spain and courses on data protection for professionals. Author and co-author of several books, chapters of books, papers and articles on data protection and digital law in Spain, as well in Latin America. Among other publications, Recio has published on the General Data Protection Regulation (GDPR), the Data Protection Officer (DPO), cybersecurity or data protection and privacy.
2 European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Shaping Europe’s digital future, COM(2020) 67 final, Brussels 19 February 2020, p. 1. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0067&qid=1641223331126
4 Available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=COM%3A2020%3A825%3AFIN
5 European Data Protection Supervisor, Opinion 2/2021 on the Proposal for a Digital Markets Act, 10 February 2021. Available at https://edps.europa.eu/system/files/2021-02/21-02-10-opinion_on_digital_markets_act_en.pdf
6 European Data Protection Board, Statement on the Digital Services Package and Data Strategy, adopted on 18 November 2021. Available at https://edpb.europa.eu/system/files/2021-11/edpb_statement_on_the_digital_services_package_and_data_strategy_en.pdf
7 European Data Protection Supervisor, Opinion 1/2021 on the Proposal for a Digital Services Act, 10 February 2021.
Available at https://edps.europa.eu/system/files/2021-02/21-02-10-opinion_on_digital_services_act_en.pdf
8 Op. cit., pp. 11 and 12.
9 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
10 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
11 Article 29 Working Party, Opinion 4/2007 on the concept of personal data (WP 136), adopted on 20 June 2007, p. 4. Available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
12 Article 29 Working Group, Opinion 5/2014 on Anonymisation Techniques (WP 216), adopted on 10 April 2014, p.4. Available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/index_en.htm
13 Baines, Victoria, On joined up law-making: the privacy/safety/security dynamic, and what this means for data governance (November 28, 2021), p.4. Available at http://dx.doi.org/10.2139/ssrn.3958982
14 Baines, op- cit., p.8.