Not a gatekeeper? No matter – the DMA-GDPR Guidelines of the EDPB & European Commission are important: the EDPB’s input aims to ensure consistency in the interpretation of the GDPR.
I’ll go through all 55 pages before next week’s great CEDPO panel with the EDPB’s own Gwendal Le Grand, Borja Martínez Corral and our moderator Natascha Gerlach (don’t miss it!), but the first 20 pages already reveal a lot.
The worst part for non-gatekeepers? Even “pure DMA” issues might taint the Digital Fairness Act.
Para. 20, for instance, states that the prohibition on relying on contract and legitimate interests under Art. 6(1) GDPR in Art. 5(2) DMA scenarios aims at “ensuring a high level of protection of personal data”. This dangerous comment could lead to a hierarchy within Art. 6(1) GDPR, with broader consequences.
Next, para. 26 repeats the (misguided) perspective from the Commission’s DMA decision against Meta that “[t]o ensure equivalence, the alternative service should not differ, in terms of performance, experience and conditions of access compared to the service offered to consenting end users”. “Not differ” = “identical”, though, not “equivalent”. Yet experience & conditions of access *are necessarily different* if a service is less personalised. By not accepting that differences in experience and conditions of access are objectively necessary, the Commission’s perspective adds legal uncertainty & subjectivity to the equivalence test.
Para. 27 then prohibits the “less personalised but otherwise equivalent version of the service for nonconsenting users” from being based on consent – even though equivalent alternatives might require consent anyway under other laws such as the ePrivacy Directive (as interpreted by the EDPB).
Para. 31, on what constitutes a “purpose” under the GDPR, highlights service development as requiring consent. Data protection regulators & the Commission clearly still refuse to see service improvement as an inherent part of services.
Para. 45 says that even design choices that may “mislead or nudge end users into providing unintended and thus invalid consent” are prohibited under the DMA. Yet what is “(un)intended” is subjective, and the reference to nudging could be used to attack any form of influence, not just *true* dark patterns. Saying that “[a] user interface consent flow should not be designed in a way that leads end users to […] not think about all or some of the implications of providing their consent” is equally problematic: it would make it easy to attack any UI that repeats common UI patterns.
And there is the remainder of the document.
[I do note, however, that nothing seems at first glance to contradict my analysis of what the word “combine” means under Art. 5(2) DMA (https://lnkd.in/dmtzKX2E) – in fact, the examples given in para. 59 on page 19 all appear to be in line with it.]
In short: take part in the consultation process. Even non-gatekeepers should be worried.
EDIT: submission: https://lnkd.in/eGjji6Ux
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!