Among the strict prohibitions in the Digital Markets Act, Article 5(2) DMA, which regulates the aggregation of personal data by the gatekeeper, stands out. The full text now reads as follows:
Art. 5 (2) DMA
“The gatekeeper shall not do any of the following:
(a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;
(b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;
(c) cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and
(d) sign in end users to other services of the gatekeeper in order to combine personal data,
unless the end user has been presented with the specific choice and has given consent within the meaning of Article 4, point (11), and Article 7 of Regulation (EU) 2016/679.
Where the consent given for the purposes of the first subparagraph has been refused or withdrawn by the end user, the gatekeeper shall not repeat its request for consent for the same purpose more than once within a period of one year.
This paragraph is without prejudice to the possibility for the gatekeeper to rely on Article 6(1), points (c), (d) and (e) of Regulation (EU) 2016/679, where applicable.”
Object
In summary, the regulation provides for an explicit stipulation on the combination of personal data by gatekeepers. In doing so, it also takes up the experiences from the Facebook proceedings of the Federal Cartel Office, which are currently not yet concluded. This follows from recitals 36 and 37 of the regulation. According to these, the processing of personal data creates potential advantages for gatekeepers through their accumulation, which can create barriers to market entry. This is already due to the fact that gatekeepers can take advantage of economies of scale.
In addition, these competitive advantages would be strengthened by the aggregation of personal data of end-users from different services or their reuse in other services and, finally, the registration of end-users in different services of the gatekeeper in order to aggregate personal data. The prevention of such barriers to entry is again the object of contestable competition. The prohibition of comprehensive data aggregation also serves this purpose.
On the basis of these clarifications, it becomes clear that the legislator does not yet see the competition issues as being sufficiently safeguarded by the GDPR. The gatekeepers should therefore initially leave the end users free to decide which data processing and login practices they agree to.
Overview
The regulation contains several individual prohibitions, which all fit into the prohibition not to keep personal data together. Here is an overview of what the gatekeeper is not allowed to do:
- No processing of personal data of end-users that accrue when using the services of third parties that make use of core platform services of the gatekeeper for the purpose of operating online advertising services. The gatekeepers are thus only allowed to process the accruing personal data for advertising purposes if the end users have agreed and consented. End-users are thus freed from the wholesale obligation as data providers and it becomes more difficult for the platform to cross-subsidise in connection with the sale of advertising opportunities based on personal data. Cross-subsidisation through other platform services and also through advertising will nevertheless remain possible as long as this is done without processing the personal data.
- No aggregation of personal data from the relevant core platform service with personal data from a) other core platform services, b) other services provided by the gatekeeper or c) third party services. This provision is intended to capture the competitive advantages that a platform obtains through extensive data aggregation. Third party services are also covered, which includes the mere possibility of access. This corresponds to the finding, for example, in connection with Section 18 (3) no. 3 GWB in the criterion “its access to competitively relevant data” for determining the market power of an undertaking. In this context, it is also not a matter of individual ownership, but rather the mere possibility of access is sufficient.
- No further use of personal data in other services provided separately from the gatekeeper, including other core platform services. In relation to the predecessor provision, this is the more general provision supporting the broad scope of application.
- No registration of end users in other services of the gatekeeper for the purpose of aggregating personal data. Due to privacy autonomy and in the context of the second half-sentence, this should only concern those logins that are automated and without the will of the end-user. The end user therefore has the choice of using several services separately and independently of each other, without the gatekeeper performing a merge.
Ensuring freedom of choice for end users
Art. 5 para. 2 subpara. 1 second sentence of the DMA provides as an exception to the prohibition provisions that the end user has been given the specific choice and has consented in accordance with the requirements of the GDPR. Consent is therefore required and, in addition, consent under data protection law. Whether this also applies to consent for persons who are not capable of giving consent is not clarified here. Since Article 5 (2) DMA contains the stricter prohibition here, it could be concluded that there is a complete prohibition without the possibility of consent. The provision of a specifically granted freedom of choice goes beyond the provisions of data protection law in this respect, as it provides for the offer of an alternative in addition to consent, which the user can use without having to merge his or her personal data.
The gatekeeper may ask the respective end user for consent again. However, according to Art. 5 para. 2 subpara. 2 DMA, this is limited to once within one year. The refusal must not be more onerous than the granting of consent. In addition, according to recital 37 p. 3 DMA, the gatekeeper should offer a less personalised but equivalent alternative. In other words, they must not undermine the requirements in order to obtain consent through poor quality or restrictions. The only exception would be if the restriction is a direct consequence of the personal data not being available. However, such a statement is only possible if the gatekeeper no longer has the possibility to terminate the business relationship with the end user in the event of refusal of consent and assent. The gatekeeper must therefore continue to provide and maintain its services unchanged.