Digital Markets Act: Prohibition of data aggregation

Among the strict pro­hi­bi­ti­ons in the Digi­tal Mar­kets Act, Artic­le 5(2) DMA, which regu­la­tes the aggre­ga­ti­on of per­so­nal data by the gate­kee­per, stands out. The full text now reads as follows:

“The gate­kee­per shall not do any of the fol­lo­wing:
(a) pro­cess, for the pur­po­se of pro­vi­ding online adver­ti­sing ser­vices, per­so­nal data of end users using ser­vices of third par­ties that make use of core plat­form ser­vices of the gate­kee­per;
(b) com­bi­ne per­so­nal data from the rele­vant core plat­form ser­vice with per­so­nal data from any fur­ther core plat­form ser­vices or from any other ser­vices pro­vi­ded by the gate­kee­per or with per­so­nal data from third-par­ty ser­vices;
© cross-use per­so­nal data from the rele­vant core plat­form ser­vice in other ser­vices pro­vi­ded sepa­ra­te­ly by the gate­kee­per, inclu­ding other core plat­form ser­vices, and vice ver­sa; and
(d) sign in end users to other ser­vices of the gate­kee­per in order to com­bi­ne per­so­nal data,
unless the end user has been pre­sen­ted with the spe­ci­fic choice and has given con­sent within the mea­ning of Artic­le 4, point
(11), and Artic­le 7 of Regu­la­ti­on (EU) 2016/679.
Whe­re the con­sent given for the pur­po­ses of the first sub­pa­ra­graph has been refu­sed or with­drawn by the end user, the gate­kee­per shall not repeat its request for con­sent for the same pur­po­se more than once within a peri­od of one year.
This para­graph is wit­hout pre­ju­di­ce to the pos­si­bi­li­ty for the gate­kee­per to rely on Artic­le 6(1), points ©, (d) and (e) of Regu­la­ti­on (EU) 2016/679, whe­re applicable.”

Art. 5 (2) DMA

Object

In sum­ma­ry, the regu­la­ti­on pro­vi­des for an expli­cit sti­pu­la­ti­on on the com­bi­na­ti­on of per­so­nal data by gate­kee­pers. In doing so, it also takes up the expe­ri­en­ces from the Face­book pro­cee­dings of the Fede­ral Car­tel Office, which are curr­ent­ly not yet con­cluded. This fol­lows from reci­tals 36 and 37 of the regu­la­ti­on. Accor­ding to the­se, the pro­ces­sing of per­so­nal data crea­tes poten­ti­al advan­ta­ges for gate­kee­pers through their accu­mu­la­ti­on, which can crea­te bar­riers to mar­ket ent­ry. This is alre­a­dy due to the fact that gate­kee­pers can take advan­ta­ge of eco­no­mies of scale.

In addi­ti­on, the­se com­pe­ti­ti­ve advan­ta­ges would be streng­the­ned by the aggre­ga­ti­on of per­so­nal data of end-users from dif­fe­rent ser­vices or their reu­se in other ser­vices and, final­ly, the regis­tra­ti­on of end-users in dif­fe­rent ser­vices of the gate­kee­per in order to aggre­ga­te per­so­nal data. The pre­ven­ti­on of such bar­riers to ent­ry is again the object of con­test­a­ble com­pe­ti­ti­on. The pro­hi­bi­ti­on of com­pre­hen­si­ve data aggre­ga­ti­on also ser­ves this purpose.

On the basis of the­se cla­ri­fi­ca­ti­ons, it beco­mes clear that the legis­la­tor does not yet see the com­pe­ti­ti­on issues as being suf­fi­ci­ent­ly safe­guard­ed by the GDPR. The gate­kee­pers should the­r­e­fo­re initi­al­ly lea­ve the end users free to deci­de which data pro­ces­sing and log­in prac­ti­ces they agree to.

Overview

The regu­la­ti­on con­ta­ins seve­ral indi­vi­du­al pro­hi­bi­ti­ons, which all fit into the pro­hi­bi­ti­on not to keep per­so­nal data tog­e­ther. Here is an over­view of what the gate­kee­per is not allo­wed to do:

1. No pro­ces­sing of per­so­nal data of end-users that accrue when using the ser­vices of third par­ties that make use of cen­tral plat­form ser­vices of the gate­kee­per for the pur­po­se of ope­ra­ting online adver­ti­sing ser­vices. The gate­kee­pers are thus only allo­wed to pro­cess the acc­ruing per­so­nal data for adver­ti­sing pur­po­ses if the end users have agreed and con­sen­ted. End-users are thus freed from the who­le­sa­le obli­ga­ti­on as data pro­vi­ders and it beco­mes more dif­fi­cult for the plat­form to cross-sub­si­di­se in con­nec­tion with the sale of adver­ti­sing oppor­tu­ni­ties based on per­so­nal data. Cross-sub­si­di­s­a­ti­on through other plat­form ser­vices and also through adver­ti­sing will nevert­hel­ess remain pos­si­ble as long as this is done wit­hout pro­ces­sing the per­so­nal data.
2. No aggre­ga­ti­on of per­so­nal data from the rele­vant cen­tral plat­form ser­vice with per­so­nal data from a) other cen­tral plat­form ser­vices, b) other ser­vices pro­vi­ded by the gate­kee­per or c) third par­ty ser­vices. This pro­vi­si­on is inten­ded to cap­tu­re the com­pe­ti­ti­ve advan­ta­ges that a plat­form obta­ins through exten­si­ve data aggre­ga­ti­on. Third par­ty ser­vices are also cover­ed, which includes the mere pos­si­bi­li­ty of access. This cor­re­sponds to the fin­ding, for exam­p­le, in con­nec­tion with Sec­tion 18 (3) no. 3 GWB in the cri­ter­ion “its access to com­pe­ti­tively rele­vant data” for deter­mi­ning the mar­ket power of an under­ta­king. In this con­text, it is also not a mat­ter of indi­vi­du­al owner­ship, but rather the mere pos­si­bi­li­ty of access is sufficient.
3. No fur­ther use of per­so­nal data in other ser­vices pro­vi­ded sepa­ra­te­ly from the gate­kee­per, inclu­ding other cen­tral plat­form ser­vices. In rela­ti­on to the pre­de­ces­sor pro­vi­si­on, this is the more gene­ral pro­vi­si­on sup­port­ing the broad scope of application.
4. No regis­tra­ti­on of end users in other ser­vices of the gate­kee­per for the pur­po­se of aggre­ga­ting per­so­nal data. Due to pri­va­cy auto­no­my and in the con­text of the second half-sen­tence, this should only con­cern tho­se log­ins that are auto­ma­ted and wit­hout the will of the end-user. The end user the­r­e­fo­re has the choice of using seve­ral ser­vices sepa­ra­te­ly and inde­pendent­ly of each other, wit­hout the gate­kee­per per­forming a merge.

Ensuring freedom of choice for end users

Art. 5 para. 2 sub­pa­ra. 1 second sen­tence of the DMA pro­vi­des as an excep­ti­on to the pro­hi­bi­ti­on pro­vi­si­ons that the end user has been given the spe­ci­fic choice and has con­sen­ted in accordance with the requi­re­ments of the GDPR. Con­sent is the­r­e­fo­re requi­red and, in addi­ti­on, con­sent under data pro­tec­tion law. Whe­ther this also appli­es to con­sent for per­sons who are not capa­ble of giving con­sent is not cla­ri­fied here. Sin­ce Artic­le 5 (2) DMA con­ta­ins the stric­ter pro­hi­bi­ti­on here, it could be con­cluded that the­re is a com­ple­te pro­hi­bi­ti­on wit­hout the pos­si­bi­li­ty of con­sent. The pro­vi­si­on of a spe­ci­fi­cal­ly gran­ted free­dom of choice goes bey­ond the pro­vi­si­ons of data pro­tec­tion law in this respect, as it pro­vi­des for the offer of an alter­na­ti­ve in addi­ti­on to con­sent, which the user can use wit­hout having to mer­ge his or her per­so­nal data.

The gate­kee­per may ask the respec­ti­ve end user for con­sent again. Howe­ver, accor­ding to Art. 5 para. 2 sub­pa­ra. 2 DMA, this is limi­t­ed to once within one year. The refu­sal must not be more one­r­ous than the gran­ting of con­sent. In addi­ti­on, the gate­kee­per should, accor­ding to reci­tal 37 p. 3 DMA, the gate­kee­per should offer a less per­so­na­li­sed but equi­va­lent alter­na­ti­ve. In other words, they must not under­mi­ne the requi­re­ments in order to obtain con­sent through poor qua­li­ty or rest­ric­tions. The only excep­ti­on would be if the rest­ric­tion is a direct con­se­quence of the per­so­nal data not being available. Howe­ver, such a state­ment is only pos­si­ble if the gate­kee­per no lon­ger has the pos­si­bi­li­ty to ter­mi­na­te the busi­ness rela­ti­onship with the end user in the event of refu­sal of con­sent and assent. The gate­kee­per must the­r­e­fo­re con­ti­nue to pro­vi­de and main­tain its ser­vices unchanged.