The European Commission and European Data Protection Board have released joint guidelines clarifying the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). These guidelines provide clarity for large online platforms regarding consent requirements and data sharing, potentially reshaping how gatekeepers operate within the European Union.
Understanding the Regulatory Framework
The guidelines provide a framework for understanding how the DMA and GDPR interact, particularly concerning data usage by major online platforms designated as “gatekeepers.” The DMA focuses on preventing anti-competitive practices by large online platforms, while the GDPR safeguards individuals’ data protection and privacy rights. The new guidelines harmonize these objectives, creating a more consistent regulatory landscape.
Stricter Consent Requirements
A key announcement is the stricter interpretation of consent requirements. Gatekeepers must now obtain explicit and separate consent when combining user data across different services, including for AI training purposes. This closes a debated loophole, preventing reliance on legitimate interest or contractual necessity for such data processing.
Platforms can no longer assume consent based on general terms of service. Instead, they must provide users with clear, specific choices about how their data is used across different services. For example, a social media platform offering messaging and e-commerce services would need separate consent for combining data from these services.
Critical Issues Addressed
- “Pay or Accept” Models: Offering users a choice between consenting to tracking and paying a fee will rarely qualify as freely given consent, due to power imbalances.
- Business Model Disruption: Stricter requirements could significantly impact platforms relying on combined user data for targeted advertising.
Enhanced Anonymization Standards
The guidance introduces practical standards for anonymization, requiring platforms to implement technical and organizational safeguards to prevent re-identification of users. These safeguards include data masking, aggregation, and differential privacy measures, all of which must be regularly reviewed and updated. The guidelines also emphasize data minimization, ensuring platforms collect only the data strictly necessary for their purposes.
These guidelines mark a significant step toward stricter data protection enforcement in the EU, requiring platforms to fundamentally rethink their data practices and user consent mechanisms.