On November 18, 2021, the European Data Protection Board (“EDPB”) released a statement on the Digital Services Package and Data Strategy (the “Statement”). The Digital Services Package and Data Strategy is a package composed of several legislative proposals, including the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), the Data Governance Act (“DGA”), the Regulation on a European approach for Artificial Intelligence (“AIR”) and the upcoming Data Act (expected to be presented shortly). The proposals aim to facilitate the further use and sharing of personal data between more public and private parties; support the use of specific technologies, such as Big Data and artificial intelligence (“AI”); and regulate online platforms and gatekeepers.

The EDPB’s Statement draws attention on several concerns related to the proposals, including (1) lack of protection of individuals’ fundamental rights and freedoms, (2) fragmented supervision, and (3) risks of inconsistencies.

With respect to the lack of protection of individuals’ fundamental rights and freedoms, the EDPB highlights specific issues and makes recommendations directed toward the European co-legislator, including, notably:

  • that the AIR must prohibit the use of AI systems that categorize individuals based on biometrics (such as facial recognition) according to ethnicity, gender, political or sexual orientation, or other prohibited grounds of discrimination, and must prohibit any other AI systems whose scientific validity is not proven or that conflict with essential EU values. In addition, the AIR should include a ban on the use of AI to infer emotions of individuals or for the automated recognition of human features in publicly accessible areas.
  • that the DSA should regulate online targeted advertising more strictly and push for less intrusive forms of advertising that do not require any tracking of user interaction with content. Particularly, the EDPB recommends a phase-out of targeted advertising, leading to a prohibition of targeted advertising based on pervasive tracking. The EDPB also advocates for a general prohibition of the profiling of children.

In addition, the EDPB highlights the risk of parallel supervision structures as a result of these proposals and recommends that each proposal clearly set out how the new supervisory body called for in the proposal should cooperate with other authorities, including with existing data protection supervisory authorities.

Finally, the EDPB calls on the European co-legislature to resolve any ambiguities and inconsistencies with the existing data protection framework created by the proposals. The EDPB requests further clarification to ensure that existing data protection rules are not affected or undermined by the various proposals and that data protection rules will prevail where personal data is processed.