On December 6, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a white paper on “Bridging the DMA and the GDPR – Comments by the Centre for Information Policy Leadership on the Data Protection Implications of the Draft Digital Markets Act” (the “White Paper”).
The European Commission’s draft Digital Markets Act (“DMA”) is a proposal for a regulation on “contestable and fair markets” in the digital sector, setting forth obligations for digital platforms acting as gatekeepers, including with respect to data sharing.
The European Parliament’s Internal Market and Consumer Protection Committee recently voted and upheld the DMA with amendments. The text was presented to a plenary vote before the European Parliament on December 13, followed by negotiations with member state governments before the EU Council in early 2022. CIPL’s White Paper seeks to provide input into this process by highlighting a number of important issues raised by the DMA that have not otherwise been widely discussed.
Specifically, the White Paper analyzes the relationship between the DMA’s data sharing obligations and the GDPR’s data protection requirements, identifying areas that require further consideration and clarification to ensure consistency and to enable effective and appropriate implementation of the DMA’s goals. More broadly, the White Paper seeks to encourage law and policy makers in the EU to take a holistic approach to the development of new data-related laws and to consider the interplay between such new laws and all existing data-related laws.
The White Paper makes the following recommendations:
- Encourage and enable informed, cross-disciplinary, constructive regulatory dialogue and exchanges with experts and stakeholders on the interplay between the DMA’s obligations and the GDPR, both during the legislative process and during the ongoing implementation and development of interpretations and guidance;
- Consider the interplay between the DMA’s obligations and the GDPR, including data protection principles, data subjects’ rights, and responsibilities of gatekeepers and data recipients;
- Build consensus on risk assessment, as well as factors and safeguards to be considered by gatekeepers before engaging in data sharing under the DMA;
- Ascertain the categories of data not subject to the data sharing obligations;
- Clarify the GDPR legal basis for processing for mandatory data sharing under the DMA, especially with respect to Article 6(1)(c) of the GDPR (processing necessary for compliance with a legal obligation);
- Develop co-regulatory codes of conduct and data sharing frameworks;
- Encourage the voluntary release of useful, anonymized datasets and overall data mobility within the EU;
- Provide incentives or endorsements to companies that practice data openness and responsible data sharing;
- Promote existing collaborative practices and tools, such as open data agreements, and facilitate cooperation among smaller digital players with respect to data pooling practices;
- Encourage innovative regulatory tools, such as regulatory sandboxes and policy prototyping, including across the different regulators (e.g., data protection and competition);
- Develop EU Commission guidelines on the DMA’s prohibitions and obligations through a process of regulatory dialogue to obtain stakeholders’ views and expertise; and
- Establish formalized cooperation between data protection and competition regulators to enable both a well-functioning data economy and effective data protection.
Read more details about these recommendations in the White Paper.