DSA – DMA: two pillars of the European digital strategy.

Legal Watch No. 46 – April 2022

Since the conclusion of a political agreement on the night of April 22-23, the DSA or Digital Services Act has been the subject of much commentary in the digital world.

This legislation on digital services is in fact, along with the legislation on digital markets (Digital Markets Act), at the heart of the European system presented by the European Commission on December 15, 2020.

The aim of this strategy is to create a more level playing field and make online platforms more responsible for the content they publish.

The DSA, in particular, aims to make the digital environment more transparent and secure by defining the responsibilities of digital service providers.

It will complement the European directive on e-commerce and other texts such as the "platform to business" regulation as well as sector-specific provisions regulating, for example, the moderation of online hate speech, terrorism, discrimination, or copyright.

The DSA will apply to platforms such as search engines, social media or e-commerce platforms. 

This text was the subject of numerous debates and pressures, both from civil society, which demanded a sufficiently broad scope of application, and from digital economic players, whose requests went in the opposite direction.

In particular, the question arose of the scope of regulation of "dark patterns" and other mechanisms aimed at influencing visitor behavior (see our letter no. 45).

The political agreement that has been reached seems to strike a balance between controlling a hyper-centralized platform economy on the one hand and respecting fundamental rights, freedom of expression and non-discrimination of individuals on the other.

The following elements are particularly noteworthy:

  • A recourse mechanism should allow people who have identified potentially illegal content to obtain a response from the host, according to a transparent procedure and without turning the latter into police auxiliaries.
  • Targeted advertising will be limited, without the use of sensitive user data.
  • Dark patterns will also be banned – the inclusion of cookies in this ban is uncertain.
  • A crisis response mechanism, introduced in the context of the war in Ukraine, allows the Commission to declare a state of digital emergency in consultation with national regulators.

Note that these measures apply to platforms, and therefore leave the situation unchanged with regard to websites in general.

These nevertheless remain subject to the provisions of the GDPR and the European directive on electronic communications.

The DMA complements the digital strategy by specifically targeting the "access controllers" in digital markets, or "gatekeepers", which have a strong economic position in the European Union and which connect a large user base to a large number of businesses.

A political agreement was also reached on this text on March 25, which clarified the scope of the DMA: the concept covers digital marketplaces, application stores, search engines, social networks, cloud services, advertising services, voice assistants and web browsers.

The DMA aims to ensure that these platforms behave fairly online.

For example, they will have to ensure the interoperability of the basic functionalities of their instant messaging services.

Furthermore, they will no longer be able to:

  • Promote their own products or services to the detriment of those of others (self-referencing)
  • Reuse private data collected during one service for the purposes of another service
  • Establish unfair conditions for professional users
  • Pre-install certain software applications
  • Require app developers to use certain services (e.g., payment systems or identity providers) to be listed in app stores

However, it is worth noting the concerns expressed since then by more than 40 representatives of the competition and data protection sector: during the week of April 21, they published a letter explaining their fears regarding a text that is too vague, which would allow the companies concerned to combine all the data in their possession using a single consent, whereas the GDPR requires a legal basis for each type of processing carried out.

The DMA and the DSA are not yet final: they must be approved in plenary session of the European Parliament before being adopted.

In the meantime, and given the stakes, Europe is wasting no time: it is reportedly planning to open an office in San Francisco to engage with the tech giants of Silicon Valley, the very same companies that will be subject to tight controls under the new digital rules.

And also

France:

  • A study published in mid-April by the Sciences Po journalism school indicates that 184 French public administration sites use Google Analytics, despite the implications highlighted by the CNIL and its counterparts regarding transfers to the United States.

These sites include those of the Council of State, customs, and the presidency.

  • The CNIL publishes resources on artificial intelligence for different audiences: for professionals, a reminder of the principles, the positions of the CNIL and a self-assessment guide; for the general public, resources to better understand the issue; finally for specialists, information and studies concerning the issues and the state of the art.
  • At the beginning of April, the CNIL modified its repressive procedures and created a simplified procedure for less complex cases: no meeting of the college or public session except at the request of the organization concerned.

The sanctions that may be imposed in this context are limited: warnings, fines of up to €20,000 and an injunction with a penalty payment capped at €100 per day of delay.

These sanctions are not made public.

  • On April 15, 2022, the CNIL's restricted committee issued a 1.5 million euro fine against Dedalus Biologie for security flaws that led to the leak of medical data of nearly 500,000 people.

Technical and organizational security deficiencies were identified during software migration operations.

Europe:

The European Commission launched its proposal for a European Health Data Space (EHDS).

The Proposal aims both to facilitate citizens' access to their health data in electronic form and to share them with other health professionals within the EU, while allowing access to this data under strict conditions to researchers, innovators, public institutions or companies.

Each Member State will have to designate a digital health authority which will participate in a cross-border digital infrastructure (MyHealth@EU).

European Data Protection Board (EDPB)

  • On April 6, 2022, the European Data Protection Board (EDPB) published a statement on the draft transatlantic data protection framework.

This statement follows the agreement in principle between the European Commission and the United States announced on March 25, 2022.

The EDPB points out that this announcement does not constitute a legal framework on which data exporters can base their transfers.

They must continue to implement the actions required to comply, in particular, with the Schrems II ruling of the Court of Justice of the European Union.

  • The EDPB also published a common position on 28 April concerning cooperation between data protection authorities in monitoring compliance with the GDPR.

The document confirms the willingness of the DPAs to strengthen their cooperation by identifying cross-border issues of strategic importance, promoting joint investigations, information exchanges and improving certain procedural rules.

European Data Protection Supervisor (EDPS)

The European Data Protection Supervisor (EDPS) is organizing a conference in Brussels on June 16 and 17 focused on compliance with the GDPR in the digital world.

CPDP

Also of note is the annual CPDP (Computers, Privacy and Data Protection) academic conference, postponed to May 23-25 this year. The program is structured around the theme “The age of intelligent machines”.

European Parliament

On April 19, the Pegasus Commission of Inquiry of the European Parliament started its work.

The commission has twelve months to prepare its report on spyware used by several governments to spy on numerous public figures, politicians, journalists and activists.

Court of Justice of the European Union

Two important rulings of the Court of Justice of the European Union were published last month:

  • On 5 April, the Court confirmed its case law that electronic communications data (including location data) cannot be retained generally and indiscriminately to combat serious crimes.
  • On 28 April, the Court explicitly recognised that consumer protection associations can bring representative actions against breaches of personal data protection, regardless of the actual violation of a data subject's right to data protection and in the absence of a mandate to do so.

The Spanish Data Protection Authority imposed a fine of €1,500 on a person who installed a video surveillance camera facing the public highway and near private homes, without an information poster and in violation of Articles 5(1)(c) and 13 of the GDPR.

The Dutch DPA has fined the Ministry of Foreign Affairs €565,000 for insufficient security measures and lack of adequate information for the persons concerned in the context of visa applications.

The Hungarian data protection authority has fined a bank €670,000 for illegal use of artificial intelligence. The bank carried out automatic analyses of audio recordings of its customer service.

The Danish Data Protection Authority has fined Danske Bank €1,345,000 for failing to comply with data retention and deletion procedures in more than 400 computer systems involving several million people. The case is also the subject of a police investigation.

In Belgium, the DPA imposed a fine of 200,000 euros on Brussels Airport Zaventem and 100,000 euros on Brussels South Charleroi Airport for passenger temperature checks carried out as part of the fight against COVID-19 without a valid legal basis.

International:

There are concerns about the listening and recording capabilities of smart speakers.

An academic study published at the end of April details Amazon's use of data collected by Alexa for advertising targeting purposes, and the valuation of this data, which is resold for thirty times more than other data.

In mid-April, the Irish Human Rights Commissioner expressed the same reservations to the Minister of Justice, this time regarding the reuse of this data in the context of police investigations.

On April 21, U.S. Secretary of State Gina M. Raimondo issued a statement on the creation of the “Global CBPR Forum.”

This forum aims to facilitate the transfer of personal data and commercial activities between the United States, Canada, Japan, the Republic of Korea, the Philippines, Singapore and Taiwan.

Note that CBPRs (Cross Border Privacy Rules) have existed for around ten years, with certified companies mainly in the United States.

The OECD plans to develop a framework for trusted government access to private sector data.

This theme is one of the international organization's priorities for 2022, along with data localization and international transfers of personal data.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
