Written by: Haim Ravia, Dotan Hammer
The European Data Protection Board (EDPB) issued draft guidelines, open for public comment, on the interplay between the Digital Services Act (DSA) and the GDPR. The guidelines underscore that the DSA is without prejudice to the GDPR and does not derogate from the general rules on personal data processing, requiring consistent and coherent application of both frameworks.
The draft guidelines focus on specific provisions where the DSA impacts personal data processing:
1. Content Moderation under the DSA. Voluntary investigations by intermediary service providers to detect illegal content generally rely on the GDPR’s legal basis of legitimate interests. The processing may also be justified to comply with legal obligations under EU or national law of EU member states. In all cases, providers must demonstrate that the processing is necessary and proportionate.
2. Advertising and Profiling under the DSA. The DSA requires real-time advertising transparency, complementing the GDPR’s requirement that information be provided at the time data is obtained. Critically, the DSA introduces a prohibition on online platforms presenting advertisements based on profiling using special categories of personal data under the GDPR, regardless of whether the provider relies on an otherwise appropriate legal basis or derogation under the GDPR.
3. Providers of very large online platforms (VLOPs; e.g., Facebook) and very large online search engines (VLOSEs; e.g., Google) often present content, results, or feeds based on their algorithmic recommendations. When they do so, they must offer users at least one option for these ‘recommender’ systems that is not based on user profiling. When presenting these options, providers must treat them equally and should not nudge users toward the profiling option. While the non-profiling option is active, the provider cannot lawfully collect or process personal data for the purpose of profiling the user.
4. Deceptive patterns that influence user behavior relating to personal data processing are covered by the GDPR and are generally unlawful as they violate the principle of fairness.
Finally, the EDPB stressed that effective enforcement requires authorities competent under the DSA and Data Protection Authorities (DPAs) to consult and cooperate sincerely when examining conduct that touches upon the other framework.
Click here to read the EDPB’s draft guidelines on the interplay between the DSA and the GDPR.