Open Access
User consent at the interface of the DMA and the GDPR : a privacy-setting solution to ensure compliance with ART. 5(2) DMA
Loading...
Files
RSC_WP_2023_68.pdf (561.73 KB)
Full text in Open Access
License
Attribution 4.0 International
Cadmus Permanent Link
Full-text via DOI
ISBN
ISSN
1028-3625
Issue Date
Type of Publication
LC Subject Heading
Other Topic(s)
EUI Research Cluster(s)
Initial version
Published version
Succeeding version
Preceding version
Published version part
Earlier different version
Initial format
Citation
EUI; RSC; Working Paper; 2023/68; Centre for a Digital Society
Cite
BOTTA, Marco, DA COSTA LEITE BORGES, Danielle, User consent at the interface of the DMA and the GDPR : a privacy-setting solution to ensure compliance with ART. 5(2) DMA, EUI, RSC, Working Paper, 2023/68, Centre for a Digital Society - https://hdl.handle.net/1814/76134
Abstract
The Digital Markets Act (DMA) is fully applicable since 2nd May 2023; the EU Commission has recently designated six firms having the status of ‘digital gatekeepers’ and thus subject to the DMA obligations. By imposing asymmetric regulation on ‘large’ digital platforms (i.e., gatekeepers), the new EU Regulation aims at improving the ‘fairness’ and ‘contestability’ of digital markets. In line with its goals, Art. 5(2) DMA prohibits gatekeepers from combining and cross using the end user’s data collected from different sources within its own eco-system. However, Art. 5(2) DMA offers some exceptions to this general prohibition: data combination, in fact, is possible if the end-user provides his/her ‘consent’ to such data combination, to benefit from more personalized services/advertisement from the gatekeeper. In particular, the users’ consent should comply with the requirements of Article 7 of the General Data Protection Regulation (GDPR). The paper discusses the relationship between the DMA and the GDPR, focusing on the users’ consent as a lawful basis to the processing activities of data combination and cross-use under Art. 5(2) DMA. The paper argues in favor of a ‘privacy setting’ solution, introduced by the gatekeeper within its platform service: at the first log in, the user would face on her/his screen a cookie wall, asking her/him to opt-in to specific types of data combination activities by the gatekeeper. Cookie walls have generally been considered not compatible with the GDPR requirement in terms of ‘free’ consent. However, in the online world, the emphasis on repeated, individual consent requests for every data processing has generated the so-called ‘consent fatigue’. In the paper, we argue that the DMA anti-circumvention provision addresses the consent fatigue issue: in our view, if the gatekeeper had to ask for the user’s consent every time before engaging in a data combination activity, this would represent a breach of Art. 13(6) DMA. Secondly, the paper argues that the DMA represents a lex specialis in comparison to the GDPR. Therefore, while respecting the general criteria indicated by Art. 7 GDPR, the user’s consent under Art. 5(2) DMA should be ‘adjusted’ to the peculiarities of the Digital Markets Act.