User consent at the interface of the DMA and the GDPR : a privacy-setting solution to ensure compliance with ART. 5(2) DMA

Abstract

The Digital Markets Act (DMA) is fully applicable since 2nd May 2023; the EU Commission has recently designated six firms having the status of ‘digital gatekeepers’ and thus subject to the DMA obligations. By imposing asymmetric regulation on ‘large’ digital platforms (i.e., gatekeepers), the new EU Regulation aims at improving the ‘fairness’ and ‘contestability’ of digital markets. In line with its goals, Art. 5(2) DMA prohibits gatekeepers from combining and cross using the end user’s data collected from different sources within its own eco-system. However, Art. 5(2) DMA offers some exceptions to this general prohibition: data combination, in fact, is possible if the end-user provides his/her ‘consent’ to such data combination, to benefit from more personalized services/advertisement from the gatekeeper. In particular, the users’ consent should comply with the requirements of Article 7 of the General Data Protection Regulation (GDPR). The paper discusses the relationship between the DMA and the GDPR, focusing on the users’ consent as a lawful basis to the processing activities of data combination and cross-use under Art. 5(2) DMA. The paper argues in favor of a ‘privacy setting’ solution, introduced by the gatekeeper within its platform service: at the first log in, the user would face on her/his screen a cookie wall, asking her/him to opt-in to specific types of data combination activities by the gatekeeper. Cookie walls have generally been considered not compatible with the GDPR requirement in terms of ‘free’ consent. However, in the online world, the emphasis on repeated, individual consent requests for every data processing has generated the so-called ‘consent fatigue’. In the paper, we argue that the DMA anti-circumvention provision addresses the consent fatigue issue: in our view, if the gatekeeper had to ask for the user’s consent every time before engaging in a data combination activity, this would represent a breach of Art. 13(6) DMA. Secondly, the paper argues that the DMA represents a lex specialis in comparison to the GDPR. Therefore, while respecting the general criteria indicated by Art. 7 GDPR, the user’s consent under Art. 5(2) DMA should be ‘adjusted’ to the peculiarities of the Digital Markets Act.