Digital Markets Act agreement reached between EU Council and Parliament

An agreement has been reached between the EU Council and European Parliament on the Digital Markets Act.

The Digital Markets Act was provisionally agreed upon by the European Parliament and the European Council after several hours of negotiation involving three-way talks between the Council, Commission and Parliament. Last week, the European Parliament released a statement that the lawmakers had come to an agreement. The agreed-upon text focuses on “gatekeepers”, very large companies that provide core platform services, like social media platforms and search engines. This Act could result in these gatekeepers being fined up to 10% of their total worldwide turnover, or 20% of that turnover in cases of repeat offences.

This Act will impose prohibitions on companies acting as “gatekeepers.” 

Gatekeepers are considered to be companies, such as social media platforms and search engines, which have a market capitalisation of at least €75 billion or an annual turnover of 7.5 billion, and which provide their services to at least 45 million monthly users within the EU and 10,000 business users. Gatekeepers providing messaging and social media services will be forced to interoperate with smaller messaging platforms. Users of platforms big or small would be able to send messages, send files or make video calls across different apps, giving end users more choice.

This agreement represents a major step in the application of this regulatory framework, which helps avoid any form of overregulation of small businesses. 

Once this legal text has been finalised, consumers should be able to use the core services of Big Tech companies without losing control of their data. The Digital Markets Act will be finalised 20 days after it has been published in the EU Official Journal, with the rules themselves coming into force 6 months later. Overall, the news will be a huge step in ensuring that the business practices of these “gatekeepers” also allow for fair competition. To commemorate the historic news, a press conference was held on March 25th by a representative from the European Parliament, the French Secretary of State for Digital Transition on behalf of the Council, Margrethe Vestager, the Commission Executive Vice-President, and the Commissioner for the Internal Market, Thierry Breton.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EDPS reprimands European Parliament for use of Google Analytics

Illegal EU-US data transfers by the European Parliament lead to sanction from EDPS

Following a complaint made approximately one year prior, the European Parliament has been sanctioned by the EDPS over illegal EU-US data transfers, among other violations. The European Parliament's use of Google Analytics and Stripe (both US companies) on a COVID-19 testing site was a violation of the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. The complaint, filed in January 2021 by noyb, raised several issues, including deceptive cookie banners, vague and unclear data protection notices and, of course, the illegal transfer of data to the US. The European Parliament did not incur a fine, but was reprimanded and ordered to come into compliance and address its data protection notice and other transparency issues within a month.

Personal data transferred from the EU to the US is subject to very strict conditions, and must ensure an adequate level of protection.

Since the Schrems II ruling, data transfers to the US have come under much scrutiny. This is because transfers of personal data from the EU to the US in most cases do not ensure adequate protection for the data. The COVID-19 testing website provided by the European Parliament was no different. According to the EDPS, “the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.” The data stored included health data, for example symptoms and results of a COVID-19 test. This is considered special category personal data, and therefore particularly sensitive.

The EDPS found the European Parliament to be in violation of several articles of the GDPR and therefore issued a reprimand.

The placement of cookies by a US provider without having appropriate measures in place is a violation of EU privacy law. This leaves the site open to possible surveillance by US bodies. The complaint from noyb also highlighted the fact that the site’s cookie banners were unclear and deceptive. The banner did not list all the cookies, and there were also differences between the language versions. As a result, users were unable to give valid consent. The European Parliament removed all cookies from the website during the investigation.

There were also several issues of transparency noted in the complaint filed by noyb. It stated that the privacy policy was not clear and transparent and referred to a wrong legal basis. The privacy policy was also changed during the course of the investigation; however, the changes made may have worsened the situation. The EDPS concluded that the European Parliament was violating the obligation of transparency under the GDPR. In addition, it was found that the Parliament did not adequately reply to the access request of the complainants. The EDPS found the European Parliament to be in violation of several articles of the GDPR, and therefore issued a reprimand in accordance with Article 58(2)(b) of the Regulation.
