Document 52021XX0427(01)

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Digital Services Act (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu) 2021/C 149/03

OJ C 149, 27.4.2021, p. 3–7 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

27.4.2021 EN Official Journal of the European Union C 149/3



On 15 December 2020, the Commission adopted a Proposal for a Regulation of the European Parliament and of the Council on Single Market for Digital Services (Digital Services Act) and amending Directive 2000/31/EC (‘DSA’).

The EDPS supports the Commission’s aim to promote a transparent and safe online environment, by defining responsibilities and accountability for intermediary services, in particular online platforms such as social media and marketplaces.

The EDPS welcomes that the Proposal seeks to complement rather than replace existing protections under Regulation (EU) 2016/679 and Directive 2002/58/EC. That being said, the Proposal will clearly have an impact on processing of personal data. The EDPS considers it necessary to ensure complementarity in the supervision and oversight of online platforms and other providers of hosting services.

Certain activities in the context of online platforms present increasing risks not only for the rights of individuals, but for society as a whole. While the Proposal includes a set of risk mitigation measures, additional safeguards are warranted, in particular in relation to content moderation, online advertising and recommender systems.

Content moderation should take place in accordance with the rule of law. Given the already endemic monitoring of individuals’ behaviour, particularly in the context of online platforms, the DSA should delineate when efforts to combat ‘illegal content’ legitimise the use of automated means to detect, identify and address illegal content. Profiling for purposes of content moderation should be prohibited unless the provider can demonstrate that such measures are strictly necessary to address the systemic risks explicitly identified by the DSA.

Given the multitude of risks associated with online targeted advertising, the EDPS urges the co-legislators to consider additional rules going beyond transparency. Such measures should include a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking, as well as restrictions in relation to the categories of data that can be processed for targeting purposes and the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising.

In accordance with the requirements of data protection by design and by default, recommender systems should by default not be based on profiling. Given their significant impact, the EDPS also recommends additional measures to further promote transparency and user control in relation to recommender systems.

More generally, the EDPS recommends introducing minimum interoperability requirements for very large online platforms and promoting the development of technical standards at European level, in accordance with the applicable Union legislation on European standardisation.

Having regard to the experience and developments related to the Digital Clearinghouse, the EDPS strongly recommends providing for an explicit and comprehensive legal basis for the cooperation and exchange of relevant information among supervisory authorities, each acting within their respective areas of competence. The Digital Services Act should ensure institutionalised and structured cooperation between the competent oversight authorities, including data protection authorities, consumer protection authorities and competition authorities.

1.   INTRODUCTION AND BACKGROUND

1. On 15 December 2020, the Commission adopted a Proposal for a Regulation of the European Parliament and of the Council on Single Market for Digital Services (Digital Services Act) and amending Directive 2000/31/EC (1).

2. The Proposal follows the Communication Shaping Europe’s Digital Future, in which the Commission confirmed its intention to develop new and revised rules to deepen the Internal Market for Digital Services, by increasing and harmonising the responsibilities of online platforms and information service providers and reinforcing the oversight over platforms’ content policies in the EU (2).

3. According to the Explanatory Memorandum, new and innovative digital services have contributed deeply to societal and economic transformations in the Union and across the world. At the same time, the use of those services has also become the source of new risks and challenges, both for society as a whole and individuals using such services (3).

4. The aim of the Proposal is to ensure the best conditions for the provision of innovative digital services in the internal market, to contribute to online safety and the protection of fundamental rights, and to set a robust and durable governance structure for the effective supervision of providers of intermediary services (4). To this end, the Proposal:

contains provisions on the exemption of liability of providers of intermediary services (Chapter II);

sets out ‘due diligence obligations’, adapted to the type and nature of the intermediary service concerned (Chapter III); and

contains provisions concerning the implementation and enforcement of the proposed Regulation (Chapter IV).

5. The EDPS was consulted informally on the draft Proposal for a Digital Services Act on 27 November 2020. The EDPS welcomes the fact that he has been consulted at this early stage of the procedure.

6. In addition to the Proposal for a Digital Services Act, the Commission has also adopted a Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act) (5). In accordance with Article 42(1) of Regulation 2018/1725, the EDPS has also been consulted on the Proposal for a Digital Markets Act, which is the subject matter of a separate Opinion.

3.   CONCLUSIONS

93. In light of the above, the EDPS makes the following recommendations:

Concerning the relationship to Regulation (EU) 2016/679 and Directive 2002/58/EC:

to align the wording of Article 1(5)i of the Proposal with the current wording of Article 1(5) b) of Directive 2000/31/EC; and

to clarify that the Proposal does not apply to questions relating to the liability of controllers and processors;

Concerning content moderation and notification of suspicions of criminal offences:

to clarify that not all forms of content moderation require attribution to a specific data subject and that in accordance with the requirements of data minimisation and data protection by design and by default, content moderation should, insofar as possible, not involve any processing of personal data;

to ensure content moderation takes place in accordance with the rule of law, by delineating when efforts to combat ‘illegal content’ legitimise the use of automated means and processing of personal data to detect, identify and address illegal content;

to specify that profiling for purposes of content moderation should be prohibited unless the provider can demonstrate that such measures are strictly necessary to address the systemic risks explicitly identified by the Proposal;

to clarify whether, and if so, to what extent, providers of intermediary services are authorised to voluntarily notify suspicions of criminal offences to law enforcement or judicial authorities, outside the case envisaged by Article 21 of the Proposal;

to specify that any provider of hosting services using automated means of content moderation should ensure that such means do not produce discriminatory or unjustified results;

to extend the requirement of Article 12(2) of the Proposal to all forms of content moderation, regardless of whether such moderation takes place pursuant to the terms and conditions of the provider or any other basis; and to specify that the measures must be ‘necessary’ in addition to being ‘proportionate’ to the aims pursued;

to strengthen the transparency requirements set out in Articles 14(6) and 15(2)(c) of the Proposal, by further detailing the information to be provided to the individuals concerned, in particular in case of use of automated means for that content moderation, without prejudice to the duty to inform and the rights of data subjects under Regulation (EU) 2016/679;

to modify Article 15(2) of the Proposal to state unambiguously that information should in any event be provided on the automated means used for detection and identification of illegal content, regardless of whether the subsequent decision involved use of automated means or not;

to require all providers of hosting services, not just online platforms, to provide an easily accessible complaint mechanism as envisaged by Article 17 of the Proposal;

to insert a deadline in Article 17 of the Proposal for the platform decision on the complaint, as well as the indication that the complaint mechanism to be established is without prejudice to the rights and remedies available to data subjects in accordance with Regulation (EU) 2016/679 and Directive 2002/58/EC;

to further specify, by listing in an Annex, any other criminal offences (other than child sexual abuse) that meet the threshold of Article 21 of the Proposal and may give rise to a notification obligation;

to consider introducing additional measures to ensure transparency and exercise of data subject rights, subject, where strictly necessary, to narrowly defined restrictions (e.g., where necessary to protect the confidentiality of an ongoing investigation) in compliance with the requirements set out in Article 23(1) and (2) of Regulation (EU) 2016/679; and

to clearly define the term ‘relevant information’, referred to in Article 21 of the Proposal, by providing an exhaustive list of data categories that should be communicated, as well as any categories of data that should be preserved with a view of supporting further investigations by the relevant law enforcement authorities, if necessary.

Concerning online advertising:

to consider additional rules going beyond transparency, including a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking;

to consider restrictions in relation to (a) the categories of data that can be processed for targeting purposes; (b) categories of data or criteria on the basis of which ads may be targeted or served; and (c) the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising; and

to further clarify the reference to natural or legal person on whose behalf the advertisement is displayed in Articles 24 and 30 of the Proposal;

to add to the requirements of Article 24 a new item that requires the platform provider to inform data subjects whether the advertisement was selected using an automated system (e.g., ad exchange or platform) and, in that case, the identity of the natural or legal person(s) responsible for the system(s);

to specify in Article 30(2)(d) that the register should also include information whether one or more particular groups of recipients of the service were excluded from the advertisement target group;

to replace the reference to ‘the main parameters’ by ‘parameters’ and to provide further clarification as to what parameters would need to be disclosed at a minimum to constitute ‘meaningful information’ within the meaning of Articles 24 and 30 of the Proposal; and

to consider similar requirements that apply to ensure traceability of traders (Article 22 of the Proposal) in relation to the users of online advertisement services (Articles 24 and 30 of the Proposal).

Concerning recommender systems:

to clarify that, in accordance with the requirements of data protection by design and by default, recommender systems should by default not be based on ‘profiling’ within the meaning of Article 4(4) of Regulation (EU) 2016/679;

to provide that information concerning the role and functioning of recommender systems be presented separately, in a manner that is easily accessible, clear for the layman and concise;

to provide that, in accordance with the requirements of data protection by design and by default, recommender systems should by default not be based on ‘profiling’ within the meaning of Article 4(4) of Regulation (EU) 2016/679; and

to include the following additional requirements in Article 29 of the Proposal:

to indicate in a prominent part of the platform the fact that the platform uses a recommender system and a control with the available options in a user-friendly manner;

to inform the platform user whether the recommender system is an automated decision-making system and, in that case, the identity of the natural or legal person liable for the decision;

to enable data subjects to view, in a user-friendly manner, any profile or profiles used to curate the platform content for the recipient of the service;

to allow the recipients of the service to customise the recommender systems based at least on basic natural criteria (e.g., time, topics of interest, ...); and

to provide users with an easily accessible option to delete any profile or profiles used to curate the content they see.

Concerning access by vetted researchers:

to provide that, in accordance with the requirements of data protection by design and by default, recommender systems should by default not be based on ‘profiling’ within the meaning of Article 4(4) of Regulation (EU) 2016/679;

to rephrase Article 26(1)(c) of the Proposal paragraph to make reference to actual or foreseeable systemic negative effect on the protection of public health, minors, civic discourse, or actual or foreseeable effects related to electoral processes and public security, in particular in relation to the risk of the intentional manipulation of their service, including by means of inauthentic use or automated exploitation of the service;

to expand Article 31 to at least enable verification of the effectiveness and proportionality of the mitigation measures; and

to consider ways to facilitate public interest research more generally, including outside the context of monitoring compliance with the Proposal;

Concerning platform interoperability:

to consider introducing minimum interoperability requirements for very large online platforms and to promote the development of technical standards at European level, in accordance with the applicable Union legislation on European standardisation.

Concerning implementation, cooperation, sanctions and enforcement:

to ensure complementarity in the supervision and oversight of online platforms and other providers of hosting services, in particular by

providing for an explicit legal basis for cooperation among the relevant authorities, each acting within their respective areas of competence;

requiring an institutionalised and structured cooperation between the competent oversight authorities, including data protection authorities; and

making explicit reference to the competent authorities that are involved in the cooperation and identifying the circumstances in which cooperation should take place.

to make reference to competent authorities in the area of competition law, as well as the European Data Protection Board in the recitals of the Proposal;

to ensure that the Digital Services Coordinators, competent authorities and the Commission should also have the power and duty to consult with relevant competent authorities, including data protection authorities, in the context of their investigations and assessments of compliance with the Proposal;

to clarify that competent supervisory authorities under the Proposal should be able to provide, upon request of competent supervisory authorities under the Regulation (EU) 2016/679 or on their own initiative, any information obtained in the context of any audits and investigations that relate to the processing of personal data and to include an explicit legal basis to that effect;

to ensure greater consistency among the criteria included in Article 41(5), Article 42(2) and Article 59 of the Proposal; and

to allow the European Digital Services Board to issue own-initiative opinions and to enable the Board to issue opinions on matters other than the measures taken by the Commission.

Brussels, 10 February 2021.

Wojciech Rafał WIEWIÓROWSKI


(1)  COM(2020) 825 final.

(2)  COM(2020) 67 final, p. 12.

(3)  COM(2020) 825 final, p. 1.

(4)  COM(2020) 825 final, p. 2.

(5)  COM(2020) 842 final.

