User Consent at the Interface of the DMA and the GDPR. A Privacy-setting Solution to Ensure Compliance with ART. 5(2) DMA

28 Pages Posted: 1 Dec 2023 Last revised: 5 Dec 2023

See all articles by Marco Botta

Marco Botta

European University Institute - Robert Schuman Centre for Advanced Studies (RSCAS)

Danielle Borges

European University Institute - Robert Schuman Centre for Advanced Studies (RSCAS)

Date Written: December 1, 2023

Abstract

The Digital Markets Act (DMA) is fully applicable since 2nd May 2023; the EU Commission has recently designated six firms having the status of ‘digital gatekeepers’ and thus subject to the DMA obligations. By imposing asymmetric regulation on ‘large’ digital platforms (i.e., gatekeepers), the new EU Regulation aims at improving the ‘fairness’ and ‘contestability’ of digital markets. In line with its goals, Art. 5(2) DMA prohibits gatekeepers from combining and cross using the end user’s data collected from different sources within its own eco-system. However, Art. 5(2) DMA offers some exceptions to this general prohibition: data combination, in fact, is possible if the end-user provides his/her ‘consent’ to such data combination, to benefit from more personalized services/advertisement from the gatekeeper. In particular, the users’ consent should comply with the requirements of Article 7 of the General Data Protection Regulation (GDPR).

The paper discusses the relationship between the DMA and the GDPR, focusing on the users’ consent as a lawful basis to the processing activities of data combination and cross-use under Art. 5(2) DMA. The paper argues in favor of a ‘privacy setting’ solution, introduced by the gatekeeper within its platform service: at the first log in, the user would face on her/his screen a cookie wall, asking her/him to opt-in to specific types of data combination activities by the gatekeeper. Cookie walls have generally been considered not compatible with the GDPR requirement in terms of ‘free’ consent. However, in the online world, the emphasis on repeated, individual consent requests for every data processing has generated the so-called ‘consent fatigue’. In the paper, we argue that the DMA anti-circumvention provision addresses the consent fatigue issue: in our view, if the gatekeeper had to ask for the user’s consent every time before engaging in a data combination activity, this would represent a breach of Art. 13(6) DMA. Secondly, the paper argues that the DMA represents a lex specialis in comparison to the GDPR. Therefore, while respecting the general criteria indicated by Art. 7 GDPR, the user’s consent under Art. 5(2) DMA should be ‘adjusted’ to the peculiarities of the Digital Markets Act.

Keywords: Digital Markets Act; General Data Protection Regulation; data combination; data cross-use; personal data; consent

Suggested Citation

Botta, Marco and Borges, Danielle, User Consent at the Interface of the DMA and the GDPR. A Privacy-setting Solution to Ensure Compliance with ART. 5(2) DMA (December 1, 2023). Robert Schuman Centre for Advanced Studies Research Paper No. 2023_68, Available at SSRN: https://ssrn.com/abstract=4650373 or http://dx.doi.org/10.2139/ssrn.4650373

Marco Botta (Contact Author)

European University Institute - Robert Schuman Centre for Advanced Studies (RSCAS) ( email )

Villa Schifanoia
Via Boccaccio 121
Firenze, Florence 50133
Italy

Danielle Borges

European University Institute - Robert Schuman Centre for Advanced Studies (RSCAS) ( email )

Villa La Fonte, via delle Fontanelle 18
50016 San Domenico di Fiesole
Florence, Florence 50014
Italy

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
457
Abstract Views
1,343
Rank
127,452
PlumX Metrics