EU Council / Parliament reach agreement on Digital Services Act

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

EUROPE

EU Council / Parliament Reach Agreement on Digital Services Act

16 months after the European Commission’s original proposal, EU Member States and Parliament have reached a provisional political agreement on the Digital Services Act (DSA), the second pillar of a digital services framework designed to balance user protection and innovation in the digital economy.

Provisional agreement on the first pillar, the Digital Markets Act, was reached March 24, 2022.

The provisional agreement is subject to formal approval and adoption by the Council and Parliament. 

WHY IT MATTERS

The obligations under the DSA apply differently to different types and sizes of companie, with the most stringent obligations imposed online platforms and search engines with over 45 million monthly active users in the EU, including an obligation to carry out an annual risk reduction analysis and offer users a content recommendation system without profiling.

Smaller online platforms providing services in the EU will still be subject to other provisions, however, including prohibitions on use of minors’ personal data for targeted advertising and use of dark patterns.   

CJEU Opens the Door for Objective Actions by Consumer Protection Associations

The EU Court of Justice (CJEU) ruled that the GDPR does not preclude national legislation allowing for objective legal proceedings by consumer protection associations, even in the absence of a mandate from, or infringement of specific rights of, a data subject.

The ruling was in response to a question from the German Federal Court of Justice as to whether the Federation of German Consumer Organisations had standing to bring an action for an injunction against Facebook in German civil court based on violations of German data protection law, without a mandate from or infringement of the rights of a specific data subject.

The EU Court of Justice (CJEU) answered “yes”, since German legislation confers on associations a right to bring proceedings on an objective basis, and GDPR gives Member States the discretion to do so.

Although Article 80(2) of the GDPR only allows Member States to provide for this right “if it considers that the rights of a data subject under [GDPR] have been infringed as a result of the processing”, the CJEU interpreted the language not to require individual identification of the person specifically concerned by the infringing data processing, but rather that it is sufficient to designate a category or group of persons affected by the treatment.

WHY IT MATTERS

In essence, this ruling allows not-for-profit bodies, organizations and associations to bring actions, where Member State allows, based on a general infringement of the GDPR or local data protection law, without naming specific harmed plaintiffs.

This ruling may spur an increase in actions brought at the national level by consumer advocacy groups under the GDPR. 

EDPB to Enhance Cooperation Among DPAs

The European Data Protection Board (EDPB) announced that, going forward, it will implement certain new measures to foster cooperation among DPAs in their application of the GDPR.

Specifically, it will yearly identify a number of cross-border cases of strategic importance to which it will apply an action plan with a fixed timeline for cooperation among impacted DPAs and identify annual enforcement priorities for reflection in national enforcement programmes and a list of administrative procedural aspects that could be further harmonised. 

WHY IT MATTERS

The GDPR contains various cooperation and consistency mechanisms to harmonize the level of protection offered by the GDPR across Member States.

For example, supervisory authorities must cooperate with other interested supervisory authorities before issuing a decision that impacts data subjects across multiple Member States.

The EDPB is tasked with ensuring the consistent application of the Regulation, which has previously resulted, for example, in the creation of a task force to allow supervisory authorities to exchange views and coordinate responses to cookie banner complaints.

USA

Connecticut passes privacy legislation

Connecticut SB 6, An Act Concerning Personal Data Privacy and Online Monitoring, was passed by both the state’s Senate and House.

The Act will be enacted unless the governor vetoes it before the legislative session adjourns on May 4.

Most of the law would go into effect July 1, 2023, the same day as the Colorado Privacy Act.

WHY IT MATTERS

Although most of the law borrows elements from Colorado, Virginia or California privacy laws, it introduces some new aspects, including a requirement that revoking consent for the processing of sensitive data be at least as easy as providing it, a concept borrowed from Europe’s GDPR. 

INDUSTRY

Google Play Launches Data Safety Section

Google Play for Android devices now includes a Data Safety section in app listings, displaying to users information about whether the app collects data, for what purposes, whether data is shared with third parties, whether such data collection is necessary for the app to function, and information about the app’s security practices.

App developers will be required to complete the information by July 20, 2022.

WHY IT MATTERS

Although all apps (including the data safety section) will go through a review process, Google notes on a developer help page that the review process “is not designed to verify the accuracy and completeness of your data safety declarations”.

Therefore, it is up to each app developer to ensure declarations  accurately disclose data collection practices on the app, including any data collected through third-party code embedded in the app.   

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.