Ref. Ares(2022)4936226 - 06/07/2022
CONFIDENTIAL
Revisions to A icle 5(a)
1. We understand that the Commission’s proposed edits to A icle 5(a) seek to combine
A icle 6(1)(aa) and A icle 5(a).
■ We understand the purpose of A icle 5(a) is to address a contestability issue
that arises from gatekeepers combining personal data across services without
user consents. 5(a) addresses this concern by requiring that consumers
consent to that practice and are therefore aware of cross-service combinations
with the personal data that they are providing to a CPS.
■ A icle 6(1)(aa) appears to address a speci c concern regarding the
combination of personal data, including within a given service, to enable ad
targeting.
2. The new edits to the text, however, introduce requirements that appear unrelated to
these two objectives, create considerable ambiguity for us as to the scope of the
obligation, and are liable to present signi cant di culties for implementation. In
pa icular, we are concerned that this new language wil lead to counter-productive
outcomes by creating duplicative and confusing consent layers and may unintentional y
preclude legitimate and bene cial conduct. At this stage, we believe that clarity and
legal ce ainty are impo ant, pa icularly in the context of A 5.
3. We see in pa icular the fol owing two problems with the new language:
4.
Restriction on processing of personal data even if there is no combination. T he
compromise text introduces language at the beginning of A . 5(a) stipulating that
gatekeepers must not “
process personal data sourced from third-pa y services ”.
5. This addition is problematic because it does not address data combinations and is
therefore inconsistent with the objectives of both A icle 5(a) and 6(1)aa. Instead, the
new language extends A icle 5(a) by introducing restrictions for data uses beyond
combinations that are neither wel de ned nor explained by reference to a
contestability concern. The new language therefore overshoots.
6. Extending A . 5a beyond data combination to cover other uses of data is liable to
preclude us from o ering third pa ies bene cial services, including where the
gatekeeper acts as a mere host and processor of the third pa y’s data.
7. For example, the new language could be read to cover a scenario where a European
Cloud customer relies on a gatekeeper to host data, such as spreadsheets that list its
suppliers’ names, even though the cloud provider is acting purely as a processor on
1 /4
CONFIDENTIAL
behalf of that customer and does not combine the data with data from other services.
This may render such services impracticable because it would not be realistic for either
the gatekeeper or the third-pa y to secure consent from al the individuals involved.
The added language would therefore in e ect preclude legitimate and bene cial
hosting and processing services.
8. Similarly the addition of a reference to “
cross-use ” alongside “
combination ” goes
beyond the stated objective of A icle 5(a) and risks obstructing bene cial services.
Any entity can have another entity process their data as a data processor without
securing user consent. Yet the reference to “cross-use” could, if read broadly, preclude
this possibility for gatekeepers without good reason. Since this option is open to al
third pa ies, it is not clear what concern is resolved by precluding gatekeepers from
engaging in this type of standard processing. This edit therefore does not improve
contestability since it does not relate to any possible advantage a gatekeeper could
obtain via a CPS.
9.
Duplication of consent processes. The compromise text introduces new language
stipulating that a user must be given “
speci c choice ” for “
each processing purpose ”.
This language appears to have been introduced out of a concern to ensure that A .
5(a) should not override consent requirements under the GDPR. But the new language
risks doing the opposite.
■ The DMA already makes clear that the DMA obligations must be implemented
consistently with GDPR in A icle 7(1) and A icle 5(a) speci cal y refers to the
GDPR as the benchmark for choice and consent. We ful y intend to abide by our
GDPR obligations in paral el to any new obligations required under the DMA.
■ The new reference to processing purposes now comes on top of these clear
rules on the primacy of the GDPR and therefore creates a material risk of
inconsistency, duplication, and confusion.
■ The original version of 5(a) required consent for the combination of data across
services. It was therefore complementary to the GDPR, which focuses on
consent for processing purposes.
■ By introducing a reference to processing purposes in A icle 5(a), the DMA
suggests that we must o er additional consent options for processing purposes
on top of those that we already o er under GDPR and on top of the consent
options for data combinations that they wil have to o er under A icle 5(a). This
2 /4
CONFIDENTIAL
would go against the goal of ensuring alignment with the GDPR and is liable to
confront users with duplicative and confusing controls. 1
10. In practice, this would mean that European consumers would now be seeing numerous,
repeated consent moments when they try to use their pro le across di erent services.
These consents would be duplicative since, in the new text, they wil relate to
processing purposes – a concept already covered by the GDPR. It would be
burdensome and confusing to users to need to make overlapping and potential y
inconsistent privacy choices under both the DMA and the GDPR.
11. We therefore believe the new edits wil make life much more di cult for end users,
business users, and gatekeepers, without meaningful y improving users’ control over
their data or increasing contestability. The changes also make it unclear precisely what
so of consent is required for what purpose. This blurs the purpose of A icle 5(a) and
dilutes its core goal of creating a consent gate on the cross-service combination of
data.
Proposed Wording
12. Given the concerns set out above, we believe it would be preferable to maintain a
clear-cut provision that is focused on cross-service data combination and the
contestability issues the DMA sets out to resolve.
13. In our view, the original Commission text did this e ectively, although we welcome the
clari cation that gatekeepers can rely on points (c), (d), and (e) of A icle 6(1) GDPR as
we understand this wil enable us to use personal data to prevent spam and fraud.
14. Any conceivable residual concern regarding the relationship between the GDPR and
A icle 5(a) can be addressed with language that makes clear that the consent
requirement for data combinations under A icle 5(a) is without prejudice to additional
requirements under GDPR. Our proposed language below is meant to make clear that
the consent requirement under A icle 5(a) relates to cross-service data combinations
and is without prejudice to additional requirements under the GDPR:
“. .not combine personal data sourced from the relevant core pla orm
service with personal data sourced from any fu her core pla orm
services, other services o ered by the gatekeeper, or third-pa y
services; and not sign in end users to other services of the gatekeeper in
order to combine personal data, unless the end user has been presented
with the speci c choice to consent to such data combinations and has
1
We discussed the downsides of excessive consent moments in the white paper we provided to
the Commission on November 10, 2021.
3 /4
CONFIDENTIAL
consented in the sense of A icle 6(1) point (a) and A icle 7 of Regulation
(EU) 2016/679. This is without prejudice to the requirements of the
GDPR or the possibility of the gatekeeper to rely on A icle 6(1) points (c),
(d) and (e) of Regulation (EU) 2016/679, where applicable;”
15. As to A icle 6(1)(aa), the po ion of this provision that pe ains to contestability – by
covering
cross-service combination – overlaps with A icle 5(a), which requires consent
for such combinations. A icle 5(a) therefore already integrates the contestability
aspects of A icle 6(1)(aa). While A icle 6(1)(aa) would also require gatekeepers to
secure consent for combinations of personal data for adve ising purposes even where
the data points that are being combined were sourced from a single CPS, this does not
pe ain to contestability since al rival services can col ect and combine data in this way.
In addition, this requirement is already subject to regulation by the GDPR. It is therefore
not appropriate to integrate that overlap into A icle 5(a).
16. Nonetheless, we suggest text below that integrates the requirement of A . 6(1)(aa):
“. .not combine personal data sourced from the relevant core pla orm
service with personal data sourced from any fu her core pla orm
services, other services o ered by the gatekeeper, or third-pa y
services; not sign in end users to other services of the gatekeeper in
order to combine personal data; and not combine personal data for the
purpose of placing behavioural adve ising on its own services,
unless the end user has been presented with the choice to consent to
such data combinations and has consented in the sense of A icle 6(1)
point (a) and A icle 7 of Regulation (EU) 2016/679. This is without
prejudice to the requirements of the GDPR or the possibility of the
gatekeeper to rely on A icle 6(1) points (c), (d) and (e) of Regulation (EU)
2016/679, where applicable;”
17. We believe that, with the language above, we can address the concerns the DMA raises
and nd practical and innovative ways of providing consumers with new information so
that they are aware of how we combine CPS sourced personal data with non-CPS
services. We hope this note is helpful and that we can discuss those ideas with the
Commission sho ly.
4 /4