On Thursday 11 September, the European Data Protection Board (EDPB) adopted its guidelines on the relationship between the Digital Services Act (DSA) and the European Data Protection Regulation (GDPR).
While the published guidelines recognise that “efforts to detect, identify, and address (...) illegal content under (...) DSA may involve processing of personal data”, they also “clarify under which conditions Article 6 (...) GDPR may serve as a lawful basis for [these] measures”.
The EDPB specifies that alert and notification mechanisms, as well as “internal complaint-handling systems required by the DSA may also require the processing of personal data. Hosting providers [of these mechanisms] should only collect necessary personal data”.
The guidelines also tackle deceptive interfaces, which are prohibited under the DSA, but some of which are already covered by the GDPR. They detail the “key elements to consider when assessing whether a deceptive design pattern is covered by the GDPR” and, in particular, whether the processing of personal data is “influencing” changes in user behaviour.
On the issue of the data collected by platforms to provide their recommender systems, the EDPB considers that these practices “raise concerns about (...) transparency (...) and potential risks associated with large-scale and/or sensitive personal data processing”.
According to the Board, these recommender systems may represent a “decision” within the meaning of Article 22 of the GDPR. Providers of online platforms “should not nudge users to select the option for a recommender system that is based on profiling”.
If the user refuses the “targeted” options, the EDPB considers that the online platform “should not continue to collect and process personal data”.
Finally, the EDPB considers it important to “clarify” the codes of conduct drawn up under the two Regulations.
See the guidelines: https://aeur.eu/f/ify (Original version in French by Isalia Stieffatre)