Consultation on Joint Guidelines on the Interplay Between DMA and GDPR
Portability and Security
It is important that the guidelines, particularly regarding data portability, respect the interlinkages of the DMA and GDPR and, in providing for obligations on designated companies, do not undermine the intention of either piece of legislation. GDPR provides for comprehensive data protection and security standards and should remain a core principle of policy development.
The guidelines proposal to establish ‘continuous and real time access’ would benefit from further clarity and engagement with stakeholders. The potential of these measures to encompass significant datasets creates difficulties in implementation at a technical level, while also raising potential security concerns as it expands the access and scope of data collection.
This issue is compounded by the inclusion of ‘indefinite access’ which, as with continuous access, is a potential cause of major risk and requires adequate data security. This would require designated businesses to provide significant resources to overcome these challenges, reducing time that could be spent on driving other efficiencies within the organisation.
Furthermore, the possible inclusion of other individuals’ data as part of a user data request also presents significant challenges with regard to privacy, as well as operational challenges regarding the segregation of data and the obtaining of consent. Moreover, requirements that gatekeepers maintain dashboards to track all recipients of third-party data would introduce a significant challenge on an operational level, while also increasing the amount of data being processed for administrative purposes only, creating a further tension with data minimisation goals.
By introducing changes to continuous real time access and indefinite access, designated companies can ensure that they are providing the best security standards while also collecting only the data that is necessary, a key aim of data minimisation goals under GDPR and the Data Act. These changes would be strengthened by periodic consent processes relating to data access, the introduction of customisable reminders regarding consent timelines and expiries as defined by the end user, or options to include consent until withdrawn by the user.
Further, with regard to the presentation of portability risk notifications, the guidelines outline that this should be achieved in a neutral, objective manner that does not involve nudging of the user’s behaviour or choice. The guidelines lack a clear outline of what is defined as nudging in this context. Clarity on this issue must be brought forward as to the role companies can play in line with the requirement to remain neutral while also flagging legitimate concerns of privacy and data security. Risk disclosure is an important step in meeting the obligations set out in GDPR transparency requirements.
Read AmCham's full Submission here