Data Protection and Privacy
Data Protection, privacy and technology developments continued to dominate the headlines last year. In this briefing, we consider some of the most noteworthy developments of which organisations should be aware, and look at what is coming down the tracks in 2023.
The importance of fair, transparent and lawful processing has been in the spotlight as the Irish Data Protection Commission ("DPC") recently imposed three significant fines on a leading technology company for unlawful reliance on contractual necessity as a lawful basis for certain processing activities. International transfers continues to be a hot topic, as the EU Parliament, EDPB and a Committee of EU Member States review the draft EU-US Data Privacy Framework ("DPF").
In addition, the extent and scope of the right to compensation for non-material damage under Article 82 GDPR has been subject to scrutiny as a number of national court decisions concerning this matter are filtering up to the Court of Justice of the European Union ("CJEU"). All of these matters are considered in more detail in this commentary.
We also consider the CJEU decision in the case of X-Fab (Case C-453/21) which provides guidance on how to determine whether a conflict of interest could arise for an organisation's Data Protection Officer. In addition, the European Data Protection Board ("EDPB") has finalised a number of Guidelines to assist organisations to comply with their GDPR obligations including, amongst others, Guidelines on what constitutes an international transfer of data under Chapter V GDPR, and Guidelines on deceptive design patterns in social media platform interfaces.
Legislation surrounding data protection, privacy and technology continues to develop at a rapid pace. These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 will undoubtedly be an exciting and busy year for all.
European Commission publishes Guidance on DSA requirement to publish user numbers
The Digital Services Act ("DSA") was published in the official journal on 27 October 2022, with the majority of its provisions taking effect from mid-February 2024. However, the DSA may kick in sooner for very large online platforms ("VLOPs") and very large online search engines ("VLOEs"), as it will apply to them four months after their designation by the European Commission (previously discussed here). VLOPs and VLOSEs are subject to enhanced obligations under the DSA, including in regard to the dissemination of illegal content, the exercise of fundamental rights, the integrity of electoral processes and the protection of minors.
The European Commission will designate VLOPs and VLOEs who reach the threshold of 45 million average monthly active recipients in the EU. Service providers have until 17 February 2023 to publish their user numbers, in a publicly available section of their online interface. This publication obligation is set out in particular, in Article 24(2) and recital 77 DSA, as well as Article 3(m), (p) and (q) DSA and Article 33 DSA. The figures reported are to be calculated as a six month average. There is a further obligation for this information to be updated at least every six months.
The European Commission has published a Q&A which aims to assist online platforms and online search engines with their publication obligation regarding active monthly user numbers. The Q&A is subject to review based on practical experience acquired in the months to come.
In this article, we discuss the key highlights from the Q&A.
Key Highlights from the Q&A
Although the DSA includes a definition of an "active recipient of an online platform" and "active recipient of an online search engine" in Article 3 (p) and (q) DSA, service providers have sought further clarity as to the precise scope of these definitions and the publication obligation. The Q&A helpfully provides some further guidance in this regard, whilst noting that only the Court of Justice of the European Union is competent to authoritatively interpret EU law.
The European Commission has confirmed that in order to be considered an "active recipient" in relation to:
1. Online search engine services:
- The user must have actually engaged with the service at least once in the previous six month period per Recital 77 DSA.
- Such engagement could be established once the recipient is exposed to content disseminated on the online interface of the platform or provides content for display on the platform.
- Article 3(b) DSA defines "a recipient of the service" as any natural or legal person who uses an intermediary service, in particular for the purpose of seeking information or making it accessible. This means that consumers, business users and traders all count for the purposes of calculating the number of average active recipients of the service.
- An active recipient does not necessarily have to be a registered user of a service or a user that has carried out a transaction on the online platform. For example, a user viewing listings displayed on an online platform allowing consumers to conclude distance contracts with traders has to be counted as an active recipient of the service, even where that user does not ultimately purchase a product or service on that online platform.
- Third party advertisers that request online platforms to advertise their products and services should also be counted as active recipients of their services.
- Inauthentic users, such as bots and scrapers, may be discounted if online service providers have the technical means to identify same.
2. Online search engine services:
- In light of the definition of "active recipient of an online search engine" provided by Art 3(q) DSA, the user must have submitted a query and been exposed to the content indexed and presented on the provider's online interface in order to count as an active recipient of the service.
Publication/Reporting obligation
There is no legal requirement for service providers to notify average monthly active recipients to the European Commission, or to the competent Digital Service Coordinator, unless they are specifically requested to do so pursuant to Article 24(3) DSA. However, they are encouraged to inform the European Commission of their average monthly active recipient numbers, along with the calculation method used (via the dedicated functional mailbox) and the competent Digital Services Coordinator. This will expedite the process of the European Commission designating relevant online platforms and search engines as VLOPs and VLOEs, and increase legal certainty.
The Q&A notes that online platforms and online search engines should also ensure the information on their average monthly active recipients is easily available and accessible on their online interfaces, to “facilitate the automated identification of published information and any updates to that information”.
Comment
Whilst the Q&A does not substantively expand on the text of the DSA, it provides helpful guidance to online platforms and online search engines when calculating the average monthly recipients of their services. Online platforms and online search engines will need to ensure that their policies and processes enable them to calculate the number of average monthly active recipients on an ongoing basis, as they have an obligation to update this information every six months.
Contact Us
If you would like to discuss this, or any other related data protection and data privacy matters concerning your business, please do not hesitate to contact any member of our Technology and Innovation Group.
Authors: Davinia Brennan, with thanks to trainee, Ciara Hayes, for her contribution.