Introduction: Context
The now in force Digital Services Act (‘DSA’), enacted as ‘Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC’, revamps the regime established by the e-Commerce Directive over two decades ago (i.e. Directive 2000/31/EC).
Apart from increasing online intermediary liability and obligations in the context of content moderation, the DSA also adds specific protection for consumers in the area of privacy and data protection, where processing of personal data is concerned in the context of personalised advertising activity.
Prohibition on Profiling using Sensitive Data
Under the DSA, online platforms are prohibited from presenting users with targeted advertising where the profiling carried out is based on processing of sensitive data - or ‘special categories of data’ - which pertains to the user, in terms of the GDPR.
Targeted advertising to users therefore, which would be based on profiling, and able to infer information such as a user’s ethnicity, religious beliefs, health data or sexual orientation, is rendered unlawful in the context of certain online platforms, such as for instance META (Facebook) or Instagram.
Prohibition on Profiling of minors
The DSA also prohibits targeted advertising on online platforms directed to minors which is based on the profiling of their personal data.
In this respect - and reflecting the underlying principles of EU data protection law - the DSA states that compliance with this obligation shall not put an obligation on online platforms to process additional personal data to assess whether or not the user is a minor. This ensures that the provision on protection of minors is not counterintuitive in the sphere of privacy and data protection.
The DSA clarifies therefore that the onus of determining whether the end user is a child, for the purposes of targeted advertising regulation under the DSA, is to the degree that platforms are aware with ‘reasonable certainty’, that the recipient of the service is a minor.
The DSA therefore balances the furtherance of its objectives with the privacy of a minor and their personal data.
How can platforms comply with the DSA, to know when the user is a child?
Consequently, the law is vague as to how platforms are expected to know, or be in a position to determine, that a user is a minor. Especially since the DSA does not entertain the prospect that additional processing of a potential minor’s data may be conjugated to provide another legal basis for processing in addition to those enshrined under the EU data protection law (notable the GDPR).
Therefore for instance, where the online platform ordinarily requests information such as a user’s date of birth, which may be in accordance with its own age-related policies - for which the user may have originally agreed - such informs the platform from the beginning where a minor is concerned, without the need accordingly, to enter into the further processing ambit which is clearly proscribed under the DSA.
Accordingly, the DSA’s provision which states that minor age verification shall not imply an obligation for further processing, is not an unequivocal processing prohibition. It in fact assists online platforms to conform with the principle of data minimisation, and hence consequently demonstrate compliance with the GDPR.
Recommender systems in the spotlight
Nowadays, online platforms such as META (Facebook) and Instagram have the functionality to show certain third-party ads with more priority over others where these are more likely to appease users. These advertising practices which algorithmically curate the most relevant ads on a ranked basis, are also referred to as a recommender system. Whilst techniques and practices have advanced, these remain captured under EU privacy law’s regulation of third-party cookies, consent manipulation, monitoring of users’ behaviour and profiling which produces legal effects concerning an individual or which similarly significantly affects them.
In industry practice, recommender systems have been coupled with profiling of users’ data to ensure the most personalised and prioritised ads.
Whilst more familiar ads may lead to a more pleasant browsing experience, an opaque recommender system based on profiling may have negative effects ultimately, as acknowledged in the DSA, and originally sanctioned under the GDPR regime.
Prioritised and targeted advertising no longer guaranteed
Under the DSA in fact, very large online platforms and search engines (‘VLOPs’, and ‘VLOEs’, respectively) bear the obligation to render the parameters used in the profiling pursuant to targeted advertising to be clear to users, with the ability to modify or influence those main parameters.
EU law now also mandates that online platforms must provide users at least one option of a recommender system which is not based on profiling.
In a nutshell, the DSA not only resonates the GDPR principles, but also amplifies the sentiment under the GDPR. Each of the two above requirements in effect reduces the prospect that personalised advertising may be targeted on users.
Takeaway for businesses
The DSA effectively levels the playing field whereby prevalent and big data based advertisers are rendered akin to less comprehensive advertising proponents, since users may, effectively, disable ranked based and targeted ads shown to them on online platforms.
This will render the displayed ads to be based on more conventional marketing practices, rather than on profiling of users, which may have a significant impact on users’ experience on the platform and the way they interact with marketing information on such.
Article provided by INPLP members: Dr. Gege Gatt and Dr. Franklin Cachia (MALTA IT LAW ASSOCIATION, Malta)
co-author: Dr. Mark E. Zammit
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)