Personal Information in the context of the Digital Markets Act

“GDPR – General Data Protection Regulation” image by Descrier licensed under CC BY

The General Data Protection Regulation (GDPR) led to significant breakthroughs in the protection of personal data. This Regulation establishes that natural persons, as data subjects, must provide their free, specific, informed, and unambiguous consent to the storage and processing of their personal data for a specific purpose by a data processor, and sets out their rights to request and, in its case, obtain access, rectify, erase their data to the data controller, require portability of their data, and be notified of data breaches, among others. Even though there is still a lot of work to to ensure the compliance with the GDPR and to increase the awareness of consumers [3], most data controllers on the Internet have significantly improved in their duty of informing users about the processing of their personal data, and obtaining their consent to do so. However, they sometimes resort to deceptive practices, which the recent Digital Services Act has recently tackled and, in some cases, banned, at the time of obtaining such consent [6]. Leveraging data protection legislation, Personal Information Management Systems (PIMS) have entered the market aiming to empower individuals to take control of their data. For that purpose, PIMS allow users to import their personal data from major data controllers on the Internet, to exercise their rights as stated in the GDPR, and to generally improve their control over their online data. Moreover, some of them offer users the possibility of monetizing data, upon their consent as data subjects, by joining and filling out market surveys, by allowing donations of data for public good or research, or even by selling their personal information to third parties through their own marketplaces.

According to the European Data Protection Supervisor such actors, which remarkably aim to contribute to the effective implementation of the principles stated in the GDPR, and more generally to the transparency in data usage, “deserve consideration, support and further research” [5]. In a recent survey paper, we listed 20 different PIMS in the market, and found five other similar initiatives currently out of service [1]. Businesswise, PIMS are start-ups that face important challenges, such as increasing people’s privacy awareness, building trust in their brand and services, and persuading more and more users to join so that their customer base becomes more attractive, and their business model proves feasible. Recently, the Digital Markets Act (DMA) is proposing to impose a number of obligations on firms providing core platform services with significant impact on European markets, the so-called gatekeepers as specified in Articles 5 and 6. Such obligations include:

5(a) informing end users and obtaining their consent for combining their personal data in the platform with that of third parties or from other services of the gatekeeper,

6(h) providing the end user with effective tools to manage data portability, and

6(i) providing business users with free access to data generated by end users “in the context of the use of the relevant core platform services by those business users and the end users engaging with the products or services provided by those business users”.

In essence, the DMA imposes obligations on leading platforms to host management processes for end users to manage their consent to allow them to share data with third parties, and to enable portability of their personal data to other platforms. Due to the variety of purposes for which data can be processed and to the variety of stakeholders intending to use data from service platforms, implementing effective and user-friendly consent management is far from obvious, and hence an opportunity to reuse already-existing PIMS components. Who and how these obligations will be implemented is still unclear.

A first alternative is that gatekeepers integrate this functionality in their platforms. One may argue whether just complying with regulations is a strong enough incentive for them to provide users with a satisfactory solution or, on the contrary, the resulting implementation would be merely regulatory-compliant rather than functional and user-oriented. In this scenario, similar to what is happening with data sharing and marketplaces, personal data management would become a built-in functionality of online platforms rather than a standalone platform itself.

Some authors have compared data to labor instead of oil or a property asset [2][7]. Similar to workers joining labor unions to defend their interests, a second alternative is that users defend their rights on the exploitation of their personal data by associating to a “digital union” of “passive data workers”. Such unions would necessarily be imposed by regulation, and likely act as a fiduciary to gain the trust of end users [4]. They have both advantages and disadvantages. On the one hand, they would definitely play a crucial role in monitoring the compliance with digital legislation, and hence contributing to improving the transparency of the data economy. On the other hand, they may end up accumulating and abusing their power as granted by the law.

In conclusion, the DMA opens the door for the data of gatekeepers to be shared with third parties always with the end users’ consent. Regardless who takes the lead and the responsibility to implement its obligations, this regulation, as the GDPR before, represents an opportunity for PIMS, data marketplaces and exchange platforms, and perhaps new players developing novel business models to enter the data market.

Thanks for reading!

[1] Andrés Azcoitia S., Laoutaris N. 2022. A Survey of Data Marketplaces and Their Business Models. arXiv preprint. arXiv:2201.04561

[2] Arrieta-Ibarra, L. Goff, D. Jiménez-Hernández, J. Lanier, and E. G. Weyl. 2018. Should We Treat Data as Labor? Moving beyond “Free”. AEA Papers and Proceedings 108 (2018)

[3] Cisco Secure Building Consumer Confidence Through Transparency and Control (2021) https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-cybersecurity-series-2021-cps.pdf

[4] S. Delacroix and N. D. Lawrence. 2019. Bottom-up data Trusts: disturbing the ‘one size fits all’ approach to data governance. International Data Privacy Law 9, 4 (10 2019), 236–252.

[5] European Data Protection Supervisor (EDPS) Opinion 9/2016 EDPS Opinion on Personal Information Management Systems. Towards more user empowerment in managing and processing personal data (September 2016)

[6] Mathur A., Acar G, Friedman M. J., Lucherini E., Mayer J., Chetty M., and Narayanan A… 2019. Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites. Proc. ACM Hum.-Comput. Interact. 3, CSCW, Article 81 (November 2019). https://doi.org/10.1145/3359183

[7] E. Posner and G. Weyl. 2018. Radical Markets. Uprooting Capitalism and Democracy for a Just Society. Princeton Univ. Press.