During its September plenary meeting, the European Data Protection Board (EDPB) adopted guidelines on the relationship between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). This the first EDPB guidance on the relationship between these two pieces of legislation.
The DSA aims to complement the rules of the GDPR to ensure a high level of protection of fundamental rights in the digital sector. Its main goal is to create a safer online environment in which the fundamental rights of all users, including the right to freedom of expression, are protected. It applies to online intermediary services, such as search engines and platforms.
Several provisions of the DSA involve intermediary service providers processing personal data. The EDPB guidance aims to contribute to the consistent application of the DSA and of the GDPR, to the extent that some provisions of the DSA concern the processing of personal data by intermediary service providers and include references to GDPR concepts and definitions.
Although it is up to national regulators, with the support of the European Board for Digital Services and EU courts, to interpret the DSA, there are several provisions which relate to the GDPR. These include:
- notice-and-action systems that help individuals or entities report illegal content;
- recommender systems used by online platforms to automatically present specific content to the users of the platform with a certain relative order or prominence;
- the provisions to ensure a high level of privacy, safety, and security of minors and prohibiting that profile-based advertising using their data is presented to them;
- transparency of advertising by online platforms; and
- prohibition of profiling-based advertising using special categories of data.
The EDPB guidelines are aimed at helping organisations to understand how the GDPR should be applied in the context of DSA obligations.
The EDPB also provides practical guidance relating to the cross-regulatory cooperation between authorities to coordinate enforcement which aims to provide more legal certainty for intermediary service providers and ultimately to protect the rights and freedoms of individuals.
The guidelines will be subject to public consultation.
Following this guidance, further work is underway with other regulators to clarify the new cross-regulatory landscape and maintain coherent and consistent safeguards for the protection of personal data. The EDPB is working on joint guidelines with the European Commission on the Digital Markets Act and the GDPR, as well as on joint guidelines on the AI Act and EU data protection laws.
