Legislators in the US, Japan and Australia have recently been publicly calling for tighter regulation of online platforms. About Bojana Bellamy Bojana Bellamy is the President of Hunton Andrews Kurth LLP’s Centre for Information Policy Leadership (CIPL), a preeminent global privacy and data policy think tank located in Washington DC, London and Brussels. About Aaron Simpson Aaron Simpson is a partner at Hunton Andrews Kurth in the firm’s New York and London offices. He advises clients on a broad range of complex global privacy, data protection and cybersecurity matters, including with respect to existing and emerging requirements in the US and EU. • How will gatekeepers’ intellectual property, privacy and data security interests find application in the data sharing process? • What measures will be required to prevent re-identification of shared data that has been effectively anonymised or pseudonymised? Liability of gatekeepers and data recipients under GDPR data protection principles with regard to shared personal data • Who is responsible for carrying out data protection impact assessments? • Do gatekeepers have to perform privacy and security due diligence before or after sharing data with a recipient pursuant to the DMA? Can they refuse to share where the due diligence identifies risks? • Would gatekeepers’ responsibilities end for any subsequent misuse of personal data after sharing? For a more detailed analysis regarding the interplay between the DMA and the GDPR, please see the White Paper by Hunton Andrews Kurth’s Centre for Information Policy Leadership: ‘Bridging the DMA and the GDPR’. Next Steps The DMA will be published in the Official Journal, likely in October 2022, and come into force 20 days later with a six-month implementation period. Gatekeepers will have a maximum of six months after designation to comply with the new rules. Fines for violations of the DMA can reach up to an eye-watering 10% of their annual global turnover or up to 20% in case of repeat offenders, e.g. violating similar obligations relating to the same core platform service. Companies in scope for any of the DMA’s effects need to begin planning for its implementation. They will have to consider the practical challenges of appropriate security and GDPR-compliant processing created by the DMA’s provisions on data sharing, sideloading, data portability and data combination across platforms. The Commission has powers to issue further implementation guidance, which should be welcomed by impacted businesses. Gatekeepers also have the ability to request further guidance from the Commission regarding the appropriate level of security. That being said, only further, multistakeholder regulatory engagement and cooperation will ensure legal certainty and coherent application of GDPR in concert with the DMA’s requirements. National data protection authorities and the European Data Protection Board must develop consistent guidance across the Union with respect to the DMA. Cooperation with the competition authorities on the EU and national level also will be vital. As we have seen with the GDPR, given the hot button nature of the issues that triggered the creation of the DMA, the introduction of new digital legislation in the EU may well have a global knock-on effect. Legislators in the US, Japan and Australia have recently been publicly calling for tighter regulation of online platforms. As the DMA takes shape across the EU, global platforms will need to carefully monitor developments in the US (for instance, the proposed Open Acts Markets Act (S. 2710, H.R. 5017, H.R.7030), Japan and other countries. Contact 30 St Mary Axe, London EC3A 8EP Tel: +44 02072 205703 +44 02072 205612 E: bbellamy@HuntonAK.com asimpson@HuntonAK.com www.huntonak.com SPECIAL FEATURE 45
RkJQdWJsaXNoZXIy Mjk3Mzkz