The French EU Council Presidency should focus its work on major EU digital legislation to lead to greater clarity and legal certainty in an increasingly fragmented digital landscape, argues Yann Padova.
Yann Padova is an attorney at Baker McKenzie and former secretary-general of CNIL, France’s data protection authority.
President Emmanuel Macron says that he intends to prioritise rapid adoption of the Digital Markets Act (DMA) during the French EU presidency. This legislation forms part of the European Commission’s intention to make Europe a “digital superpower”.
This aim, shared by all committed Europeans, involves introducing new obligations intended to promote competition in a market where technology firms, often foreign, are perceived as dominant and accused of stifling innovation.
According to the European Commission, the market power of these firms – described as “gatekeepers” – is based on large-scale data collection. Therefore, the DMA will require them to share their data, to ensure that it circulates more freely and in order to stimulate innovation.
This focus on the volume of data favours a quantitative approach, instead of looking at the systemic and legal frameworks in which innovation can thrive. There are also many questions about the DMA’s consistency and compatibility with other European legislation, including GDPR.
For example, the DMA requires platforms to give companies using their services “continuous and real-time access” to their “aggregated and non-aggregated data”, free of charge.
A platform will therefore have to make its data accessible to companies, even where it does not know how secure those companies’ technologies are or what their plans to use the data are.
According to GDPR, however, when users’ personal data is shared, a company must tell them exactly who the “recipients” of their data are. But how can this happen if the recipients are unknown at the time the platform initially collects the data?
Similarly, GDPR rules state that personal data must be collected for a specific use, and must not be processed subsequently for another “incompatible” purpose. Breaching this obligation is a criminal offence under French law. So how can a company receiving data from a platform ensure that its use remains “compatible”?
Not all SMEs, for which the DMA is designed, have the legal resources to carry out this complex compatibility analysis. And if a recipient of data uses it for an incompatible purpose, will the platform be held liable as an accomplice?
Finally, GDPR requires all companies that collect personal data to ensure the security of that data throughout its entire lifecycle. Platforms must build data protection into their services and interfaces by design. However, this does not fit well with their obligation to give access to their data “in real time” to all third-party companies that use their services.
Again, a failure to incorporate data protection by design into a service represents a breach of GDPR and a criminal offence. So what will happen when a security breach caused by a cyberattack affects a data recipient? Will that recipient company be the only one held liable, or will the platform be held jointly liable?
These legal uncertainties damage trust, which is critical for both data sharing and innovation. Without trust, there can be no data sharing, innovation or growth.
Paradoxically, these uncertainties increase the risk that SMEs receiving data, the very ones that the DMA aims to support, will fail to comply with the rules and commit criminal offences.
Let us hope, therefore, that the French Presidency will lead to greater clarity and legal certainty in an increasingly fragmented digital landscape.