Deloitte Internet Regulation Updater

What: On 12 December, the European Commission (EC) published its template relating to the description of profiling techniques of consumers and the independent audit and reporting of such descriptions by gatekeepers under Article 15 (Art 15) of the DMA. The draft was released previously for consultation on 31 July 2023.

Recap: Designated gatekeepers have six months, from designation, to submit their independently audited report describing any techniques for profiling of consumers they apply on or across their core platform services listed in the designation decision. For the six gatekeepers that were designated on 6 September 2023, the deadline is 7 March 2024. Going forward such descriptions will need to be reviewed and updated at least once a year. 

Theme: The Art 15 requirement is rooted in transparency. The Art 15 reporting requirement addresses the concern that, as a result of the large amount of user data collected by the gatekeepers, new entrants and start-ups may find it difficult to compete with them. Requiring transparency on profiling techniques is intended to help ensure that deep consumer profiling does not become an industry standard and allow competitors to differentiate themselves by offering superior privacy guarantees. 

First look - key points to note:

1. We’re not done yet: the EC may update the template in future to identify further information which gatekeepers should provide or to set out further details on the auditing procedures. There is also the potential for a delegated act.
2. For the first audited description, the observed period subject to audit into profiling techniques is ‘point in time’ and two months prior to the first audit being due. For example, for the six designated gatekeepers the observed period would be 6 January 2024.
3. The template now expressly requires a description of the specific purpose pursued by each profiling technique.
4. The template extends the requirements to provide details on consumer consent obtained by third parties, including describing any steps taken to seek consumer consent to profiling, including visual representations (click-by-click) on how consumers can refuse or withdraw consent, any consequences of such refusal or withdrawal, and how any such consequences are notified to the consumer.
5. The template also requires further breakdown of data including the provision of further detail on each category of personal data and data originating from third parties distinguishing between types of third parties, eg, advertisers, publishers, developers. Further information is to be provided on data derived from user activity on third parties' services distinguishing data and personal data categories actively provided by consumers from observed data and inferred data originating from third parties.
6. The template requires further breakdown of the legal grounds relied upon for processing of personal data. In addition to considering the legal grounds relied upon under Articles 9(2) and 6(1) of GDPR, gatekeepers will also need to distinguish the legal ground relied on for the processing of personal data collected directly by the gatekeeper from the legal ground relied for the processing of personal data originating from third parties.
7. The template no longer expressly requires detailed information on technical safeguards in place to avoid advertisements being presented to minors, or how user data may be collected that would allow gatekeepers to identify a user as minor.

Considering the deadlines, platforms in scope for both Digital Services Act (DSA) and the DMA face a challenging few months as they prepare in parallel for the DMA Article 15 audit and the DSA audit. Further, it is clearly the intent for the data privacy regulator to rely on the profiling descriptions to determine the gatekeepers’ compliance with EU privacy law (the GDPR), which highlights the interconnectedness of the different regulatory domains.

Your contacts

Joey Conway, Internet Regulation Partner, Legal Lead 

Nick Seeber, Partner, Global Internet Regulation Lead

Mark Cankett, Regulatory Assurance Partner, Global Lead for Algorithm and AI Assurance, Deloitte

Curtis Barnes, Manager, Regulatory Assurance, Deloitte

Nia Thomas, Associate, Deloitte Legal

Ashmeet Wadwa, Consultant, Deloitte Legal

Content from Deloitte's Internet Regulation blog can now be sent direct to your inbox. Choose the topic and frequency by subscribing here and selecting Internet Regulation.