• variaatio@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    35
    ·
    edit-2
    5 months ago

    Main issue comes from GDPR. When one uses the consent basis for collecting and using information it has to be a free choice. Thus one can’t offer “Pay us and we collect less information about you”. Hence “pay or consent” is blatantly illegal. Showing ads in generic? You don’t need consent. That consent is “I vote with my browser address bar”. Thing just is nobody anymore wants to use non tracked ads…

    So in this case DMA 5(2) is just basically re-enforcement and emphasis of previous GDPR principle. from verge

    “exercise their right to freely consent to the combination of their personal data.”

    from the regulation

    1. The gatekeeper shall not do any of the following:
      (a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;
      (b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;
      © cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and
      (d) sign in end users to other services of the gatekeeper in order to combine personal data,

    unless the end user has been presented with the specific choice and has given consent within the meaning of Article 4, point (11), and Article 7 of Regulation (EU) 2016/679.

    surprise 2016/679 is… GDPR. So yeah it’s new violation, but pretty much it is “Gatekeepers are under extra additional scrutiny for GDPR stuff. You violate, we can charge you for both GDPR and DMA violation, plus with some extra rules and explicity for DMA”.

    I think technically already GDPR bans combining without permission, since GDPR demands permission for every use case for consent based processing. There must be consent for processing… combining is processing, needs consent. However this is interpretation of the general principle of GDPR. It’s just that DMA makes it explicit “oh these specific processing, yeah these are processing that need consent per GDPR”. Plus it also rules them out of trying to argue “justified interest” legal basis of processing case of the business. Explicitly ruling “these type of processing don’t fall under justified interest for these companies, these are only and explicitly per consent type actions”.