Relation of RODO to the Digital Services Act

1. DSA and RODO -relationship status: “it’s complicated”.

Recent months have seen many e-commerce businesses implementing the EU regulation, the Digital Services Act (DSA), in their organisations. 

It is important to remember that the DSA does not operate in a vacuum. In addition to it, e-commerce entrepreneurs need to be aware of other regulations that they must comply with in order to be fully compliant. One of these is precisely RODO. One can even venture to say that DSA will not be properly implemented if RODO has not been implemented in the organisation beforehand. 

The DSA Regulation in its wording indicates how it relates to the RODO. In general, the DSA is unaffected by the EU data protection regulations (i.e. primarily the RODO). At this point, a lawyer will use the expression that the RODO is lex specialis to the DSA. This means that the provisions of RODO are specific to those of the DSA. The Digital Services Act is only complementary to the RODO regulations. 

Below are a few areas where you should be mindful of RODO when implementing DSA in your organisation.

2. RODO and dark patterns 

One example is the prohibition of dark patterns -‘deceptive interfaces’. Under Article 25(1) of the DSA, online platform providers may not design, organise or operate their online interfaces in a way that misleads or manipulates the recipients of the service or otherwise materially interferes with or impairs the ability of the recipients of their service to make free and informed decisions.Importantly, this regulation applies when the provisions of the RODO and the Unfair Market Practices Directive will not apply. What does this mean? Even if an online platform provider uses dark patterns, it must first be established whether they are not related to the collection or processing of personal data or whether they are targeted at consumers. If neither of theseis the case, then the DSA regulation should be used. 

Thus, the RODO remains more relevant than the DSA when combating dark patterns. It is important in this context to pay attention to, among others, the European Data Protection Board’s Guidelines 3/2022 (Guidelines 3/2022 on Deceptive design patterns in social media platform interfaces: How to recognise and avoid them, adopted 14.2.2023 (version 2.0)).

3. RODO and profiling

One area that the DSA has paid particular attention to is the issue of the presentation of advertising based on profiling using personal data.

What is profiling? Under the RODO, it is any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of an individual, in particular to analyse or predict aspects relating to that individual’s performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

The DSA Regulation primarily refers to profiling in the case of online platform providers.

Firstly, online platform providers are not allowed to present profiling-based advertisements to service recipients using special categories of personal data.What are these ‘special categories of data’, which are also referred to as ‘sensitive data’? The RODO indicates that they are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning the health, sexuality or sexual orientation of that person.

Secondly, online platform providers are not allowed to present profiling-based advertising on their interface using the personal (not only sensitive!) data of the service recipient if they know with sufficient certainty that the service recipient is a minor.

Thirdly, providers of very large online platforms and very large search engines that use recommender systems (more at this link) provide at least one option for each of their recommender systems that is not based on profiling.

4. RODO and the protection of minors

Another area of the DSA where knowledge of the RODO is necessary for implementation is the issue of the protection of minors (from the perspective of the DSA of those under 18). Above, I mentioned the prohibition on presenting profiling-based advertising to minors using personal data. Below is another obligation.

Providers of online platforms accessible to minors shall put in place appropriate and proportionate measures to ensure a high level of privacy, security and protection of minors in the services they provide. This is a similar approach to the privacy by design and privacy by default model introduced in the RODO. In other words, when putting in place appropriate measures to ensure the privacy, safety and protection of minors, it is necessary to draw on the acquis of the RODO in this respect, particularly in the context of Articles 25 and 34 of that Regulation. It is also important to make use of guidance developed both by the EROD (e.g. 5/2020 on consent under Regulation 2016/679) or by the supervisory authorities of individual EU Member States (e.g. ‘The Fundamentals for a Child-Oriented Approach to Data Processing’, developed by the Irish Data Protection Commission).

1. Summary

These are just a few examples that show how important RODO is from an DSA perspective. The implementation of the Digital Services Act in an organisation will not be complete if proper implementation of RODO has not taken place in advance. This means that it is already worthwhile for each e-commerce business to check the validity of its data protection solutions.