Introduction
In today’s digital landscape, consumer profiling techniques have become a central aspect of core platform services offered by tech giants. Recognizing the importance of safeguarding user privacy and promoting fair competition, Article 15 of the Digital Markets Act has introduced a key obligation:
- an audit of these profiling techniques
This pivotal regulation mandates that within six months of being designated as a gatekeeper, tech companies must submit an independently audited description of their consumer profiling methods to the Commission. This audit is a significant step towards ensuring transparency and accountability in the realm of consumer data processing. The Commission, recognizing the evolving nature of technology, has the authority to develop the methodology and procedure of the audit through implementing acts.
To further enhance transparency, gatekeepers are required to make an overview of their audited description publicly available, with due consideration for protecting their business secrets. Moreover, this overview must be updated annually, reflecting the dynamic nature of consumer profiling techniques. In parallel, the Commission has introduced a Template relating to the Audited Description of Consumer Profiling Techniques. This template is rooted in the principle that transparency is essential in preventing deep consumer profiling from becoming the industry standard, thus empowering competitors to distinguish themselves through superior privacy guarantees.
On July 31, 2023, the European Commission initiated a Public Consultation, extending a formal invitation to the European Data Protection Board (‘EDPB’) and the European Data Protection Supervisor (‘EDPS’) to contribute their insights.
Within the confines of this blog, we embark on a journey that unravels the intricacies of the template crafted in response to this consultation.
Our mission is to closely scrutinize the feedback and comments provided by EDPB and EDPS, offering us profound insights into the obligations that gatekeepers face concerning the submission of audits of consumer profiling techniques under Article 15 of the DMA.
Audited Description Of Consumer Profiling Techniques & Recommendations
Section 1: General information on profiling description | Name and point of contact of the gatekeeper submitting the independently audited description of applied consumer profiling techniques.
| Replace the title of Section 1 with “Information on the identity and corporate structure of the gatekeeper.”
Provide information about the function and role of individuals involved in drafting the description.
Ensure clarity about the contributions made by all relevant persons involved in preparing the audited description. |
Section 2: Information about the profiling techniques of consumers | Detailed description of all consumer profiling techniques applied within the core platform service and across multiple core platform services. | Focus on specific purposes and outcomes expected from profiling, not generic references. Provide examples of purpose descriptions via an explanatory footnote. |
Specific purposes pursued by profiling techniques and the legal ground relied upon. | Gatekeepers should demonstrate exceptions to the prohibition to process special categories of personal data when applicable. Consider limitations on relying on Article 6(1)(d) or (e) GDPR. Add a new point considering the use of legitimate interests under Article 6(1)(f) GDPR. | |
Detailed description of categories of personal data and data sources for profiling. | Clarify the distinction between personal data actively provided by consumers and data derived or inferred by the gatekeeper. | |
Retention duration for data and profiling. | Define “duration of profiling” as the time from data collection to the application of a profile, with a justification required. | |
Technical safeguards to avoid profiling of minors | Inquire about technical safeguards for protecting user rights when displaying advertisements, especially for minors or vulnerable users. | |
Description of processing applied and data lifecycle. | Provide a complete description of the data lifecycle and profiling techniques applied, covering all stages of the consumer profiling process. | |
Automated decision-making, its legal effects, and algorithms description | Include information on automated decision-making and its impact, even beyond “legal” effects. | |
Impact or importance of profiling techniques for business operations. | Clarify the specific information sought regarding the impact or importance of profiling techniques for the gatekeeper’s business operations. | |
Actions taken to make consumers aware of profiling. | Request information on what gatekeepers provide to consumers regarding profiling awareness and its format and timing | |
Description of steps taken to seek and manage consumer consent for profiling | Inquire about the availability of a profiling-free version of core platform services and its conditions. Consider it when assessing the validity of consent. | |
Statistics on consumer choices regarding profiling. | Include information on whether gatekeepers provide consumers with additional profiling controls and reasons behind such decisions. | |
Data protection impact assessment and conclusion. | Seek information on why gatekeepers have or haven’t provided additional profiling controls to consumers. | |
Alternative measures to profiling are implemented and considered. | Include specific points related to ensuring data subject rights, data transfers to third countries, special categories of data processed, and the involvement of third parties in the processing. | |
Section 3: General information on the audit | Name of the auditor(s) or auditing organization(s) which verified and audited the submitted description.
Overview of the professional qualifications, certifications, and descriptions of responsibilities of auditing team members.
Declaration of interests by each auditing organization.
Names of consulted third parties and their contact points (if applicable).
Names and contact information for all previously appointed auditor(s) or auditing organizations (if there was a change). | Include an explanatory footnote referencing existing standards for auditors’ professional qualifications.
Add an explanatory footnote referring to applicable EU law on the prevention of conflicts of interests in statutory audits to emphasize auditor independence. |
Section 4: Information about audit procedure | Description of audit procedures and methodologies used by the auditor or auditing organization.
Overview and description of audit evidence.
Detailed description of data sources not included in the audit scope and reasons for non-inclusion.
Any circumstances preventing the audit organization from performing the audit with a reasonable level of assurance. | Emphasize that this template does not replace the implementing act the Commission may adopt to develop audit methodology and procedure.
Include an explanatory footnote illustrating the degree of independence expected from gatekeepers’ auditors.
Address the absence of specific Commission-vetted quality standards for gatekeeper audit methodologies by providing examples of well-known audit methodologies. |
Section 5: Audit conclusions | Assessment of whether the gatekeeper’s provided description is complete and accurate.
Justifications for assessment and comments on potential misstatements, omissions, misrepresentations, or errors. | Replace the reference to ‘sufficient information’ with ‘complete and accurate information.’ |
Furthermore, Section 6 requires gatekeepers to provide a non-confidential overview of the audited description of each profiling technique applied to core platform services. This transparency measure ensures that the public can gain insights into the methods used for consumer profiling, fostering trust and enabling informed choices.
Section 7 is a final declaration that signifies the gatekeeper’s commitment to complying with the audit process and the provision of accurate information.
While there are no specific recommendations provided by EDPB and EDPS for these sections, their inclusion underscores the need for gatekeepers to take responsibility for their profiling practices and demonstrate their commitment to data protection standards.
Author: Kosha Doshi, Final Year Student at Symbiosis Law School, Pune and Legal Intern Data Privacy and Digital Law at EU Digital Partners