DSA's Platform Shift, 12 Authorities on Data Scraping & Irish GDPR Ruling

By Robert Bateman and Privado.ai

This week’s Privacy Corner Newsletter explores:

  • What changes must be made by platforms now that the Digital Services Act (DSA) has taken effect.
  • A joint letter from 12 data protection authorities addressing the privacy risks of data scraping.
  • The Irish High Court’s decision on how far regulators must go to investigate GDPR complaints.
  • What we’re reading: Three of this week’s privacy-related picks for your reading pleasure.

Platforms Implement Major Changes As EU Digital Services Act (DSA) Takes Effect

Several major social media platforms put new user controls in place as the EU’s Digital Services Act (DSA) took effect on Monday.

  • The DSA represents a major legislative effort to regulate the web, described by France’s digital minister as “potentially the most important (law) in the history of digital regulation”.
  • Almost all websites and apps allowing user-generated content are affected by the law, with “Very Large Online Platforms” (VLOPs) and “Very Large Online Search Engines” (VLOSEs) attracting the most obligations.
  • The law will change how platforms approach targeted ads, content moderation, and illegal content, among other areas.

The most important law in the history of digital regulation!?

So say some European politicians and legislators. The DSA should certainly be significant, even if it doesn’t change the web as much as other laws like the GDPR.

We’ll look at how the DSA imposes new requirements in three key areas: targeted ads, terms and conditions, and content moderation.

What are the new targeted ads rules?

The DSA’s impact on ad-targeting is a good focal point for a privacy-focused newsletter, so here’s a summary of some of the new rules:

  • No more targeted ads based on data about children or “special category data” (specific types of “sensitive” data under the GDPR). Such ads are now banned.
  • New transparency obligations when serving targeted ads. A user must be able to see:
      • Whether a given item of content is an ad,
      • Which organization is promoted by the ad, and who paid for it,
      • How the user can change their ad-related settings.

But this only applies to large platforms?

No—the above obligations apply to platforms of all sizes. In determining whether a service is covered by the DSA, the focus is on whether users can share content, including posts and replies. 

There is an exception covering most blogs and other sites with comment sections, as long as sharing content is not the principal purpose of the service.

Then there are the VLOPs and VLOSEs, platforms used by 10% or more of the population of the EU, that have more extensive DSA obligations, including maintaining a searchable public database of targeted ads.

(Interestingly, all 19 of the DSA’s VLOPs and VLOSEs are US-based companies except four: Alibaba AliExpress, Booking.com, TikTok, and Zalando.)

What are the other obligations under the DSA?

Targeted ads aside, DSA-covered platforms are also subject to a range of new content moderation and reporting obligations.

Among other things, platforms must publish clear terms and conditions and apply their own rules in a fair and transparent way.

If content gets restricted or demonetised, users have a right to know why—and they must be allowed the opportunity to appeal.

Platforms must provide processes for reporting and removing illegal content, including content related to financial fraud, child sexual abuse material, and counterfeit products.

The law won’t see full enforcement until next February, by which time each EU country must establish a Digital Services Coordinator. However, users in EU countries should see new reporting mechanisms on social platforms from this week onwards.

Privacy Regulators Sign Joint Letter on Data Scraping

A global coalition of privacy and data protection regulators has released a statement setting out key concerns on “data scraping and the protection of privacy”.

  • The letter is signed by the heads of regulators from Australia, Canada, the UK, Hong Kong, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina, and Mexico.
  • The regulators set “key expectations” on social media firms and other website operators to protect users’ data from scraping—the mass collection of publicly available personal data by third parties.
  • The letter also sets out some steps that individuals can take to better protect their personal data online.

What does the letter say?

The letter sets out some of the risks associated with data scraping, including:

  • Targeted cyberattacks: Scraped data can end up for sale on the dark web.
  • Identity fraud: Scraped data can be used in impersonation social engineering attacks.
  • Monitoring, profiling, and surveillance: Scraped data can be used for facial recognition and other unauthorized surveillance purposes.
  • Unauthorized intelligence gathering: Governments and spies can use scraped data for intelligence purposes.
  • Spam: Scraped data can benefit companies sending unsolicited direct marketing.

What about AI?

Interestingly, the letter doesn’t mention AI. This is despite the fact that large language models (LLMs) are normally trained on scraped data.

It’s hard to say why the 12 regulators chose to omit AI training from the scope of their statement, given how important certain AI systems have become over the past year.

What are they going to do about it?

There’s no specific threat of enforcement action in the letter. However, the signatories all belong to the Global Privacy Assembly’s International Enforcement Working Group (IEWG).

The statement sets “expectations” on social media firms and other website operators, including that they should: 

  • Designate resources to tackle scraping.
  • Implement monitoring and rate limiting to restrict unusual account activity.
  • Use tools such as CAPTCHAs and IP-blocking to weed out bots.

Don’t most platforms do that stuff already?

Yes, most major platforms already implement the protections above. Some companies, including Meta and Microsoft, have also taken legal action to stop scrapers.

The regulators say they “welcome” a reply from the named social media firms and other companies within one month.

Irish Court Says Regulator Not Required to Tackle Adtech Complaint

The Irish High Court has ruled that the Irish Data Protection Commission (DPC) is not obliged to investigate a 2018 complaint against Google’s adtech practices.

  • The judicial review against the DPC was brought by Johnny Ryan, now a senior fellow at the Irish Council for Civil Liberties (ICCL).
  • Ryan claimed the DPC violated the GDPR and the Irish Data Protection Act by failing to investigate his 2018 complaint about Google’s “real-time bidding” process.
  • The court found that the DPC had discretion over the “sequencing” and “extent” of its inquiries.

What happened here?

In 2018, Johnny Ryan—a data protection activist who, at the time, worked for Brave Software and now works for the nonprofit ICCL—submitted a complaint to the Irish DPC alleging that Google violated the GDPR via its targeted advertising processes.

The Irish DPC said, effectively, that it would deal with Ryan’s complaint after finishing its own investigation into the adtech industry because there was a “clear overlap” between Ryan’s complaints and its investigation.

But that was like five years ago…

Indeed. The DPC’s investigation into adtech is taking a very long time. The DPC argues that Ryan will ultimately get an outcome quicker if it completes its own investigation first.

After several years of delay, Ryan submitted a judicial review of the DPC’s decision to postpone the investigation of his complaint, arguing that:

  • The DPC’s “own volition” inquiry into the adtech industry does not fully cover the issues raised in his complaint (specifically those related to data security), and
  • As such, the DPC has a responsibility to investigate his complaint within a reasonable period and with all due diligence.

What did the court say?

The court sided with the DPC. Here are some of the key findings in the court’s judgment:

  • A data protection authority is obliged to “handle” all complaints it receives, but has broad discretion regarding how to do so.
  • The DPC was entitled to delay the investigation of Ryan’s complaint until after it concludes its own investigation.
  • The DPC can consider the following factors, among other things, when deciding how to handle a complaint:
      • The seriousness of the alleged infringement.
      • The need to manage its resources.
      • The need to comply with fair procedures on both sides.

Is this bad for data subjects?

GDPR enforcement remains a contentious issue even as the number of fines and other decisions increases across the EU.

The ICCL itself alleges that the Irish DPC has created a “bottleneck” of GDPR enforcement, as most decisions related to “big tech” are channelled through the regulator.

The DPC is not the only data protection authority to assert its broad discretion over complaint-handling in court. The UK’s Information Commissioner’s Office (ICO) has defended similar cases in the courts of England and Wales.

Some data protection authorities have immense caseloads and might have to make hard decisions about which cases warrant a detailed investigation.

However, the GDPR’s complaints mechanism could be undermined if regulators have too much power in deciding which complaints can be ignored—or delayed to the point that they are effectively ignored.

What We’re Reading

Check out these three privacy-related reads published this week:

Romain Robert

privacy/GDPR and technology law consultant - qualified lawyer - Legal officer at EDPS - former noyb program director - member of the litigation chamber of the Belgian DPA- former EDPB Sec

1y

that's excellent !

Debbie Reynolds

The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath

1y

Privado.ai great newsletter as always.
