Personal Data Processing by Online Platforms and Search Engines : The Case of the EU Digital Services Act

Abstract

The new EU Digital Services Act (DSA) is intended to regulate intermediary service providers, with particular attention to online platforms and search engines. The core activity of such platforms and engines is personal data processing, pursuant to the tasks of content moderation and recommendations. This means that regarding personal data, there is an interconnection between the GDPR and the DSA, and it is a matter of law to determine how they interact in the EU digital space. This paper endeavours to draw a comprehensive picture of how the GDPR and the DSA seek to provide better guidance on the adequacy and enforcement of personal data protection. It is argued that their relationship is best described as the DSA being the lex specialis vis-à-vis the GDPR, but this is somewhat blurred by instances where the latter is mostly complementing the former, such as 1. specific legal basis for data processing in compliance with new legal obligations for platforms; 2. a new articulation between both regulations concerning dark patterns; 3. new prohibitions on personal data processing; 4. new duties for the protection of personal data; and 5. a new ancillary institutional framework to regulate data protection by online platforms in collaboration with national data protection authorities.