DSM & GDPR: Oil and Water?

Allegro Group Position Paper


The Juncker Commission’s flagship Digital Single Market (DSM) strategy, in the words of Robert Madelin[1], is focused, ambitious, and risk-taking. Senior European Commission officials will acknowledge that in implementing the DSM, the Commission is going to have to accept a certain amount of conflict and opposition.


One of the conflicts that it has sought to avoid is with advocates of the proposed General Data Protection Regulation (GDPR). And yet, it is quite possible that the GDPR is the biggest obstacle to the realisation of the DSM. This paper examines some of the key tensions and, in some cases, contradictions between the two.


Underlying Principles



Borderless Mindset vs. Data Localisation

The DSM explicitly endorses the borderless mindset that advocates of digitalisation insist is necessary [2]. Borders, whether within Europe or between Europe and the rest of the world, are incompatible with the DSM vision. In this mindset, data localisation requirements are a no-no.

The GDPR is fundamentally pro-borders as a mechanism to protect personal data. The most important border is the external border of the EU with the outside world, inherited from the 1995 Directive, which bans the export of personal data from the EU, subject to certain exceptions. Other jurisdictions regard this, rightly or wrongly, as one big data localisation requirement.

Online vs. Offline

The DSM strategy seeks to help the digital part of the single market catch up with the offline world by targeting "barriers that do not exist in the physical Single Market" [3].

The GDPR goes in the opposite direction by specifically targeting the online world. If this were not clear from the texts on the table (notably on the right to be forgotten, data portability, and the definition of personal data itself), it is certainly clear from the rhetoric, which is focused on the challenge of dealing with big multinational (mainly American) Internet companies. The impact of these online-focused provisions on the offline world has not been systematically assessed.

Power of Major U.S. Platforms

The DSM acknowledges the challenge posed by American leadership in many parts of the digital space and responds with a high level of ambition for European competitors – the politics of hope.

The GDPR expresses the politics of despair and proposes rules that are designed to slow down big US players rather than empower their European competitors. For example, forcing the broad use of explicit consent would help cement the positions of the market players with the largest numbers of registered users.




Practical Implementation


The DSM seeks to harmonise, and indicates a wide range of proposals that will make rules more consistent across Europe.

The GDPR pays lip service to harmonisation – notably in that it is a Regulation and not a Directive – but in reality is likely to decisively prevent harmonisation. This is the case for provisions relating to the “one-stop-shop”, to codes of conduct, to broad exemptions for the public sector and employment law, and a range of other areas where the secondary policy will have to be made by the Commission, data protection authorities, or other bodies.

Big Data and the Internet of Things

The DSM acknowledges the fundamental economic and social importance of cloud computing, big data, and the Internet of Things, and aims to stimulate investments in these to make Europe a global leader.

The GDPR views big data as a risk. Provisions on profiling seek to establish the principle of individual control over the public good, and the purpose limitation principle seems likely to be worded in such a way that makes it impossible to use existing data to address problems that were not envisaged at the time of collection, without asking every individual for explicit permission.


The DSM aims to sweep away a range of barriers to investment in innovation in Europe, notably by focusing on ownership, interoperability, usability, and access to data.

The GDPR views innovation with suspicion. The European Parliament is proposing to restrict the use of one of the key legal bases (Article 6.1.f) such that it can only be used if it meets the “reasonable expectations” of the data subject. What is innovation if not unexpected?

Illegal Content & Cybersecurity

The DSM seeks to promote a more effective fight against illegal content and cybersecurity threats by examining what actions can be taken by digital market actors.

Simultaneously, the GDPR seems likely to restrict the legal bases available for industry to take such actions (notably Article 6.1.f).

Once-Only principle

The DSM seeks to encourage public authorities to make the citizen-consumer’s experience easier by doing more data processing and exchange in the back-office. The idea is that once the authorities have your data, the citizen-consumer does not need to provide it again in order to obtain a new public service.

But the GDPR obliges data controllers to seek permission anytime they process data for something other than the original purpose. The fact that an insertion is needed in the DSM clarifying that Once-Only must be done in compliance with data protection legislation [4] strongly implies that the drafters were aware of this conflict or tension.


The DSM clearly states the ambition of bringing legal certainty as to the allocation of liability relating to the processing of data. Indeed it explicitly acknowledges the role of the liability regime in the e-Commerce Directive in underpinning the growth of the Internet.

The drafters of the DSM understood the tension with the GDPR – why else would the ambition be qualified by reference to personal data: “Legal certainty as to the allocation of liability (other than personal data related) is important for the roll-out of the Internet of Things.” Is liability related to personal data not important for the Internet of Things?

Skills Gap

The DSM shows a clear understanding of the skills gap in Europe with regard to ICT, and promises to address this.

By dramatically increasing the administrative burden on companies and requiring the appointment of data protection officers, the GDPR will create massive demand for data protection professionals, especially lawyers. Neither the DSM nor the GDPR seems to acknowledge this particular skills gap.


The Allegro Group believes that this combination of differences in the underlying principles and the practical implementation would create significant friction for the realisation of the Juncker Commission’s ambitious DSM vision. While it is clear that confronting these tensions head-on would constitute a major political risk, the Allegro Group believes that the risk to the Juncker Commission of seeing the DSM fail because of the legacy of the Barroso Commission may prove to be bigger.






About the Allegro Group

The Allegro Group is the leading Central and East European e-commerce company. From its Polish home in Poznań, the group has expanded to cover close to a score of European countries, including 7 EU Member States. It operates e-marketplaces, e-retail sites, e-classifieds sites, online comparison shopping businesses, and a global online payments business.

Contact: Chris Sherwood, Head of Public Policy for the Allegro Group: chris.sherwood@allegrogroup.com


[1] See http://www.euractiv.com/sections/innovation-industry/madelin-i-have-been-appointed-job-be-creative-317192 “What distinguished the Digital Single Market from the Digital Agenda for Europe is that it is very focused and much more ambitious.

Between 2010 and 2015 we cleared the ground, we laid the foundations, with 138 actions. Strategically, Juncker went from having the strong vertical approach under Neelie Kroes to having a sort of T-shaped digital policy, which is more mainstreamed, with more focus and more risk-taking.

The 16 actions under the DSM are almost all in areas where there is real political judgement to be exercised about what the market will bear in terms of the speed of change.”

[2] See text of Juncker Commission Priority no 2 A Connected Digital Single Market. “We can create a fair level playing field where all companies offering their goods or services in the European Union are subject to the same data protection and consumer rules, regardless of where their server is based.”

[3] See DSM Strategy p.3

[4] See section 4.3.2 of the DSM Strategy on e-government

