Berlin’s Data Protection Authority (DPA) recently tried an unusual route: it sent Digital Services Act (DSA) Article 16 notices to Apple and Google, urging them to delist the DeepSeek app over alleged GDPR-breaching data transfers to China. This move—using a law designed for illegal online content to police complex data transfers—is a potential game-changer, and a controversial one.
If this becomes the norm, are we prepared for platforms like Apple and Google to become quasi-judicial arbiters of complex GDPR disputes? And what does this mean for legal certainty and the EU’s single market, where an app might be deemed “illegal” in one country but fine in another based on non-binding notices?
In his new article, From Transfers to Takedowns: Can Article 16 DSA Police GDPR Violations?, just published at the European Law Blog, Theodore Christakis argues this approach is a legally problematic overreach for two key reasons:
- The GDPR Claim is on Thin Ice: The Berlin DPA alleges a violation of Chapter V of the GDPR by DeepSeek due to an “illegal transfer” of data to China. However, direct data collection from EU users by a non-EU company does not qualify as a “transfer” under the EDPB’s own guidelines. While other GDPR rules may be at play, the specific violation cited appears incorrect.
- The Wrong Tool for the Job: An Article 16 DSA “notice” is non-binding; it does not compel removal but merely gives the platform “actual knowledge” of an allegation. Relying on this mechanism pressures digital giants to act as unwilling arbiters of complex privacy disputes. A binding, reviewable Article 9 DSA “order” is the proper, legally sound tool for such a significant action.
A Proposed Path Forward: A Two-Track Framework
This situation highlights a real enforcement gap against uncooperative, non-established companies —a challenge epitomized by the Clearview AI saga. But there is a better way. Christakis’s article proposes a clear, two-track framework to maintain the integrity of both regulations:
- Track 1 (The Default): For companies with an EU presence or those that cooperate with authorities, the GDPR’s own powerful enforcement toolkit should be the primary route.
- Track 2 (The Last Resort): For truly non-cooperative companies with no EU base, a formal, binding, and appealable DSA Article 9 order can be used as a last-resort compliance lever.
This balanced approach keeps the lanes clear: GDPR for privacy, DSA for intermediary liability. It prevents overreach while offering regulators a viable tool when all GDPR avenues have been exhausted.
To explore the full legal analysis, the precedents, and the detailed framework, read the full article.
* * *
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.
