The EU Digital Markets Act (DMA), which cleared an important hurdle in the EU’s complex legislative process this spring, appears headed for adoption in May. While full-scale implementation is not likely until 2024, companies providing “core platform services”, as well as those potentially receiving data from such companies, should understand not only what the DMA requires, but also its impact on existing obligations under the EU General Data Protection Regulation (GDPR).
In a nutshell, the DMA seeks to promote competition in the digital sector by curbing the market power and (perceived) unfair practices of large digital platforms acting as “gatekeepers.” The legislation does not seek to supplant existing competition laws, but rather targets the effects of core platform services on the internal market. According to the European Commission, gatekeepers are those entities who exercise considerable economic power over “whole platform ecosystems in the digital economy,” thereby blocking the entry of new market participants and leading to “serious imbalances in bargaining power.”
The European Commission introduced the first draft of the legislation in 2020 as part of the EU’s digital strategy. Following trilogue negotiations between the European Commission, the European Parliament, and EU Member States, the EU announced a provisional agreement on March 24, 2022. While the final text has not been officially released, a leaked version reveals what is in store.
Who is within scope of the DMA?
The DMA provides a laundry list of services deemed “core platform services”— search engines, social networking services, video-sharing platform services; operating systems, web browsers, virtual assistants, cloud computing services, online advertising services and more. The DMA will apply to these core platform services, but only to the extent they are acting as “gatekeepers” under the legislation.
The DMA defines the concept of “gatekeeper” by reference to three subjective criteria: (1) a significant impact in the internal market; (2) an important gateway for business users to reach end users; and (3) an entrenched and durable position in its operations. The DMA presumes that a core platform service satisfies these criteria if it meets the following thresholds:
significant impact: either annual EU revenue of €7.5 billion in each of the last three years, or market cap of €75 billion in the last financial year, and provides the same service in at least three member states;
important gateway: at least 45 million monthly active end users established or located in the Union and at least 10,000 yearly active business users established in the Union in the last year; and
entrenched and durable position: the end user and business user thresholds mentioned above were satisfied in each of the last three years.
Organizations falling within those thresholds are obliged to notify the Commission of their “gatekeeper” status within two months. Even if an organization does not satisfy these thresholds, the Commission may still designate it as a gatekeeper using a different set of criteria. Either way, once designated a gatekeeper, the organization is given six months to achieve compliance with the obligations summarized below.
DMA do’s and don’ts
The key obligations for gatekeepers under the DMA include:
providing end-users—upon request and free of charge—effective portability of data and the tools to do so;
providing business-users—upon request and free of charge—with “effective, high-quality, continuous and real-time” access and use of aggregated and non-aggregated data, including personal data;
allowing effective interoperability of hardware and software with third parties (including messaging services);
allowing “sideloading,” i.e., permitting app users to install and use apps that are downloaded from third-party app resources—but gatekeepers may take “duly justified” measures to prevent endangering the integrity of their hardware or operating systems;
permitting business users to access advertisement information on a daily basis, as well as access to the gatekeeper’s performance measuring tools;
permitting advertisers and publishers to run their own verification and measurement tools to assess performance on gatekeepers’ platforms; and
allowing business users to promote offers and conclude contracts with end-users outside the gatekeeper’s platform.
As for prohibitions, gatekeepers will not be allowed to:
combine or use personal data between their different core platform services, unless the end-user has provided GDPR-style consent;
restrict business- and end-users’ ability to raise complaints;
request business- and end-users use the gatekeeper’s own identification services, web browser engine, or payment services;
use business-users’ data to leverage a competitive advantage;
treat their own services and products more favorably in ranking (and related indexing and crawling) than similar services or products offered by third parties on the gatekeeper’s platform;
prevent consumers from linking up to businesses outside their platforms; and
prevent users from uninstalling any pre-installed software or app.
How does the DMA mesh with the GDPR?
Significantly, the DMA promotes the sharing of data sets that may include personal data. In such cases, the GDPR would be triggered on account of the involvement of personal data processing. Notwithstanding the DMA’s guarantee that it complements the GDPR without prejudice to its application, gatekeepers—as well as organizations acting as data recipients—will need to engage in a compliance assessment and regulatory dialogue, and seek further guidance, to determine how GDPR requirements apply to the activities required under the DMA.
Specifically in terms of the interplay between GDPR and DMA requirements, CPOs and counsel at both gatekeepers and data recipients will need to consider the following key issues:
The scope of the shared data.
Will data-sharing obligations be limited to data provided directly by individuals, or will they extend to data the gatekeeper observes, infers, or creates through routine user interaction?
Will the competitive value of generated data matter for sharing activities?
To what extent will gatekeepers’ intellectual property rights and privacy and security interests apply to the shared data?
What measures will be required to prevent re-identification of shared data that has been effectively anonymized?
The appropriate legal basis under the GDPR for the sharing and further processing of shared data.
To what extent would consent be a viable option for GDPR compliance purposes, given an individual’s ability to refuse consent to the re-use of data or to withdraw it at any time?
Would a legal obligation under the DMA itself provide an appropriate legal basis, or would such an obligation be considered necessary for the purposes of relying on the legitimate interests legal basis under the GDPR?
Compliance with the data protection principles of GDPR Article 5 (e.g., transparency, purpose limitation, data minimization, and accountability) and the respective obligations and liabilities of gatekeepers and data recipients under the GDPR with regard to shared personal data.
For example, who has the duty to carry out a data protection impact assessment?
Would gatekeepers need to perform privacy and security due diligence before or after sharing data with a recipient pursuant to the DMA?
Would gatekeepers’ responsibilities for any subsequent misuse of personal data end once the data has been shared?
More details about the interplay between the DMA and the GDPR can be found in a White Paper drafted by Hunton Andrews Kurth’s Centre for Information Policy Leadership entitled “Bridging the DMA and the GDPR.”
What lies ahead?
If the DMA is adopted in May as expected, it will enter into force in October 2022 and begin to apply six months later. Most expect the compliance process to then begin in the first quarter of 2023.
To help ensure legal certainty and promote the legislative goals of both the DMA and the GDPR, it will be essential to encourage further regulatory engagement and dialogue on how the obligations of the GDPR will work in concert with the DMA’s requirements. National data protection authorities and the European Data Protection Board will need to consider and interpret consistently the GDPR’s requirements in light of the DMA. They will also need to cooperate with the competition authorities enabling the Commission to enforce the DMA effectively. Finally, the Commission will need to specify further rules to ensure the correct implementation of the DMA’s provisions.
Moreover, to ensure appropriate security and prevent processing in violation of the GDPR, CPOs and counsel will need to address the obvious challenges created by the DMA’s provisions on sideloading, data portability, and cross-platform sharing. For this purpose, gatekeepers can also ask the Commission to specify the appropriate level of security to achieve effective DMA compliance. Interestingly, the U.S. is considering similar rules, and CPOs should also keep an eye on developments in the U.S. — specifically the proposed Open App Markets Act (S. 2710, H.R. 5017, H.R. 7030).
Finally, CPOs will need to work across organizational silos in their own companies — with their competition lawyers, privacy lawyers, CPOs, data officers and technologists — to enable use of data in compliance with both the DMA and the GDPR in a more holistic and effective manner.