The EU’s Digital Markets Act: What Does It Mean for Businesses and Data Privacy?

What is the Digital Markets Act (DMA)?

The EU’s Digital Markets Act seeks to ensure that EU digital markets are contestable and fair. The act imposes a set of obligations on designated “gatekeepers” (i.e., providers of core platform services (CPSs), including search engines, social networking services, web browsers, communications services, online advertising services and virtual assistants) that apply throughout the EU. The European Council adopted the DMA in July 2022. It enters into force in November 2022 and will apply six months later.

Why Does it Matter?

• The European Commission and national competition authorities in the EU consider data to play an important role in creating competitive advantages for large digital players. According to the DMA, a platform with access to large amounts of data – including personal data – can exercise control over entire platform ecosystems in the digital economy and are “extremely difficult to challenge” by new or existing market operators.
• The EU has sought to tackle concerns with data concentration by giving the DMA a strong focus on data – including personal data – accumulated by gatekeepers. The DMA introduces obligations on gatekeepers aimed at ensuring that using such data does not unfairly undermine the contestability of CPSs.
• The obligations on gatekeepers imposed by the DMA overlap with the provisions and obligations of other EU legislation, in particular the General Data Protection Regulation (GDPR). Gatekeepers and their business users will need to assess how the DMA impacts their compliance with the GDPR.
• Particular attention should be paid to DMA obligations that are imposed on gatekeepers but create downstream responsibilities for business users when engaging with gatekeepers. Set out below are some of these obligations and the issues that businesses should consider before the DMA starts to apply in May 2023.

Areas of Focus for Businesses

• The DMA requires gatekeepers to enable the installation and use of third-party apps and app stores that use or interoperate with their own operating system. In other words, the DMA allows users to purchase and download apps from more than one app store, regardless of their device’s default operating system.
  
  However, gatekeepers can apply “proportionate measures” and settings to enable users to protect security in relation to third party apps or app stores. Security measures are typically aimed at protecting data – particularly personal data – processed by a given app or app store. This creates potential conflicts between the measures and settings that gatekeepers can implement under the DMA and the GDPR, and ePrivacy Directive compliant permissions obtained from third-party apps or app stores in relation to the use of personal data.
  
  Although gatekeepers are required to justify the measures that are introduced, there will be uncertainty as to how app developers and app store operators avoid providing users with conflicting information if they do not consider that a given security measure is necessary. Another consideration: Ensuring gatekeepers do not use the security measures to override previously granted permissions.

• The DMA introduces a data portability obligation. It requires gatekeepers to provide an end user and/or business user with access to data provided by the user or generated through the activity of the user through use of the gatekeeper’s CPSs, including the provision of continuous and real-time access to such data.
  
  According to the DMA, companies should comply with this obligation “in line with” the GDPR. Data subjects infrequently exercise the right to data portability under the GDPR, and it has not been subject to significant enforcement by data protection authorities. Furthermore, the GDPR only applies to the personal data of physical persons, not legal entities (i.e., a typical “business user”).
  
  It remains to be seen how satisfaction of the portability obligation in relation to business users will align with the GDPR-imposed data subject right. Perhaps this obligation will also cover personal data of end users relevant to a business user, and business users will become “joint controllers” of personal data disclosed under the DMA’s portability obligation, requiring a separate agreement with the gatekeeper.
  
  In addition, it is unclear how this portability requirement will interact with the data disclosure obligation set out in the DMA, discussed below. The obligation of “portability” requires the disclosure of data in a format that is reusable and thus is not the same as mere “access,” but both must be provided on a continuous and real-time basis.
• In addition to the portability requirement, gatekeepers are required to provide business users or their authorised third parties with effective, high quality, continuous and real-time access to aggregated and non-aggregated data, including personal data, that is required for or generated through use of the gatekeeper’s CPSs. This obligation allows business users or their authorised third parties to access data on the gatekeeper’s users’ interaction with the services offered by the business user through the gatekeeper’s platform.
  
  Again, the nature of the relationship between the gatekeeper and the business user or authorised third party is not clear: Are they joint controllers for the purposes of the GDPR? Which party will set the terms of the joint controller agreement? And will the business user be able to influence the consent wording?
• The DMA requires gatekeepers to provide third-party online search engine operators with access -- on fair, reasonable and non-discriminatory terms – to ranking, query, click and view data in relation to free and paid search generated by end users on its online search engines. It also requires anonymity for any query, click or view data that constitutes personal data.
  
  This may create compliance risks for gatekeepers and search engines. The challenges associated with anonymising search queries – or any personal data – are well-documented: The third-party search engine risks violating the GDPR if it obtains data from a gatekeeper that is not anonymised. Risk allocation between parties will be a key point of discussion, and search engine operators will expect transparency into the technical measures that gatekeepers adopt to comply (anonymisation is not optional – users may not consent to sharing search data that has not been fully de-identified).
• The DMA contains an “anti-circumvention” clause relating to collecting consent for processing personal data when that is required to comply with the DMA. Gatekeepers must either enable business users to collect consent directly from end users or comply with EU data protection rules “in other ways,” including by providing business users with anonymised data. Gatekeepers are not allowed to make obtaining consent by a business user more burdensome than it is for its own services. Although the spirit of this provision is clear, the implementation leaves generous scope for interpretation.

Be Prepared

The DMA is far-reaching and will affect gatekeepers as well as business users who rely on or use gatekeepers’ CPSs for their own services. In advance of the DMA coming into effect, business users should identify areas of their businesses that the DMA could impact and consider how to engage with large digital platforms to derive the advantages that the DMA could confer.