Four years after the GDPR (General Data Protection Regulation) took effect, the EU is on the verge of another landmark piece of data protection legislation.
The EU DMA (Digital Markets Act), which intends to limit the power of tech giants operating in the EU, was this week approved by the European Commission alongside the Digital Service Package.
Under the legislation, large digital platforms will be subject to new rules regarding the use of sensitive data. The objective is to ensure a level playing field in the tech sector and to promote greater competition in the industry.
What is the Digital Markets Act?
The DMA is an upcoming legislation that seeks to restrict the powers of large tech firms and curb unfair practices in the way sensitive data is used.
The legislation won’t supplant existing competition laws, instead targeting as-yet-unregulated online practices.
According to the European Commission’s proposal, the DMA will target “gatekeepers” who exercise considerable economic power over “whole platform ecosystems in the digital economy”.
The proposal states that these practices stifle new market participants and create “serious imbalances in bargaining power”.
There have been calls for tighter regulation for several years. The European Commission introduced the first draft of the legislation in 2020 as part of the EU’s digital strategy.
Negotiations were slow going, with the European Commission, the European Parliament and the EU Member States all being consulted. A provisional agreement was reached on 24 March 2022, and a final decision is expected this week.
Who will the DMA affect?
The DMA targets the “gatekeepers” of digital platforms – i.e. organisations that have a stranglehold within “core platform services”. Those services include search engines, social networking services, video-sharing platforms, web browsers, virtual assistants, cloud computing providers and online advertisers.
What makes an organisation a “gatekeeper” is still uncertain, with the DMA relying on subjective criteria. It states that an organisation will fall within its scope if it:
- Has a significant impact in the internal market;
- Provides an important gateway for business users to reach end users; and
- Holds an entrenched and durable position in its operations.
Those terms are also given a more concrete definition. The DMA states that an organisation will have a “significant impact in the internal market” if it:
- Has an annual EU revenue of €7.5 billion in each of the last three years;
- Has a market cap of €75 billion in the last financial year; and
- Provides the same service in at least three member states.
Organisations that provide an “important gateway for business users to reach end users” are defined as those with:
- At least 45 million monthly active end users established or located in the EU; and
- At least 10,000 yearly active business users established in the EU.
Finally, an organisation will be considered to have an “entrenched and durable position in its operations” if the end user and business user thresholds have been satisfied in each of the last three years.
Organisations that meet each of those thresholds will be required to notify the European Commission of their “gatekeeper” status within two months. Once that status has been confirmed, the organisation will be given six months to achieve compliance.
What are the DMA’s requirements?
The DMA’s requirements can be split into “obligations” and “prohibitions” – i.e. things organisations must do and things they cannot do.
Under the current proposals, organisations must:
- Give end users the right to effective portability of data and the tools to do so;
- Give business users the right to “effective, high-quality, continuous and real-time” access to and use of aggregated and non-aggregated data, including personal data;
- Allow effective interoperability of third-party hardware and software;
- Enable “sideloading” – i.e. permit users to install and use apps that are downloaded from third-party app sources;
- Allow business users to access advertisement information on a daily basis, as well as access to the gatekeeper’s performance measuring tools;
- Allow advertisers and publishers to run their own verification and measurement tools to assess performance on gatekeepers’ platforms; and
- Allow business users to promote offers and conclude contracts with end users outside the gatekeeper’s platform.
Meanwhile, organisations will be prohibited from:
- Combining or using personal data across their different core platform services (for example, the Meta-owned Facebook and WhatsApp), unless the end user has provided GDPR-style consent;
- Restricting users’ ability to raise complaints;
- Requiring people to use the gatekeeper’s own identification services, web browser engine or payment services;
- Using business users’ personal data to gain a competitive advantage;
- Treating their own services and products more favourably in ranking (and related indexing and crawling) than those offered by competitors;
- Preventing consumers from linking up to businesses outside their platforms; and
- Preventing users from uninstalling pre-installed software or apps.
Although the DMA is expected to pass its final review later this week, organisations shouldn’t expect a drastic overhaul right away. A transition period is expected to last until at least 2024, with organisations using this time to adjust their business practices accordingly.
It will also be necessary to determine how the DMA’s requirements will affect existing obligations under the GDPR. National data protection bodies and the European Data Protection Board will need to review the requirements and ensure that they can be applied consistently with existing laws.
Finally, the European Commission will need to specify further rules to ensure that the DMA’s provisions are interpreted and implemented correctly.
Although implementation seems a long way off, it’s always advisable for organisations to stay on top of the latest regulatory developments and ensure they have the knowledge to anticipate and respond to industry changes.
If your organisation has a DPO (data protection officer), they will be able to advise you on how to proceed. Even if you aren’t legally required to appoint one, the potential for regulatory change demonstrates why it’s helpful to have internal expertise.
There are many ways that organisations can appoint a DPO or someone in a similar role, so if you’re worried about the cost of hiring a full-time expert, you needn’t be. One option is to appoint an internal candidate, while another is to hire a third party on a service contract.
You can find out more about hiring a DPO and the advice they can give you about regulatory changes on our website.