How the EU Digital Markets Act Affects GDPR
Coming into effect later this year, the EU Digital Markets Act will have a profound effect on the regulation of ‘gatekeeper’ giants in the digital tech sector. It will also intersect with GDPR rules, impacting many companies currently active in Europe.
Bojana Bellamy and Aaron Simpson of Hunton Andrews Kurth LLP examine this impact and how businesses should prepare below.
The new EU Digital Markets Act (DMA), a landmark piece of antitrust legislation intended to maintain competition specifically in the digital sector, has cleared the final legislative hurdle after its adoption by the Council of the European Union in July. This is the first major overhaul of digital legislation in the EU in more than two decades and will have an impact throughout the tech industry for years to come.
The DMA sets out a new framework of obligations for large online platforms, so-called ‘gatekeepers’ who provide ‘core platform services’. The DMA provides an extensive list of what constitutes ‘core platform services’ — ubiquitous services such as search engines, social networking services, video-sharing platform services, operating systems, web browsers, virtual assistants, cloud computing services and online advertising services all fall within scope. The DMA further applies a threshold in terms of turnover, end users and business user numbers that generally must be met, which limits the field of regulated entities.
Although the DMA will not come into force before Q2 2024 (with a six-month implementation phase), companies providing ‘core platform services’, and those likely to receive data from such companies, should proactively seek to understand the implications not only of the DMA, but also how the DMA interacts with existing privacy laws such as the EU General Data Protection Regulation (GDPR).
Background to the Act
The DMA has been in discussion since 2020 as a supplement to existing competition law and part of the EU’s overall digital strategy. The stated purpose is to rein in what legislators perceive to be the substantial economic power of major tech companies and their ability to block “the entry of new market participants”, leading to “serious imbalances in bargaining power.”
The DMA essentially establishes additional requirements for core online platforms, designated in the DMA as ‘gatekeepers’, to ensure they are not limiting competition in the digital market. These obligations largely reflect and codify the existing competition law cases and doctrine of the EU Commission and the Court of Justice of the European Union.
Who Will Be Impacted by the DMA?
The DMA applies directly only to those core platform services acting as ‘gatekeepers’. The DMA defines ‘gatekeeper’ to mean those online platforms that (i) significantly impact the internal market, (ii) provide an important gateway for business users to reach end users, and (iii) enjoy an entrenched and durable position in their operations. In addition to this general definition, the DMA presumes that a core platform service satisfies these criteria where it meets the following economic thresholds:
- Internal market impact: achieving annual turnover in the European Economic Area (EEA) equal to or above €7.5 billion in each of the last three financial years or an average market capitalisation or equivalent fair market value amounting to at least €75 billion in the last financial year and providing the same core platform service in at least three EU Member States.
- Important gateway: where the company operates a core platform service with more than 45 million monthly active end users established or located in the EU and at least 10,000 yearly active business users established in the EU in the last financial year.
- An entrenched and durable position: where the company met the end user and business user thresholds above in each of the last three financial years.
Organisations falling within scope of the above definitions must notify the Commission of their gatekeeper status without delay per the DMA. The Commission can also designate an organisation as a gatekeeper even where it does not strictly meet all of the above criteria.
The DMA imposes certain prohibitions and obligations on those organisations it intends to regulate – the “Do’s and Don’ts” of the DMA.
Key gatekeeper Dos:
- Provide data portability to end-users — upon request and free of charge — and assist end users accordingly;
- Provide “effective, high-quality, continuous and real-time” access and use of aggregated and non-aggregated data, including personal data, to business users — again only upon request but free of charge;
- Implement effective interoperability of hardware and software with third parties (including messaging services);
- Provide for ‘sideloading’, i.e. permit app users to install and use third-party apps (“duly justified” measures by the gatekeeper to prevent endangering the integrity of the gatekeeper’s hardware or operating systems are permitted);
- Enable business users to access ad information on a daily basis, as well as access to the gatekeeper’s performance measuring tools;
- Provide advertisers and publishers with the ability to run their own verification and measurement tools to assess performance on gatekeepers’ platforms; and
- Allow business users to promote offers and conclude contracts with end-users outside the gatekeeper’s platform.
Key gatekeeper Don’ts:
- Combine or use personal data between individual core platform services, other gatekeepers or even third-party services, including for advertising purposes, unless the end-user has provided GDPR-style consent;
- Restrict business and end-users’ ability to raise complaints;
- Restrict business and end-users to using only the gatekeeper’s identification services, web browser engine, or payment services;
- Use business-users’ data to leverage a competitive advantage;
- Favour gatekeeper’s own services and products in ranking (and related indexing and crawling) compared to similar services or products offered by third parties on the gatekeeper’s platform;
- Prevent consumers from linking up to businesses outside their platforms; and
- Restrict the removal of any pre-installed software or app.
Interaction With EU Data Protection Law – Expected Challenges
The DMA, once enacted, will not sit in a legal vacuum, and its interactions with EU and member state legislation will need to be considered – most notably, data protection legislation. The DMA references the GDPR, and gatekeepers and data recipients under the DMA alike will need to assess how GDPR requirements apply relative to the DMA. We outline below the key considerations:
Prohibition of combining data across platform services
Combining and comparing certain elements of the data, including personal data, is essential for ensuring a high level of security across platforms and for detecting and preventing malicious activity, such as identifying aliases for fraud prevention. This generally would be covered by the ‘legitimate interest’ legal basis under the GDPR. The DMA, however, provides only for a limited exception to its prohibition of data combination, namely where the end-user has provided consent. The DMA also states that its prohibition is without prejudice to the additional, limited legal bases under Art. 6(1) GDPR, namely “legal obligation”, “vital interest of the data subject” and “public interest”. These provisions will need careful consideration and interpretation before implementation in practice:
- If the proposed consent is intended to be interpreted as consent under the GDPR, does the DMA have the authority to change the GDPR and limit the legal bases available for processing personal data under the GDPR? The DMA is not supposed to be lex specialis to the GDPR.
- Consent has limited application in relation to data uses and combination for data security, or fraud prevention and detection. Bad actors are not likely to provide it. Consent can be withdrawn. Proliferation of consent requests for each service would result in consent fatigue.
- The reference to “legal obligation”, “vital interest of the data subject” and “public interest” under Article 6(1) GDPR raises the question of which use cases these bases would cover in the context of the DMA. Relying on ‘public interest’ as a private organisation, for instance, can only have very limited and narrowly defined application.
The scope of the shared data
- Are data-sharing obligations limited to data provided directly by individuals, or would they also include data the gatekeeper observes, infers and creates through routine user interaction?
- Will only data with a competitive value matter for data sharing obligations?
- How will gatekeepers’ intellectual property, privacy and data security interests find application in the data sharing process?
- What measures will be required to prevent re-identification of shared data that has been effectively anonymised or pseudonymised?
Liability of gatekeepers and data recipients under GDPR data protection principles with regard to shared personal data
- Who is responsible for carrying out data protection impact assessments?
- Do gatekeepers have to perform privacy and security due diligence before or after sharing data with a recipient pursuant to the DMA? Can they refuse to share where the due diligence identifies risks?
- Would gatekeepers’ responsibilities end for any subsequent misuse of personal data after sharing?
For a more detailed analysis regarding the interplay between the DMA and the GDPR, please see the White Paper by Hunton Andrews Kurth’s Centre for Information Policy Leadership: ‘Bridging the DMA and the GDPR’.
The DMA will be published in the Official Journal, likely in October 2022, and come into force 20 days later with a six-month implementation period. Gatekeepers will have a maximum of six months after designation to comply with the new rules. Fines for violations of the DMA can reach up to an eye-watering 10% of their annual global turnover or up to 20% in case of repeat offenders, e.g. violating similar obligations relating to the same core platform service.
Companies in scope for any of the DMA’s effects need to begin planning for its implementation. They will have to consider the practical challenges of appropriate security and GDPR-compliant processing created by the DMA’s provisions on data sharing, sideloading, data portability and data combination across platforms. The Commission has powers to issue further implementation guidance, which should be welcomed by impacted businesses. Gatekeepers also have the ability to request further guidance from the Commission regarding the appropriate level of security.
That being said, only further, multistakeholder regulatory engagement and cooperation will ensure legal certainty and coherent application of GDPR in concert with the DMA’s requirements. National data protection authorities and the European Data Protection Board must develop consistent guidance across the Union with respect to the DMA. Cooperation with the competition authorities on the EU and national level also will be vital.
As we have seen with the GDPR, given the hot-button nature of the issues that triggered the creation of the DMA, the introduction of new digital legislation in the EU may well have a global knock-on effect. Legislators in the US, Japan and Australia have recently been publicly calling for tighter regulation of online platforms. As the DMA takes shape across the EU, global platforms will need to carefully monitor developments in the US (for instance, the proposed Open App Markets Act (S. 2710, H.R. 5017, H.R. 7030)), Japan and other countries.
Bojana Bellamy, President
Aaron Simpson, Partner
30 St Mary Axe, London EC3A 8EP
Tel: +44 02072 205703 | +44 02072 205612
E: bbellamy@HuntonAK.com | asimpson@HuntonAK.com
Bojana Bellamy is the President of Hunton Andrews Kurth LLP’s Centre for Information Policy Leadership (CIPL), a preeminent global privacy and data policy think tank located in Washington DC, London and Brussels.
Aaron Simpson is a partner at Hunton Andrews Kurth in the firm’s New York and London offices. He advises clients on a broad range of complex global privacy, data protection and cybersecurity matters, including with respect to existing and emerging requirements in the US and EU.
More details about the Japanese Digital Markets Competition Council’s Interim Assessment of Competition within the Mobile Ecosystem can be found in the official public consultation response by the Centre for Information Policy Leadership to the Interim Assessment.