• Implement effective interoperability of hardware and software with third parties (including messaging services); • Provide for ‘sideloading’, i.e. permit app users to install and use third-party apps (“duly justified” measures by the gatekeeper to prevent endangering the integrity of the gatekeeper’s hardware or operating systems are permitted); • Enable business users to access ad information on a daily basis, as well as access to the gatekeeper’s performance measuring tools; • Provide advertisers and publishers with the ability to run their own verification and measurement tools to assess performance on gatekeepers’ platforms; and; • Allow business users to promote offers and conclude contracts with end-users outside the gatekeeper’s platform. Key gatekeeper Don’ts: • Combine or use personal data between individual core platform services, other gatekeepers or even third-party services, including for advertising purposes, unless the end-user has provided GDPR style consent; • Restrict business and end-users’ ability to raise complaints; • Restrict business and end-users to using only the gatekeeper’s identification services, web browser engine, or payment services; • Use business-users’ data to leverage a competitive advantage; • Favour gatekeeper’s own services and products in ranking (and related indexing and crawling) compared to similar services or products offered by third parties on the gatekeeper’s platform; • Prevent consumers from linking up to businesses outside their platforms; and • Restrict the removal of any pre-installed software or app. Interaction With EU Data Protection Law - Expected Challenges The DMA, once enacted, will not sit in a legal vacuum, and its interactions with EU and member state legislation will need to be considered – most notably, data protection legislation. The DMA references the GDPR, and gatekeepers and data recipients under the DMA alike will need to assess how GDPR requirements apply relative to the DMA. We outline below the key considerations: Prohibition of combining data across platform services Combining and comparing certain elements of the data, including personal data, is essential for ensuring high-level security across platforms and to detect and prevent malicious actor activity, such as identifying aliases for fraud prevention. This generally would be covered by the ‘legitimate interest’ legal basis under the GDPR. The DMA, however, provides only for a limited exception to its prohibition of data combination, namely where the end-user provided consent. The law also makes reference to the additional limited legal basis under Art. 6 (1) GDPR, which the DMA prohibition is to be without prejudice to, namely “legal obligation”, “vital interest of the data subject”, or “public interest”. These provisions will need careful consideration and interpretation before implementation in practice: • If the proposed consent is intended to be interpreted as consent under GDPR, does the DMA have the authority to change GDPR and limit the available legal basis for processing personal data under the GDPR? The DMA is not supposed to be lex specialis to the GDPR. • Consent has limited application in relation to data uses and combination for data security, or fraud prevention and detection. Bad actors are not likely to provide it. Consent can be withdrawn. Proliferation of consent requests for each service would result in consent fatigue. • The reference to “legal obligation”, “vital interest of the data subject”, or “public interest” of Article 6 (1) GDPR invites the question as to the use cases in the context of the DMA. Relying on ‘public interest’ for private organisations, for instance, can only have very limited and narrowly defined application. The scope of the shared data • Are data-sharing obligations limited to data provided directly by individuals, or would they also include data the gatekeeper observes, infers and creates through routine user interaction? • Will only data with a competitive value matter for data sharing obligations? 44 LAWYERMONTHLY SEPTEMBER 2022
RkJQdWJsaXNoZXIy Mjk3Mzkz