Introduction to Digital Markets Act
The dominance of large online platforms has been plaguing the EU’s digital economy. Although the number of small and medium online platforms operating across the EU exceeds 10,000, the largest share of the market is occupied by a small number of large online platforms. To rebalance the competitiveness of the market, legal solutions have been crafted by various national authorities to regulate large digital platforms. However, this fragmented approach begets unsuccessful decisions against large platforms, as they continue to retain a disproportionate power to influence the digital market. Against this backdrop, the Digital Markets Act (DMA) started to apply from 3 May 2023, aiming to ensure a centralised enforcement scenario as well as a contestable and fair digital market in the EU.
The DMA specifically targets large online platforms that provide core platform services, ranging from online social networking and video-sharing platform to cloud computing and virtual assistants. As core services providers, they offer an important gateway between business users and end users, a position that can grant them the power to act as a private rule maker, and thus create a bottleneck in the digital economy. If they meet the quantitative thresholds of over 45 million active end users each month or over 7.5 billion euros turnover in the last three financial years, these large online platforms will be designated as ‘gatekeepers’ in the DMA, and thus be obliged to comply with a list of do’s and don’ts, including data-related obligations.
Transition from Separation to Interplay
Traditionally prior to the enactment of the DMA, data protection and competition were considered as distinctive issues, and hence governed by separate areas of law.[1] In the case of Asnef-Equifax, the European Court stated that “any possible issues relating to the sensitivity of personal data are not, as such, a matter for competition law, they may be resolved on the basis of the relevant provisions governing data protection[2]”. This separation implication is further substantiated by the merger case of Facebook and WhatsApp, where the European Commission stated that data protection issues “do not fall within the scope of the EU competition law rules but instead within the scope of the EU data protection rules[3]”.
Contrary to this traditional separation approach, the DMA takes a harmonised stance, where competition rules are intertwined with data protection. This interplay can be initially found in the elements that need to be considered by the European Commission while designating the gatekeeper. Apart from the economic size (e.g. turnover and market capitalisation), it is specified that, inter alia, network effects relating to the organisation’s access to and collection of personal data, as well as a conglomerate corporate structure enabling the organisation to combine data from different sources, must be taken into account. Adding these advantages to assess the market dominance of a gatekeeper heralds a new era where the EU authorities have realised the important role played by data in the digital market, and thus decided to integrate data protection into competition regulations to “contribute to the proper functioning” of this market across the EU. Starting from this transition, we will focus on the specific data-related obligations of gatekeepers listed in the DMA to explore how the DMA would fit in a broader context of rules concerning data protection in the General Data Protection Regulation (GDPR).
Lawfulness of Data Combination and Cross-use by Gatekeepers
Concerning the protection of personal data, Article 5(2) of the DMA imposes the most restrictive burden on the gatekeeper, who is banned from combining and cross-using personal data from different services provided separately by the gatekeeper. Taking Apple as an example, it has provided the operating system iOS, the web browser Safari, the virtual assistant Siri, and the cloud computing service iCloud, all of which are listed as core platform services in the DMA. If Apple is designated as a gatekeeper by the Commission, it will not be allowed to combine and cross-use personal data collected separately from each service even though Apple is the sole provider of these services. The rationale behind this restriction, from data protection perspective, is the principle of purpose limitation in the GDPR – personal data collected for one service cannot be reused for the purpose of another service.
This ban would be lifted if the gatekeeper could rely on the lawful basis of legal obligation, vital interest, public interest, or effective consent. However, confronting the dominant position of the gatekeeper, could consent be freely given by the user of services? The German Competition Authority challenged the validity of consent in the case of Meta v. Bundeskartellamt, where they stated that Facebook users did not give consent freely and effectively through the social network’s terms of service because there was an imbalance of power between the data controller and the data subject. Granted that it is unlikely that the user is able to deny his or her consent to data processing when an imbalance of power occurs in the gatekeeper context, this does not mean that the gatekeeper cannot rely on consent as a lawful basis for data combination and cross-use. In other words, the dominant position of the gatekeeper cannot per se render consent invalid. As long as the gatekeeper could testify that the user can exercise a real choice, the provision of its service is not conditional on consent to combine or cross-use data, and there is no risk of negative consequences if the user denies or withdraws consent, the consent could be utilised by the gatekeeper as a lawful basis. This interpretation resonates with the EDPB’s guideline on consent[4] and the advisory opinion from Advocate General Rantos[5]. It needs to be highlighted though that the purpose of data combination or cross-use must be separated from other purposes pursued by the gatekeeper, and consent is required to be obtained for each purpose.
Miscellaneous Data Protection Concerns
It has also been noticed that the DMA allows users to switch platforms if they wish so, providing better interoperability with services that are alternative to those of the gatekeeper. For example, under the DMA, users of WhatsApp, the messaging platform provided by Meta, would be allowed to switch to Apple’s iMessage or any other platforms offering similar services. However, during the switching process, how to ensure the free movement of data from the gatekeeper to another service provider could present technical challenges. Although gatekeepers are not required to adopt compatible data processing systems, it is advised that the interoperable programming systems and data formats are standardised in each of the core platform services listed in the DMA to facilitate data transmission. This would also potentially serve to demonstrate the gatekeepers’ compliance with the requirement of the right of data portability in the GDPR.
Another potential concern is the third-party access to data provided by the gatekeeper when the third party is using the gatekeeper’s platform to offer products or services. A typical example is the third-party mobile applications provided in the operating system such as iOS and Android. In this scenario, Apple and Google, both of which could be designated as gatekeepers, are required to grant third party access to data directly connected with the use of relevant mobile applications offered by third party. It is understood that aggregated data could be shared with third parties given these data are out of the scope of GDPR, while non-aggregated personal data need to be consented by the user to such sharing.
Lastly, the DMA requires gatekeepers to submit to the Commission an independently audited description of the profiling techniques they use and to publish a summary version of that audited description. The Commission is then required to transmit that audited description to the European Data Protection Board (EDPB). It is uncertain, however, how these bodies will effectively coordinate and cooperate for enforcement purposes, if it is found that such profiling is against GDPR, for example, for lack of explicit consent from the user. This question waits to be resolved by the Commission.
Conclusion
Undoubtedly, by integrating data protection and competition rules, the DMA will not only create fair competition and generate robust innovation, but also provide a high level of GDPR-compliant data protection to service users. The digital market participants are glad to see these potential benefits brought by the DMA, but the concentration of enforcement power of the European Commission who is the sole enforcer appears to be risky, as the involvement of the EDPB and national data protection and competition authorities has been significantly restricted. The extent of the cooperation between the Commission and the aforementioned authorities will determine how risks of this centralised enforcement model could be mitigated to establish a fair and contestable data-driven market in the digital sector across Europe.
[1] Information Governance Services. Looking Ahead: The EU Approach to Competition and Data Protection. https://www.informationgovernanceservices.com/looking-ahead-the-eu-approach-to-competition-and-data-protection/. Accessed 04 May 2023.
[2] Judgment of the Court (Third Chamber) of 23 November 2006. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62005CJ0238. Accessed 04 May 2023.
[3] European Commission. Mergers: Commission approves acquisition of WhatsApp by Facebook. https://ec.europa.eu/commission/presscorner/detail/en/IP_14_1088. Accessed 04 May 2023.
[4] European Data Protection Board. Guidelines 05/2020 on Consent under Regulation 2016/679. https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Accessed 04 May 2023.
[5] Opinion of Advocate General Rantos delivered on 20 September 2022. https://curia.europa.eu/juris/document/document.jsf?text=&docid=265901&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=423303. Accessed 04 May 2023.
