This morning, the EU Internal Market and Consumer Protection Committee adopted its position on the Digital Markets Act (DMA) proposal.
The proposal stems from the observation that very few companies represent the largest share of the digital economy. To ensure the online market remains fair and contestable, new obligations and restrictions will be imposed on big online platforms that act as “gatekeepers”. Indeed, some of them exercise such control over the digital ecosystem that traditional businesses are now dependent on them, making it impossible for other operators to enter the market, with negative financial and societal implications.
To do so, thresholds have been determined to identify these gatekeepers, even if the Commission still might designate as such companies that don’t reach the lower limits. The scope entails online intermediation services, social networks and search engines, companies with a turnover of €8 billion in the European Economic Area and providing a core platform service in at least three Member States. As a result, the proposal targets Google, Meta, Amazon, Apple and Microsoft.
From a data protection point of view, the proposal complements the current regulations by specifying that gatekeepers will be responsible for complying with the new obligations laid down in the DMA together with other EU laws. It aims to implement transparency obligations on deep consumer profiling and mandatory opt-out for data combination across core platform services to strengthen and support GDPR enforcement.
Indeed, the Commission has taken into account that some entry barriers to the market are directly derived from network effects and data-driven advantages. In particular when the provider can access and collect personal and non-personal data on a massive scale and has huge analytics capabilities.
Therefore, according to the DMA draft, a gatekeeper shall refrain from combining personal data sourced from its core platform services with personal data from any other services it offers or with personal data from third-party services, and from signing in end-users to other services in order to combine personal data, unless the end-user has been presented with the specific choice and provided consent.
Transparency should also be enhanced, with gatekeepers being asked to provide the basis upon which profiling is performed, whether personal data and data derived from user activity is relied on, the processing applied, the purpose for and use of the profile, and the steps taken to inform users of such profiling, as well as to seek their consent.
The DMA will be voted in the plenary in mid-December 2021. The approved text will then be negotiated with EU governments, planned to start in the first semester of 2022. It should be contemplated together with the Digital Services Act, which will address other issues such as third-parties liability, illegal content and algorithms and will be submitted at a future meeting.
Even though it is designed to adapt the competition rules to the online market, consumer privacy is an essential part of the upcoming regulation changes. Indeed, and as highlighted by the EDPS, competition and data protection are intrinsically linked and the latter shall be reinforced too.
 Recital (61)