EU: Unpacking the EU's suite of new era digital legislation - Part two: the DMA

On 25 March 2022, a little more than a year after the initial proposal of the European Commission ('the Commission'), the Council of the European Union ('the Council'), and the European Parliament ('the Parliament') announced that they had reached a provisional political agreement on the Proposal for a Regulation on Contestable and Fair Markets in the Digital Sector (Digital Markets Act) ('the DMA'). The DMA, together with several other data and digital related legislative proposals, comprises the EU's envisaged regulatory framework for a digital single market in the EU. With regulation and enforcement of EU data protection laws as dynamic and evolving as ever, organisations could be forgiven for failing to keep pace with the recent flurry of legislative acronyms and their potential impact on business operations.

In this five-part Insight series, OneTrust DataGuidance aims to bring you up to speed, demystifying the acronyms as we unpick the broader policy context informing the legislative proposals, the key obligations that they will entail for affected parties, and the issues that must still be resolved in order to reach political consensus, with accompanying commentary and insights provided by Wim Nauwelaerts, Partner at Alston & Bird. In part one, we discussed the draft Data Act, in part two, we take a look at the DMA, and in part three, we will delve into the Digital Governance Act ('DGA').


Policy context

The DMA sits within the ambitious 'Europe fit for the Digital Age' strategy, as presented by the Commission at the end of 2020 [1]. The 'Europe fit for the Digital Age' strategy aims at, among other things, fostering innovation, growth, and competitiveness. It is in this perspective that the DMA seeks to comprehensively regulate the power of certain digital actors which operate as 'gatekeepers' in the digital sector, and to prevent unfair practices. Specifically, the DMA, in the text proposed by the Commission, explains that certain core online platforms increasingly 'enjoy an entrenched and durable position, often as a result of the creation of conglomerate ecosystems around their core platform services, which reinforces existing entry barriers' [2].

However, it should be noted that the DMA does not seek to replace the existing rules under EU competition law, but rather to complement them. Specifically, the DMA proposes a 'regulatory shift towards a pre-emptive model' [3]. In other words, the DMA seeks to establish an ex-ante strategy, on account of the fact that the mechanisms of competition law, by intervening after the restrictive or abusive conduct has taken place, do not seem able to rein in the gatekeeping potential of certain digital actors [4]. The DMA thus seeks to integrate EU competition law, in that it would create the conditions to act ahead of unlawful practices, without limiting the ability to intervene ex-post under EU (and national) competition rules [5].

In addition, the DMA should be considered together with another envisaged legislative development at EU level, namely the Digital Services Act ('DSA'). In fact, whereas the DMA focuses on economic considerations and unfair practices by large online platforms, the DSA aims to tackle wider societal risks, such as the safety of users online. On this basis, the DMA and the DSA establish one set of rules, directly applicable EU-wide, to create a safer and more open digital space [6].

Notably, the DMA complements data protection laws. For instance, the DMA, in the text proposed by the Commission, points out that transparency obligations on deep consumer profiling will help inform enforcement under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The interplay between the DMA and data protection law will be further discussed below.

Overview of key provisions

In summary, the DMA establishes rules and obligations that apply to certain providers of online platforms, sets out when such providers are 'gatekeepers', and establishes punishments in case of non-compliance with its rules and obligations.

At the time of writing, the text of the provisional agreement on the DMA reached by the Parliament and the Council has not been released yet. Therefore, the following paragraphs take into account the text of the DMA as proposed by the Commission, and the main amendments to the same agreed by the Parliament and the Council, as outlined by the relevant press release.

Subject matter and scope

The DMA's scope is to ensure contestable and fair markets in the digital sector across the EU, but solely where providers of core platform services meeting the 'gatekeepers' criteria are present (Article 1(1) of the DMA). Namely, under the DMA, core platform services are those that fall within the broad list indicated in Article 2(2) of the DMA, specifically:

  • online intermediation services;
  • online search engines;
  • online social networking services;
  • video-sharing platform services;
  • number-independent interpersonal communication services;
  • operating systems;
  • cloud computing services; and
  • advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by a provider of any of the core platform services listed in the points above.

The applicability of the DMA, provided that the further criteria to meet the definition of gatekeepers are met, depends on whether the 'core platform service' is either provided or offered to business users established in the EU, or end users established or located in the EU, regardless of the place of establishment or residence of the gatekeeper and is irrespective of the law otherwise applicable to the provision of service (Article 1(2) of the DMA).

Designation of gatekeepers

Chapter II of the DMA sets out the conditions for the designation of providers of 'core platform services' as 'gatekeepers'. More specifically, the DMA establishes that a provider of core platform services shall be designated as a gatekeeper if it meets the following qualitative criteria (Article 3(1) of the DMA):

  • it has a significant impact on the internal market;
  • it operates a core platform service which serves as an important gateway for business users to reach end users; and
  • it enjoys an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future.

Further to this, the DMA, in the text proposed by the Commission, established that the above qualitative criteria are presumed to be satisfied if a provider of core platform services meets certain quantitative criteria. On this point, the Council and the Parliament have raised the quantitative threshold previously identified by the Commission and accordingly, for a provider of core platform services to qualify as a gatekeeper, it must:

  • have had an annual turnover of at least €7.5 billion within the EU in the past three years, or have a market valuation of at least €75 billion;
  • have at least 45 million monthly end users and at least 10,000 business users established in the EU; and
  • control one or more core platform services in at least three member states.

The quantitative metrics serve as a rebuttable presumption to determine the status of gatekeeper; however, notwithstanding the quantitative criteria, a provider of a core platform service could still be deemed a gatekeeper on a case-by-case assessment by means of a market investigation [7].

Generally, small and medium-sized enterprises are exempt from being identified as gatekeepers. Notably, in order to ensure the obligations are imposed in a progressive manner, the DMA includes the category of 'emerging gatekeeper' which will enable the Commission to impose certain obligations on companies in a competitive position, not yet considered sustainable.

Obligations of gatekeepers

Chapter III of the DMA, in the text proposed by the Commission, specifies which practices of gatekeepers limit contestability and are unfair, and accordingly sets out obligations and prohibitions on the same.

The Council and the Parliament provisional agreement appears to confirm that gatekeepers must:

  • ensure that users have the right to unsubscribe from core platform services under similar conditions to subscription;
  • for the most important software, such as web browsers, not require this software by default upon installation of the operating system;
  • ensure the interoperability of their instant messaging services’ basic functionalities;
  • allow app developers fair access to the supplementary functionalities of smartphones (e.g. NFC chip);
  • give sellers access to their marketing or advertising performance data on the platform; and
  • inform the Commission of their acquisitions and mergers.

Conversely, gatekeepers are prohibited from:

  • ranking their own products or services higher than those of others (self-preferencing);
  • reusing private data collected during a service for the purposes of another service;
  • establishing unfair conditions for business users;
  • pre-installing certain software applications; and
  • requiring app developers to use certain services (e.g. payment systems or identity providers) in order to be listed in app stores.

Enforcement and penalties

Chapter V of the DMA, in the version proposed by the Commission, contains the provisions concerning enforcement and applicable penalties in case of non-compliance.

The DMA provides that its sole enforcer will be the Commission, which will have the power to issue non-compliance decisions as well as to impose fines. With regard to the latter, where a gatekeeper infringes the DMA, the Commission may issue a fine of up to 10% of the gatekeeper's total worldwide turnover, and when the violations have a recurrent nature, the upper limit of the fine is raised to up to 20% of the gatekeeper's worldwide turnover. Moreover, when a gatekeeper systematically fails to comply with the DMA, which is understood as at least three violations in eight years, then the Commission may proceed with a market investigation, which, in turn, may lead to behavioural or structural remedies.

Interaction with EU data protection law - expected challenges

The DMA, once enacted, will not sit in a legal vacuum, hence its interactions with other pieces of EU legislation, and notably EU data protection law, need to be considered.

In outlining the relevance of the DMA for companies from a data protection perspective, Nauwelaerts pointed out, "The DMA imposes obligations on gatekeepers to share both aggregated and non-aggregated data, and where mixed data sets are involved, gatekeepers will be subject to the GDPR to the extent that these data sets include personal data - which is most often the case.  In practice, this means that gatekeepers as well as business users should have a clear understanding of their respective roles and responsibilities under the GDPR, as controller, joint controller, or processor of the personal data that are processed in the context of core platform services. These roles and responsibilities will need to be defined and reflected in the gatekeeper's terms of use or GDPR-specific compliance documentation, such as data processing or joint controllership agreements. 

In addition to the general requirement to ensure compliance with the GDPR, some of the obligations that the DMA imposes on gatekeepers include references to specific GDPR requirements, which are likely to trigger a need for additional compliance measures. These specific requirements mainly relate to the legal bases for data processing, data access and portability, and data security in the context of core platform services".

Legal bases for processing

With respect to the legal bases for the processing, Nauwelaerts highlighted, "There is a strong emphasis on consent as the legislator's preferred legal basis for processing personal data collected via online platforms. Under the DMA, gatekeepers are not allowed to combine personal data obtained from different sources, unless the end user has been presented with specific choices, and has consented in the sense of the GDPR.  If the end user does not consent, the gatekeepers will not be able to rely on other legal grounds in the GDPR (such as legitimate interest). In the eyes of the Commission, data accumulation can result in unfair advantages for gatekeepers and therefore end users should have the free choice of whether or not to opt in to such data practice. The available options should be proactively presented to end users in an explicit, clear, and straightforward manner".

Nauwelaerts further specified, "If end user consent for collecting and further processing of personal data is required to ensure compliance with the DMA, gatekeepers will have to implement the necessary measures that enable business users to directly obtain the required consents from data subjects. Alternatively, they will have to ensure that their business users can comply with EU data protection law in another way, for instance, by providing business users with anonymized data instead of personal data. Gatekeepers will have to make sure that it is not more difficult for business users to obtain consent than it is for the gatekeeper in question".

Data access and portability

Nauwelaerts further identifies that "[t]he DMA requires gatekeepers to provide business users with effective, high-quality, continuous, and real-time access and use of the data that are processed in the context of core platform services. To the extent that the processing involves personal data, providing such access and use will only be required if two cumulative conditions are fulfilled:

  1. the data must be directly connected with the use by the end user in respect of the products or services offered by the business user through the core platform services, and
  2. the end user has consented (in accordance with the GDPR) to the data sharing.

When these conditions are fulfilled, gatekeepers will have to allow unhindered access to the data, free of charge. For many gatekeepers, this means that they will have to invest in implementing technical measures aimed at facilitating data access by business users. With these data sharing obligations, the DMA goes far beyond the GDPR’s right of access by the data subject; it establishes a new right of data access for business users, who seek to use the data for their own (commercial) purposes.

The DMA also builds upon and expands the data portability right that is enshrined in the GDPR. Gatekeepers will be required to provide tools to end users to facilitate their exercise of the data portability right under the GDPR, including by providing continuous and real-time access to data. This can be achieved, for example, through high-quality application programming interfaces. In addition, facilitating switching or multi-homing should result in increased choices for business users and end users, while creating incentives for all stakeholders to innovate".

Data security

The DMA would also create challenges for data security. In this regard, Nauwelaerts commented:

"In the case of core platform services involving search engines, the DMA requires gatekeepers to allow third-party search engines fair, reasonable, and non-discriminatory access to search related data. Gatekeepers will also have to ensure that personal data are anonymised before granting access to those data. What anonymisation means in this specific context is, however, unclear at this point. Without further guidance from the Commission or the European Data Protection Board on this topic, it can be expected that gatekeepers will develop diverging practices around this anonymisation requirement. The DMA also expects these gatekeepers to refrain from substantially degrading the quality or usefulness of the search data. Again, without proper guidelines, it will be challenging for gatekeepers to reconcile this expectation with the legal requirement to apply anonymisation.

In addition to requiring the use of anonymisation as a privacy enhancing tool, the DMA obliges gatekeepers to build compliance with the new (Digital Markets) rules into the design of their core platform services. This implies that gatekeepers should take steps to apply data protection by design and by default, as much as, and as early as possible prior to launching new core platform services. This obligation may also cause gatekeepers to re-assess, and where necessary, re-design the services that they are currently offering.

The DMA further adds that in some cases it may be appropriate for the Commission, following a dialogue with the gatekeeper concerned, to further specify the measures that should be adopted in order to comply with not only the gatekeeper's obligations (to ensure fair practices) under the DMA, but also with the GDPR, the ePrivacy rules [8], and with legislation on cybersecurity, consumer protection, and product safety".

Enforcement

Additionally, Nauwelaerts explained that it remains unclear how the competent authorities will deal with cases of non-compliance with both the DMA and the GDPR. In particular, Nauwelaerts assesses the situation in the following terms:

"If a gatekeeper fails to comply with the DMA, the Commission will have the power to issue non-compliance decisions (Article 25 of the DMA), as well as impose fines (Article 26 of the DMA) and periodic penalty payments (Article 27 of the DMA). This centralised enforcement system is a major improvement over the GDPR's enforcement regime, which is characterised by fragmented enforcement powers in the hands of 27 supervisory authorities throughout the EU.  Gatekeepers - whose business activities are cross-border by nature - will find it more efficient having to deal with only one regulator in the EU when their compliance with the DMA is challenged. However, it is currently unclear how enforcement will work in cases where a gatekeeper has failed to comply with both the DMA and the GDPR, and whether non-compliant gatekeepers could simultaneously face scrutiny and enforcement action by the Commission and supervisory authorities".  

Next steps

Now that a provisional agreement between the Council and the Parliament has been reached, it must be approved by both co-legislators.

Further to this, Article 39 of the DMA, in the text proposed by the Commission, provides that the DMA shall enter into force on the 20th day following the day of its publication in the Official Journal of the EU, and shall become applicable six months afterwards.

In the shorter term, the next step towards the enactment of the DMA will be the release of the finalised text of the provisional political agreement between the Parliament and the Council. This will allow the public to evaluate the full range of amendments agreed by the co-legislators, and thus the DMA in the version that is likely to be the final one.

Anna Baldin Privacy Analyst

Comments provided by:
Wim Nauwelaerts Partner
Alston & Bird, Brussels


1. Available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2347
2. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0842&from=en
3. Available at: https://www.europarl.europa.eu/RegData/etudes/STUD/2022/703345/IPOL_STU(2022)703345_EN.pdf
4. Supra.
5. European Commission DMA Proposal, pg. 4.
6. European Commission, the Digital Services Act Package, available at: https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
7. European Commission DMA Proposal, pg. 7.
8. Currently contained in the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), available at: https://platform.dataguidance.com/legal-research/directive-privacy-and-electronic-communications-200258ec-amended-eprivacy-directive. Please note that a Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) was presented by the Commission in 2021.
