and Jannigje Bezemer and Laura Grant.
I. Introducing the Digital Package
In December 2020, the European Commission released a digital package aimed at creating a safer space for users in line with its digital strategy. To do this, it adopted two legislative proposals known as the Digital Markets Act (DMA) and the Digital Services Act (DSA). By 25th March 2022, a political agreement was reached regarding the DMA and almost a month later – 23rd April 2022 – the same was agreed upon with the DSA. The European Parliament approved both Acts on 5th July 2022, and the Council formally approved the DMA on 18th July 2022. The DSA should be approved by September. Once approved, they will enter into force 20 days after their publication in the EU Official Journal. The DMA will then become directly applicable six months after entry into force, whilst the DSA will be applicable by 1st January 2024 or after fifteen months, whichever comes later.
A key question concerning the impact of each instrument on users’ fundamental rights is how far the DMA-DSA proposals will help strengthen or complement the GDPR. The digital package focuses primarily on regulating the online market; when providing services online, businesses rely heavily on the collection of personal data, and therefore the intertwined application of the GDPR (General Data Protection Regulation), DMA, and DSA requires more exploration.
This two-part blog post series will introduce the rationale behind the digital package and the provisions and aims of both the DMA and DSA. It will demonstrate the impact of both Acts on users’ fundamental rights online, their relationship to the GDPR, and provide commentary and critique from relevant bodies and authorities in the field. The first instalment of this series will focus primarily on the Digital Markets Act.
II. Why the need for such proposals?
The digital package was created by the Commission to regulate and harmonize landmark rules concerning online platforms in the European Union (EU). With the proposed package, the Commission aims to make online platforms more transparent and accountable for how they track and use personal data. At the same time, it aims to empower users with the freedom of choice regarding the content they receive. In this way, the goal is to reduce the dominance of large tech firms, provide protection for “netizens”, and remove barriers for smaller businesses.
But that sounds so abstract, does it not? Well, think of it this way:
You are an online user. You open your browser and start searching for information. When you reach for your phone, you scroll through your social media. When reading articles of interest, you visit websites. As you do so, data about you, the topics you search, and the accounts you follow is constantly gathered. You also get pop-ups to accept cookies, see advertisements, watch videos, or read article recommendations. The next thing you know, your content is curated and highly personalised to your tastes without you actively doing anything or even noticing.
But sometimes you do notice. You start receiving spam emails in your inbox even though you don’t remember signing up for something. You get promo deals in your physical mailbox with your name and address on it. You visit a random website but the advertisement that pops up is for something else you searched a few days ago. That went from, “oh, how convenient” to “oh no, that’s creepy!”. Suddenly you ask, is my privacy being violated online? What do I do?
Therein lies a key question: can the DMA and DSA help ensure that the online environment adequately protects the fundamental rights of users, giving them more power to choose how much data they want to share, and increase transparency and accountability with regards to how online platforms use their personal data? We hope to answer these questions over the course of this blog-post series.
III. The Digital Markets Act
The DMA consists of a set of rules that regulate the actions of so-called “gatekeepers” to ensure a fairer marketplace and increase availability of service options for users (individuals) and business users. This limits the proposal to large online platforms that have a significant impact on the internal market. These platforms are labelled as gatekeepers because their online presence is so dominant that they are deeply entrenched in a user’s daily life. To give you an idea, think of Google, Amazon, Booking.com, Instagram, Facebook (Meta), and Twitter. From the names alone, it is easy to infer that smaller platforms such as Ecosia, Bol.Com, NextDoor or Vero are unable to compete, let alone come to the forefront of anyone’s minds. This creates tremendous power for larger tech companies who can ‘gatekeep’ content from businesses to users. With the DMA, this can be prevented.
According to Article 2(1) of the proposed legislation, a gatekeeper is defined as, “an undertaking providing core platform services”. Core platform services are subsequently listed in Article 2(2) and may consist of: “(a) online intermediation services; (b) online search engines; (c) online social networking services; (d) video-sharing platform services; (e) number-independent interpersonal communications services; (f) operating systems; (g) web browsers; (h) virtual assistants; (i) cloud computing services; (j) online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in points (a) to (i).”
The DMA includes a list of ‘dos and don’ts’ within Chapter III, Articles 5 and 6, obliging companies falling under the scope to ensure openness of digital services and at the same time prevent unfair conditions on businesses and users alike. In terms of the “do’s”: gatekeepers must allow third parties to operate with their services and allow businesses to access data generated in the gatekeeper platform. Regarding the “don’ts”: the products or services of gatekeepers cannot be ranked higher than other third parties on their platforms, they cannot prefer business users that use their own ancillary services, they cannot stop users from easily un-installing pre-loaded software applications and using third-party applications.
As a result of the DMA, the European Commission will be able to undertake market investigations in addition to sanctioning the non-compliant behaviour of gatekeepers. If a gatekeeper fails in its obligations to do or refrain from certain acts, it can risk a fine of up to 10% of its worldwide turnover. Repeat offenders will be forced to pay up to 20% and if systematic failure is found (at least three times in eight years), the Commission can open a market investigation in addition to imposing behavioural or structural remedies.
IV. Significance to the GDPR
Interestingly, as mentioned above, the DMA primarily focuses on regulations that bring competition law into effect. For example, many of the obligations for gatekeeper platforms revolve around giving their business users opportunities to promote themselves, while prohibiting them from limiting or, to a certain extent, discriminating against other business users. This primarily points to allowing fair competition. These obligations complement the competition and consumer protection legal regimes, but at the same time, some provisions clearly complement data protection legislation.
The European Data Protection Supervisor (‘EDPS’) has stated in its Opinion of February 2021 that it welcomes the proposal as it “seeks not only to promote fair and open markets” but also “the fair processing of personal data”. The Opinion specifically highlighted the importance of Articles 5(f)[1], 6(1)(b)[2] and 6(1)(e)[3] – now Articles 5(8), 6(3) and 6(6) respectively as per the adopted text – as they would mutually reinforce the contestability of the market while at the same time provide users with the option of controlling what they want to do with their personal data.
Article 5(8)[4] on the prohibition of mandatory subscription by users has been highlighted before when discussing the validity of consent by “tying the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract and service”[5]. In this case, the EDPS has already clarified that if a service provider blocks content or only provides services to a user when they sign up/register with the service, incurring more data-sharing than necessary, this does not constitute a genuine choice. Even if the end-user has given consent for processing additional categories of personal data, this consent isn’t freely given. The DMA strengthens and clarifies this concern regarding the activities of gatekeepers: this provision is therefore inextricably linked to the data protection field.
The other provision mentioned by the EDPS, Article 6(3), requires gatekeepers to allow users to un-install pre-installed software applications (e.g. think of Google Photos, Google Drive or Google Docs pre-installed on a new Android device) except for applications essential for the functioning of the operating system or device which cannot be offered on a standalone basis by third parties. Even if at first glance this provision seems to protect competition, it also protects the privacy of the users by not collecting additional personal data through the additional services or pre-installed software devices gatekeepers offer and use.
Another significant provision is Article 5(2)(a)-(d), still highly debated. This holds that a gatekeeper:
- Must not, without the user’s consent, combine personal data collected from the relevant core platform service with personal data from any other services they offer through the core platform (e.g. when data is collected through Facebook Payments services, this data should not be combined by Meta with personal data collected from the user when such individuals make use of Facebook Messenger or Instagram Chat services) and,
- Must not, without the user’s consent, combine personal data collected from the relevant core platform service with personal data from any other services they offer outside of the core platform or with personal data from third parties (e.g. data shared with Meta by their business partners; e.g. when buying a product from an online shop that has a Meta pixel technology included on the website, the online shop will transfer information over the acquisition of that product to Meta together with personal data) and,
- Must not, cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services and vice-versa, and
- Must not, without the user’s consent, sign in users to other services of the gatekeeper in order to combine personal data.
The initial intention of the legislator[6] appeared to be to ban an all-encompassing consent, i.e. a single-button consent allowing gatekeepers to combine data sets about the user, collected via the range of services they provide and received from third parties through cookies etc. Therefore, individual users of these core platforms should be able to freely choose to opt-in to such business practices. This can only be achieved once the information about these practices is provided to the individuals in an explicit, clear, and straightforward manner and those individuals indicate that they consent to the collection and processing of personal data.
However, concerns have been raised about the final wording of Article 5(2)[7] and its implications for the GDPR’s purpose limitation principle. It was argued that the singular reference in 5(2)(a) to “process, for the purpose of providing online advertising services” implies that online advertising is based on a single data processing purpose, whilst realistically more than one processing activity takes place when a user is targeted with ads. Both the Irish Council for Civil Liberties (‘ICCL’)[8] as well as Digital Content Next (‘DCN’) and the European Publishers Council (‘EPC’)[9] argued that the final wording of Article 5(2) sub-paragraph 2 would create a loophole for gatekeepers, who could still rely on an all-encompassing, single-button consent, overriding the requirements within Article 6 GDPR to clearly identify and convey the purpose and legal basis for each processing activity from the controller to the user. These stakeholders proposed to remove this flaw from the text by adding the wording “specific processing activities” so the text would read as follows: “unless the end user has been given a clear request for each processing purpose that states the specific processing purpose, and the sources of the data, and the result of the combination or cross-use of the personal data, in line with the requirements under Article 4(11), Article 6(1) point (a), and Article 7 of Regulation (EU) 2016/679.”
In response to these concerns, MEPs found that the article simply builds on the GDPR and that the purpose of the DMA is not to modify or overrule the GDPR. To explicitly reiterate processing would then be redundant. They also argued that the DMA would in fact strengthen the principle of consent rather than reduce it, and set the bar higher for data usage practices. Thus, one can conclude that the final text adopted by the trialogue is subject to interpretation and it will be for the Commission to interpret and give additional guidelines.
Notably, the EDPS, in its Opinion of February 2021[10], did not refer to this flaw when discussing the initial version of the DMA proposed by the Commission. It only recommended that the consent form should be drafted “as user-friendly as possible”, referring to the concept of data protection by design and default in the sense that the DMA could refer “the functionalities for …offering the opportunity to grant, modify and revoke consent…as user friendly as possible”.
However, the problem with consent as a lawful basis has been highly debated in the data protection fora in recent years, up to the point that some data protection practitioners stated that it has lost its purpose. This is mainly due to the frequency with which consent is requested when individuals use online services, including core platform services. In the digital era, consent has become so tedious for individuals that there is no guarantee that such consent is informed and represents an unambiguous indication of the user’s wishes. In order to understand what they are consenting to, individuals must read the privacy policy. This has proved particularly difficult due to the lengthy and complex texts, but also due to the extreme pace of the digital era. The concept of ‘consent fatigue’ has influenced many data protection professionals to avoid using consent as a lawful basis as much as possible. The question is: how will this user-friendly consent (or banner) be drafted by gatekeepers to make sure that the consent given by individuals for combining/cross-using different datasets for different purposes complies with the GDPR and escapes the aforementioned criticism? Will this really give individuals back control over the extent of their personal data that gatekeepers can combine or cross-use?
V. Conclusion: What is the future of the DMA?
According to the European Commission, the DMA has a great deal of benefits for both business users and individuals. Smaller entrepreneurs and start-ups will be able to offer their services in an environment that is much fairer than it used to be. In this manner, they would not be solely dependent on gatekeepers to offer their services and would have more opportunities to innovate without having to deal with unfair terms and conditions. For users, this means a greater variety of options to choose from and the ability to take control of the services they wish to use. It will also be easier for users to choose alternative options that are available beyond the limits of certain online platforms and choose fairer competitive prices, which in turn will stimulate the market.
Nevertheless, whilst the DMA aims to regulate the actions of gatekeepers, the lack of clarity provided in the final text as discussed may preclude the Act from working as effectively as desired. It is hoped that, despite the concerns raised by the EDPS, the ICCL, DCN, and the EPC, the Act in practice will work effectively to build upon the GDPR, creating a fairer marketplace and increasing the options available for users and “netizens” to protect their fundamental rights when using the services of the gatekeepers.
Our next blog post in this two-part series, focusing on the Digital Services Act, will be published on EIPA’s website in August 2022. See you next time!
The views expressed in this blog are those of the authors and not necessarily those of EIPA.