The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.
The objective of the DMA is to ensure fairness and contestability in digital markets. Data is becoming an increasingly important asset in today’s world, particularly in the digital sphere. As such, the DMA specifically foresees that gatekeepers will need to share certain types of data and allow interoperability in order to foster competition. By contrast, the EU General Data Protection Regulation (GDPR) is designed to restrict unnecessary collection of data in order to protect individuals from abusive practices.
Although in principle the two frameworks should not contradict each other (the DMA explicitly states that it will complement and apply “without prejudice” to the GDPR), there nonetheless exists a potential tension between how the DMA and the GDPR will be applied.
In this blog post, we describe the data-related obligations under the DMA and their intersection with the GDPR. We also summarise a panel discussion on this topic, moderated by Sidley Austin’s antitrust team in collaboration with OneTrust, between representatives of the Competition Directorate of the European Commission and the European Data Protection Supervisor (EDPS).
Overview of data-related obligations under the DMA
Below we provide an overview of the key data-related obligations under the DMA. Certain obligations build upon and go beyond those provided under the GDPR, e.g., those relating to data portability, sharing and interoperability.
|Obligation on Gatekeepers
|Refrain from processing data for advertising purposes or combining or cross-using personal data unless the user has been given a “specific choice” and has provided GDPR-grade consent.
|Ensure that third parties can effectively interoperate with the same hardware and software features controlled by the gatekeeper’s operating system or virtual assistant that are available to the gatekeeper’s own services.
|Provide advertisers and publishers (and authorised third parties) with access to the performance measuring tools of the gatekeeper and the aggregated and non-aggregated data necessary to carry out their own independent verification of ad inventory.
|Provide end users (and authorised third parties) with effective portability of – and real-time and continuous access to – data provided or generated by the end users’ use of the gatekeeper’s platform.
|Allow business users (and authorised third parties) effective, high-quality, continuous and real-time access to, and use of, aggregated and non-aggregated data (including personal data) generated in their use of the gatekeeper’s platform. Access to personal data is subject to GDPR-grade consent.
|Provide search engines with access to ranking, query, click and view data in relation to free and paid search generated by users – personal data shall be anonymised.
|Make basic functions of number-independent interpersonal communications services (NI-ICS), e.g., instant messaging services, interoperable with other NI-ICS free of charge.
|Provide the European Commission with annual reports on consumer profiling (DMA Articles 15 and 36(3)). These reports will then go to the European Data Protection Board (EDPB) and can be used to enforce data protection law.
The above are areas in which the DMA and GDPR may overlap. For example, the DMA requires GDPR-grade consent from users to allow gatekeepers to proceed with practices that would otherwise be prohibited, e.g., data processing for advertising purposes or combining or cross-using personal data (DMA Article 5(2)). However, the DMA also goes beyond the requirements of the GDPR by catering for circumstances where a user withdraws or fails to provide consent, requiring the gatekeepers to offer a “less personalized but equivalent alternative” of a given service such that the user is not disadvantaged by their choice. There are also circumstances where users may in practice not be able to meet the GDPR’s standard of consent, e.g., where in order to provide effective consent the user would have to receive detailed information on extensive datasets, which risks inconsistent application of the two instruments.
As another example of potential tension, designated gatekeepers under the DMA should ensure that users have “continuous and real-time access” to data, which may require gatekeepers to implement complicated technical solutions. By contrast, the GDPR provides that data controllers do not need to adopt or maintain technically compatible systems, meaning that they are not required to transfer data when it is not technically feasible to do so. In addition, the scope of the DMA portability obligation includes data that is both provided and generated by the user, while the scope of the GDPR obligations includes only data that is provided by the user.
As such, it remains to be seen whether in practice gatekeepers will be able to comply simultaneously with all data-related obligations in both the DMA and GDPR. In collaboration with OneTrust, Ken Daly and Monika Zdzieborska of Sidley Austin LLP moderated a panel discussion with Joao Vareda, Deputy Head of Unit at the DG Competition of the European Commission, and Thomas Zerdick, Head of Unit at the EDPS, which considered the interplay between these instruments. The key highlights from the discussion are set out below.
Panel Discussion with the European Commission and EDPS
Joao Vareda – DG Competition
Joao Vareda noted that the DMA uses the same definitions as the GDPR, e.g., with respect to consent and personal data, and emphasised that there is a need for a harmonised approach by enforcement authorities in applying such concepts.
He emphasised that the DMA applies without prejudice to the GDPR and explicitly defers to the GDPR in certain circumstances. In that way, the DMA complements the GDPR and imposes additional data-related obligations. Although drafted for GDPR purposes, guidance from the EDPB will also be applicable under the DMA. Any guidance from the Commission on the application of the DMA may come later in the process and be provided after the Commission takes initial decisions in the DMA proceedings.
Mr. Vareda also confirmed that the Commission will coordinate with the relevant data protection authorities. He referred to previous close collaboration between the Commission and the EDPB in investigating the proposed acquisition of Fitbit, Inc. by Google LLC. He acknowledged that “there is a lot to be determined” in terms of coordination between the authorities but confirmed the aim is to ensure “consistent outcomes”.
He recognised the need to develop a framework for resolving potential overlaps and noted that, in the future, the Commission might want to establish cooperation agreements with national data protection authorities in the Member States, similar to those currently established with the European Competition Network (ECN).
Thomas Zerdick – EDPS
Thomas Zerdick noted that, although the DMA and GDPR have distinct legal bases and pursue different objectives, there is a necessary interplay between these instruments. He emphasised that it is vital to ensure consistent interpretation and maintain a coherent regulatory approach. In particular, the DMA must not diminish, limit or differ from the rules under the GDPR.
He pointed out that there are certain matters of substance under the DMA that need to be clarified. Examples include determining the necessary level of anonymisation for personal data that will be shared with search engines (DMA Article 6(11)), which will require input from data protection authorities, and how to interpret the data portability provision (DMA Article 6(9)) with reference to the GDPR.
There are also certain important enforcement aspects left unaddressed by the DMA. Mr. Zerdick argued that the level of cooperation between the Commission and data protection authorities is currently insufficient. He cautioned that the DMA does not provide for structured cooperation, which risks inconsistency in enforcement. Although the DMA imposes an obligation on the Commission to cooperate with national authorities, it does not include an equivalent provision with respect to the EU-wide data protection bodies.
While the DMA provides for the High-Level Advisory Group (which includes the EDPS and EDPB), this group has only advisory functions without any decision-making powers.
Similarly, Mr. Zerdick noted that although the DMA requires the Commission to forward auditing reports on data profiling to the EDPB, it applies only in limited circumstances. There are no express obligations in relation to sharing other information, for instance in relation to investigations by the Commission, that would further help in ensuring consistency in enforcement between the Commission and data protection authorities.
As such, Mr. Zerdick concluded that there is a missed opportunity in the lack of explicit provisions in the text providing for coordination between the Commission and data protection authorities under the DMA. Despite this, he was optimistic that clarification could still be achieved, whether in the Implementing Regulation, procedural guidance or even in memoranda of understanding – he noted that “the sky’s the limit”, but it will be important to address these enforcement issues before the DMA starts to be enforced.
There is clear consensus amongst the Commission and European data protection authorities as to the importance of inter-agency cooperation to achieve a harmonized approach to data-related enforcement. Despite this, so far the DMA fails to provide for explicit cooperation mechanisms, e.g., in relation to the GDPR, which risks inconsistent and fragmented application of these rules. It remains to be seen whether the Commission will address these issues in order to ensure effective regulatory coordination.
The DMA entered into force on 1 November 2022 and will apply from 2 May 2023. As a first step, the Commission will designate certain companies as ‘gatekeepers’ in a process taking around two to three months. Following that, designated gatekeepers will have a further six months (i.e., until around Q1 2024) to comply with the obligations.
In parallel, the Commission is also working on other preparatory acts. In the coming weeks, it is expected to launch a public consultation on a draft Implementing Regulation for the DMA, which will focus on the practical aspects of the application of the DMA such as technical arrangements that gatekeepers need to implement to ensure compliance with the obligations. The Commission has also organised workshops with potential gatekeepers and interested third parties to discuss the practicalities of compliance, which started on 5 December 2022.