TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | The data provisions in the EU's upcoming Big Tech law Related reading: The EU's DMA and DSA: Why this should be of interest to privacy pros

rss_feed

""

""

""

The EU's Digital Markets Act is a legislative proposal meant to define a list of do's and don'ts for online platforms so large that they are deemed to play a "gatekeeper" role. The rationale is that these platforms enjoy such an entrenched and durable position that they prevent competition in the European single market.

A gatekeeper has a dominant position in a critical digital market and acts as a gateway for businesses that want to reach their customers. These digital markets include cloud services, social media, search engines, advertising, online marketplaces, instant messaging and operating systems. The list might be extended to virtual assistants and web browsers. 

The assumption is that traditional competition rules have failed to address the fast-paced digital environment, as antitrust decisions can take years of judicial review. By contrast, the DMA's obligations are meant to be ex-ante, although to what extent they will be self-enforceable remains a crucial question mark upon the regulation. 

While the criteria for identifying such gatekeepers are still subject to intense negotiations, Amazon, Apple, Google, Meta and Microsoft are all set to fall under the scope. In total, between 10 and 20 companies are expected to be designated as gatekeepers.

The new regulation is expected to be adopted in the coming weeks as the EU negotiators are closing in on some of the most contentious points. Data provisions have a particularly prominent role in this regulation, given the vital role data has acquired in determining companies' market position in the digital economy.

Data in competition policy

"We are in a market power crisis and a privacy crisis, and two reinforce each other. Because it is the systematic violations of data protection that are preserving and cementing market power, allowing it to be extended and cascading into multiple markets, and it is the unprecedented levels of market power that allow data protection violations at scale," Cristina Caffarra, a senior consultant at Charles River Associates, said.

Due to the network effect intrinsic to many digital services, access to data has increasingly become a matter of competition policy. Still, the fragmented institutional design has prevented regulators from adequately addressing the problem, as antitrust agencies work in silos without the necessary insights from the data protection authorities. 

"Most of the studies leading up to the DMA recognize that gatekeepers' privileged access to data is a key reason why they have entrenched market power. There are legitimate concerns, too, that gatekeepers are withholding information from their business users to keep the market opaque," Zach Meyers, a research fellow at the Centre for European Reform, said.

The U.K.'s Competition and Markets Authority has been spearheading bridging these two sides of digital regulation with a joint statement with the Information Commissioner's Office. At the EU level, this will be one of the central topics of the conference on the future of privacy organized by the European Data Protection Supervisor.

Data sharing

The DMA provides that gatekeepers must grant their business users access to the data they generate by using their platform. The intention is to enable companies also to take advantage of the data of their transactions. 

In line with the EU General Data Protection Regulation, business users would have to request user consent to access personal data. Gatekeepers will be obliged to assist commercial users in obtaining the necessary permission.

Commercial activities using gatekeeper platforms have so far been facing a massive power imbalance where the platform could insist on remaining the intermediator between the business and customers, hence remaining in control of valuable data. Under the DMA, companies would be better able to circumvent the gatekeepers.

The European Tech Alliance, made of EU-born heavyweights like Spotify and Booking, sees the DMA's data-sharing obligations "as a way to foster fair access to data and data-driven innovation. Access to data is key for algorithmic training and is a condition to the development of artificial intelligence in the EU."

However, businesses will have to set up their systems to receive the data, which might not be provided in easy-to-understand and process ways. EU lawmakers proposed to address this problem by giving commercial users the possibility to analyze the data directly on the gatekeepers' databases. It is still unclear if this proposal will fly.

Data portability

Gatekeepers will have to ensure "data portability" continuously and in real-time, enabling business and end-users to transfer their data outside the platforms with an appropriate interface, expanding the data portability right included in the GDPR.

Similar obligations have been included in the draft Data Act that the European Commission presented last month. However, this proposal has a much broader scope than the DMA and is only related to non-personal data.

During the negotiations, EU lawmakers and diplomats clarified that business users could use this provision, acting on behalf of end-users. Similarly, a new platform might request user consent to transfer the user's data from the gatekeeper's platform to the new platform, facilitating the switching between competing platforms.

"This could be useful so that a business user could move to a competing platform without losing all the data they accumulated on their previous platform," CER's Meyers said. That would be the case for business reviews that could be easily moved onto a competing platform without a business user needing to build a new profile and reputation from scratch. 

Big Tech companies also launched the Data Transfer Project in 2018, an initiative to create a common framework based on open-source to enable transfers of data in a common format. On March 9, Google announced it would invest $3 million to facilitate data transfers over the next five years.

Data combining

The capacity of internet giants to combine data from different services is seen as yet another barrier to fair competition. Gatekeepers will need to offer users the possibility to opt out of such an option with a less personalized alternative that does not degrade the quality of the service. As a result, Meta would not be able to merge data from Facebook, WhatsApp and Instagram.

The Irish Council for Civil Liberties insisted that the way these provisions were formulated could accidentally justify the gatekeepers to create an opt-in option for all data processing practices, including cross-platform combining. As a result of its amendment recently taken on board by the co-legislators, the gatekeepers will have to request consent for each processing purpose.

"If you use the language of processing purposes, then the Commission itself can supervise purpose limitation without having to wait for the Irish Data Protection Commission or the Luxembourgish Data Protection Authority. It's potentially profound," ICCL's senior fellow Johnny Ryan said.

Targeted advertising

Google, Meta and the likes will need to open up their systems to advertisers, informing them where their advertising fees are spent and providing performance management tools. As illustrated in the ongoing probes on the "Jedi Blue" ad agreement between Google and Facebook, it is currently challenging for advertisers to know whether online digital services give them the best value for money.

The European Parliament has been pushing for including a ban on targeted advertising for underage users. This ban has received growing support from major EU countries, but it is likely to be moved to the Digital Services Act, the DMA's sister proposal that covers all online players. 

Killer acquisitions

Another significant addition to the DMA compared to the original proposal relates to the possibility to block killer acquisitions, namely the practice of acquiring a company for the sole purpose of shutting down a nascent competitor.

EU lawmakers have been pushing for including measures against this practice as the takeovers from gatekeepers might not trigger the thresholds of the EU Merger Regulation. Still, the data held by the acquired company could lead to further consolidation of market power, as was the case with Facebook's acquisition of WhatsApp and Google's Fitbit takeover.

The DMA is based on a different legal basis that could open the door to disruptive legal challenges. Thus, the European Commission was reluctant to accept these provisions in the negotiations. A potential solution was found in giving this option to the EU executive in cases of systematic non-compliance with the new rules.

Relation with the GDPR

"The full extent of how the tension between data access rights and the GDPR will be resolved in detail will only become apparent in practice. However, the legislator does not seem to intend changes for the protection of personal data," Stefan Hessel, co-head of the digital business unit at reuschlaw, said.

However, while the DMA explicitly mentions it is not intended to supersede the GDPR, the two legislations pursue different objectives. The contestability of the internal market and the protection of personal data might not be immediately compatible.

For instance, Google will be obliged to give competitors search data, but since that purpose would be beyond the user consent, the data would need to be anonymized. As a result, the provision might not have the desired effect as Google is likely to retain superior data insights.

"It'll be difficult for the gatekeepers to thoroughly understand where to draw the line between personal data and anonymous data when trying to figure out what data sets should be siloed between services and which data sets could actually be leveraged across the platform," Otto Lindholm, head of data and privacy at Dottir, said.

Photo by Alexandre Debiève on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Comments

If you want to comment on this post, you need to login.