The Digital Markets Act: What you need to know about the EU's new DMA
Technical standards, GDPR friction questions remain...
European policy makers have agreed the terms of strict new rules targeting the world’s largest technology companies under the Digital Markets Act (DMA) -- which aims to boost interoperability and improve competition.
The vision, in short, is of a world in which the sometimes walled gardens of "Big Tech" are replaced by a more open and pluralistic digital environment. Critics say that the rules are a threat to intellectual property.
The swift political agreement between the European Parliament and EU Member States also aims to further enforce rules around data portability and consent to the use of personal data -- in language earlier criticised for still notably lacking precision. Whether the agreed text answers that criticism remains to be seen.
Follow The Stack on LinkedIn for more
A European Commission (EC) spokesperson told The Stack: "The text still needs to be finalised at technical level, so it’s not available yet. It should take two or three weeks before they will distribute and publish it..."
EC Competition Commissioner Margrethe Vestager -- who also chairs the Commissioners’ Group on a "Europe Fit for the Digital Age" -- said Friday meanwhile that she expects the DMA to take effect in October 2022.
A consultation in 2020 and the European Parliament's agreed position on the proposed text give plenty of insight into the proposed rules, however. Wondering what does the Digital Markets Act (DMA) do? Read on.
What is the Digital Markets Act? And who is affected?
The DMA aims to limit the market power of big online platforms that it dubs "gatekeepers".
The rules will affect companies with over €8 billion in turnover in the European Economic Area (EEA), a market capitalisation of over €80 billion and at least 45 million monthly users and 10,000+ business users. Amazon, Apple, Google and Facebook were all named by Commissioners during a press conference. Alibaba, Booking.com and Microsoft will also be among several other large companies that are affected by the DMA.
What does the Digital Markets Act do?
The DMA will ensure end-users have the option to uninstall pre-installed software applications on a core platform service at any stage. (No more fuming at being unable to uninstall Chrome from Android phones.)
More controversially, the Digital Markets Act will also force messenger services to ensure interoperability with other messenging services, e.g. via an Open API.
Other rules -- to-date, worded notably vaguely -- demand "effective portability of data generated through the activity of a business user or end-user". (Critics have warned of potential frictions with current data protection rules like the GDPR. Full analysis will not be possible for some weeks on this. Many are watching closely.)
Describing it as “among the first initiatives of its kind to comprehensively regulate the gatekeeper power of the largest digital companies” the EC itself said that the companies targeted by the DMA will have to:
- Ensure that users have the right to unsubscribe from core platform services
- Not require software [like browsers] by default alongside the operating system
- Ensure the interoperability of their instant messaging services’ basic functionalities
- Allow app developers fair access to the supplementary functionalities of smartphones (e.g. NFC chip)
- Give sellers access to their marketing or advertising performance data on the platform
Interoperability ftw?
Forcing interoperability between messengers is among the many proposals to have drawn a very mixed reaction. Matthew Hodgson, technical co-founder, Matrix, an open standard for real time communication, said: "The DMA’s [stipulation on interoperability is] a huge step forwards, but the best interoperability comes from a widely adopted open standard rather than a tangle of bridges -- as demonstrated by both the web and email."
Element co-founder Amandine Le Pape added: "It is significant that interoperability applies to group chat. Big Tech argued against it on the grounds that it wasn’t technically feasible, but that was eventually debunked with Matrix and others proving that interoperable group chats, with end-to-end encryption, is perfectly possible."
(For more details on the Open API vs Bridges approach to messaging interoperability under the DMA, read this post by Ian Brown, an expert on the subject and a visiting CyberBRICS Professor at FGV Law School.)
Le Pape added: "Group calls do not seem to be in scope."
Other providers were bluntly critical: “Interoperability would cement the monopoly of the top dogs, instead of breaking it up,” Julia Weiss, spokesperson for the messaging app Threema, told Wired: “If existing users of free messenger A with bad privacy practices could communicate with users of privacy-conscious paid messenger B, they will not pay money for messenger B, effectively depriving it of its only source of revenue.”
See also: Messaging Layer Security is coming of age
The EC meanwhile says it plans a "robust supervisory architecture", in a March 25 press release noting "the Commission will be able to impose penalties and fines of up to 10% of a company's worldwide turnover, and that may, in the event of repeated infringements, reach up to 20% of such turnover" -- a potentially huge sum.
It is justifying the legislation under Article 114 of the Treaty on the Functioning of the European Union, citing the need for smooth functioning of the single market across digital products and the plethora of existing regulatory actions by member states, adding that EU-wide alignment may make life easier for Big Tech.
(Earlier proposed textual amendments by the EU Parliament note that "a number of regulatory solutions have already been adopted at national level or proposed to address unfair practices and the contestability of digital services or at least with regard to some of them. This has created a risk of divergent regulatory solutions and thereby fragmentation of the internal market, thus raising the risk of increased compliance costs...")
Snapshots of the early DMA text
Article 6(1)(a) says that companies in scope shall “refrain from using, in competition with business users, any data not publicly available, which is generated through activities by those business users, including by the end-users of these business users, of its core platform services or provided by those business users of its core platform services or by the end-users of these business users”; Article 6(1)(e), meanwhile, provides that "gatekeepers" shall “refrain from technically restricting the ability of end-users to switch between and subscribe to different software applications and services to be accessed using the operating system of the gatekeeper, including as regards the choice of the internet service provider for end-users and Article 13 obliges them to submit an independently audited description of any techniques for profiling of consumers that the gatekeeper applies."
Recital (36) meanwhile clarifies that “The conduct of combining end user data from different sources or signing in users to different services of gatekeepers gives them potential advantages in terms of accumulation of data, thereby raising barriers to entry. To ensure that gatekeepers do not unfairly undermine the contestability of core platform services, they should enable their end users to freely choose to opt-in to such business practices by offering a less personalised alternative. The possibility should cover all possible sources of personal data, including own services of the gatekeeper as well as third party websites, and should be proactively presented to the end user in an explicit, clear and straightforward manner.”
Big Tech and its lawyers raise an eyebrow...
Responding to the news on Friday, an Apple spokesperson said the company worried that "some provisions of the DMA will create unnecessary privacy and security vulnerabilities for our users, while others will prohibit us from charging for intellectual property in which we invest a great deal” -- playing a broadly positive note Google did add that it feared "some of the rules could reduce innovation and the choice available to Europeans.”
Many questions remain unanswered and more clinical insight from across industry is likely to emerge in coming weeks with the publication of the finalised text -- which is not expected to answer them immediately.
One curious observer, technology advisor and NED Peter Curnow-Ford was among those with compliance questions: "How do you manage GDPR across platforms especially if the party you are communicating with is on a platform where you have not already agreed to that platform's GDPR terms -- especially an issue with regards to where the servers and data are located and over which networks the data transits?"
Even the European Data Protection Supervisor (EDPS) had warned in February 2021 that elements of the draft text "may cause confusion that could lead to inconsistency with the GDPR".
The success or otherwise of the Digital Markets Act's efforts to crowbar open perceived walled gardens may end up relying in no small part on what the EDPS wanted to see in its response to the initial consultation: clear technical standards for both protocol interoperability and data interoperability and "more broadly... institutionalised and structured cooperation between the relevant competent oversight authorities, including data protection authorities" -- something that has, per not always been entirely forthcoming."