Here Comes the Digital Markets Act, Important New Legislation From the EU Boosting Privacy and Interoperability

Posted on Jan 10, 2022 by Glyn Moody

Back in June 2021, this blog noted that there were two important proposals for new laws moving their way through the European Union’s legislative system. One, the Digital Services Act (DSA), aims to regulate how all digital services, notably social media, operate in the EU. For example, it will stipulate rules for the removal of illegal goods, services or content online, as well as putting in place safeguards for users whose content has been deleted in error. The other, the Digital Markets Act (DMA), is aimed at what are called digital “gatekeepers”. It is an attempt by the EU to rein in the top online companies, sometimes known collectively as GAFAM — Google, Apple, Facebook, Amazon and Microsoft. Most of them are multi-trillion-dollar companies, and they are now so powerful that they can challenge nation states — and win.

Where the DSA is highly contentious, because of its desire to lay down what is illegal content online — something that touches on human rights such as freedom of speech — the DMA has a great deal of support across the political spectrum in Europe. The GAFAM group has long been regarded as too powerful, and even as a threat to European democracy; calls to clip the wings of these companies have been heard for years. The DMA aims to impose a number of wide-ranging restrictions on these digital giants, and if passed is likely to have a major impact on them not just in the EU, but globally.

Although the DMA is largely an antitrust law, it does contain some additional protection for online privacy, recently strengthened by a vote in the European Parliament as part of the legislative process. MEPs added a new element to the text addressing micro-targeted advertising. A press release from the European Parliament explains:

The text says that a gatekeeper shall, “for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising”, except if there is a “clear, explicit, renewed, informed consent”, in line with the General Data Protection Regulation. In particular, personal data of minors shall not be processed for commercial purposes, such as direct marketing, profiling and behaviorally targeted advertising, MEPs stress.

This is not as strong as the complete ban on micro-targeted advertising that some MEPs have called for. It is nonetheless a huge step in the right direction, because it recognizes that micro-targeted advertising is inherently intrusive, and that people require special protection from its worst effects when they go online.

Another proposal that will bolster privacy, albeit indirectly, is a new ability for the EU to restrict gatekeeper companies from making what are rather dramatically called “killer acquisitions”. This move is designed to stop the further concentrations of power in the hands of GAFAM companies. Historically, many of them have bought dozens of startups as well as other, more established companies, either for their technology, or simply to remove potential rivals. Under the DMA, the EU could intervene to prevent that. That could be a boon for privacy when used in conjunction with another subtle but important aspect of the DMA. The proposed text from the European Parliament explains:

The lack of interconnection features among the gatekeeper services may substantially affect users choice and ability to switch due to the incapacity for end user to reconstruct social connections and networks provided by the gatekeeper even if multi-homing is possible. Therefore, it should be allowed for any providers of equivalent core platform services to interconnect with the gatekeepers number independent interpersonal communication services or social network services upon their request and free of charge.

Interconnection should be provided under the conditions and quality that are available or used by the gatekeeper, while ensuring a high level of security and personal data protection. In the particular case of number-dependent intercommunication services, interconnection requirements should mean giving the possibility for third-party providers to request access and interconnection for features such as text, video, voice and picture, while it should provide access and interconnection on basic features such as posts, likes and comments for social networking services.

As a number of posts on PIA Blog have emphasized, true interoperability would allow alternative services to Internet giants like Facebook to be created without the problem of network effects, which currently keep users locked into the dominant platform. If people could use any service to communicate with friends and family on other platforms — as is possible with email, for example — there will be no compelling reason to stay on Facebook, and accept its pervasive tracking. Instead, people could migrate to Facebook-compatible systems that respect user privacy. These might come from innovative startups, which the DMA would ensure are not simply bought up by Facebook to kill off the threat.

Although it is unlikely that the EU sees this requirement as one of the key parts of the DMA, it may well turn out to be one of the most far-reaching in its effects; once interoperability is available in the EU, it is likely that other citizens — and their governments — will demand it too.

A measure of the support for the DMA is evident from a plenary vote that took place in the European Parliament at the end of last year. The DMA text prepared by the specialist Internal Market and Consumer Protection Committee was passed by 642 votes in favor, 8 against and 46 abstentions. The European Parliament will now negotiate a final joint text of the law with the European Commission and the governments of the EU member states. Given the widespread backing both inside and outside the European Parliament, it is likely to be a relatively quick procedure.

The impact of the DMA will be significant, not least because it foresees fines for non-compliance that are “not less than 4% and not exceeding 20% of its total worldwide turnover in the preceding financial year”. For GAFAM companies, that’s potentially tens of billions of dollars, and not something that even they can take lightly.

Featured image by Steven Lek.