The EC Digital Markets Act and data

What gives the tech giants their power? A crucial factor is their data dominance. Controlling vast quantities of proprietary data has helped them to out-perform competitors and new entrants, and this has attracted legislative and regulatory scrutiny.  

The EC published its Digital Markets Act in December 2020. The European Parliament adopted the compromise text on 5 July 2022 and the Council adoption followed on 18 July 2022, paving the way for the Act to be published in the Official Journal. The DMA is intended to regulate digital markets, effectively to help 'level the playing field' and address concerns raised by the market power of those large online players, to be designated as "gatekeepers" by the European Commission. Data driven advantages, including access to and collection of personal and non-personal data and analytics capabilities, are explicitly cited as relevant to a company's designation as gatekeeper.   

The DMA places a series of restrictions and obligations on those online businesses designated as gatekeepers in relation to designated core platform services – the core data-related provisions are included in Articles 5-6. Initially, designation is done by reference to clearly set out criteria, but there is a considerable discretionary element as we explore in more detail here.

Many of the obligations and restrictions relate to the gatekeepers' use of data, especially data provided by third party businesses and end users. On the whole, the aim is, not to prevent the gatekeepers from using the data, but to ensure it is not used unfairly. So, for example, there is a prohibition on gatekeepers combining data sourced from different core services without consent. This has clearly come out of the concerns over past big tech acquisitions of huge data troves – Google and YouTube, Facebook and WhatsApp.  

Another aim is to ensure gatekeepers do not get an unfair advantage over their business customers due to the data generated by them (for example, third party sellers and advertisers), or by the end users of those sellers. Consequently, there are provisions requiring gatekeepers to provide access to certain types of data, and restrictions on what gatekeepers can do with such data. The other major issue tackled by the DMA in terms of data, is consumer access to the personal data they generate, and restrictions on how that data can be used by gatekeepers. 

Data provisions in brief

In respect of data, gatekeepers:

• must not combine personal data sourced from different core services, unless users consent to a GDPR standard (consent not to be sought more than once per year)
• must not process personal data from end users using third party services which use core platform services for their advertising purposes, unless users consent to a GDPR standard
• must not use non-public data generated from business and end users to compete with business users
• must not use personal data from users that are using the service provided by a third party when that third-party service is using the gatekeeper’s platform
• must provide continuous and real time access to data subjects whose personal data is processed
• must provide business users with free, effective, high-quality, continuous and real-time access and use of aggregated and non-aggregated data, generated in the use of the core platform services by those business users and the end users engaging with the products or services provided by those business users
• must provide advertisers with access to both aggregated and non-aggregated data for the ads they run.

Data provisions in more detail

Article 5 restrictions on use of personal data 

Gatekeepers shall not:

• process end-user personal data to provide online advertising services using services provided by third parties which use the gatekeeper's core platform services, without end-user consent. Where consent has been refused or withdrawn, it cannot be requested for the same purpose more than once within a one year period;
• combine personal data from one core platform service with another, or with any other gatekeeper service, or with personal data from third-party services;
• cross-use personal data between the relevant core platform service and other services (including other core platform services) provided by the gatekeeper; or
• sign in end users to other gatekeeper services in order to combine personal data.

This is without prejudice to the possibility of the gatekeeper relying on the lawful bases of processing to comply with a legal obligation, to protect vital data subject interests, or for a task carried out in the public interest, under the GDPR.

Obligations to share advertising data

These are included in Article 5.

The gatekeeper shall provide on request:

• Each advertiser to which it supplies online advertising services (or authorised third parties) with free, daily information concerning each advert placed. This should cover: the price and fees paid by that advertiser including any gatekeeper deductions or charges, remuneration received by the publisher including any deductions or charges, unless the publisher does not consent in which case the information will be the daily average remuneration received by the publisher, and the metrics on which each of the prices, fees and remunerations are calculated.
• Each publisher to which it supplies online advertising services (or an authorised third party), free daily information concerning each advert displayed on the publisher's inventory. This should cover: remuneration and fees paid by that publisher (including deductions and surcharges) for each relevant online advertising service provided by the gatekeeper, and the price paid by the advertiser including any deductions and surcharges. If the advertiser does not consent to the sharing of the information, the information should be the daily average price paid by that advertiser, and the measure on which each of the prices and remunerations are calculated.

Restrictions on use of non-public data – 6(1-2)

• The gatekeeper shall not use any data generated by business users in the context of the relevant core platform services or services provided together or in support of core platform services, including data generated or provided by the end users of the business users unless the data is publicly available.
• Data which is not publicly available includes any aggregated and non-aggregated data generated by business users that can be inferred from or collected through the commercial activities of business users or their end users including click, search, view and voice data on the relevant core platform services or services provided with or in support of the core platform services of the gatekeeper.

Article 6 data sharing obligations

Article 6 obligations may be subject to more detailed requirements by the Commission under the procedure set out in Article 8.

The gatekeeper shall:

• provide advertisers and publishers (and their authorised third parties), on request and free of charge, with access to the gatekeeper's performance measuring tools and the data needed for them to carry out their own independent verification of the advertisements inventory. The relevant data includes aggregated and non-aggregated data and must be provided in such a way that the advertisers and publishers can run their own verification measurement tools to assess the performance of the gatekeeper's core platform services
• provide end users and their authorised third parties on request and free of charge, with portability of the data provided by the end user or generated through their activity in the context of the relevant core platform service. This includes by providing free tools to facilitate data portability and the provision of continuous and real-time access to such data
• provide business users and their authorised third parties, on request and free of charge, with effective, high-quality, continuous and real-time access to and use of aggregated and non-aggregated data, including personal data provided for or generated in the context of the relevant core platform service(s) provided together with or in support of those services by those business users and the end users engaging with the products or services provided by those business users. Access to personal data shall only be provided and used where directly connected with the use effectuated by the end user in respect of the products or services offered by the relevant business user through the core platform service, and when the end user opts in to the data sharing by giving consent 
• provide any third party online search engine at their request, with access on fair, reasonable and non-discriminatory terms to ranking, query, click and view data in relation to free and paid searches generated by end users on their online search engine. Any personal data must be anonymised.

Other data-related provisions

• In general, personal data must always be handled in accordance with the GDPR.  
• The Commission has the power to make delegated acts to extend provisions regarding certain types of data to other types of data.
• Where consent is required to facilitate sharing of data by business users, the gatekeeper must taken necessary steps to enable business users to collect the required consent, or to assist with other steps to make sharing lawful, such as anonymisation.
• Gatekeepers are required to inform the Commission of any intended concentration (within the meaning of Article 3 Regulation (EC) 139/2004) where the merging entities or the target enable the collection of data.
• Within six months following gatekeeper designation, the gatekeeper must submit an independently audited description of any consumer profiling carried out by any of its core platform services listed in the designation decision. This will also be sent to the EDPB.
• The Commission has the power to request access to any data and algorithms of undertakings and information about testing together with relevant information, and subject to various administrative requirements.
• The Commission also has various inspection rights covering data and there are offences associated with failure to comply.

What does this mean?

The DMA will come into force 20 days after it is published in the Official Journal. Following that, it will take six months to apply, likely taking up to mid-2023. The designation of gatekeepers process will start, which might take up to mid-2023. The compliance process is expected to begin around Q1 2024. Gatekeepers will have six months to comply with their obligations following their designation.

Gatekeepers are the businesses on whom the obligations and restrictions fall (you can see more on these here) and they will have the most work to do to implement the DMA but the impact will be widely felt. Given the range of products and services supplied by the gatekeepers across the internet, and the range of businesses and end users reliant on them, this is a hugely significant piece of legislation and one which has extra territorial effect.

The UK government is looking to tackle similar issues under its planned but as yet unpublished Digital Markets, Competition and Consumer Bill as we discuss here. How far it will resemble the DMA remains to be seen.