What is the Digital Markets Act and what does it mean for our privacy and wider rights?

The European Union’s ‘Digital Markets Act’ came into force on the 7 March 2024. The law aims to make the EU’s markets in the digital sector fairer and more contestable by imposing restrictions on designated ‘gatekeepers’ in an attempt to empower competitors and reinstate the rights of users.

 

Long Read
Close up image of text on Monoply board game

Introduction

For years PI has been documenting the market dominance and associated power of Big Tech over the digital economy, and the threats this poses to our privacy and wider rights.

The digital economy is characterised by a handful of Big Tech companies that have established and maintained dominance over the digital market through opaque and exploitative practices. Big Tech exploits the data of those who use their platforms in ways which interfere with our privacy and wider rights. In addition, they often impose abusive terms and conditions on other businesses, which ensure that they cannot integrate their services with these platforms or benefit from technological innovations. These practices allow Big Tech to maintain its monopoly in the absence of worthy competitors.

Public perception of Big Tech does not always capture the extent of its control over the digital economy. It is widely perceived that we are living through a technological revolution but often people don’t realise it is accompanied by a ‘tech-driven economic revolution’. Their surveillance practices and exploitation of our privacy and wider rights have enabled Big Tech to leverage their power and position in the economy, which is not the natural result of technological advancement, but of monopolistic competition. These exploitative practices have been normalised to the extent that we live under a sense of collective apathy and helplessness, in which we either assume to know or simply do not care about the data they collect and what they do with it.

The ‘free’ services and platforms that Big Tech offer have become the default means by which we communicate, shop and navigate. We seldom spare a second thought over whether there may be alternative and, in some cases, preferable options. Furthermore, the concentration of users accessing their services and platforms allows them to collect vast amounts of personal data, and to combine this data across multiple platforms. This results in a so-called ‘network effect’ whereby users base the value of the service/product on the number of people that use it, for example if most of your friends are using a particular social network you are more inclined to use it too, therefore there is less incentive to use an alternative, even if there are better services available. However, this also allows for that service or platform to improve their functionally with the increasing number of people using it and the amount of data collected. Social media companies and other digital business models benefit massively from these so-called network effects.

Therefore, within these digital markets, the value of personal data, in particular, is paramount. The more data that is collected and combined, the more incentives for companies to pursue business strategies aimed at the collection and exploitation of yet more data, and the vicious cycle continues. Whats more, is that this data can be leveraged in ways that allows Big Tech to gain power outside of their own platforms. They can harness their concentration of data and power into the ability to enter new markets through acquisition or innovation. We have seen this play out with Google’s acquisition of Fitbit which enabled Google to potentially establish itself as an even stronger player in the market for health data-related services including health tracking devices. Its acquisition of Youtube and DeepMind are other instances where the search giant entered, and eventually play a major role, in adjacent digital markets.

The more markets Big Tech dominate, and the more data and power they have, the better they become at exploiting their users to consolidate their position in new or existing markets. That is why effective competition in the digital market is necessary to protect our privacy and wider rights, as well as to safeguard innovation and fair competition.

With this in mind, the European Union (EU) has taken the lead in the development of legislation to tackle these issues.

The Digital Markets Act (DMA)

The Digital Markets Act (DMA) is the first legislation of its kind. It aims to comprehensively regulate the power of the largest Big Tech companies and to address some of the negative effects of their dominance of the digital market in the European Union (EU). It includes measures encouraging the integration and access of smaller players to the digital market, and measures aimed at giving users more choice and freedom. The DMA complements existing EU competition rules for example, those outlined in the Treaty on the Functioning of the European Union (TFEU).

The European Commission (EC) introduced the initial proposal for the DMA in December 2020. Following this it went through several amendments and iterations while progressing through the EU parliament, Council and trilogue stages, including with input from civil society. Throughout these stages, PI closely monitored and advocated for strengthening the DMA, including providing a written submission to support the negotiations in the trilogue. We made several recommendations on specific topics and provisions including - ensuring focus on the rights and interests of end users; strengthening interoperability; measures to address the negative effects of mergers; strengthening transparency in profiling; ensuring civil society organisations in the implementation and monitoring of the DMA and; ensuring the DMA’s full conformity with the General Data Protection Regulation (GDPR).
The final Regulation was adopted by the European Parliament and the Council on 14 September 2022 and the DMA entered into force on 1 November 2022, and became applicable on 2 May 2023.

The EC is the main enforcer of the DMA through a joint team from the Directorate-General for Competition (DG COMP) and the Directorate-General for Communications, Networks, Content and Technology (DG Connect), both of which are responsible for the implementation and enforcement of the DMA, more commonly referred to as the DMA enforcement team.

The premise of the DMA is to ensure fair and open digital markets by laying down a set of obligations and prohibitions on several Big Tech companies and the platforms and services they provide who have been identified as ‘gatekeepers’.

Although, the legislation is not without its faults, it has the potential to give businesses and competitors a greater opportunity to compete with and to place their products in the digital market dominated by big tech companies. As well as to introduce measures that will enable individuals to have greater control of their devices and data by reinforcing their rights as consumers or ‘end users’.

Below we provide an overview of the DMA, including the role of gatekeepers. We also discuss specific issues the DMA seeks to address, such as upholding benefits to ‘business users’, targeted advertising, app and browser freedom, and interoperability, as well as highlight key criticisms and issues with compliance and investigations into non-compliance.

Gatekeepers

Article 3.1(a) and 3.1(b) of the DMA outlines the requirements for defining a ‘gatekeeper’. Firstly, a gatekeeper must have a significant impact on the EU internal market and enjoy an entrenched and durable position, in its operations, or it is foreseeable that it will enjoy such a position in the near future. Having significant impact on the internal market means that they must have an annual EU revenue of at least €7.5 billion in each of the last three fiscal years or an average market cap of €75 billion in the last fiscal year.

Secondly, they must provide a ‘core platform service’ which is acts as an important gateway for business users to reach end users. They must have at least 45 million monthly active users of these services within the EU, and more than 10,000 yearly active EU business users, within each of the last three fiscal years. The DMA lists the types of ‘core platform services’ to include:

  • Online intermediation services;
  • Online search engines;
  • Online social networking services;
  • Video-sharing platform services;
  • Number-independent interpersonal communications services;
  • Operating systems;
  • Web browsers;
  • Virtual assistants;
  • Cloud computing services and;
  • Online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in points (a) to (i).

In meeting these criteria, the following companies have been initially identified as gatekeepers by the EC and are hence subject to the DMA – Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. Across these gatekeepers a total of 22 core platform services they provide have been designated under the DMA. For example, Meta’s core platform services subject to the DMA are Whatsapp, Facebook, FB Marketplace, FB Messenger, Meta Ads, Instagram and Facebook Gaming. In May 2024, the EC added Booking.com as an additional gatekeeper. The complete and updated list of gatekeepers and related core platform services can be found on the EC website.

In accordance with Article 4 of the DMA the Commission has the power to reconsider, amend or repeal gatekeeper designation and will review those already designated as gatekeepers every 3 years.

© European Commission (Licensed under CC BY 4.0)

Key obligations and prohibitions

The DMA imposes several restrictions and obligations on gatekeepers which seek to enforce the rights of both other ‘business users’ or competitors operating within the digital market and individual’s/consumers or ‘end users’ who use their services. Some of the key issues the DMA covers include specific benefits to reinforce the rights of business users; restrictions on targeted advertising; measures to reinforce app and browser freedom and interoperability of messaging services.

Benefits to ‘business users’

The DMA seeks to address the imbalance of power and disproportionate advantage gatekeepers have had over their consequently smaller competitors, and to stop them from imposing terms and conditions that does not let others capture the benefits of their own contributions. To empower these business users the DMA has imposed several obligations and prohibitions on gatekeepers to address such behaviour.

One example, is regarding increasing transparency and agency for business users advertising on gatekeeper platforms. Under the DMA gatekeepers must provide companies with the tools and information necessary for advertisers and publishers to carry out their own independent verification of the performance of their advertisements hosted by the gatekeeper. This is to curtail any attempts by gatekeeper’s to engage in exploitative practices such as inflating ad metrics to increase ad revenue, which Facebook has previously been accused of doing. Such measures established within the DMA should prevent these types of practices from occurring.

The DMA also states that gatekeepers should allow their business users to promote their offers and conclude contracts with their customers outside the gatekeeper’s platform. For example, the obligations imposed via the DMA should allow a company like Spotify to promote alternative subscriptions such as Spotify Premium, or services like their audiobooks within the Spotify app. Currently, due to Apple restrictions, you can’t subscribe to Spotify Premium through the app for iPhone and iPad. In fact, Spotify has outlined a number of ways in which it hopes it will benefit from the rules imposed by the DMA, including the ability to directly communicate with customers in the Spotify app about subscription offerings and the ability to offer promotions as well as direct payment in-app.This comes after a lengthy yearlong battle between Spotify and Apple in the lead up to the DMA over the display of pricing information within the Spotify app.

Another example is that a gatekeeper can no longer treat its own services and products more favourably in ranking than similar services or products offered by third parties on the gatekeeper’s platform. For example, Amazon in theory cannot rank its own products more favourably on Amazon Marketplace to that of third-party sellers offering the same products. However, Amazon is currently under investigation by the EC for continuing to preference its own brand products on its Amazon Store.

Personalised or targeted advertising

As previously outlined, one way in which gatekeeper’s market dominance has been built and maintained is through the collection of individual’s personal data and interactions with their platform, and sharing this data with third parties for the purpose of online advertising, through which they generate revenue. In practice, gatekeepers will collect personal data directly from users through signing up to their services such as a user’s name, age, location and email address. This is then combined with data accumulated from a users’ interaction with their services or platforms for example, what posts they like on social media, which subscriptions they have signed up to using their email address and which products they have bought. As well as ‘metadata’’ which is data that provides information about other data, such as your device type and make, unique identifiers generated by your phone’s operating system and information such as the times you connected and how long you spent using the service. Thanks to online tracking techniques, gatekeepers might also collect information about users on other sites implementing their trackers, such as a news site displaying a Facebook like button or a website displaying Google ads. All this data is combined to build a relatively accurate and valuable picture of users that platforms can monetise. Furthermore, Gatekeepers have had a further advantage of accumulating this data across the number of platforms and services they possess, which in practice, occurs without users being fully aware and having given consent. You can learn more about the privacy and security issues related to these practices on our AdTech learning page.

To address such exploitative practices, Article 5 of the DMA places prohibitions and obligations on Gatekeepers regarding their practices of sharing users’ personal data across its services for the purpose of personalised or targeted advertising. As well as to reinforce users’ rights to freely give consent. In practice this should mean that a company like Alphabet can no longer use data collected on you via your interaction with Google Maps to target you with ads on Google Search without your explicit and meaningful consent.

In this regard the DMA outlines specific requirements around the way in which gatekeepers garner consent from users and prohibits the manipulative and malicious practices they employ to make the user think consenting is more favourable. For example, it specifically outlines that withdrawing consent should not be more difficult than giving consent. Users must be presented with a user-friendly solution to allow them to provide, modify or withdraw consent in an explicit, clear and straightforward manner. Furthermore, choosing to not consent cannot come at a hindrance to certain functionalities or that the user is subject to degraded quality.

Some measures employed by gatekeepers have sparked significant debate and can be said to fall short on meeting the specific requirements. In particular, Meta’s ad-free subscription service which allows users to pay €9.99 per month to use Instagram and Facebook without advertising. Meta has presented this as an option that will “empower end users to freely choose whether Meta can carry out certain data processing activities between different services". They believe that end users are presented with a neutral choice between two options: a personalised service which involves data combination; and a less personalised alternative designed to function without data combination. However, this tactic was met with significant criticism and subsequently subject to investigation for being non-compliant. In July 2024, the EC published its preliminary findings that the “pay or consent” model does not comply with Article 5(2) of DMA as it does not allow users to exercise their right to freely consent, and enable them to opt for a service that uses less of their personal data.

App and browser freedom

Article 6 of the DMA has the potential to empower users with greater freedom to choose their software and apps on their devices, including the right to remove pre-installed apps and gatekeeper search engines. For example, Apple’s Safari search engine as the default browser on iPhone. Article 6(3) enables users to uninstall gatekeepers’ apps on the operating system except those that are essential for the functioning of the operating system or device, and cannot be offered by third parties. In practice this means the gatekeeper should allow and enable users to change their defaults for voice assistants, search engines, browsers, messaging apps and more. Furthermore, they mustn’t prompt the user to replace any of these with a gatekeeper service.

Already there been reports of an increase in uptake of third-party browsers by iPhone users. For example, Aloha Browser claim its EU users have jumped by 250 per cent since March when Apple displayed a new default browser choice screen. Similar increases have also been reported by Brave, Firefox, Vivaldi, DuckDuckGo, Ecosia, and Opera.

However, gatekeepers can still apply measures and settings to protect the security of third-party apps or app store. This has been flagged by critics and competitors as a loophole gatekeepers are deploying to deter users, in the form of a warning message when users choose third-party apps, flagging that they may not be secure or legitimate. Therefore this feature can potentially be leveraged as a scare tactic. We co-signed a civil society submission to the EC highlighting attempts by Apple to circumvent aspects of the DMA that are meant to allow people freedom of choice on their own devices. It presents evidence that Apple has been interpreting the DMA’s browser choice provision in a way that makes it difficult for people to choose a web browser other than Apple’s own Safari on iPhones and iPads by using deceptive design tactics.

Interoperability

Interoperability is the ability to exchange data, information and functionality across different platforms and applications. In other words, it is about making different systems or infrastructures compatible with one another by making them mutually legible and able to interconnect.

Article 7 of the DMA imposes an interoperability clause for number-based messaging services such as Meta’s Whatsapp and Facebook Messenger. It requires gatekeepers to ensure free of charge and upon request, interoperability with certain basic functionalities of their number-independent interpersonal communications services to third-party providers of such services. This will enable third party or alternative messaging services, for example, Signal, Telegram, and Viber, to become interoperable with messaging platforms that are provided by gatekeepers. In practice this means that if two people are using different messaging apps, they can continue to communicate with each other through their app of choice given that both parties are opted in to the feature. For example, you should be able to send and receive messages from your Signal app to someone using Whatsapp, provided both parties opted-in.

This could potentially pave the way for a different communication infrastructure providing people with greater choice and freedom, and could even reinforce wider rights such as the right to freedom of assembly and protest. Messaging apps have become vital for individuals to organise and communicate with fellow protesters and curtails the ability of governments to shut down lines of communication.

Interoperability could also allow for greater accessibility, which can aid the enjoyment of wider rights such as freedom from discrimination and equality. For example, by allowing the ability of smaller competitors to interoperate with larger messaging apps, it could foster innovation and create new ways to assist with language translation within those messaging apps. This could be particularly beneficial given the vast cultural and linguistic diversity across Europe. Therefore, interoperability could be seen as innovation for greater equality.

The interoperability obligation on messaging services will initially focus on messaging, sending images, voice messages, videos, and files between two people, calls and group chats will come at a later time. The rules only apply to messaging services and not traditional SMS messaging.

It is key that people are given the ability to choose whether or not they want to participate and opt in to exchanging messages with third parties. However, there is a risk that gatekeepers will make this option inaccessible within the app interface and not promote it to users in a clear and meaningful way which restricts the number of individuals opting in.

Furthermore, the interoperability provisions of the DMA have also sparked debate around end-to-end encryption. The DMA requires enabling interoperability should not diminish the privacy and security of users, but from a technical perspective it creates new challenges for upholding end-to-end encryption. While it’s an excellent demand from a competition perspective the EC should be particularly careful to ensure it doesn’t erode security of those services.

Gatekeepers’ reluctance to implement the DMA

Big tech companies have raised criticism of the DMA since it was first introduced by the EC and they have dragged their feet in implementing the obligations imposed on them. Some unsuccessfully challenged the EC’s decision to designate them as gatekeepers for some core services, as well as arguing that certain DMA provisions undermine security and hamper innovation. These are all well known and tested tactics to resist changes which may affect their dominance in the digital market and their practices of exploiting individuals’ data to maintain and grow their power.

The EC’s designation of Big Tech companies and their services as gatekeepers under the DMA was immediately met with resistance by some players. Meta was the first to bring a legal challenge before the EU’s General Court, contesting the inclusion of its Messenger and Marketplace services within the DMA’s framework. They argued that these specific services did not qualify because it is a consumer-to-consumer service without intermediary involvement and therefore should be exempted from the gatekeeper designation. TikTok, owned by ByteDance, also challenged its classification as a social network and a digital gatekeeper under the DMA arguing it has not been operating in the market that long and does not meet the law’s threshold for revenues generated in the European Economic Area of 7.5 billion euros ($8.13 billion) per annum.
Apple also made a legal challenge at efforts to re-classify its core platform services, particularly with regards to its operating systems (iOS, iPadOS, macOS, watchOS, and tvOS), App Store, and Safari, arguing that these services should be segregated according to their device-specific functionality. They have also argued that it runs five separate App Stores (which would be conveniently small enough to avoid the EU regulation) instead of a single platform. While this argument wasn’t successful, they did manage to convince the EC that iMessage doesn’t qualify as gatekeeper service, avoiding requirements to make it interoperable with other messaging platforms.

Article 11 of the DMA outlines requirements for gatekeeper ‘reporting’ and provides that within 6 months of being designated a gatekeeper they must provide reports in a detailed and transparent manner that outline the measures it has implemented to ensure compliance with the obligations laid down in Articles 5, 6 and 7. In addition, the EC organised a series of compliance workshops facilitated by the EC inviting each gatekeeper to present their their compliance measures and respond to interested stakeholders including civil society.

Following these, gatekeeper’s measures to comply have drawn criticism from smaller competitors and civil society as falling short in meeting their obligations. For smaller competitors to benefit from the DMA they are reliant on the gatekeepers to implement changes for them to be able to take advantage of these rights. Civil society has also been working to highlight gatekeeper’s lack of compliance. For example, alongside colleagues at EDRi we co-signed a submission to the EC highlighting Apple’s attempts to circumvent the DMA’s goals of allowing people freedom of choice on their own devices.

This has not gone unnoticed as the EC DMA enforcement team has since announced several investigations into gatekeepers’ non-compliance with the DMA. A number of investigations have been launched against Apple, the first which concerned a breach of Article 5(4) regarding steering rules and business terms of the App store and the second concerned a breach of Article 6(3) regarding their obligation to easily uninstall apps, change default settings and prompt users with choice screens. A third investigation was also launched concerning possible breach of Article 6(4) regarding the ability to offer an app via an alternative distribution channel. Apple has so far kept the option to subscribe to the previous conditions, which do not allow alternative distribution channels at all.

Two investigations have also been launched into Alphabet, the first which concerned a possible breach of Article 5(4) regarding rules on steering in Google Play, and the second a possible breach of Article 6(5) which concerns self-preferencing on Google Search.

So far the Commission has published their preliminary findings of two investigations. In June 2024, the EC announced Apple’s non-compliance with Article 5(4) their preliminary findings confirm that Apple’s App Store rules are in breach of the DMA “as they prevent app developers from freely steering consumers to alternative channels for offers and content”.

In July 2024, the EC also published its preliminary findings that Meta’s “pay or consent” advertising model fails to comply with Article 5(2). In the Commission’s preliminary view, this binary choice forces users to consent to the combination of their personal data and fails to provide them a less personalised but equivalent version of Meta’s social networks.

Gatekeepers have also been openly critical about changes required of them under the DMA which they argue will come with implications for the security of their products and services. Apple has complained that changes required of them would make iPhones and laptops less secure. For example, they maintain that rules they have imposed via the Apple App store has protected people from installing applications from unauthorised sources and has therefore protected iPhone users’ from fraud and malware. However, this argument is somewhat misplaced given that the DMA specifically references the need to maintain upholding privacy and security alongside any changes. Additionally, some gatekeepers are already lagging behind some competitors who offer even further privacy focused services such as messaging service ‘Signal’.

Likewise, Google’s Director of Competition wrote that some rules imposed on them under the DMA have led to difficult trade-offs that will impact on their users and businesses. For example, they claim that businesses will lose out due to changes that have had to make to Google Search which they argue may send more traffic to large intermediaries and aggregators, and less traffic to direct suppliers like hotels, airlines, merchants and restaurants. For consumers, they also claim some of the features they have developed to help people get things done quickly and securely online for example, like providing recommendations across different products, won’t work in the same way anymore.

These narratives are particularly unhelpful for consumers and small businesses given the context of Big Tech’s dominance and control over the market, and their ability to maintain opacity around their practices, which may sow seeds of doubt in users’ minds. Furthermore, these arguments are not surprising given the nature and purpose of the DMA which is to break up Big Tech’s dominance in the digital market, and curtail their exploitative practices to dismantle their power.

Conclusions

The DMA has the potential to address some of the negative effects of Big Tech’s concentration of power by imposing restrictions on their exploitative practices, by reinforcing the rights of users and empowering competitors. Healthy competition is key for our rights as users of digital products and services, and we should not allow gatekeepers to diminish or take away our digital rights and freedoms. In theory, competition should flourish through obligations imposed on Big Tech companies by giving users greater choice in a variety of markets and stop the ability of Big Tech to hinder the innovation and standards of its competitors. However, gatekeeper’s willingness to implement measures and comply with the DMA alongside the EC’s enforcement and oversight of the DMA is paramount to its success. Furthermore, the Commission must continue to include civil society and other relevant stakeholders in the enforcement of the rules, to make sure a variety of perspectives are considered and to ensure the full potential of the DMA is realised.