After its initial proposal in December 2020, the landmark European Digital Markets Act (DMA) has entered into force on the 1st of November 2022. This new regulation is striving for a fair and competitive digital economy and establishing a level playing field for businesses operating online. To help foster competition, the DMA relies on ‘interoperability’. This is an important tool in promoting competition and to prevent monopolies shutting down, or stifling user-empowered growth and innovation. The DMA will require gatekeepers to allow other services to ‘interoperate’ with their services, prevent them from treating their own service with favourability, and require them to allow their users to uninstall any pre-installed apps or software.
In this blog, we will focus on what the purpose of this new regulation is, how it will have an impact on EU GDPR and EU data rights, and what steps should be taken to manage tensions between the DMA and the EU GDPR. As this legislation only affects data subjects who are resident within the European Union, ‘GDPR’ refers only to EU GDPR.
The Digital Markets Act is the regulation that sets rules for a narrowly defined large online platform called the gatekeepers. Its main objective is to solve the traditional anti-trust problems in the digital sector by defining a large online platform that provides an important gateway between business users (BUs) and consumers as a digital gatekeeper.
The digital gatekeeper is the core online platform that will offer services between consumers and organisations, it will have most likely become indispensable to thousands of organisations and millions of consumers.
The core platform providers can be online intermediation services, search engines, video-sharing platforms, web browsers, operating systems, online advertising services and digital assistants.
The 3-part test to qualify as a gatekeeper includes:
The Commission then designates the organisation as a gatekeeper, unless the organisation provides compelling evidence to the contrary. The Gatekeeper must comply with the requirements within 6 months of being awarded gatekeeper status and it will be re-evaluated every 3 years.
If any digital platform qualifies as a gatekeeper under the above criteria, they will be required to:
Digital gatekeepers should keep in mind that they should not:
In case of non-compliance, the gatekeepers will be imposed fines of up to 10% of its total global annual turnover or 20% in the event of a repeated infringement. Periodically, the gatekeeper may be entitled to fines up to 5% of the average daily global turnover in case of non-compliance with prior recommendations.
Before going through the DMA’s impacts on the GDPR, the first thing to bear in mind is that both instruments have a philosophical difference in approach. For the GDPR, its purpose is to limit the data flows and empower the An individual who can be identified or is identifiable from data. and, in some cases, this means preventing data sharing.
On the other hand, the purpose of the DMA is to encourage data sharing, to bypass traditional anti-trust enforcement, and to create upfront obligations to gatekeepers in order to level the playing field for small companies in the digital world. Meaning the DMA has a more economic and anti-monopolistic stance when compared to the GDPR, which takes an economically natural standing – treating all businesses the same. Thus, they have different purposes and different legal bases.
Though the DMA and the GDPR have different legal bases, there are similarities between both. In some situations, the DMA follows and refers to the rules set out in the GDPR. For example, the DMA refers to the definition of ‘consent’ and ‘profiling’ that are laid out in the GDPR and complements Article 4 of the GDPR. The DMA solves the problem regarding the lack of transparency in profiling practices by letting the gatekeepers submit an independently audited description of the techniques for profiling of their consumers.
Despite the similarities between the DMA and the GDPR, there are some unclear areas which may create tensions between the two pieces of legislation. The main three are:
To ensure the cooperation between both instruments, further examples and guidance on how best to involve the data protection authorities and the EDPB in the formal decision-making An approved and established way of completing a certain task. from the European Commission and vice versa is required.
Though there is indeed a need for some coordination and clarification, there’s no contradiction between the DMA and the GDPR. Still, other tensions remain unsolved and all we can do is wait and see.
If your organisation will be impacted by the new regulation and require advice and support with complying with both EU and/or The UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU., please fill out the form below.
Fill in your details below and we’ll get back to you as soon as possible