2022 marked a strong ending for the EU and its efforts to crack down on the online platform economy and other digital technologies. Notably, the Digital Markets Act (DMA) and the Digital Services Act (DSA) both entered into force in late-October/early November 2022, and the final General Approach to the EU AI Act was adopted on December 6th 2022. However, this is just the beginning.
The first week of 2023 saw the Irish Data Protection Commission, an EU regulatory body, fining Meta over €400 million for breaching the GDPR by forcing users to accept targeted ads. With the DSA imposing regulations on algorithmic ad targeting and the DMA focusing on how online platforms operate with respect to fair competition and consumer choice, companies will soon struggle to find loopholes to avoid doing their due diligence, meaning that digital technologies will be made safer for users.
This article gives a high-level overview of the DMA, focusing on Article 15, which mandates independent audits. It also discusses what this means in tandem with the DSA and EU AI Act.
Referred to as a landmark piece of legislation, the DMA strives to reduce the bottlenecks that so-called gatekeepers create by monopolising the digital economy. Here, gatekeepers are defined as providers of core platform services:
Providers of these services fall under the scope of the legislation if they meet these objective criteria:
1. Size that impacts the internal market
2. The control of an important gateway for business users towards final consumers
3. An entrenched and durable position
The designation of gatekeepers is based on a presumption, which companies are given the opportunity to rebut. By providing evidence and arguments that speak to potential extenuating circumstances, companies can argue that they should not be designated as gatekeepers despite meeting the criteria.
While the DMA begins to apply on the 2nd of May 2023, companies will have until June/July 2023 to notify the Commission of their qualification as a gatekeeper. Gatekeepers will then be officially designated around August/September 2023 and the DMA will become fully enforced from February/March 2024.
Conversely, the EU Commission can also launch its own market investigation, using a qualitative assessment to deem a company a gatekeeper even if the outlined criteria or thresholds are not met, extending the reach of the legislation even further.
The designation of gatekeepers is significant because of the specific obligations that have been set forth by the legislation for them. Among these requirements is the Obligation of Independent Audit (Article 15).
Leaving no room to avoid transparency, Article 15 requires companies to perform an independent audit of the customer profiling methods used across any of their core platform service(s) and send this to the European Commission.
The DMA refers to the GDPR to define the profiling methods in question. Article 4 of the GDPR defines profiling as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.’ Thus, under the DMA, data processing activities must be audited to ensure legal compliance.
The adoption of this definition by the DMA further exemplifies the EU Commission’s commitment to the protection of natural persons with respect to the processing of their data. Consequently, companies should pay attention to this definition, as it is likely to serve as the broad basis for the obligatory independent audits.
Further, companies will also be obligated to make publicly available an overview of the audit and update this description annually.
Akin to its sister legislation, the DSA, which imposes hefty fines of up to 6% of annual revenue, the DMA does not hold back on fines. Failure to comply could result in a fine of up to 10% of the company’s total worldwide annual turnover or up to 20% in the case of repeated infringements and periodic penalty payments of up to 5% of the company’s total worldwide daily turnover.
Outside of independent audits, obligations for gatekeepers include:
The obligations of the gatekeepers highlight the EU’s overall commitment to protecting both consumer data and choice, as well as the legislation’s specific commitment to utilising transparency to foster market fairness.
The Commission has also outlined examples of specific don’ts which companies should be aware will no longer be acceptable:
The focus on effective consent may very well present a threat to many big-tech companies’ existing business models, where tacit consent has been considered the standard. However, the EU Commission is making it clear that this will no longer cut it.
Although the EU AI Act is leading the discourse and preparation surrounding the regulation of algorithms and artificial intelligence in business and organisational practices, focusing on it alone may be considered a short-sighted approach. The collective impact of the EU AI Act, the DMA and the DSA is likely to be significant and ensure that digital technologies in the EU are safer for users.
The three pieces of robust legislation will work in tandem to ensure companies are not misusing AI or leveraging innovative technology unchecked to promote gains while not considering implications for both the consumer and society.
While each piece of legislation is underpinned by different goals and enforcement mechanisms, a central theme which cannot be ignored is transparency. Further, each piece of legislation mandates that companies and organisations that meet specific criteria conduct independent audits, conformity assessments and/or third-party audits in order to comply and avoid the potential of unprecedented fines.
While the rules will only be enforced for companies that have business operations in the EU, the DMA is also anticipated to accelerate the setting of a global precedent. For example, it is predicted that the Federal Trade Commission in the US will continue to win cases against companies which leverage data unchecked (Everalbum, Cambridge Analytica etc.).
Regulation like this will soon mean that AI around the world is deployed with greater accountability, and the importance of independent audits for your business will only grow.
Written by Ashyana-Jasmine Kachra, Policy Associate at Holistic AI and Airlie Hilliard, Senior Researcher at Holistic AI