Digital Markets Act: The EU Commission is Cracking Down
Regulations

Digital Markets Act: The EU Commission is Cracking Down

January 10, 2023

Key Takeaways

  • The Digital Markets Act (DMA) came into effect on 1 November 2022, and focuses on regulating how online platforms operate with respect to fair competition and consumer choice by reducing the bottlenecks that so-called gatekeepers create by monopolising the digital economy.
  • The designation of gatekeepers is based on the presumption that companies are given the opportunity to rebut this assumption.
  • Conversely, the EU Commission can also launch their own market investigation using a qualitative assessment to deem a company a gatekeeper even if the outlined criteria or threshold are not met, extending the reach of the legislation even further.
  • Leaving no room to avoid transparency, under Article 15 companies must perform an independent audit about the profiling methods of customers used across any of its core platform service(s) and send this to the European Commission.    
  • The collective impact of the EU AI Act, the DMA and DSA is likely to be significant and ensure that digital technologies in the EU are safer for users, with the potential to set a global precedent.

2022 marked a strong ending for the EU and its efforts to crackdown on the online platform economy and other digital technologies. Notably, the Digital Markets Act  (DMA) and the Digital Services Act (DSA) both entered into force in late-October/early November 2022, and the final General Approach to the EU AI Act was adopted on December 6th 2022. However, this is just the beginning.

The first week of 2023 saw the Irish Data Protection Commission, an EU regulatory body, fining Meta over €400 million for breaching the GDPR by forcing users to accept targeted ads. With the DSA imposing regulations on algorithmic ad targeting and the DMA focuses on how online platforms operate with respect to fair competition and consumer choice, companies will soon struggle to find loopholes in avoiding doing their due diligence, meaning that digital technologies will be made safer for users.

This article gives a high-level overview of the DMA, focusing on Article 15, which mandates independent audits. It also discusses what this means in tandem with the DSA and EU AI Act.

The Digital Markets Act at a Glance

Referred to as a landmark piece of legislation, the DMA strives to reduce the bottlenecks that so-called gatekeepers create by monopolising the digital economy. Here, gatekeepers are defined as providers of core platform services:

  • Online intermediation services
  • Online search engines
  • Online social networking services
  • Video-sharing platform services
  • Number-independent interpersonal communication services
  • Operating systems
  • Cloud computing services
  • Advertising services
  • Web browsers
  • Virtual assistants

Providers of these services fall under the scope of the legislation if they meet these objective criteria:

1. Size that impacts the internal market

  1. Annual union turnover equal to or above €7.5 billion in in each of the last three financial years
    OR
  2. Average market capitalisation or equivalent fair market value amounted to at least €75 billion in the last financial year
    AND
  3. Provides core platform service in at least three Member States

2. The control of an important gateway for business users towards final consumers

  1. If the company operates a core platform service with more than 45 million monthly active end users established
    OR
  2. Located in the EU and more than 10,000 yearly active business users established in the EU in the last financial year

3. An entrenched and durable position

  1. If the company met the second criterion in each of the last three financial years

The designation of gatekeepers is based on the presumption that companies are given the opportunity to rebut this assumption. By providing evidence and arguments that speak to potential extenuating circumstances, companies can argue that they should not be designated as gatekeepers despite meeting the criteria.

Enforcement

While the DMA begins to apply on the 2nd of May 2023, companies will have until June/July 2023 to notify the commission of their qualification as a gatekeeper. Gatekeepers will then be officially designated around August/September 2023 and the DMA will become fully enforced from February/March 2024.

Conversely, the EU Commission can also launch their own market investigation using a qualitative assessment to deem a company a gatekeeper even if the outlined criteria or threshold are not met, extending the prowess of the legislation even further.

Article 15

The designation of gatekeepers is significant because of the specific obligations that have been set forth by the legislation for them. Among these requirements is the Obligation of Independent Audit (Article 15).

Leaving no room to avoid transparency, under Article 15 companies must perform an independent audit about the profiling methods of customers used across any of its core platform service(s) and send this to the European Commission.

The DMA refers to the GDPR regarding defining and understanding the profiling methods in question, where Article 4, defines profiling as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.’ Thus, under the DMA, data processing activities must be audited to ensure legal compliance.

The adoption of this definition by the DMA further exemplifies the EU Commission’s commitment towards the protection of natural persons in respect to the processing of their data. Consequently, companies should pay attention this definition as it is likely this will serve as the broad basis for the obligated independent audits.

Further, companies will also be obligated to make publicly available an overview of the audit and update this description annually.

Digital Markets Act

Akin to its sister legislation, the DSA, which imposes hefty fines of up to 6% of annual revenue, the DMA does not hold back on fines. Failure to comply could result in a fine of up to 10% of the company’s total worldwide annual turnover or up to 20% in the case of repeated infringements and periodic penalty payments of up to 5% of the company’s total worldwide daily turnover.

Do’s & Don'ts

Outside of independent audits, obligations for gatekeepers include:

  • Allowing business users to access the data they generate on the platform
  • Providing companies that advertise on their platform the information and tools necessary for both advertisers and publishers to carry-out their own independent verification of their advertisements hosted on the platform
  • Allowing business users to promote and conclude contracts with customers outside of the gatekeeper’s platform

The obligations of the gatekeepers highlight the EU’s overall commitment to protecting both consumer data and choice, as well as the legislation’s specific commitment to utilising transparency to foster market fairness.

The Commission has also outlined examples of specific don’ts which companies should be aware that will no longer be acceptable:

  • Treating their own services and products more favourably than in ranking than those offered by third parties on the platform
  • Preventing consumers from reaching businesses outside of their platforms (linking)
  • Preventing users from being able to uninstall any pre-installed software or app that they want to
  • Tracking end-users for purposes outside of the gatekeeper’s core platform service for purposes of targeted advertising, without effective consent being granted
Digital Markets Act - Do's and Don'ts

The focus on effective consent very well presents a threat to many big-tech companies existing businesses models where tacit consent has been considered the standard. However, the EU commission is making it clear that this will no longer cut it.

The Power of Three

Although the EU AI Act is leading the discourse and preparation surrounding regulating the use of algorithms and artificial intelligence in business and organisational practices this may be considered a short-sighted approach. The collective impact of the EU AI Act, the DMA and DSA is likely to be significant and ensure that digital technologies in the EU are safer for users.

The three pieces of robust legislation will work in tandem to ensure companies are not misusing AI or leveraging innovative technology unchecked to promote gains while not considering implications for both the consumer and society.

While each of the legislation’s are underpinned by different goals and enforcement mechanisms, a central theme which cannot be ignored is transparency. Further, each piece of legislation mandates that companies and organisations that meet specific criteria conduct independent audits, conformity assessments and/or third-party audits in order to comply and avoid the potential of unprecedented fines.

Your next steps

While the rules will only be enforced for companies that have business operations in the EU, the DMA is also anticipated to accelerate setting a global precedent. For example, it is predicted that the Federal Trade Commission in the US will see a continuance in winning cases against companies which leverage data unchecked (Everalbum, Cambridge Analytica etc.).

Regulation like this will soon mean that AI around the world is deployed with greater accountability, and the importance of independent audits for your business will only grow.

Get in touch with us at we@holisticai.com to find out more about how we can help you prepare for this and other upcoming regulations.

Written by Ashyana-Jasmine Kachra, Policy Associate at Holistic AI and Airlie Hilliard, Senior Researcher at Holistic AI

Manage risks. Embrace AI.

Our automated AI Risk Management platform empowers your enterprise to confidently embrace AI

Get Started