Digital Markets Act and Data Platforms - FRANDs for life?
The Digital Markets Act (the “DMA”) joins the dots between competition law and data protection law and actively targets data-driven platforms. It is also a comprehensive regulation to take note of, with familiar GDPR-style fines tied to turnover.
The Digital Markets Act is the EU’s latest move to try and regulate big technology platforms. The Digital Markets Act joins the dots between competition law and data protection law and actively targets large data-driven platforms. The Digital Markets Act is separate to merger control regulation and the GDPR. The Digital Markets Act is set to regulate the sweet spot, or regulatory shadow in which online platforms currently reside and which “traditional” competition law is unable to tackle.
The Digital Markets Act Digital Markets Act will complement (on a without-prejudice basis) other pieces of EU legislation and, from a data perspective, the GDPR in particular. The Digital Markets Act refers to and uses GDPR definitions in providing for new data protection rules which are in addition to those in the GDPR. The Digital Markets Act does not actually amend the GDPR, however. The Digital Markets Act is also a comprehensive regulation to take note of, with familiar GDPR-style fines tied to turnover.
Digital Markets Act Scope – Data’s Key Role
The Digital Markets Act only catches large platforms, which the Digital Markets Act terms Gatekeepers. To be a “Gatekeeper”, a platform must have a significant impact on the internal market, provide an important gateway for platforms, and enjoy an entrenched and durable position.
Market-share figures are used to bring platforms within scope of the above criteria, and this is likely to form the basis of much of the EU Commission’s jurisdiction. Importantly, Article 3(8) of the Digital Markets Act will provide flexibility to the EU Commission to disregard empirical figures and rely on a more “look and feel” approach to determining whether a platform comes within the criteria above.
A crucial challenge in a competition strategy for data-driven platforms where market-share figures are not met (and compulsory notification is not mandated) will be to remain out of the regulator’s spotlight. Data (in the general sense) is clearly included in Article 3(8) as one of the criteria which the EU Commission may use to bring an undertaking within the scope of the Digital Markets Act. Whether an organisation has data-driven advantages and whether it collects personal and non-personal data, or has analytics capability, will be decisive.
Digital Markets Act’s Combined Data Rules
Article 5(2) regulates platforms making use of combined personal datasets. Single sign-on platforms where personal data is combined for a comprehensive user profile, which data can then be sold to advertisers can be invasive from a privacy perspective. There are now clear provisions in the Digital Markets Act tied to the GDPR standard of consent, offering data subjects a choice as to whether they wish to have their personal data combined from several different platform services. Interestingly, asides from consent, there are quite limited other bases which platforms can use to legitimise such combined data. Currently commonly deployed bases for legitimising such processing such as legitimate interests or being necessary for a contract will not be available.
Levelling the playing field – access to Gatekeeper data for free and on FRAND terms
The Digital Markets Act now provides for a right for business users of a Gatekeeper to request, free of charge, high-quality and real time access to data which is generated in connection with its use of the Gatekeeper’s platform. Gatekeepers have a competitive advantage in the collection and use of both personal and non-personal data. Consider, for example, the position of a large eCommerce platform, which both provides the platform for sellers and sells goods themselves on the same online marketplace; there is a clear competitive advantage for the eCommerce platform in obtaining its competitors’ sales data.
In a similar vein, Gatekeepers will now have to provide access to competitors, on FRAND-style (fair, reasonable and non-discriminatory) terms, to details of competitively-sensitive search engine data which is used to refine search engine results.
Should I be taking notice of the Digital Markets Act?
If within scope, the Digital Markets Act should trigger a reassessment in corporate strategy relating to combining personal datasets. This is particularly the case where platforms use a single sign-on strategy for multiple services. Platforms will now need to have a consumer-ready platform available for those users where they cannot find a legitimate basis to combine end users’ personal data. The Digital Markets Act's data access provisions are also likely to be a significant operational burden; however, it remains to be seen whether it will pose a competitive risk to incumbents due to the scale of data needed by market entrants in the search engine space to be competitive.
There is much to take stock of in the Digital Markets Act. It clearly ushers in a new era for both data protection and competition law and, arguably, muddies the waters between the two areas. Interestingly, many of the obligations in the Digital Markets Act apply not just to personal data, but also to what is now being termed “non-personal data” which, in this context, is data which may be competitively sensitive or otherwise valuable. If you would like assistance navigating whether your platform’s activities are likely to be in scope of the Digital Markets Act, or this complex and evolving area generally, please get in touch with one of the team.