This post is the first of a series of blog posts about the Digital Markets Act (“DMA”), which was adopted on July 18, 2022, and it deals specifically with those provisions of the DMA that are relevant to organizations’ privacy programs.
The DMA sets out the following obligations and restrictions on gatekeepers that are relevant to compliance with privacy rules:
- it restricts the GDPR legal bases gatekeepers may rely on to process personal data in certain cases;
- it prohibits the processing of certain data generated or received from other businesses or their end users for the purpose of competing with other businesses;
- it requires the sharing of end users’ personal data with businesses operating on a gatekeeper’s platform, and with advertising companies the gatekeeper works with, at their request;
- it requires gatekeepers to port end users’ data at their request; and
- it requires gatekeepers to share independently audited information about profiling techniques with the European Commission.
Below we explain these obligations and prohibitions in more detail.
1. Restricting the legal basis gatekeepers may rely on to process personal data
Under the EU General Data Protection Regulation (“GDPR”), companies must rely on one of the legal bases set out in Article 6 to process personal data. The DMA provides that gatekeepers may only rely on four legal bases — namely (1) the end users’ (GDPR standard) consent, (2) a legal obligation, (3) the protection of vital interests, or (4) the performance of a task in the public interest — for the following data processing activities:
- processing personal data of end users using third-party services that also make use of the gatekeeper’s core platform services for online advertising purposes;
- regardless of the purpose:
  - combining personal data of end users from the relevant core platform service with personal data from end users of any other services provided (1) by the gatekeeper or (2) by third parties; and
  - “cross-using” personal data from end users of the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice-versa.
The DMA also states that gatekeepers may not log end users in to other services they provide in order to combine their personal data.
In practice, private organizations will need to rely on the end user’s consent in these circumstances. The DMA specifies how companies can meet the GDPR’s standard of consent. Notably, it states that:
- at the time of giving consent, the end user should (where applicable) be informed that not giving consent can lead to a less personalized offer, but that the core platform service will otherwise remain unchanged;
- end users who choose not to give their consent should generally not receive a different or lower-quality service;
- in limited circumstances only, end users should be able to give consent to a gatekeeper using their personal data to provide online advertising services through each third-party service that makes use of a gatekeeper’s core platform service;
- online interfaces should not deceive, manipulate or otherwise materially distort or impair the ability of end users to freely give consent – in other words, so-called “dark patterns” to encourage end users to give consent are prohibited;
- gatekeepers should not be allowed to prompt end users to give their consent for a particular purpose more than once a year; and
- where consent is required, gatekeepers must allow business users of their services to access the consents obtained by the gatekeeper or be able to comply with data protection rules (e.g., requirements to be able to demonstrate that consent has been obtained) in other ways.
2. Prohibiting processing of non-public data for competition purposes
The DMA prohibits gatekeepers from using, for the purpose of competing with other businesses, any data generated or provided by those business users or their customers in the context of their use of a gatekeeper’s core platform services or related services, unless that data is publicly available. This could include any data generated by business users as a result of the commercial activities of business users or their customers (e.g., click, search, view and voice data).
3. Sharing personal data with other businesses
Gatekeepers must provide:
- Business users (and third parties authorized by them) with real-time access to personal data of end users that engage with the products or services provided by those business users, where that data is generated in the context of the use of the relevant core platform services or related services, subject to certain conditions.
- Advertisers and publishers (and third parties authorized by them) with access to tools for measuring ad performance, and with the data necessary for advertisers and publishers to verify the ad inventory, on request.
- Number-independent interpersonal communications services (also known as “over-the-top” communications) with personal data needed to make these services interoperable with the gatekeeper’s services, at the end user’s request.
The DMA also requires that gatekeepers provide to other providers of online search engines, on request and on fair, reasonable, and non-discriminatory terms, anonymized ranking, query, click and view data relating to searches on the gatekeeper’s own search engines. It is unclear whether the European Commission will issue guidance on the standard of anonymization in this context.
4. Porting end users’ data
The DMA requires gatekeepers to provide end users with the ability to port data they have provided or that is generated through their activity on a core platform service to other providers, free of charge.
5. Sharing data on profiling with the European Commission
Within six months of being designated as a gatekeeper, each gatekeeper must submit to the Commission an independently audited description of any techniques it uses to profile consumers on its core platform services. This must at least include information about (1) whether personal data is involved; (2) the purpose of the profiling; (3) the duration of the profiling; (4) the impact of such profiling on the gatekeeper’s services; (5) the steps taken to effectively enable end users to be aware of the relevant use of such profiling; and (6) the steps taken to seek end users’ consent or provide them with the possibility of denying or withdrawing consent. The Commission will transmit this information to the European Data Protection Board.
* * *
Combining our competition, technology regulatory and privacy expertise, our cross-disciplinary team has advised several companies in analyzing the DMA’s provisions, helping clients understand how they might be impacted, and assisting them with developing global compliance strategies. The Covington team will keep monitoring the developments on the DMA, and is happy to assist with any potential inquiry on the topic.