This post is the first of a series of blog posts about the Digital Markets Act (“DMA”), which was adopted on July 18, 2022, and it deals specifically with those provisions of the DMA that are relevant to organizations’ privacy programs.

The DMA sets out the following obligations and restrictions on gatekeepers that are relevant to compliance with privacy rules:

  1. it restricts the GDPR legal bases gatekeepers may rely on to process personal data in certain cases;
  2. it prohibits the processing of certain data generated or received from other businesses or their end users for the purpose of competing with other businesses;
  3. it requires the sharing of end users’ personal data with businesses operating on a gatekeeper’s platform, and with advertising companies the gatekeeper works with, at their request;
  4. it requires gatekeepers to port end users’ data at their request; and
  5. it requires gatekeepers to share independently audited information about profiling techniques with the European Commission.

Below we explain these obligations and prohibitions in more detail.

1. Restricting the legal basis gatekeepers may rely on to process personal data

Under the EU General Data Protection Regulation (“GDPR”), companies must rely on one of the legal bases set out in Article 6 to process personal data.  The DMA provides that gatekeepers may only rely on four legal bases — namely (1) the end users’ (GDPR standard) consent, (2) a legal obligation, (3) the protection of vital interests, or (4) the performance of a task in the public interest — for the following data processing activities:

  • processing personal data of end users using third-party services that also make use of the gatekeeper’s core platform services for online advertising purposes;
  • regardless of the purpose:
    • combining personal data of end users from the relevant core platform service with personal data from end users of any other services provided (1) by the gatekeeper or (2) by third parties; and
    • “cross-using” personal data from end users of the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice-versa.

The DMA also states that gatekeepers may not log end users in to other services they provide in order to combine their personal data.

In practice, private organizations will need to rely on the end user’s consent in these circumstances.  The DMA specifies how companies can meet the GDPR’s standard of consent.  Notably, it states that:

  • at the time of giving consent, the end user should (where applicable) be informed that not giving consent can lead to a less personalized offer, but that the core platform service will otherwise remain unchanged;
  • end users who choose not to give their consent should generally not receive a different or lower-quality service;
  • in limited circumstances only, end users should be able to give consent to a gatekeeper using their personal data to provide online advertising services through each third-party service that makes use of a gatekeeper’s core platform service;
  • online interfaces should not deceive, manipulate or otherwise materially distort or impair the ability of end users to freely give consent; in other words, so-called “dark patterns” to encourage end users to give consent are prohibited;
  • gatekeepers should not be allowed to prompt end users to give their consent for a particular purpose more than once a year; and
  • where consent is required, gatekeepers must allow business users of their services to access the consents obtained by the gatekeeper or be able to comply with data protection rules (e.g., requirements to be able to demonstrate that consent has been obtained) in other ways.

2. Prohibiting processing of non-public data for competition purposes

The DMA prohibits gatekeepers from using, for the purpose of competing with other businesses, any data generated or provided by those business users or their customers in the context of their use of a gatekeeper’s core platform services or related services, unless that data is publicly available.  This could include any data generated by business users as a result of the commercial activities of business users or their customers (e.g., click, search, view and voice data).

3. Sharing personal data with other businesses

Gatekeepers must provide:

  • Business users (and third parties authorized by them) with real-time access to personal data of end users that engage with the products or services provided by those business users, where that data is generated in the context of the use of the relevant core platform services or related services, subject to certain conditions.
  • Advertisers and publishers (and third parties authorized by them) with access to tools for measuring ad performance, and with the data necessary for advertisers and publishers to verify the ad inventory, on request.
  • Number-independent interpersonal communications services (also known as “over-the-top” communications) with personal data needed to make these services interoperable with the gatekeeper’s services, at the end user’s request.

The DMA also requires that gatekeepers provide other providers of online search engines, on request and on fair, reasonable, and non-discriminatory terms, with anonymized ranking, query, click and view data about searches on the gatekeeper’s own search engines. It is unclear whether the European Commission will issue guidance on the standard of anonymization in this context.

4. Porting end users’ data

The DMA requires gatekeepers to provide end users with the ability to port data they have provided or that is generated through their activity on a core platform service to other providers, free of charge.

5. Sharing data on profiling with the European Commission

Within six months of being designated as a gatekeeper, each gatekeeper must submit to the Commission an independently audited description of any techniques it uses to profile consumers on its core platform services.  This must at least include information about (1) whether personal data is involved; (2) the purpose of the profiling; (3) the duration of the profiling; (4) the impact of such profiling on the gatekeeper’s services; (5) the steps taken to effectively enable end users to be aware of the relevant use of such profiling; and (6) the steps taken to seek end users’ consent or provide them with the possibility of denying or withdrawing consent.  The Commission will transmit this information to the European Data Protection Board.

* * *

Combining our competition, technology regulatory and privacy expertise, our cross-disciplinary team has advised several companies in analyzing the DMA’s provisions, helping clients understand how they might be impacted, and assisting them with developing global compliance strategies. The Covington team will keep monitoring the developments on the DMA, and is happy to assist with any potential inquiry on the topic.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Christian Ahlborn

For more than 20 years Christian Ahlborn has been advising multinational corporates, banks and other institutions on all aspects of global competition law, combining an in-depth understanding of the subject with a pragmatic approach.

Christian is qualified in England & Wales and in Germany and is widely recognized as a market-leading competition lawyer. He is also a trained economist. Christian belongs to a small group of antitrust practitioners who can bring both a legal and economic perspective to a case.

Christian advises major corporates, banks and institutions on all areas of global competition law. He has a broad range of experience in EU competition law, particularly in relation to complex M&A, behavioral antitrust work, control of dominance issues and State aid control. He is well-known for extensive work on high-profile matters.

Christian’s experience spans many industry sectors, with particular experience in financial services, IT, fast-moving consumer goods and mining.

During his career Christian has been seconded to the European Commission’s Directorate-General for Competition and to the Bundeskartellamt. He is also well known on the Brussels market.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Diane Valat

Diane Valat is a Trainee who attended IE University in Madrid, Spain.