The European Union's (EU) Digital Markets Act (DMA) aims to control large online platforms – called 'gatekeepers’ – to ensure they promote fair competition and give consumers more choices in the digital economy. It includes requirements like audits of customer profiling methods and rules on how they operate and interact with other businesses and consumers. Passed into law in 2022, gatekeeper status will be established in 2023 before a full enforcement date in early 2024.
Key Takeaways
The close of 2022 saw the European Union make significant strides in its campaign to regulate the online platform economy and other digital technologies. Notably, the Digital Markets Act (DMA) and the Digital Services Act (DSA) both entered into force in late-October/early November 2022, and the final General Approach to the EU AI Act was adopted on December 6th 2022. However, this is just the beginning.
The first week of 2023 saw the Irish Data Protection Commission, an EU regulatory body, fining Meta over €400 million for breaching the GDPR by forcing users to accept targeted ads. With the DSA imposing regulations on algorithmic ad targeting and the DMA focuses on how online platforms operate with respect to fair competition and consumer choice, companies will soon struggle to find loopholes in avoiding doing their due diligence, meaning that digital technologies will be made safer for users.
This article gives a high-level overview of the DMA, focusing on Article 15, which mandates independent audits. It also discusses what this means in tandem with the DSA and EU AI Act.
Referred to as a landmark piece of legislation, the DMA strives to reduce the bottlenecks that so-called gatekeepers create by monopolising the digital economy. Here, gatekeepers are defined as providers of core platform services:
Providers of these services fall under the scope of the legislation if they meet these objective criteria:
1. Size that impacts the internal market
2. The control of an important gateway for business users towards final consumers
3. An entrenched and durable position
The designation of gatekeepers is based on the presumption that companies are given the opportunity to rebut this assumption. By providing evidence and arguments that speak to potential extenuating circumstances, companies can argue that they should not be designated as gatekeepers despite meeting the criteria.
While the DMA begins to apply on the 2nd of May 2023, companies will have until June/July 2023 to notify the commission of their qualification as a gatekeeper. Gatekeepers will then be officially designated around August/September 2023 and the DMA will become fully enforced from February/March 2024.
Conversely, the EU Commission can also launch their own market investigation using a qualitative assessment to deem a company a gatekeeper even if the outlined criteria or threshold are not met, extending the prowess of the legislation even further.
The designation of gatekeepers is significant because of the specific obligations that have been set forth by the legislation for them. Among these requirements is the Obligation of Independent Audit (Article 15).
Leaving no room to avoid transparency, under Article 15 companies must perform an independent audit about the profiling methods of customers used across any of its core platform service(s) and send this to the European Commission.
The DMA refers to the GDPR regarding defining and understanding the profiling methods in question, where Article 4, defines profiling as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.’ Thus, under the DMA, data processing activities must be audited to ensure legal compliance.
The adoption of this definition by the DMA further exemplifies the EU Commission’s commitment towards the protection of natural persons in respect to the processing of their data. Consequently, companies should pay attention this definition as it is likely this will serve as the broad basis for the obligated independent audits.
Further, companies will also be obligated to make publicly available an overview of the audit and update this description annually.
Akin to its sister legislation, the DSA, which imposes hefty fines of up to 6% of annual revenue, the DMA does not hold back on fines. Failure to comply could result in a fine of up to 10% of the company’s total worldwide annual turnover or up to 20% in the case of repeated infringements and periodic penalty payments of up to 5% of the company’s total worldwide daily turnover.
Outside of independent audits, obligations for gatekeepers include:
The obligations of the gatekeepers highlight the EU’s overall commitment to protecting both consumer data and choice, as well as the legislation’s specific commitment to utilising transparency to foster market fairness.
The Commission has also outlined examples of specific don’ts which companies should be aware that will no longer be acceptable:
The focus on effective consent very well presents a threat to many big-tech companies existing businesses models where tacit consent has been considered the standard. However, the EU commission is making it clear that this will no longer cut it.
Although the EU AI Act is leading the discourse and preparation surrounding regulating the use of algorithms and artificial intelligence in business and organisational practices this may be considered a short-sighted approach. The collective impact of the EU AI Act, the DMA and DSA is likely to be significant and ensure that digital technologies in the EU are safer for users.
The three pieces of robust legislation will work in tandem to ensure companies are not misusing AI or leveraging innovative technology unchecked to promote gains while not considering implications for both the consumer and society.
While each of the legislation’s are underpinned by different goals and enforcement mechanisms, a central theme which cannot be ignored is transparency. Further, each piece of legislation mandates that companies and organisations that meet specific criteria conduct independent audits, conformity assessments and/or third-party audits in order to comply and avoid the potential of unprecedented fines.
While the rules will only be enforced for companies that have business operations in the EU, the DMA is also anticipated to accelerate setting a global precedent. For example, it is predicted that the Federal Trade Commission in the US will see a continuance in winning cases against companies which leverage data unchecked (Everalbum, Cambridge Analytica etc.).
Regulation like this will soon mean that AI around the world is deployed with greater accountability, and the importance of independent audits for your business will only grow.
Get in touch with us at we@holisticai.com to find out more about how we can help you prepare for this and other upcoming regulations.
The legislation was officially enforced on 2 May 2023. Once gatekeeper status is established, the act will be fully enforced from February or March 2024.
The Digital Markets Act applies to providers of core platform services that meet specific size, control, and durability criteria defined in the legislation. These services include online intermediation services, online search engines, social networking services, and video-sharing platform services.
The purpose of the Digital Markets Act is to regulate how online platforms operate, with the aim of ensuring fair competition and consumer choice in the digital economy. It aims to control the influence of 'gatekeepers' who monopolise the digital economy and mandates independent audits of customer profiling methods.
The DSA imposes regulations on algorithmic ad targeting, whereas the DMA focuses on regulating the operations of online platforms to promote fair competition and consumer choice.
Under the DMA, 'gatekeepers' are defined as providers of core platform services that meet specific criteria related to their size, control of an important gateway for business users towards final consumers, and an entrenched and durable position in the market. These services can include things like online search engines and social networking services among others.
DISCLAIMER: This blog article is for informational purposes only. This blog article is not intended to, and does not, provide legal advice or a legal opinion. It is not a do-it-yourself guide to resolving legal issues or handling litigation. This blog article is not a substitute for experienced legal counsel and does not provide legal advice regarding any situation or employer.
Schedule a call with one of our experts