We have it! Both the Council of the European Union and the Internal Market and Consumer Protection Committee adopted their versions of the Digital Markets Act. After the upcoming EP Plenary vote we will spend a good part of 2022 following the intransparent and unpredictable negotiations between the two bodies. Let’s take a look at what they are bringing to the negotiating table if it comes to big ideas and, above all, new benefits for users.
How it started, how it’s going
After the European Commission showed its proposals for the Digital Markets Act, there were different views on how to make it better; the EC proposal lacked teeth, especially regarding any mechanisms that could break the grip that GAFAM has on the internet. For us, at Wikimedia, the most desired approach would have been to address the business model and not merely base the gatekeeper qualification on turnover and market capitalisation.
It turned out very quickly, however, that the legislators are not in a mood to overturn the status quo. That was not exactly the key objective for the IMCO Committee Rapporteur, although Shadow Rapporteurs managed to introduce good ideas, as we will see below. Now we are awaiting the Plenary vote, most likely on December 16th. It remains to be seen whether the IMCO report will be in any way amended. But it doesn’t seem likely that the changes, if any, are substantial and it is unlikely that the file that the need for is so widely understood would be rejected.
“Since DMA gives new powers to the European Commission, it seemed inevitable that the Council would want to partake in these duties.”
It is quite difficult to follow the work of the Council of the EU as the member states remain quite secretive of the negotiations. What we see from the Council’s adopted approach is that the member states generally liked the EC’s ideas and didn’t change the qualifications to become a gatekeeper. But they shortened deadlines in the procedure of designating them.
One thing is for certain at the Council: proposals are usually tweaked to ensure participation of member states’ representatives in decision making. Since DMA gives new functions and powers to the European Commission, it seemed inevitable that the Council would want to partake in these duties. And so they did, ensuring that their representatives can take part in market investigations as well as initiating their own, that there is exchange of information between various bodies and that the national courts can have the EC’s observations and request information while proceeding with the application of the DMA.
Gatekeepers: big or huge?
According to both the Commission and the Council, to be recognised as a gatekeeper, a provider of core platform services needs to have a significant impact on the market reflected in a turnover of at least 6,5 billion euro in the last 3 financial years. The market value of the company also needs to be as high as 65 billion in the last financial year. It also needs to be an important gateway for businesses to reach their clients – serving at least 10 thousands of the former (yearly) and 45 million of the latter (monthly).
The IMCO compromise amendments set up the thresholds at 8 billion euro of annual EEA turnover with the equivalent market capitalisation raised to 80 billion over the last 2 financial years. IMCO also included web browsers, virtual assistants and connected TV in the list of core services that can be designated as gatekeepers.
There are clearly two different philosophies at the negotiating table: one limiting the scope to the most powerful and giving them even more obligations with the assumption that they can shoulder the load. The other keeps the thresholds at a level that may include more undertakings than only GAFAM, including intermediaries based in the EU, but keeping the obligations at the minimum set out by the EC. As the latter is favoured also by the Council, we can expect many hours of negotiations to resolve this clash.
Users’ data across services
The EC suggested that the gatekeepers should refrain from combining personal data of users across various core services. This practice sets the platforms at a competitive advantage over other businesses that cannot infer business decisions from such a wide sweep of data. It also leads to surveillance of user activity in and outside of platforms and to profiling of behaviour.
The IMCO text makes the provision (article 5(a)) even stronger by prohibiting not only combining but also cross-using the data. It would only be possible if an end user consented based upon a specific choice that is presented in an explicit and clear manner. This way users would decide if they want to provide data to get personalised content and platforms would need to clearly explain what they collect and for what purpose.
Surprisingly, the Rapporteur was in the end convinced to add a new provision specifically tackling advertising (article 6(aa) – new). As per IMCO report, a gatekeeper should refrain from combining personal data in order to deliver targeted or micro-targeted advertising, regardless if it is for its own commercial purposes or for third-party advertising in gatekeeper’s own services. It would only be possible under the same condition of informed consent, as in the case of combining data from multiple core services.
Unfortunately the Council watered down the limitation, proposing that the gatekeeper may also rely on provisions in the General Data Protection Regulation (or GDPR) relating to the so-called legitimate interest. This concept has been widely criticised by privacy experts because it is so wide and blurry that only a company’s inventiveness limits finding a good reason to justify almost any instance of data processing.
If the Council prevails in the trilogues we may have a very weak provision that in practice will not change anything. Gatekeepers will be inventing excuses to collect and cross-use data instead of providing users with a meaningful choice regarding their privacy.
“There are two different philosophies at the negotiating table: one limiting the scope to the most powerful and giving them more obligations with the assumption that they can shoulder the load. The other includes more undertakings than GAFAM while keeping the obligations at the minimum set out by the EC.”
The EC proposed that the a decision to use one “gatekeeping” service should not result in an involuntary subscription to a bunch of others offered by the same company. While the Council had no major issue with how this provision is formulated, the IMCO compromise on article 5(f) widens its scope. The MEPs didn’t see why the limitation on bundling shouldn’t be extended to any core services of an intermediary instead of only those meeting the gatekeeping criteria.
Obviously we love the IMCO understanding of the problem and hopefully the MEPs will convince the member states it is the only sensible solution. Otherwise the matrix of which datasets can or cannot be combined will become too complex and the whole idea of preventing abuse of data collection will be seriously weakened as it will be easy to hide a misuse.
Removal of preinstalled apps
Nothing more infuriating than buying a new device with a bunch of apps that are not crucial to the functioning of the operating system but which we will never use and cannot uninstall. Good news is that the DMA will put an end to that. IMCO MEPs decided that this provision is self-explanatory and moved it from article 6, which contains a set of provisions that need to be further specified, to article 5, where no additional guidelines are needed. They made it clear that a gatekeeper controlling an operating system needs to allow both installation and uninstallation of apps as easily as possible.
MEPs believe that it should also be possible to change the default settings that direct or steer end users to services or products offered by the gatekeeper. The latter seems to be a result of many competition probes and cases that focused on preferential treatment of in-house services over consumers’ choice.
The Council introduced the same wording in the text, but the provision sits in its original place (article 6(b)). It means that if the Council’s idea prevails, we will expect additional guidelines specifying how this obligation should be met in practice.
Since the very beginning a lack of proper interoperability requirements enabling users to to connect through various messaging apps, social media platforms or providers of access to platforms (for example ensuring greater privacy and protection from surveillance) was the greatest disappointment of the DMA. To our surprise, the final IMCO compromise includes an expanded concept on interoperability.
MEPs decided on focusing the original provision on a free of charge access and interoperability between various services and gatekeeper’s hardware and software features via its operating system. Here interoperability should be offered with the same conditions at which the gatekeeper accesses them. Two new provisions specify that interconnection should be also possible between messaging apps and services (the so-called number independent interpersonal communication services) and social networks (article 6(1)(fa) and 6(1)(fb) respectively). In the case of social networks, however, after the DMA enters into force the EC would have 18 months to adopt a delegated act defining the appropriate scope and features for the interconnection as well as its standards or technical specifications.
There are also safeguards for both the platforms wishing to connect and for the gatekeepers. The interconnection should be provided under objectively the same conditions and quality that are available or used by the gatekeeper, on one hand. On the other hand, a high level of security of personal data should be guaranteed. In the case of hardware and software features accessible through an operating system, interoperability should not compromise the integrity or security of the operating system, but any limitations imposed by the gatekeeper should be duly justified.
The Council focuses on refining the conditions of interoperability between businesses regarding hardware and software. The conditions should be fair, reasonable and nondiscriminatory, says the Council. Conditions of access shouldn’t be degraded for third-party services but it should also be possible to take necessary measures ensuring the integrity of the operating system.
While the Council is clearly preoccupied with the business-to-business side of interoperability, the provisions devised at IMCO provide a real value proposal for end users, even as the users are not explicitly mentioned in the text. It is clear that if messaging apps and social networks can be accessed through many entry points, users will benefit from more choice on how to connect with each other and with other services.
Portability of data
There is no real interoperability without portability of data. Both the Council and the MEPs tweak the original provisions in a similar way. Portability should be free of charge, and that includes access to the tools that should facilitate it effectively. End users can get the data by themselves or through a service providing such a service that they choose. All that in line with the General Data Protection Regulation, naturellement.
It seems that it is one of the few provisions that is well understood across the legislative table, not unlikely because GDPR already introduced this concept. It then seems to be one of the isssues that won’t need to be discussed at length.
The best provisions can be weakened in practice since the platforms can put a lot of effort in developing behavioural techniques to nudge users away from making the choice that benefits them and not the excessive data collection. The EC proposal provides that gatekeepers shouldn’t undermine their obligations, but it is quite a vague way of taming the creativity of masters of the behavioural game.
Both the Council text and the IMCO compromise make the provisions of article 11 better. The Council specifies that the ban on circumvention includes behavioural techniques or interface design. It also requires that the companies don’t segment, divide, split or fragment services to avoid meeting quantitative thresholds, and the EC would have the right to determine if any such process results in a circumvention.
The IMCO proposals are of a wider effect. The obligations should be duly implemented by a gatekeeper who should not subvert users’ choice, autonomy or decision-making, and it doesn’t matter how that effect is achieved, be it through the structure, design or user interface.
Besides that, neither the gatekeeper nor an undertaking to which it belongs should carry out practices that would have a circumventing effect. It doesn’t matter if these practices would result from a contract, behaviour or otherwise. Interoperability gets a special mention and it cannot be limited ”using technical protection measures, discriminatory terms of service, subjecting application programming interfaces to copyright or providing misleading information.”
While the member states’ idea is already good in making sure that gatekeepers have little maneuver to circumvent the obligations, MEPs proposal go even further in ensuring that gatekeepers behave across their various services. Seeing that the two are not very much apart, and each has its different strong points, the combined version could provide a basis to meaningfully tackle unfair and subversive practices.
The right to be heard
The DMA proposal provides that gatekeepers have the right to be heard on preliminary findings as well as the measures the EC intends to take in a number of cases. These decisions and processes could benefit enormously from the input of concerned third parties: other businesses, users and their organisations, researchers of the platform ecosystem or experts.
While the Council doesn’t see such a need, the IMCO Committee decided to expand the right to be heard in article 30 to third parties with legitimate interest. While it is good to see, it is also uncertain what that legitimate interest is. Can users of the platform in question also be heard, or only those who can demonstrate damage caused by the gatekeeper in a specific case? Would think-tanks, experts or associations be included? Importantly, will the trilogues provide an opportunity to make this inclusion more precise?
The stake of negotiations
The documents show the evolution of thinking about the Digital Market Act in the institutions that spent months deliberating the future of gatekeepers. Both the representatives of the member states and the IMCO Rapporteur seemed to start with a desired market setup in their minds.
The Council’s tweaks are mostly focused on making the obligations easily applicable to the entities that will have to comply with them. Rapporteur Schwab started from presenting a narrowed scope with raising the thresholds and some moderate tweaks improving users’ experience on platforms. 1200 amendments later, the trade off has become obvious: less entities would have even more obligations. Some of them quite far reaching: Shadow Rapporteurs managed to convince MEP Schwab to expand interoperability, something that he had not envisioned in his draft report or in his amendments.
“Each subject is discussed in its own time and compromises are achieved gradually – we will most likely end up with a mix of both approaches.”
The debate in trilogues will then engage in a fundamental question: does Europe want to seriously target GAFAM, or do we prefer targeting more platforms with less obligations? Since both positions have strong supporters, it may take months to agree which approach is the winning one. The refined obligations that concern end users may then be treated as a part of the package or be discussed in parallel. Because of the topical fragmentation of the discussion – each subject is discussed in its own time and compromises are achieved gradually – we will most likely end up with a mix of both approaches. It would mean for example that the DMA will have both quantitative thresholds somewhat raised and some of the obligations will serve the end users’ interest better.
It is worrisome that there is no alignment regarding the obligations that could change the status quo in a most profound way, namely ban on combining data and use for advertising and interoperability of messaging apps and social networks. The best scenario including serious wins based on the EP’s expansions of the obligations will depend on the strength of the mandate of the EP delegation that is expressed through the result of the Plenary vote – and on the negotiating skills of the German chrisitan democrat, MEP Schwab.