DMA and GDPR: A Boost for Enforcement or Incoming Conflicts?

by Christina Etteldorf

With the publication of the text reflecting the final agreement between the EU legislative bodies on the Digital Markets Act (DMA)1, we now have a pretty clear picture of what the regulation of so-called gatekeepers to protect fair and transparent competition in the EU Digital Single Market will look like in future. What is less clear at the moment, however, is how this instrument of internal market law will function in practice, in particular how it will interact with existing legislation that was not necessarily created with a view to economic or commercial aspects. This is also and especially true with regard to data protection law: the reason why gatekeepers, the likes of the GAMAM2, are considered as such in the DMA, i.e. as companies which can dictate conditions for competition and market entry for smaller entities because of their dominant market power, is usually their profit-oriented use of (personal) data. Thus, it is not surprising that a simple word search for the term “data” in the DMA yields a solid 152 hits, “personal data” 34 hits. When it comes to the inevitable follow-up question of the interrelation with the EU General Data Protection Regulation, the DMA is very explicit in emphasising that it will remain “without prejudice” to the GDPR. Whether this can actually be implemented in practice in a stringent way, however, can certainly be questioned.3

Data in the DMA

A number of the “do’s and don’ts” that the DMA will impose on gatekeepers concern directly or indirectly the processing of data: Art. 6(9) DMA establishes an obligation to effectively provide end-users with the portability of data generated on core platform services, which is broader than the right to data portability laid down in Art. 20 GDPR, requiring for example a “continuous and real-time access” and not being limited to personal data. Art. 6(10) and (11) DMA deal with obligations to provide certain business users with access to certain data, including personal data, generated on core platform services in order to enable them to, e.g., analyse these data for their own purposes. Art. 7 DMA aims to ensure the interoperability of number-independent interpersonal communication services (NI-ICS) by basically obliging gatekeepers to open their interfaces for third-party NI-ICS, which most likely will require the exchange of (personal) data, too. The provision that most vividly documents the relevance of the DMA in terms of data protection (law) is, however, Art. 5(2) DMA: Gatekeepers shall refrain from using end-user data obtained from business users for advertising purposes, and from combining or using such data across different services. But also outside of its catalogue of duties vis-à-vis end and business users, the DMA draws some connecting lines to the GDPR. For example, according to Art. 15 DMA, gatekeepers shall submit to the Commission an independently audited description of any techniques for (data-driven) profiling of consumers they apply on their core platform services.

Interrelation and Enforcement

The above-mentioned rules raise some legitimate questions about the relationship between DMA and GDPR: Do the provisions on granting access to data and opening of interfaces simultaneously provide for a justification of the associated transmission of personal data under the GDPR? Will the right to data portability under the DMA in future be ancillary to the right under the GDPR or will it be “mixed” by gatekeepers? Will a different level of protection apply to gatekeepers with regard to the merging and commercial use of personal data and does this differ from (or even override) the previous assessments by the EDPB4? How can different supervisory regimes (in the DMA governed by the European Commission and in the GDPR by national authorities) be reconciled so that the concerned bodies can mutually benefit from their supervisory activities? Can one and the same behaviour which violates the DMA and the GDPR also be punished cumulatively under the two sets of Regulations, each with severe fines?

Warnings about these potential conflicts have been raised extensively in the course of the legislative procedure.5 However, the DMA, unlike the Digital Services Act (DSA)6, does not contain a general provision determining the relationship to other legal acts outside of competition and telecommunications law. Only Recital 12 picks up concerns by stating that the DMA should apply “without prejudice” to the rules (in particular) of the GDPR and Directive 2002/58/EC. However, the DMA itself confirms that this general statement might not be sufficient by containing numerous “ifs and buts” along the specific data-relevant provisions. For example, Recital 59 of the DMA clarifies, “for the avoidance of doubt”, that Art. 6(9) DMA complements Art. 20 GDPR or that Art. 6(10) (still) requires consent when it comes to providing business users with access to personal data of end-users in line with the GDPR.

But even these clarifications do not always dispel final concerns. Without being able to go into detail here, the impact of Art. 5(2) subpara. 3 DMA should be underlined: Although, as mentioned above, gatekeepers are in principle prohibited from merging personal data collected from third parties and using them for advertising purposes, the DMA still allows them to rely (also for these purposes) on Article 6(1), points (c), (d) and (e) GDPR. What looks at first glance like a consistent clarification of the GDPR having priority (“without prejudice”) status turns out, on closer inspection, to omit a very important provision, especially for the commercial activities of companies, namely Art. 6(1)(f) GDPR. Thus, while companies can invoke legitimate interests for data processing for advertising purposes under the GDPR (Recital 47 even explicitly addresses direct marketing), this is denied to gatekeepers under the DMA.

Push to Enforcement or Potential for Conflict?

If one reads the DMA and its recitals from beginning to end, it is very apparent that in many places it is emphasised that the DMA is “without prejudice” to the GDPR (Recitals 12, 36 and 37), that gatekeepers must continue to comply with their obligations under data protection law (Recital 65) and that the level of protection enshrined there should not be undermined (Recital 64). From this, one can read between the lines that the importance and validity of data protection law is by no means being questioned, but rather that problems are seen in enforcement, which the GDPR has apparently not resolved, at least with regard to gatekeepers. This is also underlined by provisions such as Art. 36(3) DMA, which explicitly states that the results of the independent audits on profiling should also serve to enforce the GDPR. Accordingly, the Commission is obliged to forward the audit reports to the EDPB. However, structured rules for the exchange of information or cooperation within the framework of supervision are still missing. Whether the DMA will become a push for the enforcement of the GDPR against this background, or whether conflicts will lead to more legal uncertainty, remains to be seen, most likely at least until the beginning of 2024 when the DMA will become practically effective.

Christina Etteldorf, Institute of European Media Law, Saarbrücken (Germany)

2 Google, Amazon, Meta (formerly Facebook), Apple and Microsoft.

4 For example: While the DMA strictly prohibits gatekeepers from repeatedly requesting consent more than once a year in the context of Art. 5(2) DMA, the EDPB (Guidelines 3/2022) has just recently been rather cautious about this ‘dark pattern’ of ‘continuous prompting’ by (only) reminding of the importance of adhering to the principles of data minimisation and purpose limitation.