What is the Digital Markets Act and what does it mean for our privacy and wider rights?

Key obligations and prohibitions

The DMA imposes several restrictions and obligations on gatekeepers which seek to enforce the rights of both other ‘business users’ or competitors operating within the digital market and individual’s/consumers or ‘end users’ who use their services. Some of the key issues the DMA covers include specific benefits to reinforce the rights of business users; restrictions on targeted advertising; measures to reinforce app and browser freedom and interoperability of messaging services.

Benefits to ‘business users’

The DMA seeks to address the imbalance of power and disproportionate advantage gatekeepers have had over their consequently smaller competitors, and to stop them from imposing terms and conditions that does not let others capture the benefits of their own contributions. To empower these business users the DMA has imposed several obligations and prohibitions on gatekeepers to address such behaviour.

One example, is regarding increasing transparency and agency for business users advertising on gatekeeper platforms. Under the DMA gatekeepers must provide companies with the tools and information necessary for advertisers and publishers to carry out their own independent verification of the performance of their advertisements hosted by the gatekeeper. This is to curtail any attempts by gatekeeper’s to engage in exploitative practices such as inflating ad metrics to increase ad revenue, which Facebook has previously been accused of doing. Such measures established within the DMA should prevent these types of practices from occurring.

The DMA also states that gatekeepers should allow their business users to promote their offers and conclude contracts with their customers outside the gatekeeper’s platform. For example, the obligations imposed via the DMA should allow a company like Spotify to promote alternative subscriptions such as Spotify Premium, or services like their audiobooks within the Spotify app. Currently, due to Apple restrictions, you can’t subscribe to Spotify Premium through the app for iPhone and iPad. In fact, Spotify has outlined a number of ways in which it hopes it will benefit from the rules imposed by the DMA, including the ability to directly communicate with customers in the Spotify app about subscription offerings and the ability to offer promotions as well as direct payment in-app.This comes after a lengthy yearlong battle between Spotify and Apple in the lead up to the DMA over the display of pricing information within the Spotify app.

Another example is that a gatekeeper can no longer treat its own services and products more favourably in ranking than similar services or products offered by third parties on the gatekeeper’s platform. For example, Amazon in theory cannot rank its own products more favourably on Amazon Marketplace to that of third-party sellers offering the same products. However, Amazon is currently under investigation by the EC for continuing to preference its own brand products on its Amazon Store.

Personalised or targeted advertising

As previously outlined, one way in which gatekeeper’s market dominance has been built and maintained is through the collection of individual’s personal data and interactions with their platform, and sharing this data with third parties for the purpose of online advertising, through which they generate revenue. In practice, gatekeepers will collect personal data directly from users through signing up to their services such as a user’s name, age, location and email address. This is then combined with data accumulated from a users’ interaction with their services or platforms for example, what posts they like on social media, which subscriptions they have signed up to using their email address and which products they have bought. As well as ‘metadata’’ which is data that provides information about other data, such as your device type and make, unique identifiers generated by your phone’s operating system and information such as the times you connected and how long you spent using the service. Thanks to online tracking techniques, gatekeepers might also collect information about users on other sites implementing their trackers, such as a news site displaying a Facebook like button or a website displaying Google ads. All this data is combined to build a relatively accurate and valuable picture of users that platforms can monetise. Furthermore, Gatekeepers have had a further advantage of accumulating this data across the number of platforms and services they possess, which in practice, occurs without users being fully aware and having given consent. You can learn more about the privacy and security issues related to these practices on our AdTech learning page.

To address such exploitative practices, Article 5 of the DMA places prohibitions and obligations on Gatekeepers regarding their practices of sharing users’ personal data across its services for the purpose of personalised or targeted advertising. As well as to reinforce users’ rights to freely give consent. In practice this should mean that a company like Alphabet can no longer use data collected on you via your interaction with Google Maps to target you with ads on Google Search without your explicit and meaningful consent.

In this regard the DMA outlines specific requirements around the way in which gatekeepers garner consent from users and prohibits the manipulative and malicious practices they employ to make the user think consenting is more favourable. For example, it specifically outlines that withdrawing consent should not be more difficult than giving consent. Users must be presented with a user-friendly solution to allow them to provide, modify or withdraw consent in an explicit, clear and straightforward manner. Furthermore, choosing to not consent cannot come at a hindrance to certain functionalities or that the user is subject to degraded quality.

Some measures employed by gatekeepers have sparked significant debate and can be said to fall short on meeting the specific requirements. In particular, Meta’s ad-free subscription service which allows users to pay €9.99 per month to use Instagram and Facebook without advertising. Meta has presented this as an option that will “empower end users to freely choose whether Meta can carry out certain data processing activities between different services". They believe that end users are presented with a neutral choice between two options: a personalised service which involves data combination; and a less personalised alternative designed to function without data combination. However, this tactic was met with significant criticism and subsequently subject to investigation for being non-compliant. In July 2024, the EC published its preliminary findings that the “pay or consent” model does not comply with Article 5(2) of DMA as it does not allow users to exercise their right to freely consent, and enable them to opt for a service that uses less of their personal data.

App and browser freedom

Article 6 of the DMA has the potential to empower users with greater freedom to choose their software and apps on their devices, including the right to remove pre-installed apps and gatekeeper search engines. For example, Apple’s Safari search engine as the default browser on iPhone. Article 6(3) enables users to uninstall gatekeepers’ apps on the operating system except those that are essential for the functioning of the operating system or device, and cannot be offered by third parties. In practice this means the gatekeeper should allow and enable users to change their defaults for voice assistants, search engines, browsers, messaging apps and more. Furthermore, they mustn’t prompt the user to replace any of these with a gatekeeper service.

Already there been reports of an increase in uptake of third-party browsers by iPhone users. For example, Aloha Browser claim its EU users have jumped by 250 per cent since March when Apple displayed a new default browser choice screen. Similar increases have also been reported by Brave, Firefox, Vivaldi, DuckDuckGo, Ecosia, and Opera.

However, gatekeepers can still apply measures and settings to protect the security of third-party apps or app store. This has been flagged by critics and competitors as a loophole gatekeepers are deploying to deter users, in the form of a warning message when users choose third-party apps, flagging that they may not be secure or legitimate. Therefore this feature can potentially be leveraged as a scare tactic. We co-signed a civil society submission to the EC highlighting attempts by Apple to circumvent aspects of the DMA that are meant to allow people freedom of choice on their own devices. It presents evidence that Apple has been interpreting the DMA’s browser choice provision in a way that makes it difficult for people to choose a web browser other than Apple’s own Safari on iPhones and iPads by using deceptive design tactics.

Interoperability

Interoperability is the ability to exchange data, information and functionality across different platforms and applications. In other words, it is about making different systems or infrastructures compatible with one another by making them mutually legible and able to interconnect.

Article 7 of the DMA imposes an interoperability clause for number-based messaging services such as Meta’s Whatsapp and Facebook Messenger. It requires gatekeepers to ensure free of charge and upon request, interoperability with certain basic functionalities of their number-independent interpersonal communications services to third-party providers of such services. This will enable third party or alternative messaging services, for example, Signal, Telegram, and Viber, to become interoperable with messaging platforms that are provided by gatekeepers. In practice this means that if two people are using different messaging apps, they can continue to communicate with each other through their app of choice given that both parties are opted in to the feature. For example, you should be able to send and receive messages from your Signal app to someone using Whatsapp, provided both parties opted-in.

This could potentially pave the way for a different communication infrastructure providing people with greater choice and freedom, and could even reinforce wider rights such as the right to freedom of assembly and protest. Messaging apps have become vital for individuals to organise and communicate with fellow protesters and curtails the ability of governments to shut down lines of communication.

Interoperability could also allow for greater accessibility, which can aid the enjoyment of wider rights such as freedom from discrimination and equality. For example, by allowing the ability of smaller competitors to interoperate with larger messaging apps, it could foster innovation and create new ways to assist with language translation within those messaging apps. This could be particularly beneficial given the vast cultural and linguistic diversity across Europe. Therefore, interoperability could be seen as innovation for greater equality.

The interoperability obligation on messaging services will initially focus on messaging, sending images, voice messages, videos, and files between two people, calls and group chats will come at a later time. The rules only apply to messaging services and not traditional SMS messaging.

It is key that people are given the ability to choose whether or not they want to participate and opt in to exchanging messages with third parties. However, there is a risk that gatekeepers will make this option inaccessible within the app interface and not promote it to users in a clear and meaningful way which restricts the number of individuals opting in.

Furthermore, the interoperability provisions of the DMA have also sparked debate around end-to-end encryption. The DMA requires enabling interoperability should not diminish the privacy and security of users, but from a technical perspective it creates new challenges for upholding end-to-end encryption. While it’s an excellent demand from a competition perspective the EC should be particularly careful to ensure it doesn’t erode security of those services.

Gatekeepers’ reluctance to implement the DMA

Big tech companies have raised criticism of the DMA since it was first introduced by the EC and they have dragged their feet in implementing the obligations imposed on them. Some unsuccessfully challenged the EC’s decision to designate them as gatekeepers for some core services, as well as arguing that certain DMA provisions undermine security and hamper innovation. These are all well known and tested tactics to resist changes which may affect their dominance in the digital market and their practices of exploiting individuals’ data to maintain and grow their power.

The EC’s designation of Big Tech companies and their services as gatekeepers under the DMA was immediately met with resistance by some players. Meta was the first to bring a legal challenge before the EU’s General Court, contesting the inclusion of its Messenger and Marketplace services within the DMA’s framework. They argued that these specific services did not qualify because it is a consumer-to-consumer service without intermediary involvement and therefore should be exempted from the gatekeeper designation. TikTok, owned by ByteDance, also challenged its classification as a social network and a digital gatekeeper under the DMA arguing it has not been operating in the market that long and does not meet the law’s threshold for revenues generated in the European Economic Area of 7.5 billion euros ($8.13 billion) per annum.
Apple also made a legal challenge at efforts to re-classify its core platform services, particularly with regards to its operating systems (iOS, iPadOS, macOS, watchOS, and tvOS), App Store, and Safari, arguing that these services should be segregated according to their device-specific functionality. They have also argued that it runs five separate App Stores (which would be conveniently small enough to avoid the EU regulation) instead of a single platform. While this argument wasn’t successful, they did manage to convince the EC that iMessage doesn’t qualify as gatekeeper service, avoiding requirements to make it interoperable with other messaging platforms.

Article 11 of the DMA outlines requirements for gatekeeper ‘reporting’ and provides that within 6 months of being designated a gatekeeper they must provide reports in a detailed and transparent manner that outline the measures it has implemented to ensure compliance with the obligations laid down in Articles 5, 6 and 7. In addition, the EC organised a series of compliance workshops facilitated by the EC inviting each gatekeeper to present their their compliance measures and respond to interested stakeholders including civil society.

Following these, gatekeeper’s measures to comply have drawn criticism from smaller competitors and civil society as falling short in meeting their obligations. For smaller competitors to benefit from the DMA they are reliant on the gatekeepers to implement changes for them to be able to take advantage of these rights. Civil society has also been working to highlight gatekeeper’s lack of compliance. For example, alongside colleagues at EDRi we co-signed a submission to the EC highlighting Apple’s attempts to circumvent the DMA’s goals of allowing people freedom of choice on their own devices.

This has not gone unnoticed as the EC DMA enforcement team has since announced several investigations into gatekeepers’ non-compliance with the DMA. A number of investigations have been launched against Apple, the first which concerned a breach of Article 5(4) regarding steering rules and business terms of the App store and the second concerned a breach of Article 6(3) regarding their obligation to easily uninstall apps, change default settings and prompt users with choice screens. A third investigation was also launched concerning possible breach of Article 6(4) regarding the ability to offer an app via an alternative distribution channel. Apple has so far kept the option to subscribe to the previous conditions, which do not allow alternative distribution channels at all.

Two investigations have also been launched into Alphabet, the first which concerned a possible breach of Article 5(4) regarding rules on steering in Google Play, and the second a possible breach of Article 6(5) which concerns self-preferencing on Google Search.

So far the Commission has published their preliminary findings of two investigations. In June 2024, the EC announced Apple’s non-compliance with Article 5(4) their preliminary findings confirm that Apple’s App Store rules are in breach of the DMA “as they prevent app developers from freely steering consumers to alternative channels for offers and content”.

In July 2024, the EC also published its preliminary findings that Meta’s “pay or consent” advertising model fails to comply with Article 5(2). In the Commission’s preliminary view, this binary choice forces users to consent to the combination of their personal data and fails to provide them a less personalised but equivalent version of Meta’s social networks.

Gatekeepers have also been openly critical about changes required of them under the DMA which they argue will come with implications for the security of their products and services. Apple has complained that changes required of them would make iPhones and laptops less secure. For example, they maintain that rules they have imposed via the Apple App store has protected people from installing applications from unauthorised sources and has therefore protected iPhone users’ from fraud and malware. However, this argument is somewhat misplaced given that the DMA specifically references the need to maintain upholding privacy and security alongside any changes. Additionally, some gatekeepers are already lagging behind some competitors who offer even further privacy focused services such as messaging service ‘Signal’.

Likewise, Google’s Director of Competition wrote that some rules imposed on them under the DMA have led to difficult trade-offs that will impact on their users and businesses. For example, they claim that businesses will lose out due to changes that have had to make to Google Search which they argue may send more traffic to large intermediaries and aggregators, and less traffic to direct suppliers like hotels, airlines, merchants and restaurants. For consumers, they also claim some of the features they have developed to help people get things done quickly and securely online for example, like providing recommendations across different products, won’t work in the same way anymore.

These narratives are particularly unhelpful for consumers and small businesses given the context of Big Tech’s dominance and control over the market, and their ability to maintain opacity around their practices, which may sow seeds of doubt in users’ minds. Furthermore, these arguments are not surprising given the nature and purpose of the DMA which is to break up Big Tech’s dominance in the digital market, and curtail their exploitative practices to dismantle their power.

Conclusions

The DMA has the potential to address some of the negative effects of Big Tech’s concentration of power by imposing restrictions on their exploitative practices, by reinforcing the rights of users and empowering competitors. Healthy competition is key for our rights as users of digital products and services, and we should not allow gatekeepers to diminish or take away our digital rights and freedoms. In theory, competition should flourish through obligations imposed on Big Tech companies by giving users greater choice in a variety of markets and stop the ability of Big Tech to hinder the innovation and standards of its competitors. However, gatekeeper’s willingness to implement measures and comply with the DMA alongside the EC’s enforcement and oversight of the DMA is paramount to its success. Furthermore, the Commission must continue to include civil society and other relevant stakeholders in the enforcement of the rules, to make sure a variety of perspectives are considered and to ensure the full potential of the DMA is realised.