The Digital Markets Act: what is the situation today?
On 24/3/2022, the European Parliament published a press release in which it states:
On Thursday evening, Parliament and Council negotiators agreed new EU rules to limit the market power of big online platforms.
The Digital Markets Act (DMA) will blacklist certain practices used by large platforms acting as “gatekeepers” and enable the Commission to carry out market investigations and sanction non-compliant behaviour.
The text provisionally agreed by Parliament and Council negotiators targets large companies providing so-called “core platform services” most prone to unfair business practices, such as social networks or search engines, with a market capitalisation of at least 75 billion euro or an annual turnover of 7.5 billion. To be designated as “gatekeepers”, these companies must also provide certain services such as browsers, messengers or social media, which have at least 45 million monthly end users in the EU.and 10 000 annual business users.
During a close to 8-hour long trilogue (three-way talks between Parliament, Council and Commission), EU lawmakers agreed that the largest messaging services (such as Whatsapp, Facebook Messenger or iMessage) will have to open up and interoperate with smaller messaging platforms, if they so request. Users of small or big platforms would then be able to exchange messages, send files or make video calls across messaging apps, thus giving them more choice. As regards interoperability obligation for social networks, co-legislators agreed that such interoperability provisions will be assessed in the future.
Parliament also ensured that combining personal data for targeted advertising will only be allowed with explicit consent to the gatekeeper. They also managed to include a requirement to allow users to freely choose their browser, virtual assistants or search engines.
If a gatekeeper does not comply with the rules, the Commission can impose fines of up to 10% of its total worldwide turnover in the preceding financial year, and 20% in case of repeated infringements. In case of systematic infringements, the Commission may ban them from acquiring other companies for a certain time.
From that press release, therefore, in summary, it emerges that:
- there has been a trilogue (negotiation) between the European Parliament, the Council and the European Commission;
- the “negotiated” version contains changes to the text that defines “gatekeepers
- the “negotiated” version contains amendments to the text that identifies “gatekeepers” (market capitalization of at least 75 billion euros or annual turnover of 7.5 billion euros);
- obligation for “gatekeepers” to make their messaging platforms (such as Whatsapp, Facebook Messenger or iMessage) interoperable with smaller ones;
- targeted advertising (targeted advertising) will only be possible with the consent of gatekeepers;
- sanctions for gatekeepers who do not respect the rules.
Messaging systems in the DMA and privacy
The indisputable fact that big players supplying instant messaging services is officially acquired at the European level, especially when it comes to subjects having their main registered office outside Europe.
The press, as mentioned above, release expressly refers to Whatsapp, Facebook Messenger and iMessage (specifying that the first two are part of the same Facebook/Meta group, while Apple owns the last one). Among the best-known instant messaging apps, Signal, Telegram, and Threma have significantly been excluded because they cannot be traced back to “gatekeepers” that have the requirements indicated (market capitalization of at least 75 billion euros or an annual turnover of 7.5 billion).
From what emerges from the press release, it would seem that while Europe is aware of these prominent players and providers of messaging services, it is not so aware of the technical nature of the same, which are considered centralized.
In the context of the DMA, Europe’s attention is more projected toward the “market” and digital economy component rather than (also) concerning personal data protection profiles. As we have repeatedly stated, a centralized messaging system does not seem to comply with Recital (7) of the GDPR where it states “Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.”. All this, without considering other evaluations about compliance with the principles contained in the GDPR itself, among which we mention those in Article 5 (Principles applicable to the processing of personal data) as well as that of data protection by design and protection by default according to Article 25.
Among the entities that likely and to our knowledge do not qualify as “gatekeepers” is Matrix (The Matrix.org Foundation CIC or The Matrix.org Foundation).
Matrix, which we have already discussed, has developed an open standard for interoperable, decentralized, real-time communication over IP.
On DMA, Matrix has published an article entitled “Interoperability without sacrificing privacy: Matrix and the DMA” representing, in essence, that with their protocol is possible to ensure - provided that the “gatekeepers” provide the API - interoperability in total security and respect for privacy.
While fully agreeing with what Matrix wrote and with the proposed solutions, we believe that - at the legislative level - it is necessary to start a careful reflection on how technically we can guarantee and realize interoperability by other subjects different from Matrix itself.
The risk could be that of not being able to fully guarantee E2EE encryption with consequent prejudice for privacy and compliance with the GDPR, given that the GDPR itself sets out in Article 3 the territorial scope, i.e. the conditions for the applicability of EU Regulation 2016/679 to processing carried out in the Union.
In essence, the entire context relating to the protection of personal data for the exclusive benefit of the needs of the market and the digital economy should not be overlooked in the whirlwind of consolidating a solid position of Europe in the digital sphere.
We are still waiting for the final version, as announced in the press release.