Used Services and Cookies

Our website uses cookies to enhance your user experience. Some cookies are essential for the operation and management of the site, while others are used for anonymous statistics or personalized content. Please note that limiting cookie use may impair certain functions of the website.

More information: Imprint, Data protection

Essential cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website or, for example, saving your cookie settings. The website cannot function properly without these cookies. This category cannot be deactivated.
  • Name:
    ukie_a_cookie_consent_manager
  • Domain:
    blomstein.com
  • Purpose:
    Stores the cookie preferences of website visitors.
  • Name:
    blomstein_session
  • Domain:
    blomstein.com
  • Purpose:
    The session cookie is essential for the basic functioning of the website. It allows users to navigate through the site and use its basic features.
  • Name:
    XSRF-TOKEN
  • Domain:
    blomstein.com
  • Purpose:
    This cookie serves security purposes and aids in preventing Cross-Site Request Forgery (CSRF) attacks. It is a technical necessity.
These cookies collect information about how you use a website, e.g. which pages you have visited and which links you have clicked on.
  • Name:
    _ga
  • Domain:
    blomstein.com
  • Purpose:
    The Google Analytics cookie _ga is used to distinguish users by assigning a unique identification number to each visitor. This number is sent to Google Analytics each time a page is accessed in order to collect user, session and campaign data and to statistically evaluate the use of the website. The cookie helps website operators to understand how visitors interact with the website by collecting information anonymously and generating reports.
  • Name:
    _ga_*
  • Domain:
    blomstein.com
  • Purpose:
    The _ga_[container_id] cookie, specific to Google Analytics 4 (GA4), is used to distinguish website visitors by assigning a unique ID for each session and each user. It enables the collection and analysis of data on user behavior on the website in anonymized form. This includes tracking page views, interactions and the path users take on the website to give website operators deeper insights into the use of their site and improve the user experience.
  • Name:
    _gid
  • Domain:
    blomstein.com
  • Purpose:
    The _gid cookie is a cookie set by Google Analytics that is used to distinguish users. It assigns a unique identification number to each visitor to the website, which is sent to Google Analytics each time the page is accessed. This makes it possible to track and analyze user behavior on the website over a period of 24 hours.
  • Name:
    _gat_gtag_UA_77241503_1
  • Domain:
    blomstein.com
  • Purpose:
    The _gat_gtag_UA_77241503_1 cookie is part of Google Analytics and Google Tag Manager and is used to throttle the request rate, i.e. it limits data collection on high traffic websites. This cookie is linked to a specific Google Analytics property ID (in this case UA-77241503-1), which means that it is used for performance monitoring and control of data collection for that specific website property.
DE EN

DMA and Data – No More Leveraging for Gatekeepers?

19.03.2024
PDF download
Recent News

EU incorporates Binding Valuation Information Decisions in Customs Legislation

Selling and delivering goods from the EU –the regulatory framework for the defence and security industry

Data on Demand? Access to Gatekeeper data for business users under the Digital Markets Act

Since March 7th, all core platform services that the European Commission has designated as gatekeepers under the Digital Markets Act (DMA) so far, must comply with the DMA’s obligations and had to submit comprehensive compliance reports. In these reports, they must show in a detailed and transparent manner all relevant information needed by the European Commission to assess the gatekeeper’s effective compliance with the DMA.

In our series of briefings, we recap the key milestones of the DMA implementation, deep dive into the various obligations that gatekeepers are facing, lay out the DMA’s implications for stakeholders who are not (currently) within the direct scope of the legislation and update you on the current status of affairs in the DMA’s implementation.

This time we focus on: Data related DMA obligations.

Data Collection and Market Power

At its core, the DMA addresses the crucial issue of data and market power, aiming to redefine gatekeepers’ rights and responsibilities when collecting data from business users and end users. By establishing rules on the processing, combination, and utilization of data, the DMA aims at restraining the ability of gatekeepers to leverage their control over vast datasets sourced from core platform services to assure market dominance across multiple data driven markets where these data sets provide the gatekeeper a competitive advantage.

Picture this: You are an online retailer using a gatekeeper’s marketplace. The gatekeeper competes with your business at the retail level and takes advantage of data obtained from your sales and customers in the marketplace. Further, you are an ad-tech company who uses a gatekeeper’s social media platform to launch advertisement campaigns. The gatekeeper uses personal data derived (e.g., clicks, views) from the campaign to feed its data base for the provision of advertisement services itself. Or you are a provider of software applications which uses a gatekeeper’s software application store. The gatekeeper uses data derived from your business’ activities in the application store to inform decisions related to its own offering of software applications. These scenarios depict some of the business practices the DMA aims to prevent as the default practice of gatekeepers.

Limiting Data Leverage, Reinforcing Data Privacy

Article 5(2) of the DMA imposes stringent limitations on the conduct of gatekeepers concerning the accumulation and use of end-user data. Gatekeepers are now required to refrain from the following behaviours, unless the end-user provides express consent:

(1) processing personal data sourced from third parties (e.g., business users) for online advertising purposes,

(2) combining personal data sourced from the core platform with data sourced from other services provided separately by the gatekeeper or from third-party services,

(3) cross-using personal data sourced from the core platform service in other services provided separately by the gatekeeper,

(4) signing-in users to other services of the gatekeeper to combine data.

This provision builds upon the framework established by the General Data Protection Regulation (GDPR) and broadens its principles to encompass potential market distortions. By doing so, it not only grants individuals more control over shaping their online experience according to their preferences, but also seeks to promote the contestability of core platform services by enabling end users to freely choose if and how a gatekeeper uses their data. The DMA recitals expressly indicate that access to core platform services or certain functionalities shall not be conditioned to the end user’s consent. Therefore, a less personalised service should not be different or of degraded quality compared to the service provided to the end users who provide consent.

In fact, the concerns addressed in this provision evolve from previous case law. In 2019, the German Bundeskartellamt found that Facebook breached competition rules by compelling users to agree to the combination of their social network data with personal data collected from other Meta services such as WhatsApp and Instagram (see decision here). This understanding was later confirmed by the European Court of Justice (Case-252/21).

Notably, Meta has taken steps towards compliance with the GDPR and the DMA by introducing an advertisement-free subscription option for Facebook and Instagram. However, it remains to be seen if it is an acceptable business solution to assure compliance with this DMA provision.

Safeguarding Business User Data

Article 6(2) focuses on the relationship between gatekeepers and their business users, mandating that gatekeepers refrain from making use of non-public data sourced from business users to directly compete against them in an adjacent market (e.g. online retail, advertising, software applications). The provision aims to foster a level playing field wherein businesses are not unfairly disadvantaged by the platforms they rely on.

Non-public data encompasses various forms of information, including both aggregated and non-aggregated data derived from the commercial activities of business users or their customers. This includes data directly related to the business, such as suppliers, prices, orders, terms and conditions, as well data related to the customers of those business users, such as clicks, searches, views, and voice interactions, occurring within the core platform services or ancillary services provided by the gatekeeper.

This provision also draws from past case law notably exemplified by the investigations involving Amazon conducted by the European Commission and the CMA. The focal concern was Amazon's potential utilization of non-public business data sourced from marketplace sellers, which could enable its retail arm, Amazon Retail, to optimize decision-making processes, e.g., identifying lucrative product markets, engaging directly with successful suppliers of third-party sellers, and negotiating supplier terms more favourably. These investigations resulted in commitments from Amazon to abstain from employing such data in its retail operations.

Comprehensive Implications for the Digital Ecosystem

The implications of these provisions are far-reaching across the digital ecosystem:

  • For gatekeepers: The provisions require a fundamental reassessment of how user data is collected, processed, and used. Compliance will require technological and procedural adjustments, such as most obviously the introduction of a consent prompt, and potentially also altering business models where user consent cannot be acquired.

  • For third-party business users: The provisions offer a safeguard against core platform service providers leveraging data sets across their ecosystems that have been collected with the help of third-party business users. Breaking open the walled gardens many gatekeepers have been building (e.g. through the all too convenient single sign-on) may establish a more equitable level playing field for third-party business users.

  • For end users: Promise a more user-centric digital environment, with enhanced privacy protections and a wider choice of services. On the other hand, sceptics question the practical effects of the opt in provision, noting the challenge for end-users to fully grasp the implications of sharing their data, thus hindering their ability to make an informed decision when deciding whether to provide consent.

Looking Ahead: Enforcement

By tackling the complex interplay between data and market dominance, the DMA data provisions are a key enforcement tool with an ambitious mission: Rebalance the data value chain by limiting how gatekeepers collect and use data. Through this effort, the aim is to cultivate a fairer landscape for competitors in data-driven markets by limiting how gatekeepers make use of data sets across the various services they provide. However, in particular in relation to Article 5 (2), the actual potential to bring about the desired change in the competitive dynamics of the digital markets highly depends on end users making thoughtful use of their newly acquired consent rights. Where end users out of convenience consent, a phenomenon well observed in relation to cookie consent banners, the DMA provision is at risk to remain a toothless tiger.

In fact, business partners of gatekeepers, competitors and consumer organizations play a significant role in the enforcement of these provisions. The DMA introduces relevant tools and opportunities for third-parties to flag ongoing misconducts and assert their rights, e.g., presenting complaints to the European Commission or National Competition Authority (NCA), applying for interim measures before the European Commission, and seeking injunctive relief and damages in national courts (see our briefing on private enforcement of the DMA here).

BLOMSTEIN will continue to monitor and assess the developments and practical application of the DMA provisions. If you have any questions on the topic, Anna Huttenlauch, Elisa Theresa Hauch and Ana Carolina Vidal will be happy to assist you.

 

  1. DMA Briefing Series – Kick Off

  2. Private Enforcement under the DMA

  3. Use of End User / Business User Data (Article 5 para 2, Article 6 para 2)

  4. Most-Favored-Nation Clauses (Article 5 para. 3)

  5. Anti-Steering Practices (Article 5 paras. 4 and 5)

  6. Tying and Bundling (Article 5 paras.7 and 8)

  7. Advertising under the DMA (Article 5 para. 9 and 10 and Article 6 para 8)

  8. Self-Preferencing (Article 6 para. 5)

  9. Interoperability, Portability and Switching (Article 6 para. 3, 4, 6, 7, 9)

  10. Business User Access to Data (Article 6 para 10)

  11. Access to Data and Services (Article 6 para 10 - 12)

  12. Outlook: Digital Regulation around the Globe

back to overview