The Digital Markets Act is shifting the power of data


The new Digital Markets Act (DMA) is expanding the portfolio of data and digital platform regulations required under European Union (EU) Law.


The DMA is an EU regulation that was formally published in the Official Journal of the European Union, and entered into force on Nov. 1, 2022. The DMA aims to promote competition and fairness among online platforms and is the first of two new regulations that are part of the EU's initiative to develop a "Digital Services Package."


The Digital Services Package also includes the Digital Services Act (DSA), which defines responsibilities and accountability for online platform content (entered into force Nov. 15, 2022).


With the DMA already in force, there will be a six-month transition period before the DMA becomes effective and service companies (the “gatekeepers” defined below) will have 15 months to meet compliance requirements. 


Timeline for DMA enforcement

In addition to promoting fairness and competition among online platforms, the DMA aims to regulate and establish specific limitations on “gatekeepers.” The DMA defines a gatekeeper as a digital platform that provides an important gateway between business users and consumers.


The goal of the DMA is to ban certain practices used by these gatekeeper platforms and to enable the European Commission (“Commission”) to conduct investigations and sanction non-compliant behaviors. Gatekeepers will be required to adhere to a list of obligations and prohibitions that may force them to change how they interact with users, partners and competitors.



Who are the gatekeepers?


Self-reporting gatekeepers will include online platforms operating in the EU that meet specific criteria:

  1. Operating a core gateway platform that meets the criteria of a service. Examples of services may include the following:
    • Online intermediation services
    • Online search engines
    • Online social networking services
    • Video-sharing platform services
    • Number-independent interpersonal communications services
    • Operating systems
    • Web browsers
    • Virtual assistants
    • Cloud computing services
    • Online advertising services, including advertising intermediation services
  2. Being considered a service in an "entrenched and durable position," for at least the last three financial years. That is, the service has built its reputation and will continue to control its current market share for the foreseeable future.

  3. Providing services in at least three EU Member States and satisfying at least one of the thresholds below:
    • EU annual revenue of at least €7.5 billion, or
    • Market capitalization of at least €75 billion while servicing 45 million active end users (monthly) and 10,000 active business users (annually) within the EU

If these criteria apply, a company must self-report as a gatekeeper. However, the company can dispute the gatekeeper title and make a case that exceptional circumstances exclude them from being designated as a gatekeeper.


Conversely, if a company does not meet all three criteria listed above, it would not have to self-report as a gatekeeper. However, the Commission can make its own determination that a company is considered a gatekeeper and require them to comply with the DMA.





Gatekeeper obligations


In general, gatekeepers will be required to protect the privacy of their end users. The DMA enhances several privacy protections established under General Data Protection Regulation (GDPR). These enhancements include an expansion of data portability rights (the ease of access to users’ data) and additional consent requirements. For example, gatekeepers must receive explicit consent from end users to perform the following:

  • Process personal data for targeted advertising
  • Combine or cross-use personal data between services
    This applies to services offered by the same gatekeeper. For instance, a company would need the user’s explicit consent to process data originally collected through its retail platform for additional uses within that company’s video streaming platform.
  • Combine personal data from the platform service with third-party data
    This includes data collected from third-party websites such as cookies.



Penalties for non-compliance


Like other recent EU regulations, the Commission may impose penalties for non-compliance under the DMA. If a gatekeeper is found to be non-compliant with any of the DMA’s obligations, penalties may include: 

  • Fines up to 10% of revenue reported in the preceding financial year
  • Fines up to 20% of revenue reported in the preceding financial year for repeated infringements
  • Injunctions, imposed by the Commission, preventing a company from acquiring other companies within the EU for an unspecified period of time



Your next steps


Businesses should start preparing for when DMA enforcement begins May 2023. Complete the following activities before May 2023, to ensure you meet the DMA’s compliance requirements:

  1. Determine whether your business meets the definition of gatekeeper based on the criteria listed above.
    • If not, document a defensible position as to why your company is not considered a gatekeeper in the EU.
    • If so, perform the additional activities below and notify the Commission as required under the DMA.
  2. Review privacy notices and consent language to ensure explicit consent is obtained prior to processing data for targeted advertising or cross-use within the organization.
  3. Implement effective consent and preference management controls to track end-user preferences and maintain an audit trail.
  4. Begin analyzing if the DSA is also applicable to your organization and identify next steps to meet additional compliance requirements.






Our cybersecurity and privacy insights