The EU Regulation on contestable and fair markets in the digital sector (Digital Markets Act) (“DMA”), which came into force in 2022, prevents certain large online platform service providers from treating their business and end users unfairly. For example, online platform service providers that fall within the scope of the DMA must allow their business users to access the data they generate in their use of the platform and to promote their products and conclude contracts with their customers outside the platform, and must not treat services and products offered by the platform service provider itself more favourably in ranking than similar services or products offered by third parties on the platform.

Platform services such as online marketplaces, search engines and social networking services (known as “core platform services”) are subject to these fair treatment obligations if and when the core platform service provider is designated as a “gatekeeper” under the DMA. A core platform service provider will be designated a gatekeeper if it meets certain qualitative criteria, namely, if it has significant impact on the internal market, if the core platform service serves as an important gateway for business users to reach end users, and if it enjoys an entrenched and durable position in its operations. The DMA sets out certain quantitative criteria that, if met by the core platform service, establish a presumption that the qualitative criteria are met. For example, a core platform service will be presumed to serve as an important gateway if its service has at least 45m monthly active end users in the EU and more than 10,000 yearly active business users in the EU in the last financial year.

On 6 September 2023, the EU Commission designated, for the first time, six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft – in respect of 22 core platform services including TikTok, Facebook, Instagram, LinkedIn, WhatsApp, Google Maps, Google Play, Google Shopping, YouTube, Google Search, Chrome, Google Android and Windows PC OS. These companies have six months, from the date of designation, to ensure compliance with the DMA obligations in respect of each of their designated services.

There are certain reporting obligations under the DMA, including an obligation to submit to the Commission an independently audited description of any techniques used for profiling consumers that the gatekeeper applies to the core platform services listed in its designation (which the Commission will pass on to the European Data Protection Board), to make an overview of the audited description publicly available, and to update the description and overview at least annually. Profiling, which is as defined under GDPR, is any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. In July 2023, the European Commission published a consultation on a template for these reports and, on 12 December 2023, it published the replies to the consultation and the final template. The template requires numerous pieces of information from the gatekeeper for each core platform service including the purposes of the profiling, each category of data and personal data used, the data inferred about consumers from the processing, the duration of retention of all such data, the legal basis relied on under GDPR, whether consent is required under GDPR and, if so, steps taken to seek consent, the qualitative and quantitative impact or importance of the profiling, actions to make consumers aware of profiling, and statistics on how many consumers chose to undergo profiling and how many refuse it if given the choice.

For more information, click here and here.