DMA: Security Implications of New EU Anti-Trust Laws

The Digital Markets Act vs the Gatekeepers – a balancing act

The Digital Markets Act (DMA), a piece of European legislation, being discussed in the European Parliament's Paul-Henri Spaak building
The ongoing power struggle between the EU and Big Tech highlights the pressing need for a balanced and nuanced approach to regulatory policy, one that considers the interests of all parties involved, not least consumers. The Digital Markets Act (DMA) aims to achieve this balance, but will it succeed?

A handful of tech giants dominate digital markets worldwide, making it difficult for smaller businesses to enter the market. The EU faces the daunting task of curbing their dominance and giving EU citizens more control over their data through the Digital Markets Act (DMA), but there's a catch...

What is the Digital Markets Act?

The Digital Markets Act, or DMA, is a set of rules proposed by the European Commission and adopted by the European Parliament and the Council. It applies to operators of digital services in the European Union that meet the criteria qualifying them as gatekeepers. The purpose of these rules is to provide a fairer environment for the businesses that depend on those gatekeepers in order to offer their services in the European single market.

Put simply: Big Tech companies considered as gatekeepers must open up their platforms to smaller competitors for a fairer competition.

The new legislation is meant to enable tech start-ups to compete and innovate in the online platform environment without having to comply with unfair terms imposed by the platforms, which can limit their development or decrease their chance to get their products in front of consumers. Too much power in the hands of a select few can stifle innovation and restrict fair competition.

At the same time, the Commission is confident that the new measures will lead to better and more options for consumers to choose from, allow them direct access to services, fairer prices and more opportunities to switch providers if they choose to do so, as a result of a healthier competitive environment.

The Commission aims to achieve this while allowing the gatekeepers to retain all of their current opportunities to innovate and offer new services. But they would no longer be allowed to use unfair practices to their advantage, neither towards the business users nor the customers that depend on them. And while current regulatory fragmentation in the EU often means increased compliance costs for platforms that operate cross-border, the new unified legislation would help solve this problem as well and provide more legal certainty for the gatekeepers.

What is the Digital Services Act?

The new Digital Services Act (DSA) is a single set of rules applicable throughout the EU, with mechanisms enabling the European Commission and Member States to coordinate their actions. Its main goal is to combat illegal goods, content or services being distributed online. It includes:

  • Measures for users to flag such content and for platforms to cooperate with “trusted flaggers”.
  • New obligations on the traceability of business users in online marketplaces.
  • Effective safeguards for users, including the possibility to challenge platforms’ content moderation decisions.
  • Obligations for very large platforms that reach more than 10% of the EU’s population to prevent abuse of their systems.
  • Improved accessibility of platforms for people with disabilities.
  • Bans on targeted advertising to children (or based on special categories of personal data) on online platforms.
  • Transparency measures for online platforms, including user-facing transparency of online advertising and transparency on the algorithms used for recommendations. Additionally, authorities and researchers will have access to data on key platforms in order to scrutinize how they work.
  • An oversight structure to match the complexity of the online space. Member States will have the primary role, supported by a new European Board for Digital Services; for very large platforms, supervision and enforcement is done by the Commission.
  • Small and micro-enterprises are exempted from the most costly obligations, but are free to apply the best practices for their competitive advantage.
  • Platforms and other intermediaries are not liable for users’ unlawful behavior unless they are aware of illegal acts and fail to remove them.


Who qualifies as a gatekeeper?

The DMA defines a gatekeeper as a large online platform with a strong economic position and a significant impact on the internal market, active in multiple EU countries (regardless of whether it is based in the EU or not), which links a large user base to a large number of businesses. Additionally, such a platform qualifies as a gatekeeper only if its position is entrenched and durable, meaning that it has met the previous criteria in each of the last three financial years.

Obviously, the criteria will only be met by a handful of Big Tech platforms that have a disproportionate impact on the market.

Companies like Google / Alphabet Inc., Apple, Microsoft, Amazon and Meta will qualify as gatekeepers.

For example, under the DMA Amazon will have to stop favoring its own products over those of independent vendors that the platform is hosting, and Google will no longer be allowed to collect data from services like Maps and YouTube, and combine it with Google Search data without users’ explicit consent.

This is good, as the Google search monopoly must be broken, particularly since Google is using its market dominance to give YouTube alternatives like Invidious a hard time, even threatening to shut them down completely.

What is the current status of the DMA?

The DMA entered into force on 1 November 2022 and becomes applicable on 2 May 2023. From then on, companies that provide core platform services have two months to notify the Commission if they meet the quantitative thresholds, the Commission has 45 working days to decide whether they qualify as gatekeepers, and those designated as gatekeepers have another 6 months from receiving the decision to ensure compliance with the obligations outlined in the DMA. In an effort to strike the right balance between competing needs, the Commission is organizing technical workshops to get the views of interested stakeholders on gatekeepers’ compliance.

If gatekeepers don’t comply with the new regulation after the allowed 6 months, they can be fined up to 10% of their total worldwide annual turnover or, in the event of repeated infringements, up to 20%, and they can incur periodic penalty payments of up to 5% of their average daily turnover. Additionally, in cases of systematic infringements, other remedies may be imposed on the gatekeepers after a market investigation, on a case-by-case basis, including structural remedies such as the divestiture of (parts of) a business.

The text agreed on by European Parliament and Council negotiators targets large companies providing so-called “core platform services” most prone to unfair business practices, such as social networks, messengers, browsers or search engines. The quantitative thresholds are an annual EU turnover of at least €7.5 billion in each of the last three financial years or a market capitalization of at least €75 billion, combined with a core platform service that has at least 45 million monthly active end users and at least 10,000 yearly active business users in the EU.

What will the new rules mean for gatekeepers?

The gatekeepers will have to

  • allow third parties to inter-operate with the gatekeeper’s own services “in specific situations”
  • allow their business users to access the usage data they’ve generated on the platform
  • provide advertisers and publishers on their platform with the pricing information and performance-measurement tools they need to independently verify their advertising
  • allow their business users to promote their offer and conclude contracts with customers outside the gatekeeper’s platform

And at the same time, these gatekeepers will no longer be allowed to:

  • rank their own products and services more favorably than those offered by independent sellers hosted on their platforms
  • prevent users from uninstalling any preinstalled app or software
  • combine personal data collected across their various services without the user’s consent
  • and, most importantly from a privacy perspective, track end users outside of the gatekeeper’s own platform for targeted advertising without their explicit consent

The complete text of the regulation (Regulation (EU) 2022/1925) was published in the Official Journal of the European Union and is available in multiple languages.


What are the security implications?

While most of the new rules are good news, two measures raise security concerns: the interoperability requirement in the DMA and the transparency requirements in the DSA.

It’s not yet clear who qualifies as a key platform in the DSA (very large platforms?) or what type of data they will have to share. As for interoperability, despite the ambiguity implied by the “in specific situations” wording, it means that messaging apps like WhatsApp and Facebook Messenger will have to be interoperable with services like Signal, allowing their end users to exchange messages, send files or make calls. Obviously, there is a vast difference in encryption protocols and privacy policies between these services, so many are asking whether this will mean compromising the end-to-end encryption and perfect forward secrecy that Signal users have enjoyed so far, if they choose to send or receive cross-platform messages or calls. Technically, interoperability does not have to break end-to-end encryption if the third-party client implements the gatekeeper’s protocol end to end; what it does change is that the gatekeeper no longer controls the client holding the keys at the other end of the conversation, so the security of the exchange is bounded by the weaker of the two implementations. Co-legislators also agreed to assess interoperability obligations for social networks in the future.

Another unintended consequence might be forcing gatekeepers’ app stores to weaken the vetting of developers allowed to distribute apps through their platforms. Even with current standards in place, a Positive Technologies report found vulnerabilities classified as “high risk” in 38% of iOS apps and 43% of Android apps. These vulnerabilities pose not only privacy risks, but also expose users to criminal and state-sponsored attackers.

Some are expressing concerns that, if enacted without proper consideration, opening up digital platforms and forcing data sharing could enable “malign entities” to “wage economic or, even worse, military cyberwarfare”. For context, it should be noted that while the quoted author, Prof. Björn Lundqvist, is a renowned competition law scholar, the Center for European Policy Analysis (CEPA), which published his piece, is funded by several organizations that are targets of the DMA: Amazon Web Services, Google and Microsoft. But that doesn’t mean these concerns should be dismissed.

A lot of the security risk arises from the act’s definition of “business user”, which is currently very broad and includes not only small entities trying to grow their business through the core platforms, but also companies or even governments from unfriendly jurisdictions, which could use the data access rule to obtain data from the gatekeepers.

Worst-case scenarios of how the current version of the DMA could be used include Google being forced to share European search data with rivals that include Russia’s Yandex or China’s Alibaba. The risks get even higher when you consider all of the data collected by Amazon’s cloud service or Alexa, or by Apple and Android car systems. It’s almost as if it was a terrible idea to allow any company to collect and keep that much user data in the first place...

A first step to mitigate these risks is to better define who can use the data access rule, to make sure it only empowers end users and small businesses. In an ideal world, imposing restrictions on what types of data the gatekeepers may store in the first place would also limit the damage if malicious actors did get access to that data.

The DMA states that the level of security, including end-to-end encryption, must be preserved across the interoperable services, but finding a technical solution that achieves interoperability without breaking the encryption will take time (Meta, then Facebook, announced in March 2019 that it wanted to interconnect WhatsApp and Messenger and hasn’t been able to do it yet), and the Commission should adjust its deadlines accordingly, to make sure that this is done right.

Additionally, it should ensure a way for gatekeepers to raise legitimate objections to interoperability requests that would jeopardize user security, such as requests from Russian or Chinese messaging apps. The current version of the act does provide an exemption on specific grounds of public security, but it’s crucial to ensure that this exemption can be applied with the necessary speed and flexibility.

And, as the Electronic Frontier Foundation advises, the DMA should explicitly prohibit any messaging service that “breaks the promise of end-to-end encryption through any means — including by scanning messages in the client-side app or adding ‘ghost’ participants to chats” from being able to “demand interoperability”.

The current language in the act allows gatekeepers to take “strictly necessary and proportionate” measures to preserve security. The text has since been finalized, checked by lawyer-linguists, approved by both Parliament and Council and published; through its series of technical workshops, the Commission is now gathering feedback on how the obligations should be implemented in practice.

Hopefully it will strike the right balance between resisting requests from digital gatekeepers that merely want to delay or avoid regulation that impacts their profits, and addressing legitimate security concerns.