EU Digital Markets Act: 101

By IAPP Managing Director, Europe, Isabelle Roccia

FOCUS AREAS EU DIGITAL MARKETS ACT

Purpose of the DMA
The Digital Markets Act creates new obligations for Gatekeepers that offer core platform services to business users established in the EU or end users established or located in the EU
big technology platforms acting as "gatekeepers irrespective of the place of establishment or residence of the gatekeepers.
providing core platform services" to create a
fairer environment for business users that rely on Entities that meet the following cumulative conditions qualify as gatekeeper:
gatekeepers, and to ensure consumers have access 1. If they have annual EU revenue of 7.5 billion euros or market capitalization of 75 billion euros and provide core platform services to at
to better services and can easily switch providers. least three EU member states.
2. They provide a core platform service with 45 million monthly active end users in EU and 10,000 yearly active business users established
ORGANIZATIONS or located in EU.
Key changes the DMA brings
WITHIN SCOPE a. Business users are any entity acting in a commercial or professional capacity using core platform services for the purpose of
ϻ Creates a qualification of "gatekeeper." providing goods or services to end users.
ϻ Necessitates gatekeepers reexamine their data b. End users are any entity (other than business users) using core platform services.
processing activities on multiple services and 3. They have satisfied the requirements in (2) for at least three years.
around the issues of consent.
An entity that meets all criteria must notify the Commission within two months of meeting the criteria, which in turn has 45 working days
to confirm the designation. The Commission can also designate gatekeepers absent a self-notification. The status of gatekeeper, once
Key challenges posed by the DMA established, will be reviewed on a regular basis and at least every three years.
ϻ Determining a robust, futureproof and
undisputed methodology, and quantitative
thresholds to qualify gatekeepers. Any of the following 10 types of online services are in scope, regardless of the technology used:

ϻ Possible compatibility and consistency issues ϻ Online intermediation services (e.g., app store, online marketplace).
between the DMA, the EU General Data ϻ Search engines.
Protection Regulation and the ePrivacy Directive. ϻ Social media platforms.
ϻ Video-sharing platforms.
Important dates COVERED ϻ Communications platforms.

The DMA entered into force 1 Nov. 2022 and SERVICES ϻ Operating systems.
became applicable six months after that date, ϻ Web browsers.
2 May 2023. ϻ Virtual assistants.
Specific provisions apply directly from 1 Nov. 2022, ϻ Cloud services.
starting with the European Commission's work ϻ Online advertising services.
to determine the methodology for designating
gatekeepers and to lay down implementing Online intermediation services can also be active in the field of financial services.
provisions, including the creation of a high-level
advisory group. Provisions on representative
The DMA prohibits digital practices by gatekeepers which make it difficult for users to use products and services offered by non-gatekeeper
actions and on breach reporting apply from providers. The following is a non-exhaustive list of prohibitions:
25 June 2023.
ϻ Self-preferencing their services in search results.
ϻ Combining personal data obtained from their subsidiaries.
Additional resources ϻ Prevent interoperability communications services like end-to-end texting.
PROHIBITED
ϻ EU Digital Markets Act published in PRACTICES ϻ Limiting business users' dealings with end users.
Official Journal of European Union ϻ Forcing users to use gatekeepers' other services in the context of services provided by business users through core platform services.
ϻ EU Data Initiatives in Context ϻ Establishing the right to use third-party applications on users' devices.
ϻ Council of the European Union offers DMA ϻ Prohibiting the use of users' personal data of users using third-party services that, in turn, make use of gatekeepers' core platform services.
final approval
ϻ Preventing users from raising issues of non-compliance with EU or national law.
ϻ The EU's DMA and DSA: Why this should be
of interest to privacy pros
ϻ A view from Brussels: EU GDPR & DGA, DSA, The DMA enables the European Commission to investigate and sanction noncompliance. The penalties for violating the DMA include:
DMA: When the rubber meets the road ENFORCEMENT
ϻ 10% of gatekeepers' worldwide revenue if gatekeepers intentionally or negligently fail to comply with the DMA, 20% for repeated violations.
(IAPP Video) AND PENALTIES
ϻ 1% for 11 other infractions such as failure to notify, submit information, provide access to data, rectify, submit to an inspection and more.

IAPP disclaims all warranties, expressed or implied, with respect to the contents of this material, including any warranties of accuracy, merchantability, or fitness for a particular purpose. Nothing herein should be construed as legal advice. Updated October 2023.
© 2023 International Association of Privacy Professionals. All rights reserved. iapp.org