Although it would appear that no fewer than 10 000 online platforms operate in the EU, the digital market seems to be moulded by just a handful of them. This raised concerns among the Authorities in terms of, among others, transparency and fair competition. The Digital Markets Act (DMA)1, together with the upcoming Digital Services Act (DSA), forms a central part of the package proposed by the Commission to address such concerns, setting up specific obligations for the digital giants, the so-called gatekeepers. A gatekeeper, according to the DMA, is an undertaking providing core platform services (such as online intermediation services, online search engines, video-sharing platform services, web browsers etc.), which:
- has a significant impact on the internal market;
- is an important gateway for business users to reach end users; and
- profits from an entrenched and durable position in its operations or is likely to achieve such a position in the near future.
According to the DMA, the Commission shall designate an entity as a gatekeeper, when the above criteria are met, taking into account certain thresholds in terms of: annual EU turnover2, minimum number of active users3 and timeframe4. Even if such thresholds are not strictly met, the Commission is also entitled to label an entity as a gatekeeper when, due to its data driven advantages (in particular related to its access to personal data, analytics capabilities and corporate structure) and other criteria, the entity is in a position to influence the market.
While we cannot predict all the ramifications of the upcoming DMA, impacting as it does a complex and, to some extent, opaque framework, yet we can expect at least a few consequences for the entities relying upon digital marketing services (whether to profit from advertising spaces or promote their positioning).
1. Information on costs and metrics associated with digital advertising
The conditions on which gatekeepers provide online advertising services to business users (including both advertisers and publishers) have, in fact, been considered by most commentators as opaque and non-transparent: apparently, advertisers and publishers are not provided with a clear picture of the conditions required to access advertising services. The logic of referral and / or monetization criteria have not been (nor seem to currently be) set out for business users such as publishers and advertisers. There has been heated debate about gatekeepers using “arcane” algorithms to calculate the metrics, resulting in business users being unable to understand how costs are calculated and, ultimately, unable to determine whether a particular service is profitable. Several parties have red-flagged this dysfunctionality. Among others, it is worth noting the EU paper Study Online advertising: the impact of targeted advertising on advertisers, market access and consumer choice5. The Study pointed out that “advertisers cannot understand why they win or lose auctions for specific keywords and how the final price for the impression or conversion is determined. Likewise, publishers face similar uncertainty since they observe only their personal ad revenue, but how much is pocketed by the intermediary remains unknown. The same applies to performance data of the advertisement or the ad-inventory”.
Therefore, the legislator decided to include the requirement for gatekeepers to provide publishers and advertisers with detailed information on the costs associated with particular advertising services. This principle is clearly explained in Recital 45 of the DMA, where the legislator introduces the need to ensure that: (i) publishers and advertisers are informed of the costs associated with a relevant ad (including through disclosure of the remuneration received by the publisher – or the average remuneration), and (ii) it is made clear to them what criterion is used to calculate the pricing model (e.g. price for impression, per view, etc.). Article 5(9) and (10) state that this information should be provided free of charge.
A very similar approach is proposed for the calculation of metrics. In particular, Recital 58 underlines the importance of publishers and advertisers being provided with free of charge access to gatekeepers’ performance measuring tools, so they can carry out their own assessment of gatekeepers’ services (the same obligations are further explained in Article 6(8)).
2. Expected limitations in targeting
Gatekeepers often collect directly end users’ personal data for the purpose of providing advertising services when end users use third parties’ websites and apps. They also receive a vast amount of data from the business users that rely upon their services. Considering that some gatekeepers may also provide various core platform services, they are well-placed to combine and cross-use personal data. For this reason, the legislation decided to put some limitations on the gatekeepers’ ability to process personal data (see Article 5(2) of the DMA). In particular, gatekeepers are prevented from (i) processing end users’ personal data for the purpose of providing advertising services, if such data is retrieved from the use of services offered by third parties making use of core platform services of the gatekeepers, (ii) combining personal data derived from multiple services offered by the gatekeeper or by third parties, (iii) cross-using personal data (derived from a core platform service) in other services offered separately by the gatekeeper and vice-versa, and (iv) signing in end users to other services of the gatekeeper in order to combine personal data. However, this prohibition can be overridden if the end user provides a GDPR-valid consent.
The main consequences of the above approach appear to be that:
- Gatekeepers will be limited in providing their advertising services to the extent they are currently doing, given that their ability to create complex end users’ advertising profiles will likely be limited. This will probably impact the effectiveness of an ad seeking to influence targeted consumers.
- It could be argued that, based on the actual wording used in Article 5(2) second subparagraph, gatekeepers will be able to rely upon one single opt-in to carry out all the different combining / cross-using activities above summarized. Although a number of commentators claim that such combination would require multiple consents (given that multiple purposes may be identified), the final decision of the trilogue seems to facilitate the gatekeepers’ operations. The validity of such “multi-processing activities” consent will depend on the interpretation that will be given by the Commission: on one side, it is to be reminded that Article 13 has introduced an anti-circumvention provision upon the gatekeepers but, on the other side, one may say that Recital 32 of the GDPR does not clearly require that consent for multiple activities should be obtained by separate declarations. So much remains to be clarified!
3. Limitations on targeting minors and profiling based on sensitive data
Originally expected to be addressed by the DMA and then shifted to the DSA, bans on targeting of minors and other vulnerable users are becoming a reality. Article 24 (1b) of the DSA, which is expected to apply from the beginning of 2024, prevents the targeting of minors or relying upon sensitive personal data for the purpose of displaying advertisements. Although it is as yet unclear which age thresholds are being considered and whether Member States will have any autonomy in shaping them: this is a key battleground.
Such regulations should provide a safer digital space, given that in the current legal framework, advertising profiles include all sorts of sensitive data. Based on what has been identified by several stakeholders and commentators, ads are (also) based on special categories of data.
It is not possible to dive into such topic here – as it would require more research and double checks, in order to get a clear sense of the size of the phenomenon. However, even if the DSA had not introduced a limitation on targeting minors and profiling based on sensitive data, it may not result easy to justify such an extent in the use of data: first and foremost, the consent collected from a user may result as not being valid and, moreover, a risk assessment may lead to the consequence that less data should be processed.
It appears that the legislator decided to draw up a set of rules in the DMA, aimed at ensuring more transparency and correcting what has been detected as an imbalance in the market. Such rules include provisions to strengthen the position of publishers and advertisers.
Moreover, the DMA appears to complete the GDPR’s requirements, with the aim of strengthening the protection of personal data and preventing from carrying out certain processing activities (e.g. the combining of personal data, collected from different sources).
The DMA’s intended purpose is clear: however, much will depend on how it will be interpreted and applied by the relevant Authorities. The DMA will not end the debate: we will keep you posted