DP News – Week 45. The Digital Markets Act has come into force.
On 01 November, the EU Digital Markets Act (DMA) came into force and will become applicable six months later, on 02 May 2023. DMA affects so-called ‘gatekeepers’ providing ‘core platform services’.
Those ‘core platform services’ generally include (Article 2(2) of the DMA): online intermediation services (e.g., app store, online marketplace), search engines, social media platforms, video-sharing platforms, communications platforms, operating systems, web browsers, virtual assistants, cloud services, online advertising services.
To be covered by DMA, an entity must meet the following cumulative criterions:
– to have annual EU revenue of 7.5 billion euros or market capitalization of 75 billion euros and provide core platform services to at least three EU member states;
– to provide a core platform service with 45 million monthly active end users in the EU and 10’000 yearly active business users established or located in the EU. Those requirements must be met for at least 3 years.
Once those criteria are met, the respective entity has two months to notify the EU Commission, which has to confirm the status of ‘gatekeeper’ within 45 working days. This status will be reviewed at least every three years.
In particular, DMA imposes bans on several digital practices involving, inter alia, personal data. Under the DMA Article 5(2), “the gatekeeper shall not do any of the following:
(a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;
(b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;
(c) cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and
(d) sign in end users to other services of the gatekeeper in order to combine personal data, unless the end user has been presented with the specific choice and has given consent within the meaning of [the GDPR]”.