The writer is international policy director at Stanford University’s Cyber Policy Center
Four years ago, milestone GDPR legislation on the protection of data came into effect. Now the EU is in the final stages of writing history again, with a new law that seeks to clarify competition responsibilities for big tech firms up front. The aim of the Digital Markets Act (DMA) is to prevent these gatekeeper companies from abusing their market dominance and not simply bring them to court for antitrust violations.
Instead of breaking up monopolistic companies, the DMA would open them up, says French Digital Minister Cedric O. Amazon, for example, would not be able to use its insights into buyer activities to best position its own brands on its own platform. Users would be able to seamlessly send messages to friends on other platforms, and Apple would have to allow access to rival app stores. Default settings would no longer create lock-ins, giving internet users much-needed freedom.
It should come as no surprise that major tech firms are criticizing the new rules, which aim to increase their responsibilities and decrease their power. It is also unsurprising that the DMA has become one of the most heavily lobbied pieces of legislation ever produced in Brussels. Facebook, Google, Microsoft and Apple alone spent about €20mn last year in an attempt to influence it.
Lobbyists quickly latched on to privacy as a possible argument. What is cleverer, after all, than using one key EU achievement against another? It can be difficult to distinguish between the lobbying noise and the civil liberties alarm. But while there are details to be spelled out about combining security and competition, there are also clear indicators of how that may be achieved.
WhatsApp’s chief Will Cathcart, whose company has implemented end-to-end encryption between users, foresees problems, as do others with a less direct stake in the competition laws and a better record in privacy protections. They worry the well-intended focus on interoperability might have security downsides. When the consumer can choose their messaging platform, they should then be able to interact with all other platforms, in the way email does. Interoperability would lower the cost and hassle of switching, helping competition and consumer choice. The question is whether these proposed obligations might clash with those of end-to-end encryption.
But this is not a mission impossible. When an internet user has deliberately chosen a messaging platform with the highest encryption standards – to be certain of confidentiality or to protect a source – the fact that their message is passed on to the platform of a friend or colleague should not change the protection of their data. The DMA foresees that APIs must have the same levels of data protection for remote and internal users, according to Matrix, an open-source project fostering secure communications, which also proposes “bridges” for encrypted data.
Additionally, it is useful to remember that competition and privacy protections go two ways. Monopolists can more easily downgrade data protection standards, as Facebook has, because consumers have fewer alternatives. With more competition, the chances are that better privacy protection becomes a competitive advantage. Even if the US lacks a federal data protection law, its courts are currently hearing several cases challenging the harmful relationship between privacy and antitrust. Federal Trade Commission chair Lina Khan called the new DMA legislation a “landmark proposal to promote fair access to markets controlled by digital gatekeepers”. She recognizes the implications of corporate access to information for privacy and security, in addition to competition. It is exactly that combination that the EU now needs to tackle.
The DMA’s details are still being worked out, and methods of enforcement will also be critical. There is wriggle room between the political agreement reached and the final text after experts fine-tune it. It will only be possible to seriously weigh all concerns against this last iteration, which should be available in the next few weeks.
Yet the discussion about interoperability and encryption – or between the GDPR and DMA – already hints at a major challenge the EU is still to face. After the DMA, the Digital Services Act, the AI Act, and the Data Act will follow, to ensure more countervailing powers to balance those of technology companies. For EU lawmakers and regulators with ambitions to curb the power of big tech, ensuring that these different laws also work well together will be the next big hurdle.