Michael Veale Profile picture
15 Dec, 33 tweets, 7 min read
Digital Markets Act Thread
Core to the DMA is the idea of "core platform services" and providers thereof, listed here and defined either within the reg or in previous regs. Big and powerful providers of these are in scope, basically.
The juicy parts of the DMA are Articles 5 and 6. These contain obligations for gatekeepers in relation to core services. Art 6 obligations can be further specified by the EC through implementing acts.
Art 5: platforms must
- silo data relating to core services
- not forbid businesses from using other intermediaries too
- allow businesses to contract with users outside the platform but fulfil contracts through the platform (i.e. stopping the Apple App Store tax)
- not forbid businesses from dobbing them in to law enforcement
- not force businesses to use a particular ID service (may interact with the DSA's KYC requirements?)
- not bundle their core services together and force you to sign up to 2+
AND interestingly for ads
- provide advertisers and publishers with the price/remuneration deets (to stop intermediaries controlling market visibility).

Now, art 6, which can be further specified with implementing acts...
The Art 6 requirements are a little less self explanatory. Implementing Acts mean both that they can be strengthened over time, but also give lobbyists something to fight to weaken the instrument with at a later date.
Many of these Art 6 requirements will likely in practice be linked to convoluted processes of standardisation which have never been good at resisting industry capture.
Platforms must
- not use data of their business users to compete with them.

Classic Amazon clause, common complaint and concern all over the world. Pretty self-explanatory start.
- Allow end users to uninstall preinstalled software unless it is technically essential and cannot be offered standalone.

This hits at things like Google Play Services, and is likely to set up fights about what is technically essential or not.
Interesting this para starts with 'core platform service' but ends with 'operating system' as exception. How do you "uninstall" from a cloud service? As written, sort of implies you can, which is an interesting concept (uninstall a/b testing?). also e.g. Facebook apps of old...
Here's a biggie.
- allow installation and effective use of 3rd party software/app store using and interoperating with an OS, and allow their access by means other than through a core platform service.
The exemption to this is that gatekeepers can take proportionate measures to keep their OSs secure. This is clearly aimed at App Stores. It asks a whole range of things: what about access to APIs in the OS? What are these proportionate measures?
This provision would remove the "soft law" that App Store policies wield. Hooray for open software! But also will affect App Stores as regulating apps with trackers in, for example. Or App Stores forbidding pornographic apps. Lots to parse here. Expect Apple to sue.
Actually, expect Apple to do nothing, and someone to eventually sue, but the whole thing to turn into a mess because replacing the current system needs a clear vision of what follows, and requires deep OS changes too.
- not rank their own products better than others'. Similar to issues in the B2B platforms regulation. Straightforward most of the time.
- refrain from technically restricting the ability of end users to switch between and subscribe to different apps/services to be accessed using the OS, including internet access.

This one is pretty open ended.
It has flavours of net neutrality — sorry, Open Internet — bundling of hardware by a cell provider for example. It may also be speaking to things like telling Siri to use Spotify rather than Apple music. Interoperability vibes within an OS. Wide scope for implementing acts.
If anyone has more insight into that provision and exactly what or who it is aiming at, you should let me know...
- allow businesses, in the offering of 'ancillary services' to interoperate with OS, hardware and software.

Again, ancillary services is a HUGE definition (pictured). Aimed at payment, but would this provision prevent an iPhone limiting access to BT, NFC, UWB for non Apple apps?
Nearly there at the end of Art 6. Well, not quite but hang in there.
- provide advertisers and publishers with free analysis and vertification tools/information.

Another one aimed at the market failure of adtech, likely put in by publishers.
NOW THIS ONE
- provide effective data portability AND tools for end users to facilitate its exercise (normal, download your data tools exist) BUT INCLUDING by the provision of CONTINUOUS and REAL-TIME access.

This is bordering on interoperability, or one of its prerequisites.
There are weasel words in this provision, but not as many as there could be. The link between this and the GDPR is interesting, and an acknowledgement that data portability has failed.
A LOT of data falls within the scope of interoperability. A lot could then be accessed in real time. Expect this to be lobbied out, probably to be limited in scope. If not, expect huge non-compliance with it in its entirety.
- provide business users with real-time aggregated/non-aggregated data generated by end-users in their interaction with the platform. Personal data only when it relates to that business user's services and where consent is provided.

Basically, hit counters, demographics...
The consent barrier likely will mean few businesses will get personal data from this proposed provision. They also can't set up their own experiments so no a/b testing for them. Restricted by what platform collects.
Nothing here I see directly prevents e.g. Amazon from only a/b testing its own products and getting more data on that, apart from the data silo provision earlier.

Does Amazon have to treat its product sales team as if they were a business under this provision?
- if you're a search engine, provide other search engine providers on FRAND basis with "ranking, query, click and view data" that is anonymised (if it's query, click and view).
I can forsee an 'anonymisation' fight saying that Google Spain says this is all personal data... but I don't think that would stand in the way here. But this data is huge. Enormous. How often? How?
If a university set up a search engine, that would be a pretty nice dataset to get hold of. I'm a bit baffled about exactly what this dataset would look like in practice...
- apply FRAND terms to app store terms and conditions
I should probably note I've not read the recitals in full yet and there could be Interesting Clarifications in there.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Michael Veale

Michael Veale Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mikarv

15 Dec
Today's Online Harms consultation response is perhaps the first major UK divergence from a big principle of EU law not tied to Brexit directly: it explicitly proposes a measure ignoring the prohibition on requiring intermediaries like platforms to generally monitor content.
the e-Commerce Directive art 15 prohibits member states from requiring internet intermediaries to actively look for illegal content; this is because the awareness would make them liable.
The Online Harms White Paper roughly kept with this, indicating that automatic detection systems were an approach platforms could use, but they would not be required to. Consultation responses (unsurprisingly) agreed.
Read 11 tweets
24 Sep
After a long, unnecessary saga, England/Wales launches a decentralised contact tracing app based on the DP-3T work led by @carmelatroncoso, following other regions of the UK.

On privacy and public health grounds, you should download and use it. apps.apple.com/gb/app/nhs-cov…
The original was a triple whammy of hubris: wouldn’t work abroad, wouldn’t work technologically on platforms, centralisation open for abuse and function creep.

This version has much better foundations.

I understand mistrust that may linger — but please do try this new one.
We’ve also learned plenty about platforms. If governments want the citizens to be able to run arbitrary code on mobile devices, making use of all sensors, they’ll need the law to crack open walled gardens. theguardian.com/commentisfree/…
Read 9 tweets
12 Aug
I suspect students in England will make a very large number of subject access requests under the GDPR to schools from tomorrow for their teacher-estimated grade as well as rank-order in the class — information which will likely have determined their university entrance. 1/
There is a relevant exemption/delay provision in the Data Protection Act 2018 sch 2 para 25 for exam scripts, but this only pushes the deadline to a minimum of 22 September 2020. The ICO has confirmed this. ico.org.uk/global/data-pr… Image
The only time I can see a plausible ground for this grade to be refused is where the rank order reveals data about others, such as in classes of 2 or 3 (wow). Even then, no presumption against disclosure (see DB v General Medical Council [2018] EWCA Civ 1497).
Read 4 tweets
10 Aug
I am so excited this info-filled, beautiful, OA volume is out. Please:

- obtain an actual meatspace copy
- donate & download it in cyberspace (shop.meatspacepress.com/product/data-j…)
- DL for free on meatspacepress.com.

Amazing, timely work by @linnetelwin @empo11on @XGargi @shazjameson
There are dispatches from a huge array of countries... Image
... from a huge array of authors... Image
Read 6 tweets
16 Jul
Looks like the Court agrees with @maxschrems - it is for DPAs to strike down SCCs with certain countries, rather than throwing the mechanism itself out, and the Court decides to answer the Privacy Shield questions (the AG said they did not need to), and strikes it down.
SCCs now haunted by the question of how an underfunded DPA examines all of a third country’s laws and assessed whether SCCs remain valid, when they can’t even take complaints effectively in their own legal system.
As always, the press release isn’t the full judgement. That’ll be at this link, later curia.europa.eu/juris/fiche.js…
Read 4 tweets
11 Jul
national parliamentary committee can be public authority & data controller says CJEU.

clearly some v strange bg to this case though, as DE admin court referred a 2nd q doubting its own ability to refer under TFEU 267 due to general lack of independence curia.europa.eu/juris/document…
in headache inducing logic typical of art 267, CJEU says they are independent so can refer the DP question, but that the independence question is technically inadmissible because isn’t necessary to answer the issue in the main proceedings, so it says it actually never answered it
anyway besides the strange act of self-doubt which appears to be about the appointment of temporary judges & the ministry of justice’s IT support of the ct computers, the case is generally unremarkable other than to say the definition of public authority is wide & eu law applies
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!