On March 24, 2022, the European Parliament and European Council approved the final text of the DMA. The DMA imposes more regulation over core platform services, such as online search engines, marketplaces, and the like. The Commission will designate gatekeeper organizations – which encompasses big tech providers with over 45 million monthly end users and ten thousand business users in the EU, amongst other requirements – for higher regulation.

Formal approval and publishing of the DMA should occur later this year or early next year. After the law goes into force, there will be a grace period before it is actionable so gatekeepers can provide information and become compliant. As such, expect the effective date to be sometime in 2023 or early 2024. In the meantime, the Commission has encouraged organizations to come forward with any questions to foster compliance. While affected organizations absolutely need to start thinking about updating compliance programs, the DMA holds additional implications for eDiscovery practitioners and can heighten security risks.

Key DMA Provisions

The recent agreement on the DMA is a huge stride in the EU’s digital strategy. Violations can result in fines up to 20 percent of an organization’s total turnover. Here are four major features of the new law:

1. Gatekeepers will need to provide users with choice over browsers, search engines, and virtual assistants. Third-party app stores will also need to be allowed on gatekeeper platforms to offer user choice.
    
2. Smaller messaging platforms can request interoperability from gatekeepers. What this means is that users will be able to communicate across different apps. The DMA does not address social media platforms, but this will likely be a topic of discussion down the road after seeing how interoperability works with messaging platforms.
    
3. Users will need to provide consent before a gatekeeper can process or combine personal data across platforms to initiate targeted advertising.
    
4. Gatekeepers must provide information to the Commission about acquisition plans for smaller core platform services. In the future, the Commission may have the power to temporarily halt acquisitions in this space.

Expected eDiscovery Repercussions

When a new data law passes, it is crucial for eDiscovery practitioners to consider potential effects. If smaller organizations leverage their interoperability rights, data preservation and collection challenges will undoubtedly emerge. This would affect not only EU cases and investigations, but also those originating in other countries dealing with EU custodians. Combining content across platforms can lead to challenges identifying where data lives, extraction roadblocks, and increased data sources requiring more expense and time. Expect innovative technology and processes to emerge over the next few years that address challenges associated with extracting and reviewing messenger content with multiple file types without missing responsive data, as this is a risk resulting from interoperability.

Others have speculated on ways that leveraging the DMA’s interoperability power can benefit eDiscovery processes. Examples include streamlined collection for ephemeral messaging content and less chance of evidence spoliation since there will be more locations where data is housed.

Security Concerns

While the DMA states that interoperability requires high security data protection controls, this function inherently poses security challenges. Gatekeepers and smaller platforms that become interoperable would essentially have to agree to use the same encryption techniques and controls that foster functionality while reducing the risk that threat actors can access the messaging content. It may prove difficult to get both parties on the same page with adequate oversight.

State of the DSA and Beyond

The DSA is still in the works, but recently had some movement. This law is similar to the DMA but has more focus on regulating the content platforms host. Several debated provisions exist, such as using dark patterns to obtain data or purchases, elevating privacy protection for minors, and user compensation when infringement occurs. There have been proposals on these and other issues concerning the level of regulation and wording that should appear in the law. This movement, coupled along with the recent DMA passage, will likely propel the final approval of the DSA sometime this year.

Just as the GDPR continues to influence other countries around the world to update privacy frameworks, the EU’s expanded digital strategy could jumpstart a new regulatory trend. Other regulators have similar concerns regarding big tech, so interested parties should watch and see how DMA enforcement unfolds, what gaps the DSA will cover, and which country makes the next move in this area.

For more information on how Epiq can help you, click here.