Proton
An illustration of the DMA acting as a counterbalance to Big Tech's power.

The DMA could help make the internet a level playing field – but is the EU serious about taking on Big Tech?

Just a handful of massive companies, with wealth greater than some countries, controls almost every aspect of the internet. They can decide which voices to amplify or silence, which businesses to boost or crush (or acquire), and what personal data they will collect and monetize, all with almost no accountability or oversight.

This centralization of power into the hands of a few multinational corporations runs counter to the original dream of a free, open, and fair internet. And as the events of recent years(new window) have shown, they are a threat to democracy.

In December 2020, the European Commission released its proposal for the Digital Markets Act(new window) (DMA), the EU’s attempt to curtail Big Tech’s power and revive competition on the internet. Like the flurry of American antitrust investigations, the DMA is a sign that politicians finally have recognized how much Big Tech has abused its ever-growing power over the past decade.

As a company dedicated to building a better internet for all, we have been following the developments in the EU closely and we support the DMA. We’ve created this analysis to help our community better understand the issues around the DMA and what it would do. 

But there is also a strong caveat: This regulation will only be as effective as its enforcement. The EU must devote the resources necessary to fundamentally shift the balance of power on the internet back into the hands of people.

Who does the DMA apply to?

The DMA is a set of rules that target “gatekeeper platforms,” which are massive tech companies that control “core platform services” of the internet that link a business and its customers. A gatekeeper can control more than one core platform service, and many of them do. The DMA contains a list of what are considered core platform services, which includes search engines, social networking services, certain messaging services, and operating systems. The European Commission can also add services to that list as necessary.

In many cases, these core platform services function as a bottleneck, forcing all companies to use the same tool to reach the vast majority of their market. Controlling these bottlenecks gives a gatekeeper platform immense power to effectively cut off a company from the segment of the market it controls. Think of how Apple controls which apps it allows on its mobile devices or how Google controls which companies will be the first search result. This control coupled with Big Tech’s global scale has given these companies unprecedented power. 

To ensure that it does not hinder companies that are still developing, the DMA’s rules would only apply to gatekeeper platforms that have met all of the following criteria for the past three years:

  • Achieve either an average market capitalization of at least €65 billion — or have an annual turnover of at least €6.5 billion in the European Economic Area (EEA) 
  • Have at least 45 million monthly active end users within the EU 
  • Have at least 10,000 yearly active business users within the EU

(It is slightly more complicated than this, but these are the important standards to know.)

The DMA only targets the truly massive corporations. This way, companies and potential competitors to the Big Tech monopolists are not burdened with undue regulation.

What does the DMA do?

The DMA rules would impose a number of obligations on gatekeepers. These obligations are intended to prevent them from abusing their power and engaging in anti-competitive behavior. They do not address free speech on the internet or how to govern it (that is covered in the EU’s proposed Digital Services Act). Think of the DMA as essentially a list of “Dos” and “Don’ts” for Big Tech. Some of the most important obligations are listed below:

  • Article 5(a) — Don’t mix personal data without a user’s explicit consent
    This would prevent gatekeepers from combining personal data collected from their core platform services with personal data collected from other services or from a data broker without explicit consent. It would also prevent them from forcing you to automatically sign in to all of a gatekeeper’s services if you only want to sign in to one.
    Example: Google would not be able combine the data it has collected from you with commercially available data, like your credit score. You would also be able to sign in to Gmail without signing in to all of Google’s services.
  • Article 5(c) — Do allow business users to promote offers to end users
    In effect, gatekeepers would be required to allow businesses to inform their customers about alternative purchase options.
    Example: Apple would have to let app developers inform their users of cheaper subscription offers that are available via their website in the App Store. 
  • Article 5(e) — Don’t force business users to adopt the platform’s authentication system.
    Businesses could still choose to use the gatekeeper’s ID system, but it would not be required.
    Example: An app developer would be allowed to create their own ID system for their app and Google would not be able to force them to use its ID system.
  • Article 5(f) — Don’t cross-tie core products.
    Gatekeepers would not be able to force users to sign up for one of its core services as a precondition to getting access to another of its services or products. Gatekeepers’ products and services would be available to users separately.
    Example: Users would be able to access the Android operating system without a Gmail account.
  • Article 6(a) — Don’t spy on business users to gain an unfair competitive advantage.
    Currently, gatekeepers can use private data from their platform and monitor their business users’ data to determine how to place, price, and advertise competing goods or services. The DMA would ban this practice.
    Example: Amazon would no longer be able to use its search results data to determine what goods to clone and start selling itself.
  • Article 6(b) — Do allow users to uninstall any pre-installed software applications
    Gatekeepers would have to allow their users to uninstall any pre-installed software applications that are not essential to running the hardware.
    Example: You would be able to delete the pre-installed calendar or calculator apps on your smartphone.
  • Article 6(c) — Do allow third-party app stores and users to side-load apps.
    Under the DMA, gatekeepers would only be allowed to prevent third-party app stores if they damage or undermine the “integrity of the hardware or operating system.”
    Gatekeepers would not be able to prevent users from accessing services they acquired outside their platform.
    Example: Apple would not be able to block users from downloading apps that are not in the App Store.
  • Article 6(d) — Don’t give preference to platforms’ own products in rankings.
    Gatekeepers would not be able to unfairly rank their own products and services more favorably than their competitors. 
  • Article 6(e) — Don’t lock users in.
    Gatekeepers would not be able to technically restrict users from deleting apps or switching away from default apps. They also would not be able to force users to use a particular internet service provider.
  • Article 6(f) — Do make platforms interoperable with other service providers.
    Gatekeepers would have to make their platforms open to some key third-party service providers, like payment providers, digital identity providers, or ad-tech sellers, on the same terms as their own services.
  • Article 6(h) — Do make data portable and continuously accessible in real time.
    Gatekeepers would have to give all users the ability to download their data and take it to a rival. They would also have to make both end and business user data continuously accessible in real time to their competitors.
  • Article 6(i) — Do give businesses access to their own data.
    Gatekeepers would have to give business users real-time, continuous access to high-quality data from the gatekeepers’ platform about their sales, customers, and other commercial activity. 
  • Article 6(k) — Do provide fair and nondiscriminatory access to app stores.
    The DMA states that gatekeepers that manage app stores would have to accept apps onto their platform in a fair and nondiscriminatory manner.

What happens if a company violates a DMA obligation?

The DMA currently states that the European Commission alone will be responsible for enforcement, meaning they would investigate any alleged violations and hand out penalties to any gatekeepers that violate the DMA’s new rules. 

The authors of the DMA seem to understand the size of the companies they are trying to rein in. In fact, these companies are so large, they regularly set aside billions of dollars just to pay regulatory fines. In light of this, gatekeepers that violate the DMA would face:

  • Fines of up to 10% of the company’s total worldwide annual turnover
    Example: Facebook’s global revenue for 2019 was $71 billion. It could, therefore, be subject to a $7.1 billion fine.
  • Periodic penalty payments of up to 5% of the average daily turnover for ongoing infractions

And if a company repeatedly or systematically violates its DMA obligations as a gatekeeper, the Commission could impose additional penalties, including potential “structural remedies” (e.g., being forced to sell parts of the business).

The DMA could change the internet

As an organization dedicated to defending fundamental human rights and democracy, Proton supports the DMA as a welcome recognition that it is time to stop letting Big Tech run the internet. 

Big Tech’s accumulation of power has been an ongoing concern. Before we can create an internet that puts people first, we need to end the monopolies’ domination. The DMA targets many of the most egregious abuses over the past decade, especially in the mobile device sector. 

If the DMA’s obligations are enforced quickly and vigorously, they have the potential to change the very business model many of the gatekeepers rely upon. Several of the DMA’s obligations, such as the prohibition on mixing gatekeeper data and commercially available data, would make it harder for companies like Google and Facebook to monetize users’ personal data. 

And if these companies continuously violate the DMA, the Commission could force Google to divest from YouTube (or Facebook from Instagram).

The DMA’s success or failure will come down to how the current draft’s principles are fleshed out into actual provisions that can be implemented and how the Commission decides to pursue enforcement. Big Tech has been cementing its position for years, so it is important that the EU gets the DMA correct from the beginning. Every delay gives tech monopolists more time to further entrench their advantages.

One cause for concern is the amount of manpower the European Commission is calling for. According to recent documents, the task group that will lead DMA enforcement is to be composed of 80 individuals, which seems woefully inadequate given their task’s scope and complexity. Further, the Commission suggests creating this team only after the DMA is enacted, meaning they could be stuck playing catch up. 

The GDPR is a pertinent example. The GDPR has been successful in giving users a greater window into which companies have access to their data. The DMA is also taking inspiration from the GDPR in that it is legislation that aspires to be global in its impact. Unfortunately, the current DMA proposal did not learn from the GDPR’s mistake of not having national data protection agencies fully staffed when the GDPR was implemented. This staffing lag meant that it took over a year before any major penalties for GDPR infractions were handed out.

Advocating for a strong DMA 

We are now entering a critical phase of the DMA. Big Tech is going to try to exert all its influence to water down the DMA obligations and their enforcement, precisely because it would expose them to true competition. European citizens and independent tech companies must prevent these lobbying efforts from succeeding. 

We will go into greater depth on how we would like to see the DMA bolstered and implemented in another blog post. 

If you live in Europe and want an internet that respects your security, privacy, and freedom, contact your MEP(new window) and tell them you support a strong DMA that is actively enforced. 

The DMA represents the best chance society has had in years to check Big Tech’s power and break up the monopolists.


Feel free to share your feedback and questions with us via our official social media channels on Twitter(new window) and Reddit(new window).

Related articles

The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.
A graphic interpretation of a block of how many gigabytes in a terabyte
Learn how many GB are in a TB and discover the best way to securely store and share your files — no matter their size.
The cover image for a Proton blog, showing a phone screen with a lock logo and three password fields surrounding the phone
Here's what to look for when choosing an enterprise password manager to streamline collaboration and protect your organization's sensitive data.