Trusted Future has long supported European efforts aimed at advancing a more vibrant, innovative, safe, secure, competitive and trustworthy digital ecosystem. But we have also been critical of the way Europe has implemented its Digital Markets Act because it has undermined Europe’s forward progress. Today, as a result of the DMA’s implementation, European consumers and businesses face a less secure, less innovative, and more fragmented digital experience.
This week Teresa Ribera, the European Commission’s Executive Vice-President for a Clean, Just and Competitive Transition, delivered the European Commission’s first review of the Digital Markets Act (DMA) and highlighted its “positive impact.” Earlier this month, Ribera likewise called the DMA’s regulatory impact a “success story.” The report’s accompanying staff report also claims a “tangible positive impact observable across all obligations.” But this is an unbalanced view of the DMA: the benefits are exaggerated, and the costs to users are ignored. The report is dismissive of any negative impacts on users, provides no evidence of consumer demand for or uptake in new options, and completely fails to either acknowledge or evaluate the DMA’s widely known negative privacy, safety and security impacts.
We are disheartened but not surprised. As any teacher knows, in grading your own work, people are more likely to give themselves an A+. That is especially true when a regulator is asked to grade their own work.
It’s unfortunate that this report, intended as a key indicator of the effectiveness of the DMA, missed the opportunity to analyze the DMA’s full impact. The EC missed a critical opportunity to dig deeper, to do a more honest assessment, to better align its broader digital rulebooks, and find ways to address some of the very real consumer and business harms that the DMA has created. Most glaringly, the report completely failed to consider the DMA’s broad and harmful impacts to user privacy, safety, security and innovation, or to suggest ways it intends to address these shortcomings. It underscores some of the fundamental challenges the EC has had since the beginning of its work in implementing the DMA.
So what did they miss in their report? What are they calling a success story?
Last year we completed our own analysis and deep dive into the DMA’s impact in the mobile ecosystem. Despite its goals, we found major problems in the way the DMA is being implemented. It has created vast unintended consequences and is impeding Europe’s broader ability to advance a more vibrant, innovative, safe, secure, competitive and trustworthy digital ecosystem. While some ideas may be well-intentioned, European consumers and businesses face a less secure, less innovative, and more fragmented digital experience because of the way the DMA has been implemented.
What our analysis found, and what the DMA progress report missed.
We found:
- The DMA created an “App Governance Gap” that undermines Europe’s rules aimed at advancing a safer app store. We found the DMA’s Article 6(4) obligations on alternative app distribution created a digital disconnect between the EU’s ambitions for a safer app store ecosystem (as required by the EU’s Digital Services Act) and the DMA’s sideloading loophole that has created a new app governance gap and backdoor for harmful apps – expanding some of the exact harms the DSA tries to mitigate. The EC’s DMA report failed to explore the demonstrable ways that the DMA, by opening up the gatekeeper’s gates, has opened the floodgates to apps with illicit and pornographic content, that it would allow innovative new ways to defraud, scam and rip off consumers and businesses, that it would lead to a rush in intellectual property theft enabling apps, or that it would open a backdoor through which parents can no longer protect children and the apps they access.
- What the report missed on safety. The report’s evaluation of Article 6(4) regarding alternative distribution channels of apps which is at the heart of the newly created app governance gap, completely failed to evaluate the wide variety of harmful apps now being made available and the degraded consumer experience. There was no discussion or evaluation of its impact on children, on scams and fraud, and on intellectual property protection – issues at the intersection of parallel DSA app store regulation. We are specifically disappointed that DG-Connect, who enforces the DSA, did not engage in this effort to seek opportunities to better align the DMA with its broader mandate and rules aimed at protecting kids, consumers, and creators through its app store rules.
- The DMA undermines Europe’s efforts to improve the mobile security European consumers, businesses, and critical infrastructure depend upon. We also found the DMA exacerbates some of the very mobile security risks that the Cyber Resilience Act is designed to protect against – putting European consumers and businesses at greater risk. The DMA’s interoperability rules, for example, dangerously disable key security safeguards designed to protect user privacy and safety. For European businesses, these DMA requirements can expose their enterprise networks, critical infrastructure and daily operations to disruptive and expensive new security threats – risks that can start with a simple mobile phishing attack. According to Lookout, a single mobile phishing attack, for example, could cost a 5,000-employee organization almost $4 million. At a time when one in four European SME business owners has already been targeted by cyber scammers, this isn’t the time to weaken European security, or mandate interoperable insecurity.
- What the report missed on security. The report is especially lacking in any technical or specific analysis of the DMA’s security impacts. We are specifically disappointed, for example, that ENISA, Europe’s cybersecurity expert agency, and the Member State national security agencies, haven’t been given bigger voices at the table to drive security best practices more directly into DMA rules – especially around DMA interoperability mandates. While the report says that “the Commission intends to increase cross-regulatory cooperation and to explore with the DMA High-Level group which measures should be taken to further step up coordination and cooperation between digital regulators,” given past practice we are skeptical that they will give Europe’s primary security and privacy expert agencies an equal voice in the DMA’s implementation. We are also concerned that the Member States’ national security agencies, who by the Treaty on European Union, Article 4(2) retain sole “competency” over national security issues, have not been brought to the table for these issues. It is critical that as the expert agencies in the Member States on national security, they have a voice, because (in addition to Europol and ENISA) they have issued specific advice to not allow alternative app stores on devices, and depend upon mobile devices that are built to be secure by design.
- What the report missed on privacy. We are likewise disappointed the report is virtually silent on the DMA’s privacy impacts. On page 10 of the staff working report, the EC acknowledges that they are working on “joint guidelines on the interplay between the DMA and the GDPR,” but we were expecting this to be a full and fair assessment that followed the facts. Instead, the EC seems to presume the outcome, saying the guidance will “help prevent gatekeepers from using fallacious privacy and security arguments as a means to avoid effective compliance.” This appears to assume that the legitimate privacy and security issues that we and other technologists have identified are “fallacious” without ever showing an evidence-based technical feasibility study to adequately assess their impact or mitigate their harms.
- Impedes competition and hinders Europe’s economic potential. Our analysis found that despite the DMA’s self-stated pro-competition goals, the DMA is triggering major economic losses of as much as €114 billion for firms across the broader EU economy, a reduction of 0.64% of total turnover according to economic analysis by Lama Economic Research. The study further estimates annual revenue losses per worker up to €1,122 depending on the intensity of digital service use across sectors. DMA interventions did not spur European startup creation or growth and may have harmed the entrepreneurs it was supposed to help. These regulations are driving away the investment that the EU badly needs and choking the growth of its most promising scaleups.
- What the report missed on the economy and competition. At a time when there is growing consensus (for example here, here and here) that regulatory simplification could be the single most powerful lever to boost investment and innovation in Europe, the EC missed an important opportunity to assess and better align its goals with its broader digital rulebook. In this moment of rising geopolitical tensions, accelerating technological change, and anemic European economic growth, we’ve outlined a better and more comprehensive roadmap for how Europe can kickstart its innovation engine, and expand its economic potential.
There are some positives in the report – and details still missing. We appreciate that the commission, when looking at social media interoperability, took an evidence-based approach, looking at technical feasibility, and consumer demand through an external study. With the help of a 300-page study by an external contractor, the Commission now understands that the idea of social media interoperability involves significant technical complexities, and that demand for such interoperability from both end users and business users is limited.
The EC should have done equivalent studies like this for the other DMA interoperability “benefits” which would have allowed them to make more informed regulatory choices that incorporated technical complexity, better mitigated potential harms, and weighed consumer demand for changes against regulatory costs. We encourage the Commission to take a similar evidence-based technical analysis approach to its other interoperability mandates.
To that end, we note, however, that in September of 2023, the commission launched a similar study on mobile ecosystems that, by “the end of the 6 months contract,” would “have mapped and presented comprehensively the possible security concerns stemming from the un-installation of software applications (Article 6(3) of the DMA), side-loading (Article 6(4) of the DMA) and vertical interoperability (Article 6(7) of the DMA) obligations whilst proposing effective measures to tackle them and solutions to mitigate risks associated with the identified security concerns.” This week’s report makes zero mention of this analysis or its findings. Given that the EC’s DMA rules have resulted in broad and predictable privacy, safety and security issues that could have been avoided by the kind of feasibility study the EC performed in the context of social media interoperability, we believe the commission should release its mobile ecosystem report and the underlying evidence it relied upon “to mitigate risks associated with the identified security concerns.” Back when the study was announced, we suggested eight questions that should be asked and answered by the study to ensure the security issues were effectively analyzed – we have not seen the answers to those eight basic questions. If for some reason the EC does not believe the analysis was sufficiently rigorous, it should pause enforcement in this area until it can revise and improve its underlying analysis.
Moving forward
As the commission weighs additional smartphone interoperability rules, like the recently announced rules that would force Google to share vast amounts of personal data with competitors, and open significant new security risks, the commission should release the study it is relying on or likewise contract with an external contractor to do a feasibility study to evaluate the technical complexities, the demand, and the costs associated with the perceived benefits. Specifically, we are concerned about the commission’s efforts, as described on page 83 of its report, aimed at “improving interoperability of operating systems with third-party AI services, through Article 6(7) of the DMA, and promoting access to high-quality data for AI models, for instance through Article 6(11) of the DMA for the search engine component.” Doing a thorough evidence-based technical analysis is critical because experts are already warning that such smartphone AI and search interoperability mandates would compel sensitive data to be shared with unknown third parties and would “amount to one of the largest mandated transfers of sensitive user data in Europe in decades, making the privacy problem immediate and sizeable” – warning that it creates vast new national security risks.
Conclusions
After more than two years of implementation, while the EC has given itself an A+, an independent assessment would mark this as incomplete. It’s unbalanced in its assessment, is missing the technical evidence it used to mitigate known harms and fails to provide evidence of actual consumer demand for the broad mandates it requires. The report admits that there is scant evidence of user demand for the DMA’s supposed benefits.
Trusted Future strongly believes Europe needs to advance a more dynamic, vibrant, innovative, and trustworthy ecosystem that can lift its economy and protect new competition – but the DMA is off course and is now impeding progress in key areas. Europe should embrace a more trusted technological future – a future that protects consumer privacy, safety and security, and business opportunity. The shortest path to progress begins with a regulatory retooling that takes a more evidence-based approach to actual consumer harms.