In our first blogpost in this two-part series, we began to unpack the EU Digital Markets Act (DMA), exploring some of its key provisions and their likely impacts on human rights. In this blogpost, we will dive further into the obligations in the DMA which mandate interoperability between gatekeepers and other services.
While interoperability certainly seems an attractive way to address the significant power or monopoly of particular companies, there are as yet unanswered questions about some of the DMA’s interoperability requirements, their potential implications for privacy and security protections for end users, and whether gatekeepers’ licensing schemes for relevant Application Programming Interfaces or other technical solutions would be subject to independent oversight. We explore these concerns in detail below.
What is interoperability?
Interoperability is defined in Article 2 of the DMA as follows:
“Interoperability means the ability to exchange information and mutually use the information which has been exchanged through interfaces or other solutions, so that all elements of hardware or software work with other hardware and software and with users in all the ways in which they are intended to function”.
The broad idea is that forcing platforms to interoperate with each other gives users more choice over the services and applications they wish to use online. At present, end users and business users are often forced to use gatekeeper services or products because their friends or clients are using the gatekeeper service. But if a user can switch to an alternative service and still have access to those within the gatekeeper service or system, the user will be able to select services based on their quality, their sustainability or ethical business models, their security or privacy provisions or any other metric that the user places value on.
There are different types of interoperability or integration of services. Vertical interoperability affects products and services at different levels of the value chain or product or protocol stack; for example by allowing a piece of hardware to run multiple operating systems, or allowing an operating system to run multiple app stores. Horizontal interoperability, in contrast, affects products and services at the same level of the chain or stack; for example by permitting users to send an email from one server to another. Interoperability may be implemented through shared protocols, APIs or other technical solutions like data pools. The different technical means of implementing interoperability, and the different types of interoperability that might be required, will each impact the gatekeeper digital ecosystem in a different way, and will have different potential impacts on users’ human rights.
The DMA’s interoperability requirements
The recent revisions to the DMA considerably strengthened its requirements on interoperability, meaning that it now goes well beyond existing requirements related to interoperability in other areas of EU regulation, such as the Electronic Communications Code or competition law. Most of the interoperability requirements of the DMA relate to vertical interoperability between a gatekeeper and third party services. This is because the gatekeepers that the DMA targets are, by nature, often vertically integrated, with control over whole online ecosystems and groups of services (see the definition of gatekeeper companies in part one of this blogpost for some examples), giving them a considerable advantage over downstream competitors. For example, the near-field communication chip that Apple includes in its iPhones is, at present, only compatible with Apple iPay software, meaning that other payment processing services—which sit downstream from the hardware itself—cannot access or interface with this functionality in the way that Apple’s own services can.
The DMA requires gatekeepers to provide vertical interoperability between their operating systems and third party software applications (Article 6.4) and between their hardware, software and operating system features and third party software and hardware providers (Article 6.7), in order to “allow competing third parties to interconnect …to the respective features as effectively as the gatekeeper’s own services or hardware”. These obligations would mean that Apple would no longer be able to limit its payment chip to ApplePay transactions, or that a Google pixel watch would have to be compatible with non-Google operating systems. The gatekeeper may refuse to do this only where such interoperability would compromise the integrity or security of its services.
The DMA also includes a requirement for gatekeepers to ensure data portability. Gatekeepers have a considerable advantage over competitors due to the amount of data that they can collect in the provision of their core platform services and other digital services, and data portability mitigates against this by ensuring that users can easily choose to switch to different services or use multiple services at once without having the leave their data or history behind. To this end, Article 6.9 requires that gatekeepers provide end users with the necessary tools and technical means to port all of their data in a usable format out of the core platform service in question in a continuous and real-time fashion.
Finally, during their final discussions on the draft text in March, EU policymakers also incorporated a new requirement for gatekeepers to ensure horizontal interoperability of their interpersonal communications services, to make it easier for new services to compete with existing ones and reduce the costs for end users who wish to switch to alternatives. Article 7 requires gatekeepers to make basic functionalities of their interpersonal communications services interoperable, including end-to-end messaging, sharing of images, voice messages, videos and files. In practice, this would mean that users could text Apple’s iMessage or Meta’s WhatsApp from other messenger services, like Signal and Telegram. This new requirement will be phased in over time; gatekeepers must facilitate such interoperability for messaging and file sharing between two individual users immediately upon designation as a gatekeeper, whereas this must be possible for group chats within two years of designation and for voice and video calls between both individuals and groups within four years of designation. Gatekeepers will also have to publish a “reference offer”, setting out the technical details and general terms and conditions of interoperability with its interpersonal communications services.
While vertical interoperability can be very effective for addressing competition issues caused by gatekeepers owning whole stacks or systems of products, some argue that the new horizontal interoperability requirement will not actually impact the network dominance of major platforms, as it applies only to a set of common features, and may in fact reduce the incentive for users to use multiple services (‘multi-homing’), potentially reducing competition. There is also an argument that mandated interoperability of any kind may in fact limit innovation potential by adding new technical standards as barriers to entry for new market players. Yet the novel approach taken by the EU in this respect also faces more immediate questions, both in terms of technical feasibility and in terms of impacts on end user privacy and security protections. We explore both in detail below.
Implementation and Technical Standards
One way of achieving the interoperability required by the DMA is via the establishment of common standards and protocols, like https and SMTP for web and email traffic, to ensure that third parties can interoperate with gatekeeper services in a safe and secure way. There are already many independent efforts to develop such standards for social media. For example, Mastodon, a federated network of social networking sites, allows users of different Mastodon sites to communicate with each other; and Diaspora functions as an intermediary service from which users can post to their profiles on other major platforms. Yet these independent projects are a long way from the sort of institutionalised technical standards necessary for full interoperability between gatekeeper services and third party services. The development of such technical standards will require considerable coordination between EU policymakers, standardisation bodies and other stakeholders. While this need is mentioned in the introductory text of the DMA, it is highly unlikely that such a process of standardisation will be feasible within the six month timeframe of implementation envisaged by the text.
Beyond technical solutions and standards, it will also be necessary for gatekeepers to develop licensing regimes and pricing regimes for access to their interfaces and APIs. This will require considerable thought around how different degrees of interoperability would be assessed and/or priced, who would have oversight over the licensing terms and requirements, and who would take on dispute resolution between parties where required. At present, the DMA provides little clarity on the types of licensing systems that would be acceptable and how eligibility for access should be assessed and priced by the gatekeeper.
Privacy and Encryption
It is not yet clear what the impact of the DMA’s interoperability requirements will be on user privacy and security. While the text states that interoperability measures must not undermine security and data protection measures, it is not yet clear how this would technically work in practice, particularly where interoperability is provided through open APIs, which are entry points for cyber threat actors. There are also differing opinions on whether it is feasible to implement interoperability for end-to-end encrypted messaging services, as would be required under the new Article 7 of the DMA.
Some argue that it is virtually impossible to make end-to-end encrypted services interoperable without seriously compromising their security. Others argue that it is technically possible through either open API libraries with API keys, or through a single global standard for encryption that all companies would have to switch to, but that all such solutions are complex and expensive and could still carry security risks, such as difficulties in identifying malicious activity or authenticating users’ identities. And some are of the opinion that existing global standards supporting end-to-end encryption—like Matrix and XMPP—are proof that such interoperability is not only possible but already taking place. One problem with the creation of a global encryption standard is that it is as yet unclear whether encryption keys would fall under the category of personal data protected by the GDPR, which would prevent their inclusion in the global directory of approved keys necessary for such a standard.
Some have also suggested that messaging services could perhaps allow users to send messages with other platforms at different levels of encryption so long as this difference is indicated clearly to the user. However, this approach may in fact strengthen the market dominance of the gatekeeper after all, who could guarantee the strongest level of encryption with its internal services. This approach could also open up users to downgrade attacks and allow lower quality services to poach clients from higher quality ones, and would require the creation of some kind of external classification or validation scheme for the different levels of security provided by third party services.
Our recommendations to policymakers
The complex technical and policy considerations associated with the interoperability requirements in the DMA require further thought. EU policymakers should:
- Allow more time for gatekeepers to meet the interoperability requirements, particularly across encrypted services, to ensure that they have had adequate time to consult with civil society and cryptography experts about appropriate solutions
- Work with civil society and technical experts to provide more clarity on which features and functionalities would need to be made vertically interoperable under the DMA and what they hope such interoperability to achieve
- Explicitly require gatekeepers to assess the privacy and security risks of any proposed technical interoperability solutions prior to roll out
- Consider a more robust system of transparency and oversight of gatekeepers’ interoperability measures, to ensure that data protection regulations are being adhered to and that any licensing conditions are fair and non-discriminatory
Now that the DMA has been adopted by the European Parliament, it will soon be formally adopted by the Council and published in the EU Official Journal, likely in September or October. It will enter into force twenty days after publication, and begin to apply six months after entering into force. The designation of gatekeeper services is expected to be completed by the end of summer 2023, and gatekeepers will have a maximum of six months after they have been designated to comply with the new obligations.
While Apple, Google, and other big tech companies are teaming up to resist the DMA’s new penalties, it’s likely that the DMA—along with its sister legislation, the Digital Services Act, which will begin to apply in late 2023 or early 2024—will considerably influence platform regulation efforts worldwide. For example, some of the legislation being proposed in the US—such as the Digital Services Oversight and Safety Act (DSOSA), the American Innovation and Choice Online Act and the Open App Markets Act—draw upon similar antitrust principles. Even where the legislative approach is not mirrored, it’s likely that platforms’ efforts to comply with the Digital Services Package will apply to their operations in all jurisdictions, not just the European Digital Market. We’ll continue to monitor updates as the DMA progresses through its final stages of approval—sign up to our Digest for regular updates.
Useful resources on interoperability
- Mitch Stoltz, Andrew Crocker, Christoph Schmonmay, Electronic Frontier Foundation: The EU Digital Markets Act’s Interoperability Rule Addresses An Important Need, But Raises Difficult Security Problems for Encrypted Messaging, 2 May 2022.
- Gustaf Bjorksten, Access Now, Encrypt all the messages — across all the platforms, 27 April 2022.
- Matt Burgess, WIRED, Forcing WhatsApp and iMessage to Work Together Is Doomed to Fail, 29 March 2022.
- Corin Faife, The Verge: Security experts say new EU rules will damage WhatsApp encryption, 28 March 2022.
- EDRi: The Digital Markets Act promises to free people from digital walled gardens, 25 March 2022.
- Matthew Hodgson, Matrix: How do you implement interoperability in a DMA world? 9 March 2022.
- Zander Arnao, Tech Policy Press: Why Social Media Needs Mandatory Interoperability, 7 March 2022.
- Marc Bourreau, Jan Krämer, Miriam Buiten, Centre on Regulation in Europe, Interoperability In Digital Markets, 2022.
- OECD, Data portability, interoperability and digital platform competition, Competition Committee Discussion Paper, 2021.