New Costs and Cybersecurity Challenges Flagged as DMA Compliance Starts

Last week marked the compliance deadline of the European Union’s Digital Markets Act (DMA), that creates ex ante competition policy regulations for large digital platforms, or “gatekeepers.” U.S. companies whose various services were designed as “gatekeepers”—Alphabet, Amazon, Apple, Meta, and Microsoft—have been working to comply with the DMA, as has Chinese ByteDance (parent company of TikTok), which was also designated and has contested the designation. Last year, Scholl Chair analysis concluded that the DMA could entail tens of billions in compliance costs and fines to the targeted companies and possibly additional tens of billions to their customers in the form of increased service costs, and tilts the playing field in favor of Chinese platforms. What then is changing in Europe, and what are the impacts on European consumers and businesses—and what are implications to competitive dynamics, especially as most Chinese platforms are not covered?

Moreover, the DMA is not only problematic to tech companies and consumers, but also creates costs and cybersecurity challenges to airlines, hotels, advertisers, brands, European agencies, and consumers. An indicative survey of 250 European consumers, conducted by the author, was done to assess how these regulations’ costs would be passed to European customers. The survey was conducted online between March 5 and March 9, 2024, as a random sample of 250 European adults across 24 EU nations. This list breaks down the survey results by sector:

  • Airlines, Hotels, Restaurants, and Local Services: To ensure it meets DMA and does not “self-preference” or prioritize its own travel services on Google Search, Google has announced that it will completely remove the Google Flights feature that aggregates flights information from its search page and replace it with groups of links to third party aggregators. Same applies for Google’s hotel comparison tools. This means European consumers will now need to take an extra step to find flights and hotels: they would google for example “flights to Paris” first and then click on a link for a site like Kayak and Booking.com.

European hotels have lobbied against the change as it favors intermediary aggregators that take a commission for brokering flights and rooms. Sebastien Bazin, the CEO of French hospitality company Accor noted that the DMA “requires Google to raise reservation platforms above independent hotels” and increases hotels distribution costs. He is not alone—French senators have warned the European Commission that hotels may increase their prices to compensate for the intermediation costs. In a LinkedIn post, a hotel booking engine Mirai has reported a 30 percent drop in clicks and bookings among its clients, with aggregators presumably gaining, though some aggregators think Google is not doing enough. The survey of European consumers found that 41 percent of the 250 respondents and 55 percent of the respondents that look for travel weekly think the new setup will “take up more time” and 35 percent think it will “reduce visibility into flights and hotels,” while 23 percent think the opposite.

  • Brands and Advertisers: Advertisers wishing to reach customers across multiple services offered by a company (for example, across Google Search and Maps) will now need to collect additional, specific user consent on top of when users already provide consents to access various services. If consent is not granted, advertisers using Google will not be able to build specific audiences or run personalized advertising campaigns. Many advertisers expect the new rules to decrease their audiences and audience quality and force them to come up with new ways to collect consumer data, for example through inventory data and marketing campaign databases. This in turn may increase brands’ customer acquisition costs and impact small brands in particular, with limited budgets and high reliance on large platforms to reach their audiences. And this is the direction where at least part of the market is headed: the survey found that 47 percent would not or probably would not provide this consent, with older users least likely to give consent.
  • Interlinked, Synchronized Services: The DMA requires gatekeepers to forego interlinking user data on two services like Meta’s Instagram and Facebook, unless the user provides consent. There are clear implications—for example, a Facebook Messenger user cannot use Messenger to communicate with Meta Marketplace users, unless the users allow this interlinking. European consumers are not necessarily thrilled—the survey suggest that 64 percent of respondents find that the end to automatic synchronization of services complicates life “a lot” or “somewhat,” and 87 percent will give or may give permission, for example, to Meta and Google to interconnect their services, with 35- to 44-year-olds being most likely to promote interoperability.
  • Cybersecurity and IP protection, Including for Government Users: The DMA has various implications to cybersecurity and intellectual property (IP). For example, by limiting platforms’ ability to combine data across different core platform services, it can impede the targeted companies’ access to cross-platform data to detect and shut down threats. It can also expose users to fraud. As an example, app stores have been concerned about developers leading users to alternative payment methods that lack the protections of the stores’ own payment systems or make it difficult to cancel subscriptions. Apple has been concerned that users sideloading third-party apps could also inadvertently introduce malware and other problems onto iPhones and erode their privacy. Indeed, Apple reports that several European government agencies for example in defense, banking, and emergency services, have reached out to Apple to ensure government employees cannot sideload third-party apps onto government-purchased iPhones. Will Europeans then sideload apps on their iPhones? While only 10 percent of iPhone users in our survey said they would “definitely” sideload other apps, 58 percent said they would “maybe” sideload apps or “likely” sideload at least one app.

Most Chinese platforms such as Tencent, Baidu, Alibaba, and Huawei that remain outside the DMA’s coverage should be pleased as they now can engage in activities U.S. companies cannot: offering interlinked services, prioritizing their own services, operating closed ecosystems, and safeguarding their data.

In addition, DMA provisions requiring platforms to provide data to third parties can enable U.S. rivals, including from China and Russia, to access sensitive user data and even trade secrets. The CEO of the Munich Security Conference Benedikt Franke recently suggested that these security concerns were not sufficiently addressed in the making of the DMA.

How the DMA ends up shaping Europe’s digital market now depends on the European Commission, which has said it will not hesitate to take action against presumed violations, with fines potentially mounting to 10 percent of the targeted company’s turnover. The question that the commission would ideally ask first is whether Europeans are now better off.

Kati Suominen is an adjunct fellow (non-resident) with the Europe Program at the Center for Strategic and International Studies in Washington, D.C.

Image
Kati Suominen
Adjunct Fellow (Non-resident), Scholl Chair in International Business