State of play on the enforcement of the DMA for the media industry
Since the DMA’s entry into force, the undersigned media associations of broadcasters, publishers, and sales houses, have become aware of concerns to the media sector that we believe should be flagged to the European Commission in its role as enforcer. As the gatekeepers comply with these new obligations, many of our respective members raised the issue of new or unchanged practices by the core platform services which achieve the opposite of what the DMA sets out to do. Some use cases were identified where DMA articles are being breached, and the concrete implementation and enforcement of the DMA should address those challenges, or at least be prepared to tackle them. The purpose of this note is to reflect on how these rules should be enforced in the context of the relationship between media companies (as business users) and gatekeepers.
The DMA provides for obligations to be observed by gatekeepers, whether positive obligations upon requests from the business users (Articles 5(9), 5(10), 6(8) and 6(10) DMA), or negative obligations (Articles 5(2) and 6(2) DMA) refraining them from pursuing certain practices. Despite DMA provisions guaranteeing that data be made available to business users upon request, significant discrepancies remain when it comes to the conditions for asking and accessing such data, leading to potential instances of self-preferencing (Article 6(5) DMA). The chosen strategies of Google and Amazon indicate that these issues will only worsen for the media and advertising sectors.
Google / Chrome privacy sandbox
As Google Chrome continues with its planned third-party cookie deprecation via its Privacy Sandbox, European broadcasters, publishers, and sales houses will need to be able to access certain critical data needed for their businesses. Though it has been made clear by Google and the UK Competition Markets Authority (CMA) that the Privacy Sandbox and its proposed APIs do not aim to recreate the full functionalities of third-party cookies, broadcasters, publishers, and sales houses will still face an uncertain future, while Google’s pre-eminent position will only be strengthened. The current reports regarding how the Privacy Sandbox mechanisms would function seem to indicate a complete makeover, to the extent that Google seems to be using the excuse of respecting privacy to eventually bypass competition and DMA rules. Therefore, and as put by the CMA itself in its last report from April 2024, there is a need to ensure “that Google does not design, develop or use the Privacy Sandbox tools in ways that reinforce the existing market position of its advertising products and services”. However, in their current form, endeavours such as Privacy Sandbox will only result in strengthening the monopolistic position of Google and Chrome, as they will increase their hold on critical data with many elements being left to Google’s discretion, notably concerning how it is creating generic and broad ‘topics’ in their APIs.
The CMA also notably concludes that further restrictions may need to be applied on Google’s use of first-party data to target and measure ads on Google’s owned and operated (O&O) inventory as well as that “Google currently retains significant discretion over how Privacy Sandbox works, develops over time, and the conditions for using Privacy Sandbox.”
The undersigned fully agree with the raised concerns, driving the need to clarify the longer-term governance arrangements for Privacy Sandbox and further investigation into Google’s own data access and use not being affected by the Privacy Sandbox. We see a high risk for self-preferencing if Google retains significant discretion over how Privacy Sandbox works in detail and develops over time.
Even if alternative solutions can be found to third-party cookies and tracking, to allow a gatekeeper the prerogative on how and which business users can access crucial data to continue providing their services will further erode a notional level playing field. In addition, the use of topics API will worsen access to critical data compared to the use of third-party cookies and will not ensure an adequate level of granularity.
As the ad auction process will be integrated within the Chrome browser, Google would become, even more than before, the hub for digital advertising auctions and will have complete oversight on everyone else, with the possibility to observe how all the competitors are bidding and to decide who wins or not. In fact, Chrome will be the one initiating the ad auction, a participant in the ad auction, the one who will oversee serving the ad (i.e. Protected Audience) and orchestrating the measurement of the effectiveness and attribution of advertisers’ campaigns. Concrete safeguards rather than blind trust are required to ensure Google will not overstep and use it to its advantage.
Privacy Sandbox will also enable Google to fully control important features related to the delivery of advertising, such as invalid traffic (including fraud) filtering, which at present are managed by independent third parties. In fact, the latest information gathered shows that Google propose to manage the fraud filtering mechanics for the rest of the industry.
Considering the above, we encourage the Commission to evaluate if the existing designations of Chrome and Android, in which Google is implementing the Privacy Sandbox, and of Alphabet’s online advertising services, suffice to address the noted concerns, or if the implementation of the Privacy Sandbox will require dedicated measures to properly enforce the obligations of the DMA. Privacy Sandbox appears unfit with the objectives of the DMA, particularly we see huge conflicts with the following obligations in Articles 5 and 6.
- Article 5(2) DMA
Article 5(2) aims at reducing gatekeepers’ enormous data advantage and levelling the playing field with businesses. The Privacy Sandbox, if unaddressed, can result in a serious harm to these objectives as it will allow Google to re-define the boundaries of what is considered first-party data and third-party data. Therefore, by doing so, Google can strengthen its position even more and combine vast amounts of user data while preventing third parties from doing so via the deprecation of third-party cookies, thus circumventing the obligations laid down in Art. 5(2).
- Articles 5(8), 5(9), 5(10), 6(8) and 6(10) DMA
User’s requests can be triggered through those articles, effectively allowing business users to ‘request’ data from gatekeepers. Yet, initial feedback from our members informed us that such requests are triggered through the usual mechanism of the Google Ad Manager (GAM). The information delivered remained the same (content-wise) as before the implementation of the DMA, with no discernible improvement in terms of transparency or granularity of data. Being granted access to the metrics and the methodology used by gatekeepers is essential for advertisers to monitor their investments.
- Article 6(8) DMA
One of the main risks in the implementation of the Privacy Sandbox would be the lack of access to the performance measuring tools used by the gatekeepers. Using Topics API and the other mechanisms that the Privacy Sandbox will eventually introduce, and considering everything will be concentrated within Chrome, business users will be left unable to independently verify the performance of their ad campaigns and will be forced to rely on Chrome’s data without any external audit (i.e. Attribution Reporting API). This will prevent publishers from optimising or improving their advertising inventory both from the end user and advertiser perspective. Privacy Sandbox should not hinder the possibility, as provided under 6(8) DMA, to access data essential to publishers and advertisers, such as access in real time and with granularity to allow the optimisation of performance, all free of charge.
- Article 6(10) DMA
Each gatekeeper has their own system in place when it comes to data handling. Nevertheless, this data is accessible to gatekeepers before anyone else. The issue of not providing such data in non-aggregated form, and only sharing some of it in real time, causes substantial difficulties for business users who must already juggle with each gatekeeper’s system.
- Article 6(5) DMA
In combination with all the other elements in the gatekeepers’ ecosystems, self-preferencing can potentially happen on several markets at any moment and at the same time since gatekeepers are not only using the CPS they offer, but also all the wide-encompassing services which are not defined as CPS under the DMA. In the case of Google’s Privacy Sandbox, the absence of transparency makes it difficult to assess how Chrome and the Sandbox tools ranks advertising bids and determines the winner of the auction. Consequently, online intermediation can make the advertising actors, including sales houses, locked and severely dependent on the terms and the good will of the gatekeepers.
More transparency is thus needed to monitor gatekeepers’ actions when it comes to the data they hoard, to properly assess how much and in what form they release it. The monopolistic and self-preferencing tendencies are highlighted in the CMA’s last report from April 2024 on the Privacy Sandbox, notably in its points 14(a) and 14(b) where the CMA described Google Ad Manager (GMA) as “Google’s integrated ad server and supply side platform (SSP), accounting for more than 90% of the display ads in the UK”. Moreover, it specified that since Google “retains significant discretion over how Privacy Sandbox works,” it does create “a risk of self-preferencing.”
Amazon: Combination of data and self-preferencing
- Articles 5(2) and 6(2) DMA, and ensuing self-preferencing risks under 6(5) DMA
Gatekeepers such as Google and Amazon possess critical data for advertisers, sales houses, and media. This relation of power illustrates a situation of unfair competition. The negative obligation under article 5(2), when combined with 6(2), seeks to avoid the anti-competitive use from gatekeepers of data that they nonetheless have in their possession and which is not publicly available. No real safeguard is provided as to how concretely they can avoid using this data to their competitive advantage, and current behaviour from the gatekeepers show how much they are prone to use this data, whether knowingly or not with the introduction of AI tools able to process huge amounts of it without sorting it out. Furthermore, as Amazon Ads is designated as a CPS it is crucial to ensure that Amazon Ads complies with the DMA obligations on all Amazon services that offer advertising, including Amazon Prime Video.
Still, Amazon makes it clear in their compliance report that they plan to combine the data collected across their services after obtaining users’ consents through prompts. While Amazon will most likely defend this practice by stating they obtained ‘valid user consent’ through their consent prompts, a practice that falls short of respecting the applicable legal standard.
- Virtual assistants
We remain concerned regarding the fact that, at present, no virtual assistant (e.g. Amazon’s Alexa) has been designated gatekeeper under the DMA, even though our members are facing anti-competitive issues daily. Furthermore, Amazon has alerted broadcasters that they will impose revenue shares of the advertising (including linear ads delivered on broadcasters’ properties) for radio skills and apps available on Alexa by 2025. This confirms the gatekeeping power of Amazon’s virtual assistant. We strongly encourage the European Commission to designate Virtual Assistance as Core Platform Service in their own merit to properly address those issues.
Conclusions
The overall feedback from the media industry on the practices gatekeepers are putting in place in reaction to the advertising related data provisions of the DMA, those mentioned in this statement being only a small portion, is that Google and Amazon are not in full compliance, thus dismissing the spirit of the DMA and the overall EU competition framework.
We are raising these issues to advise the European Commission not to settle but instead build on the CMA’s work on the Privacy Sandbox, to put in place a more privacy-friendly market while preserving a market that remains competitive and viable for all its actors. The DMA standards should be upheld to ensure proper data sharing, transparency, and respect of users’ privacy on the gatekeepers and advertisers’ parts. Only through proper cooperation between each actor in the light of the DMA can the balance in providing compliant services to end users while ensuring the perennity of the market be achieved. If effectively enforced, we believe the DMA can help in addressing those issues in due time.