On Thursday 25 March, the Council and the European Parliament reached a political agreement on the proposed Digital Markets Act (DMA), which legislates on digital services.
This text, which could come into force in 2023, aims to regulate the digital services offered by the major platforms whose unfair commercial practices have been under the spotlight in recent years.
This concerns the so-called "essential services" offered by the digital giants - in the proposed text, they are referred to as "gatekeepers" - such as intermediation services (app stores, marketplaces and others), search engines, messaging applications or social networks.
Although the problems that this bill aims to solve are inherited from web2, the technological solutions and methods of today that prefigure the transition to web3 must nevertheless receive our full attention.
- What are the issues that the DMA wants to address?
- What are the main principles behind the DMA?
- How can web3 technologies solve these problems?
Web2 abuses targeted by the DMA
The monetisation of personal data, on which the business models of the digital giants are built, creates numerous failures:
- The management of user consent for essential services is more than imperfect: unsubscribing from a website or newsletter is never as simple as signing up. To this can be added the reuse of personal data collected during a service for the needs of another service or the forced use of application ecosystems (Google Assistant for Android smartphones, for example), which remain common practices.
- The differential treatment of business users according to opaque criteria and the resulting unfair conditions are obstacles to free and undistorted competition. Examples include search results on Amazon that highlight Amazon products to the detriment of those of marketplace sellers, or Google Shopping links in searches for e-commerce products.
- Today's essential services, such as instant messaging services, are locked into proprietary protocols that keep users in a single ecosystem that tracks all interactions to meet a business imperative.
The DMA aims to solve these problems by providing a stricter framework for the so-called gatekeepers and more specifically for the digital giants.
The text targets all companies with an annual turnover of at least EUR 7.5 billion in the EU or with a stock market value of at least EUR 75 billion with at least 45 million monthly end-users and at least 10,000 business users established in the EU.
Interoperability, transparency and privacy at the heart of the proposed solutions
While the implementation of the proposals outlined in this text may seem ambitious, the principles behind them are interesting because they are part of a global transition to web3.
Privacy by design: seeking consent for any service
While most of the provisions of the GDPR already deal with this issue, the DMA recalls certain principles and mentions concrete use cases. For example, it recalls that personal data collected for a specific service is strictly reserved for that service. Using this personal data to access other services of the same company is not authorised unless the consent of the person concerned has first been obtained for those services.
Transparency in the operation of services
Gatekeepers must now provide access to all marketing and advertising performance data on their platforms. The regulator is specifically targeting Amazon, whose revenue from online advertising, its marketplace and its Amazon Web Services are not disclosed.
Interoperability of technology standards for essential services
This is perhaps the most surprising element of the text, which already contains proposals that may seem radical: gatekeepers are asked to ensure interoperability of the core functionality of their services such as instant messaging. Imagine a world where users of WhatsApp can send messages to users of Apple's iMessage. It's hard to see how this would work in practice, but the intention is interesting.
Failure to comply with these rules can result in penalties of up to 10% of the gatekeeper's total worldwide turnover (20% in the case of a repeat offence). In addition, if a gatekeeper repeatedly fails to comply with these provisions (at least 3 times in 8 years), the European Commission reserves the right to open a market investigation and to impose structural change measures...
If the abuses we listed in the first part of this article are indeed problematic, they are on the way to disappearing with the arrival of web3, making the proposed measures obsolete.
When Self-Sovereign Identity meets Blockchain...
Self-Sovereign Identity (SSI) is an approach that gives full control of personal data back to the data holder. In concrete terms, this means that no digital interaction involving a user, an issuer and a verifier can take place without the express consent of that user.
This is known as the trust triangle.
This approach makes it possible to protect personal data from start to finish, from the creation of the relationship with an Internet user to unsubscribing from a service or subscribing to a newsletter... This is possible because consent is at the centre of the interaction between the issuer, the verifier and the end user.
Blockchain technology is based on transparency
Transparency is at the core of blockchain technology, through the sharing of information between all the nodes in the blockchain. In a public blockchain, each node that has a key can have read access to all transactions already anchored in a chain and can also validate the addition of new blocks according to the consensus algorithm in force.
If the DMA wishes to restore transparency with a view to respecting the rules of free and undistorted competition, blockchain technology has a decisive advantage. Since each new transaction on a blockchain requires validation by the actors of the nodes, it is possible to imagine, for example, a management model for third-party sellers in a marketplace that is transparent, democratic and, above all, traceable.
Interoperability is an important objective for the implementation of a web3 compatible standard
In its Ethical Web Principles published last year, the W3C reiterates the importance of a web built on protocols that are compatible with all browsers, all OSes and all devices:
"The existence of interoperable implementations allows for competition and, thus, a variety of choices for Internet users"
This is the principle on which many open-source dApps (decentralized apps) are built: they interact with each other to grow a common ecosystem, just as many projects in the world of DeFi (decentralized finance) promote inter-chain transactions...
Looking at the world of digital identity, in June 2021 the European Commission issued a proposal for a secure European digital identity allowing each citizen to have a wallet to securely store their identity documents to access online services, while controlling end-to-end the personal data shared with third parties.
These wallets will have to be interoperable and may be issued by companies or public players. We can thus see the philosophy of web3 at work: to give European citizens the choice of wallet, which will have to be compatible with the standards decided at European level.
Web3 already provides a solution to the excesses of Web2... and buries the DMA
The intentions of the Digital Markets Act and the Digital Services Act are laudable because they highlight the failings of web2 and the centralisation of power in the hands of the digital giants... but these problems are on the way out with the widespread use of web3 technologies. If the scope and nature of the proposed sanctions are a strong signal to the ecosystem, their enforcement seems complicated...
However, it is time to invest in technological solutions of the present (with blockchain) and to adopt end-user centric approaches (through an SSI approach) for secure and privacy-friendly management of individual and corporate digital identities.