How Google complies with Digital Markets Act in the EU
Google's DMA journey: Thorough, tactical and selective...
The Digital Markets Act (“DMA”) officially came into force on March 7, 2024, marking a significant milestone in regulatory oversight of digital gatekeepers.
I shared an article covering the recent developments related to the Digital Markets Act in the European Union (“EU”) on March 7, 2024. You can access it (available only in Turkish) here. This article will focus solely on Alphabet’s (referred as “Google” throughout the article) compliance process.
Dear European Commission, can we not stop for a day? We kindly request that you place a minimum of 3 business days between interventions.
As I was drafting the article below on Google's compliance with the DMA, significant regulatory developments unfolded. The Commission announced that it has initiated non-compliance investigations under the DMA against major tech giants, including Alphabet (Google's parent company), Apple and Meta.
These investigations scrutinize specific practices:
Alphabet is under investigation for steering practices within Google Play and potential self-preferencing on Google Search.
Apple faces inquiries regarding steering in the App Store and the design of Safari's choice screen.
Meta is examined for its "pay or consent" model, raising concerns about user consent and data usage practices.
The Commission explains concerns that the measures adopted by these gatekeepers might not fully meet their DMA obligations. Furthermore, the investigations extend to Apple's new fee structures for alternative app stores and Amazon's product ranking practices on its marketplace. To ensure thorough oversight, the Commission has mandated these companies to retain specific documents, aiding in monitoring compliance efforts.
The proceedings aim to assess whether Alphabet and Apple's app store policies comply with DMA requirements, particularly Article 5(4), which mandates allowing app developers to direct consumers to external offers. Concerns have been raised about various restrictions imposed by these companies, potentially limiting developers' ability to engage freely with consumers.
For Alphabet, the Commission seeks to determine if Google's search result displays may unduly favor its services over competitors', a practice known as self-preferencing. Similarly, Apple's compliance with user choice obligations, particularly around software uninstallation, default setting adjustments, and the effective presentation of alternative services through choice screens, is under scrutiny.
Meta's "pay or consent" model is questioned for possibly not offering a genuine choice to users unwilling to consent to data combination across services, potentially breaching Article 5(2) of the DMA.
Additionally, the Commission explores whether Amazon's practices favor its own products on its platform and if Apple's terms for alternative app stores undermine DMA objectives. Retention orders have been issued to key players, including Microsoft, to preserve evidence pertinent to compliance assessment.
The Commission has also allowed Meta a six-month extension to meet interoperability obligations for Facebook Messenger, underlining a flexible approach to DMA enforcement based on specific circumstances.
The aim is to conclude these investigations within 12 months, with potential outcomes ranging from preliminary findings communication to imposing fines or requiring significant business adjustments in cases of infringement.
Photo: https://www.androidpolice.com/how-google-comply-dma/
With the milestone on March 7, gatekeepers were required to submit comprehensive compliance reports detailing their adherence to DMA provisions.
Following this, the European Commission (“EC”) embarked on a series of workshops regarding each gatekeeper, which are open to public. These workshops serve as platforms for gatekeeper representatives to engage with stakeholders, dissecting their approaches to compliance.
I have enrolled to the DMA enforcement workshop on “Google’s DMA Compliance Solutions” in the beginning of March 2024, received an invitation from European Commission DMA Team along with a Workshop Agenda on 20th of March and attented the full-day workshop on 21th of March.
Here is the agenda of the workshop:
This essay delves into the Workshop convened by the EC to evaluate Google's compliance measures, right after a compact analysis of the Google’s Non-Confidential Summary of DMA Compliance Report.
Who is Google?
Source: https://www.kamilfranek.com/what-companies-alphabet-google-owns/
Who is Independent Compliance Function (“ICF”) of Google?
The ICF was established specifically to ensure compliance with the DMA's stringent regulations.
Its primary objective is to oversee, assess and enforce Google's adherence to the DMA, ensuring that all operations align with DMA provisions.
It is comprised of experts in compliance, legal and technical fields, the ICF operates with a high degree of independence within Google's corporate structure.
While part of Google, the ICF operates independently to maintain objectivity in its compliance assessments and recommendations.
The exact formation date of the ICF is tied to the preparatory phase for the DMA compliance, indicating a proactive approach ahead of the DMA's full applicability.
This structure represents a dedicated and independent oversight mechanism and highlights the importance of regulatory compliance within Google’s operations.
Google's DMA Compliance Report
211-page document, the most systematic and comprehensive of all
Google's compliance with the DMA represents a comprehensive approach to aligning its Core Platform Services (CPSs) with the new regulatory requirements set forth by the European Union. This compliance effort spans across multiple services, including the following:
Google Android,
Google Chrome,
Google Play,
Google Search,
Google Shopping,
Google Maps,
YouTube,
Google Ads.
This summary outlines the following sections of the Report, focusing on the pre-DMA implementation and changes made and the actions planned to adhere to the DMA's obligations:
(a) Non-confidential summary of the Art. 5(2) Chapter
(b) Non-confidential summary of the Art. 6(2) Chapter
(c) Non-confidential summary of the Art. 6(9) Chapter
(d) Non-confidential summary of the Art. 6(10) Chapter
(e) Non-confidential summary of the Google Ads Chapter
(f) Non-confidential summary of the Google Android Chapter
(g) Non-confidential summary of the Google Chrome Chapter
(h) Non-confidential summary of the Google Maps Chapter
(i) Non-confidential summary of the Google Play Chapter
(j) Non-confidential summary of the Google Search Chapter
(k) Non-confidential summary of the Google Shopping Chapter
Art. 5(2) Compliance: Data Exchange Controls
Pre-DMA Implementation: Google had established a system of technical controls, policies and governance practices governing the processing of end-user personal data. These included data storage specific to each service, restricted data access across services, and pre-existing consent systems and controls.
Post-DMA Implementation: Google introduced new consent screens allowing users to easily accept or reject cross-service data exchanges, enhancing user control over their data. Backend infrastructure was developed to record and enforce these consent choices across Google’s systems.
Google developed a new consent framework to facilitate user consent for cross-service personal data processing as required by Art. 5(2). This framework includes consent options for each CPS, enabling Google to operate each service as a separate data entity based on user consent.
For data exchanges between two CPSs, users must consent to cross-service data processing for both services involved. Google provides separate consent options for each CPS, allowing users to make informed choices.
Signed-out users with an EEA IP address are treated as non-consenting users, and Google does not prompt them for Art. 5(2) consent choices.
Art. 6(2) Compliance: Strengthening Data Governance and Control
Prior to DMA Implementation: Before the implementation of the DMA, Google already had established internal policies and technical controls aimed at safeguarding user data, including that of business users and their customers. These pre-existing measures were designed to limit access to and protect the integrity and confidentiality of data managed by Google.
Post-DMA Enhancements: In anticipation of the DMA's requirements, Google has developed a unified compliance program that integrates new policies, training, and technical controls specifically designed to adhere to Article 6(2) of the DMA. This program aims to maintain Google's compliance posture while aligning with the DMA's objectives concerning data access and usage.
Development of New Policies and Practices: Google has crafted new policies and training programs that consolidate its pre-existing controls into a comprehensive, DMA-compliant framework. This approach ensures a cohesive understanding and application of data access and usage rules across the organization.
Technical Controls: Integral to Google's compliance are the technical controls that enforce the newly established policies. These controls play a critical role in managing data access and usage in line with DMA requirements.
Assessment and Feedback: Google maintains a compliance readiness program to continuously assess and address compliance risks, ensuring that its products and services remain aligned with the DMA and other applicable regulations.
Art. 6(9) Compliance: Advancing Data Portability and User Empowerment
Prior to DMA Implementation: Before the implementation of the DMA, Google's approach to data portability was primarily shaped by existing regulations such as the General Data Protection Regulation (“GDPR”) in the European Union, which already included provisions for data portability under Article 20. This meant that Google, like other tech companies operating within the EU, was obligated to allow users to obtain and reuse their personal data across different services upon request. The GDPR's introduction of data portability rights marked a significant shift towards giving individuals more control over their personal information, a principle that Google integrated into its services.
Post-DMA Enhancements: The introduction of the DMA represents a consolidation and expansion of these pre-existing principles, with a specific focus on the obligations of gatekeepers in the digital market to ensure a higher degree of interoperability and user empowerment. The DMA's provisions aim to make data portability more comprehensive, user-friendly, and effective in promoting competition and innovation by requiring gatekeepers to facilitate seamless data transfer mechanisms, not just offering the possibility of data export.
Enhanced Portability Features: Google introduced new functionalities across its services to simplify the process for end users and authorized third parties to transfer data. This initiative reflects Google's dedication to providing users with control over their personal data and easing the data migration process to other platforms or services.
User-Centric Design: The enhancements focus on making the data portability process as intuitive and user-friendly as possible. This includes clear instructions, straightforward mechanisms for data export, and secure transfer protocols to protect user data during the migration process.
Technical Infrastructure Upgrades: To support these enhanced portability features, Google has invested in upgrading its technical infrastructure. This ensures that the data portability requests are processed efficiently, with minimal disruption to the user experience and without compromising on data security.
Empowering Users and Third Parties: By allowing users and authorized third parties to access a broad range of data types, Google not only complies with the DMA but also empowers users to leverage their data across different services. This fosters innovation and competition among digital services by making it easier for users to switch providers or use multiple services concurrently.
Art. 6(10) Compliance: Google's DMA Compliance on Data Transparency
Pre-DMA Compliance: Google already had practices in place that aligned closely with the requirements of Art. 6(10), offering substantial data to business users beyond what the provision mandates. This includes access to analytics and comprehensive documentation on data accessibility.
Post-DMA Enhancements: As of March 6, 2024, Google confirms its compliance with Art. 6(10), underscoring its commitment to maintaining high data transparency standards in alignment with the DMA.
Data Sharing Practices: Google has a history of sharing data information and insights with its business users, empowering them through extensive data and analytics tools.
Compliance Measures: Despite its pre-existing compliance, Google has taken further steps to ensure its practices align fully with Art. 6(10), emphasizing its dedication to providing business users with meaningful data insights.
Documentation and Tools: Google provides business users with detailed documentation and sophisticated tools for accessing and analyzing the provided data, ensuring transparency and utility.
Google Ads Chapter
Pre-DMA Compliance: Before the DMA, Google Ads offered advertisers various levels of data transparency and user control, allowing them to understand and optimize their ad performance. However, the extent of transparency around ad auction dynamics, bidding processes, and the allocation of advertising slots could vary, leaving room for improvement in clarity and comprehensiveness. Advertisers had access to a range of performance metrics and analytics tools. While these tools were powerful, there was an ongoing demand for more granular data and insights to better understand the ad auction process and the factors influencing ad performance.
Post-DMA Implementation:
Enhanced Data Controls: Google has introduced new controls for cross-service exchanges of personal data, aligning with Article 5(2) of the DMA, ensuring that personal data is handled with heightened privacy and security measures.
Unified Policy and Training: A comprehensive Google-wide policy and compliance training program have been developed to unify pre-existing controls into a program compliant with Article 6(2) of the DMA. This unified approach aims to solidify Google's commitment to data protection and user privacy across all its services.
Event-level Price and Fee Transparency: Google has taken steps to provide even greater transparency regarding the pricing and fees associated with its advertising services. New files disclosing event-level price and fee information are now available, giving advertisers and publishers a clearer understanding of their costs and the value derived from using Google Ads.
Regional Data Access for Publishers: A new non-aggregate data solution, "Regional Data Access," will be provided to publishers at no additional cost. This solution is similar to Google's existing Data Transfer Files (DTFs) and allows EEA publishers and their authorized third parties access to valuable data to enhance their advertising strategies.
Google Android Chapter
Pre-DMA Compliance: Prior to the DMA's adoption, Google Android already complied with a wide range of regulatory requirements, affirming its alignment with key aspects of the DMA. Notably, certain DMA articles, such as Article 5(2), 5(3), and others related to specific obligations, do not apply to Google Android, highlighting the tailored approach to compliance based on the specificities of each CPS.
Post-DMA Implementation: Google took additional steps to prepare for the DMA, including policies to enhance cross-service data exchanges and processes to ensure fair conditions for Google Play's business users. These measures underline Google's proactive stance in adapting to regulatory changes and enhancing user and business user experiences on Android.
Google-wide Policy and Compliance Training: To address the DMA's requirements, Google developed a comprehensive policy and compliance training program that integrates pre-existing controls. This initiative ensures a unified compliance approach across Google's services, including Android.
Choice Screens for Online Search Engines and Browsers: A significant compliance measure involved the introduction of new choice screens for online search engines (OSEs) and browsers on devices that preinstall Google Search or set Google Chrome as the default browser. This measure aligns with the DMA's mandates under Article 6(3), emphasizing user choice and flexibility.
Google Chrome Chapter
Pre-DMA Compliance: Prior to the DMA's adoption, Google Chrome already complied with multiple DMA articles, demonstrating Google's long-standing commitment to user privacy and choice. The report specifies that certain DMA articles do not apply to Google Chrome, indicating a tailored approach to compliance based on the service's characteristics.
Post-DMA Implementation:
Enhancements for User and Business User Experience: Despite pre-existing compliance, Google Chrome has implemented additional measures to prepare for the DMA, including technical changes to facilitate the implementation of the browser-level OSE choice screen. These measures underline Google's proactive stance in adapting to regulatory changes and enhancing the user experience.
Introduction of New Controls and Policies: To ensure compliance with the DMA, Google Chrome has introduced new controls for cross-service exchanges of personal data and developed a Google-wide policy and compliance training program. These initiatives are designed to unify pre-existing controls into a comprehensive, DMA-compliant framework.
Choice Screens for Online Search Engines: A significant step towards compliance has been the introduction of choice screens for online search engines (OSEs), allowing users to select their preferred search engine directly within Google Chrome. This feature is part of Google's commitment to user choice and flexibility, in line with DMA requirements.
Google Maps Chapter
Pre-DMA Compliance: Before the DMA's enactment, Google Maps already complied with several DMA articles, such as Articles 5(4), 5(5), 5(6), 5(7), 5(8), 6(2), 6(5), 6(6), 6(10), and 6(13). However, Articles 5(9), 5(10), 6(3), 6(4), 6(7), 6(8), 6(11), 6(12), and Art. 7 are not applicable to Google Maps, reflecting a nuanced approach to compliance based on the specific service features and functionalities.
Post-DMA Implementation:
Personal Data Controls: Google Maps has developed new controls for cross-service exchanges of personal data to comply with Art. 5(2) of the DMA.
Business User Contract Policies: New processes and policies ensure that Google’s contracts with Google Maps' business users do not restrict their ability to offer products or services through their direct online sales channels, aligning with the principles of openness and fairness as required by the DMA.
Google-wide Policy and Compliance Training: A comprehensive policy and training program has been introduced, incorporating pre-existing controls into a framework that is compliant with Article 6(2) of the DMA.
Data Portability Enhancements: New functionality has been added to Google Maps to enhance existing data portability opportunities, facilitating easier access and transfer of data as stipulated under Art. 6(9) of the DMA.
Google Play Chapter
Pre-DMA Compliance: Before the DMA's implementation, Google Play was largely compliant with its provisions due to its open ecosystem principles. Nonetheless, additional steps were taken to fully adhere to the DMA, reflecting Google's ongoing commitment to enhancing user and business user experiences within its platforms.
Pre-DMA Compliance:
Development of New Controls and Policies: To meet DMA obligations, Google Play has established new controls for the cross-service exchange of personal data and policies to ensure business user contracts don't restrict their ability to offer products or services through direct online sales channels or at different conditions through Google Play .
Introduction of the External Offers Program: This program allows developers to present promotional messages and hyperlinks for external offers on their sites where users can contract for those offers. Developers need to inform users that they are transacting outside the app without the security and safety that Google Play provides .
Fee Adjustments: Google Play has adapted its fee model under the External Offers program, which includes a time-limited fee for "initial acquisition" and a fee for ongoing services provided by Google Play, such as security services, app updates, and monetization support .
General Conditions of Access: In preparation for Art. 6(12), Google Play has published its EEA general conditions of access, incorporating an EU-based Alternative Dispute Settlement Mechanism (ADSM), ensuring the platform's general conditions are fair, reasonable, and non-discriminatory (FRAND) .
Google Search Chapter
Pre-DMA Compliance: The changes implemented by Google Search were initiated in January 2024, with a focus on testing and refining the new designs to address any potential issues and to onboard business users effectively . These measures are assessed in combination rather than individually, creating a new framework that offers additional choices for end-users and multiple new opportunities for various business users to surface in Google's results.
Pre-DMA Compliance:
Introduction of New Features and Designs: Google Search has undergone extensive changes to its search result pages. These changes include the removal of features that could potentially limit competition, as well as the introduction of new opportunities for third-party vertical search services (VSSs) and direct suppliers .
Enhanced Formats for Free Web Results: New enhanced formats for individual free web results have been developed for VSSs and direct suppliers, improving their visibility and the presentation of their services, offers, and inventory. These formats, optional for use, include images, star ratings, prices, and the ability to include carousels showcasing the business's inventory .
Removal of Reserved Links and Entry Points: Google Search has removed reserved links to separate Google services within search results and entry points to these services in the Google Search menu bar, ensuring that Google services only appear in result links if similar third-party services are treated in a non-discriminatory manner .
Deprecating Specific Functionality: Certain functionalities, like the Google Flights unit on the search results page, have been deprecated as part of the effort to comply with the DMA, ensuring a fair and balanced presentation of search results .
Google Shopping Chapter
Pre-DMA Compliance: Google Shopping was largely compliant with DMA regulations prior to their implementation, given its non-restrictive contracts with business users that allow for product and service offerings through their direct online sales channels. Notably, Articles such as 5(9), 5(10), and others related to specific obligations do not apply to Google Shopping, illustrating a nuanced approach to compliance based on the service's characteristics.
Pre-DMA Compliance:
Introduction of New Data Controls: Google has developed new controls for cross-service exchanges of personal data to ensure compliance with Article 5(2) of the DMA.
Google-wide Policy and Compliance Training: To unify pre-existing controls into a DMA-compliant program, Google introduced comprehensive policy and training initiatives. This aligns Google Shopping with Article 6(2) requirements and beyond, demonstrating Google's proactive approach to adherence.
Enhancement of Data Portability: Google has added functionalities to Google Shopping to expand upon existing data portability opportunities. This move aligns with Article 6(9) of the DMA, ensuring that business users and end users can manage and transfer their data with ease.
YouTube Chapter
Pre-DMA Compliance:Before the DMA's enactment, YouTube was already compliant with several of its articles, thanks to its fair, transparent, and equal ranking conditions applied to all audiovisual content. However, Articles such as 5(3), 5(9), 5(10), and others related to specific obligations do not apply to YouTube, reflecting a tailored approach to compliance based on the service's unique features and functionalities.
Pre-DMA Compliance:
Development of New Data Controls: Google has implemented new controls for cross-service exchanges of personal data, addressing requirements under Article 5(2) of the DMA. This move is part of a broader effort to enhance data privacy and user control over their personal information on YouTube .
Unified Google-wide Policy and Compliance Training: To ensure consistency across its services, Google has introduced a comprehensive policy and compliance training program. This program integrates pre-existing controls into a DMA-compliant framework, signifying a unified approach to meeting the DMA's standards .
Enhancement of Data Portability Opportunities: Recognizing the importance of data portability, YouTube has introduced new functionalities to improve existing opportunities for data transfer. These enhancements align with Article 6(9) of the DMA, facilitating easier access and management of data for both business users and end users .
Google's DMA Compliance Workshop
Google has showcased a proactive approach towards complying with the DMA, specifically adhering to the EC’s regulatory templates under Article 11 and Article 15. This commitment was evident in their detailed compliance (211 pages) and consumer profiling reports, which align with the EC's expectations for transparency and adherence to the DMA’s goals of promoting contestability and fairness in digital markets.
Google, as a major digital gatekeeper with eight core platform services designated by the EC, including Google Search and Google Shopping, has taken significant steps to align its operations with the DMA's requirements.
Google’s comprehensive engagement with the DMA's requirements demonstrates a proactive stance towards regulatory compliance, addressing key areas such as user choice, data sharing and anti-steering measures.
Despite Google's efforts, feedback from stakeholders highlights areas of contention, particularly concerning the effectiveness of self-preferencing measures and the integration of stakeholder feedback into compliance strategies.
Google’s approach to compliance is characterized by ongoing adjustments and dialogue with regulators and stakeholders. This iterative process is crucial for addressing complex regulatory requirements and adapting to the dynamic digital market landscape.
Google’s initiatives indicate a commitment to compliance but also underscore the need for continued refinement of its strategies to fully align with the DMA’s goals of ensuring fairness, contestability and consumer protection in digital markets.
In summary, Google's engagement with the DMA regulations reflects a significant effort to align its operations with the new regulatory framework. However, the effectiveness of these measures and the incorporation of stakeholder feedback remain critical for achieving the DMA's objectives. Google's approach to compliance, especially with Google Shopping, cleverly dodges the tough spots, leaving obvious gaps unaddressed. There is a long road ahead!