DMA enforcement — Data combination consent and self-preferencing probes

The European Commission used its March 25, 2024 enforcement action to test whether designated gatekeepers actually gate data use in line with the Digital Markets Act (DMA). Investigations focus on Alphabet’s steering restrictions and search ranking treatment, Apple’s choice screens and anti-steering design, and Meta’s “pay or consent” model that could violate Article 5(2) limits on combining personal data across services without valid consent.

Gatekeepers and firms relying on their platforms need monitoring and evidence routines that prove consent-based data combination, non-discriminatory interoperability, and transparent default settings.

Compliance implications for data sharing and consent controls

• Data use separation. Article 5(2) requires explicit user consent before combining personal data from core platform services with third-party data or other services the gatekeeper provides; the probes underscore the need for auditable consent logs, independent opt-out flows, and default settings that do not bundle consent.
• Interoperability access. Article 6(7) obliges gatekeepers to make real-time data and feature interoperability available on fair terms. Platform teams should inventory APIs, latency SLAs, and access request responses to show non-discriminatory treatment compared with first-party products.
• Anti-steering readiness. Article 5(4) prohibits restrictions that prevent business users from informing customers about cheaper offers. Compliance teams should test referral links, pricing disclosures, and app store policies to demonstrate anti-steering compliance alongside data portability support.

Operational steps for privacy and platform teams

• Consent verification. Implement purpose-level consent receipts and automated deletion of linked identifiers when users revoke consent, aligning with EDPB Guidelines 05/2020 on consent and the DMA’s Article 5(2) expectations.
• Cross-service data maps. Maintain up-to-date inventories showing which datasets flow between services, the lawful basis for each combination, and any differential retention periods so auditors can validate minimisation and purpose limitation.
• Default configuration audits. Review onboarding flows, cookie banners, and cross-product prompts to ensure refusals are as easy as acceptance, documenting A/B tests and dark-pattern checks requested by DG COMP investigators.

What to monitor next

• Commitments and interim measures. The Commission may impose behavioural remedies or interim measures if initial findings reveal risks of irreparable harm; legal teams should scenario-plan for mandated changes to consent flows or API access policies.
• Template updates. Vendors and app developers dependent on gatekeeper platforms should refresh data processing agreements to clarify data-sharing boundaries, audit rights, and incident notification tied to DMA obligations.
• National coordination. Expect coordination with data protection authorities where consent or transparency overlaps with GDPR enforcement, increasing the need for harmonised records of processing activities and user communication archives.

Sources

• European Commission press release on DMA non-compliance investigations (25 March 2024)
• Regulation (EU) 2022/1925 (Digital Markets Act)

Platform, privacy, and commercial teams should treat the investigations as a template for the evidence EU enforcers will expect around consent-driven data use and interoperability provisioning.