Microsoft’s DMA Compliance Workshop – The Power of No: The (Odd) New Kid on the Block
The Digital Markets Act (DMA) became entirely applicable on 7 March 2024. By then, the gatekeepers issued their compliance reports documenting their technical solutions and implementation of the DMA’s provisions under Article 11 DMA as well as their reports on consumer profiling techniques as required under Article 15 DMA (see here).
During the last week, I have covered the workshops organised by the European Commission (EC) per each of the gatekeepers under The Power of No series, where the representatives of the undertakings have met with stakeholders to grind their compliance strategies and solutions. This blog post covers the sixth (and last!) workshop organised by the EC for assessing Microsoft’s compliance solutions. A full review of the rest of the workshops can be found here on Apple’s, Meta’s, Amazon’s, Alphabet’s and ByteDance’s participation.
Comprehensive compliance reports – a ‘summarised’ version?
Microsoft’s compliance reports met the highest of the requirements that the European Commission set when issuing its regulatory template under Article 11 DMA. First, it strictly followed the design of the regulatory template in providing the technical solutions for the DMA’s compliance per each CPS and each provision. As a result, Microsoft’s compliance reporting obligations have crystallised into two different documents: a 164-page long compliance report for Microsoft’s Windows PC OS and a 244-page long compliance report for Microsoft’s LinkedIn.
As opposed to other gatekeepers that interpreted their obligations under Article 11 DMA as requiring them to publish a summarised non-confidential version of their compliance report (let’s recall Amazon’s and Apple’s short compliance reports in terms of breadth), Microsoft cannot be blamed on the same count. Instead, Microsoft’s transparency in delivering its compliance solutions to the public is nothing short of impeccable. The devil is, however, in the details and, perhaps, a summarised version of the compliance reports could facilitate end user comprehension of the gatekeeper’s actual technical implementation of the regulation. Building upon this same effort, this post aims to review Microsoft’s presentation of its technical solutions to comply with the DMA both for its operating system Windows PC OS and its online social networking CPS.
Windows PC OS: small tweaks within an ‘open’ digital environment
Microsoft mainly presented its compliance solutions for the configuration of defaults within its systems, relating to its obligations under Articles 6(3) and 6(4) DMA, as well as for how it processes personal data related to the operating system’s maintenance pursuant to the safeguards imposed by Articles 5(2) and 6(2) DMA.
On the note of the negative obligations that the regulatory instrument imposes upon Microsoft, the gatekeeper established that it was making uninstallable a wide suite of apps that it had formerly embedded as defaults for the operating system. By this token, Windows has modified its Camera, Cortana and Photos apps to ensure that they can be uninstalled by end users if they wish to do so, and it has also re-engineered its default settings so that both Edge and Bing may be uninstalled with ease in the EEA. Related to the prior bundling of the Windows experience to Bing and Edge, the gatekeeper established that it already enables third-party applications to interoperate with the search box displayed on the Taskbar on Windows 10 (moving away from serving it exclusively through Bing-supported services) as well as with the (news) feed extensibility of the Windows 11 Widgets Board (which was formerly backed by Edge’s browsing experience).
On the side of the positive obligations that the DMA compels the gatekeeper to introduce in relation to default settings, the undertaking presented three different ways in which end users can modify those. First, the end user is presented with an ‘Open With’ dialogue box to select whether she wants to change the defaults relating to particular links or file types. For instance, whether the end user wants to open all PDFs with Adobe or with other apps that she has downloaded prior to the prompt being displayed. To this end, Microsoft responded to questions from the participants that the box was not designed to be an installation mechanism to ensure, for instance, that other browser engines may be presented to the end user without having to install them (as some other gatekeepers have done when supporting those same screens on the mobile environment). Instead, the ‘Open With’ dialog was thought through by the gatekeeper bearing in mind that it is a default mechanism. That is to say, it can only serve end users with the purpose of selecting a particular app as a default from the suite of apps already installed on the device.
Second, an application running on Windows may prompt the user to set the application as the default holder, and the end user is then routed to the settings configuration to make the change. Asked by participants in the workshop, Microsoft’s representatives confirmed that, since Windows 7 (as they pointed out), defaults cannot be managed and configured from within the third-party application’s own user experience, and that the change has to be made directly through the settings configuration. Third, end users can easily navigate to the settings configuration directly to make the change in their default holders, both by application and by file type.
Furthermore, Microsoft’s representatives also presented all the technical safeguards that it has embedded in relation to the processing of its Diagnostic Data. According to the gatekeeper, this is the type of data that receives the most focus on the operating system; it is collected by Windows to determine whether the OS is operating as designed (in other words, it is maintenance data). Therefore, the gatekeeper has designed an additional prompt to ask whether end users wish to consent to the combination and cross-use of this personal data with other personal data processed by Microsoft’s services, as required by Article 5(2) DMA. If the end user does not give consent, Windows will not stop processing and cross-using Diagnostic Data altogether, but it will only collect the required Diagnostic Data from the PC OS so as to ensure that it runs as designed.
Asked by BEUC on the wording used in the prompt referring to information (and not personal data), Microsoft responded that the prompt is displayed within a layered approach of consent so that users can access more available information on the processing of personal data via selecting the ‘more details’ option, the privacy statement and further links that describe the processing of personal data relating to Diagnostic Data. Some of the questions from the participants in the workshop also revolved around the degree of customisation of the prompt and Microsoft reiterated that it did not have a long list of designated core platform services, so its consent mechanism should not delve into so much detail in this instance. On a separate note, Microsoft’s representative was also adamant in defending that Windows PC OS personal data is not combined or cross-used with personal data belonging to its core platform service, LinkedIn.
On the side of Article 6(2) DMA, Microsoft has introduced additional safeguards to isolate Diagnostic Data related to the running of third-party applications from its own data. In that respect, Microsoft confirmed that it would only aggregate Diagnostic Data coming from third parties and then make that data available to the public so that these pieces of data could not be interpreted as non-public data used in the context of competing with its business users.
LinkedIn: data-related obligations and an abundance of caution
Microsoft’s LinkedIn CPS was designated by the Commission as an online social networking service. Thus, the same challenges were posed to it when thinking about its compliance solutions against the background of the cross-subsidisation of its services via the personalisation of advertising. As opposed to Meta, which designed the pay-or-OK model to allow end users to consent to the processing of personal data or to refuse consent based on the charging of a subscription fee, LinkedIn’s consent prompt, designed to comply with Article 5(2) DMA, provides the end user with an equivalent experience if consent is not granted.
By this token, LinkedIn presented the prompt it designed in a neutral manner (by displaying both the accept and reject buttons in the same colour and font) to offer end users the choice to consent or not to the cross-using of personal data across its services. To that end, end users may directly accept the data combination so that, in that case, the CPS will be catered to the end user as usual.
However, if the end user rejects consent by selecting to connect none of the services provided by LinkedIn, then the user experience will be less personalised, but no functionality will be suppressed from LinkedIn. For instance, end users will still be able to use its Jobs and Learning functionality as they already did, but the results delivered to the end user in terms of content will be less personalised to the end user’s interests or activity based on his interaction with the CPS. Additionally, LinkedIn will no longer combine the CPS personal data for building and training its relevance models displayed across its services. For example, the Jobs recommendations will no longer be trained on CPS data such as the LinkedIn members’ list of companies followed, but on more general data deriving from the end user’s location or employer displayed on his personal profile. In a similar vein, consumers may also choose to accept the cross-using of some services as opposed to others. Throughout its presentation, the gatekeeper maintained that it would always deliver an equivalent user experience even if consent was not granted in full or in part.
In response to questions from the stakeholders, LinkedIn argued that it had already shown prompts to end users in the past relating to the implementation of EU data protection regulation, asking them whether they wanted to be delivered personalised advertising on the social network. Therefore, the choices that end users had already made on that prompt, which applied to LinkedIn’s data layers and infrastructure to comply with the GDPR, would still be honoured on top of the existing prompt for compliance with the DMA. In this particular sense, neither the DMA- nor the GDPR-related prompts would decrease the number of ads displayed to end users on their feeds, but the underlying data sustaining them would fundamentally change with the end user’s choices.
In terms of the data portability implementation for both end users and third parties, LinkedIn introduced two dedicated pathways to gain access to data for both types of users via two distinct versions of APIs. However, Microsoft’s statement revolved around the technical implementation of its dedicated API relating to third-party access, which will be granted upon the third party’s direct verification by LinkedIn and agreement to comply with the terms of use specific to the API. According to LinkedIn, based on previous experience with third parties that had already engaged with them to seek access, the verification process could be completed in 2-4 days. Once entity verification is complete, the third party will be provided an API access token and will be able to build its integration with the CPS. Following integration, the last step of the process will lie with third parties, who will have to present a prompt to the end user so that they consent to their data being called by the API for the third party’s concrete application. Within this dialogue box, the end user will be presented with the set of data which the third party will need to call from the API, without the possibility of fine-tuning what data he would want to be omitted from the portability solution.
In Microsoft’s own words, it did not downrank any of the ads of its competitors nor did it uprank any of its own ads within the feeds of its members, so it already complied with the DMA’s self-preferencing prohibition under Article 6(5). Furthermore, the only implementation of the regulation related to the elimination of the ‘Jobs You Might Be Interested In’ (JYMBII) module from the end user experience on LinkedIn in the EEA. By doing that, LinkedIn will no longer show a display of jobs that users may be interested in directly on their feeds but will cater to that same functionality via the Jobs functionality with the underlying choices that the end users may have performed when presented with the Article 5(2) compliance solution.
Key takeaways
Microsoft’s presentation of its compliance solutions was performed in an understandable and constructive manner (as opposed to some of the other gatekeepers, one could say!) so that end and business users could easily comprehend the ulterior implications of one’s choices when interacting with the gatekeeper’s products. Bearing in mind Microsoft’s compliance workshop, re-engineering some of its products and services is not a major hurdle hindering the DMA’s effective compliance and application.
As the compliance workshops come to an end (and this ‘The Power of No’ series with it), this last tenet provides a glimmer of hope within the European Commission’s expected enforcement around the DMA, which may be fast-moving and cross-cutting, as it has already demonstrated by opening five distinct non-compliance procedures against some of Alphabet’s, Apple’s and Meta’s compliance plans.