Digital Services Market Act – Time to get it Together

The Digital Markets Act (DMA) is a revolutionary piece of EU legislation designed to promote fairness and contestability in digital markets by placing requirements on platforms serving as ”gatekeepers” in the industry.

The DMA is a part of the EC’s comprehensive regulatory approach to uphold consumer rights and foster competition in the market for digital services. The Act will become operative on November 1, 2022. Gatekeepers will then have a six-month grace period until the DMA’s regulations take effect on May 2, 2023.

DMA aims to stop the top corporations in the IT industry from abusing their dominating position.

A Gatekeeper:

  • has a significant impact on the internal market;
  • is a provider of the core platform service, which is important for business users to reach the end users of the service;
  • enjoys or in the future can be expected to enjoy an “entrenched and permanent position” in the market.

As one can guess, being a Gatekeeper comes with several obligations. According to Article 5, Gatekeepers cannot:

  • combine personal data from the services with data collected through other services of the same Gatekeeper or a 3rd party;
  • offer the same products or services to end users through 3rd party online intermediary services at prices and terms different from those offered by the Gatekeeper;
  • directly or indirectly prevent end users from initiating any protection procedures with the respective authorities;
  • require end users or business users to subscribe to, or register for any other service as a condition of accessing, registering, or using any of the Gatekeeper services.

Article 6 takes this a step further. Gatekeepers must:

  • refrain from using any data that is not publicly available and that was generated by the activities of business users;
  • allow end users to uninstall any pre-installed software applications on their underlying service without prejudice to Gatekeeper’s ability to restrict such uninstallation with respect to software applications that are necessary for the operation of the operating system;
  • provide advertisers and publishers, at their request and free of charge, with access to the Gatekeeper’s performance measurement tools and the information they need to perform their own independent verification of ad inventory, etc.

As a result of DMA being enacted, big tech businesses operating in Europe are entering a hard new phase since it will make Gatekeepers (and aspiring Gatekeepers) subject to more regulations and force them to fundamentally alter their business models. Businesses and people will look into the new policy and file lawsuits as a result.

Non-compliant Gatekeepers will be fined up to 10% of their total worldwide turnover – and up to 20% in the event of repeated violations.

The DMA is intended to complement EU and national competition law. Anti-cartel, anti-abuse of dominant position, and merger control laws are unaffected by the application of the DMA.

DMA deployment is coming at a difficult time for gatekeepers (and aspiring gatekeepers). For example, how can search engines negotiate and agree on FRAND terms for ranking, querying, clicking and displaying data with competitors? And how is such data anonymized? But as always, nothing is black or white. While the ‘Bit Un’s’ might find this stifling and unattractive, the DMA also offers opportunities for smaller core platform service providers and business users in their business relationships with gatekeepers.

The Metaverse today – Dicey market forecasts, and contradictory regulations regarding personal data protection

McKinsey predicts a market value of $5 trillion by 2030 and Citi predicts up to $13 trillion; Canalys, however, disagrees and claims the metaverse is a B2B problem seeking a solution that will eventually fail.

Investors in the platform include Microsoft, Meta, Google, Nvidia, Apple, Autodesk, and others. McKinsey consultants estimate that since 2021, a staggering $177 billion has been invested in the metaverse. By 2030, the market, according to this estimate, may be worth $5 trillion. Even more optimistic than before, the soothsayers at Citi predict that by the same year, the metaverse economy would be valued between $8 trillion and $13 trillion.

According to Gartner, by 2026, a quarter of us will spend at least an hour each day online, whether it be for work, play, socializing, or education. A third of businesses will have offerings prepared for the digital sphere. Most business-related initiatives are anticipated to be finished by 2025.

The Metaverse of interconnected spaces might become a reality at any time. After all, it’s all about the internet and the web. We are proficient in linking. The reason this isn’t occurring isn’t due to technical difficulties; rather, businesses aren’t trying to make this happen.

Operational concerns and contradictory regulations might be one reason.

Operational concerns and contradictory regulations regarding personal data protection in the metaverse

In the Metaverse, data about users’ psychophysical characteristics assumes a crucial role in two ways. On the one hand, there is the explicit user identification, and on the other, there is the potential to use the previously collected users’ psychophysical dataset as a source of ”additional” inferable user information.

Putting the emphasis on users’ psychophysical data in the Metaverse

The link between regular physical reality and augmented virtual reality is strong within the Metaverse. As a result, when you sign up for the Metaverse and make your own avatar, your identity is duplicated. This necessarily involves processing a variety of personal data, including:

  1. personal data needed to create the avatar;
  2. information about a location;
  3. information about routines, passions, tastes, and views; and
  4. information on users’ psychophysical state, such as behavioral information (such as emotional reactions and social interactions) and information about how they move their bodies (such as their posture, gaze, gestures, facial expressions, and interpersonal proximity).

Regarding the first aspect, avatars use specialized technology to externalize people’s emotions and bodily movements. It includes aspects of behavior and physical movement that, in virtual reality, are collectively referred to as the ”human being.” This means that the GDPR is applicable in the Metaverse. In fact, unlike what occurs in physical reality, motions and gestures may qualify as personal data under Article 4(1) of the GDPR and be processed by the data controller in accordance with Article 4(2) of the GDPR.

When translated into the Metaverse, certain movements and/or behaviors may ”reveal” sensitive information about the person, such as medical conditions and physical impairments. This is in relation to the possibility of considering data processed in the context of the Metaverse as a source of ”further” inferable information relating to users. In the GDPR, ”inferred data” refers to data that can be further collected by examining human characteristics. Should this data disclose sensitive information, such as health information, the legal framework outlined in Article 9 of the GDPR with the associated processing limits and requirements would apply.

The standards for data protection and the accountability principle

It is possible, from the perspective of data protection, to rely on extraterritorial application – to a parallel virtual reality – of the GDPR in response to the current absence of any specific ex-ante European regulation governing the activities of users and businesses in the Metaverse, thereby implementing one of its core principles, namely, accountability.

This is a result of the processing operations stated above, which are being done in this context and cannot be exempt from regulation.

This principle states that organizations involved in the Metaverse must be regarded as data controllers since they choose the methods and objectives for processing personal data.

To maintain a sufficient degree of user-related personal data protection and, concurrently, to reduce the risk of potential security incidents and/or personal data breaches, a number of standards must be met.

Practically speaking, the data controller is obligated to:

  • make available information notices that describe the processing activity and the legal justification for processing and transferring personal data within virtual reality. This is done to raise users’ awareness and, where consent is needed as the legal basis for carrying out the processing, to enable them to give informed consent;
  • given the dynamic nature of virtual reality, when performing new processing activities for a different purpose (referred to as ”secondary use”) and/or additional processing based on the original purpose, frame those activities systematically to ensure consistency with what was initially communicated to the user;
  • when developing systems and tools, consider the standards outlined in data protection laws in accordance with the concepts of privacy by design and by default;
  • perform a DPIA (Data Protection Impact Assessment) to better understand the increased threats and risks related to managing the information assets granted to the Metaverse reality;
  • comply with the processing and distribution restrictions outlined in Article 9 of the GDPR with regard to special categories of personal data, such as health-related information, which the DPIA also makes possible.

Europe, regulating the Metaverse in a regulatory vacuum

An ad hoc legal framework appears to be required due to the quantity and variety of personal data involved in the processing operations implemented in today’s digital world. Such a framework should be designed to precisely control data flows inside the Metaverse and the increasingly pervasive interconnectedness between the virtual and real worlds.

However, there does not appear to have been any European involvement to date to establish suitable and specialized law in the area. The European Commission has up until recently denied any plans to investigate the Metaverse and to propose political measures and/or industry-specific legislation.

2023 might be a significant turning point in the development of this virtual world.

With so much money to be made, can the metaverse also be privacy friendly?

According to management consulting firm McKinsey & Co., the #metaverse promises to bring innovation to industries including education and e-commerce, with the potential to produce up to $5 trillion in economic effect by 2030. Early adopters must weigh the benefits against the privacy risks posed by their abundance of data points.

In terms of #data #privacy, new problems emerge. Anyone ”entering” a metaverse, for instance, should be aware of the types of personal data handled and how they are processed. Making sure organizations have authorization to collect data at various stages during a user’s experience is a hurdle for those who create extended reality devices or apps. The safeguarding of sensitive payment data is becoming increasingly important because significant sums could be made in the future in this industry. Financial services company Bloomberg Intelligence forecasts that the market will be worth roughly 800 billion US dollars by 2024. #Privacypros and #activists argue that information regarding a person’s bodily characteristics and movements should be given higher protections because it is sensitive data. How can this be reconciled into a metaverse that is both user friendly and protective of privacy?

The answer would be in the stars of the metaverse. However, as things are, as attorneys and analysts we can not only closely monitor the quick developments but also assist in shaping them.

Global Privacy Control – Automating Do Not Sell?

The #GPC promises to be one of the most complete systems created to give people the power to ensure that, under legislation that implements the opt-out method, their data is only gathered, shared, or sold after their consent has been properly obtained.

Today, we more or less assume that everything we do online may be monitored. Data are collected from a range of sources from the type of browser a user is using to the webpages they visit and how much time they spend on each one to the precise battery percentage on their device.

The majority of international data protection laws are designed to safeguard users and offer us control over how and by whom our data are collected, processed, and received. These regulations and the growing public awareness of the right to privacy have resulted in the development of privacy tools and processes that make it easier for users to exercise their rights over their data.

After being ‘live’ for two years the ”Global Privacy Control” is one instrument that now appears to be gaining significance. What does the GPC mean, how does it work, and most importantly, does it have any legal standing as a proper means to exercise our right to privacy? 

What is a GPC?

The Global Privacy Control (GPC) is a global standard intended to convey a consumer’s privacy choices to data controllers and processors, announced at the World Wide Web Consortium (W3C) Privacy Community Group (Privacy CG) in April 2020. 

GPC is a browser-based #opt-out tool, that automatically notifies websites, advertisers, and publishers of users’ opt-out consent signals through HTTP signals. 

In January 2021, GPC took a major step toward becoming enforceable under the California Consumer Privacy Act, after the then-AG of California, Xavier Becerra, tweeted that the GPC would be acknowledged as a legitimate and legal opt-out/do-not-sell request as per #CCPA. As a result, businesses to which the CCPA applies would be required to detect and honor the GPC.

This was crucial because, given the CCPA’s opt-out regime, the necessity to recognize and honor GPC as a worldwide opt-out would significantly increase Californian consumers’ privacy rights.

A statement saying that covered firms ”shall accept user-enabled global privacy settings as a legitimate opt-out request” was added to the CCPA FAQ in July 2021. Later, further recommendations under CCPA Regulation section 999.315 regarding the handling of the ”request to opt-out” were published.

As a result, the GPC is now a viable way for Californians to refuse the sale of their personal information with a lot of support.

How Come It’s So Important?

Since then, the GPC has gained in popularity. But why precisely is it so crucial? Users might exercise their right to privacy by using the GPC, which is a streamlined one-step option. Once turned on, this signal will serve as a consistent signal of a user’s privacy desire. No scripts are launched or stored on your browser. No consent authentication is necessary. Most significantly, it complies fully with all significant privacy laws.

How does it function?

Every time a user connects to the internet, ”headers,” or little pieces of data, are sent along with the request. These headers provide details about the user’s browser, preferred language, screen size of their device, location, and other things. As soon as the GPC signal is activated, all requests from the user’s device will be sent with a Sec-GPC header whose field value is ”1”. The ”1” indicates that the user has explicitly forbidden all third parties from sharing or selling their data. After that, anytime a user views a website, the server will read this header as the first piece of data.

It has hitherto been up to the websites themselves to choose how servers react to headers like the Do Not Track. However, as the #Sephora case demonstrates, businesses covered by the CCPA may discover that they are required by law to obey all GPC signals.
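One way a site can detect and act on the signal described above, as an added example that is not part of the original post: a small WSGI middleware that reads the Sec-GPC request header and keeps a third-party tag out of the page when the signal is present. The ad tag URL, the `privacy.opt_out` key and the `simulate` helper are hypothetical, and treating any value other than ”1” as ”no signal” is an assumption of this example.

```python
from wsgiref.util import setup_testing_defaults

# Hypothetical third-party tag that counts as "sale/sharing" in this demo.
AD_TAG = b'<script src="https://ads.example/tag.js"></script>'


def gpc_enabled(environ):
    """Return True when the request carries Sec-GPC with the value "1".

    WSGI exposes the Sec-GPC request header as HTTP_SEC_GPC. Assumption of
    this example: any other value is treated as "no signal sent".
    """
    return environ.get("HTTP_SEC_GPC", "").strip() == "1"


class GPCMiddleware:
    """Records the visitor's opt-out so every downstream handler can see it."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ["privacy.opt_out"] = gpc_enabled(environ)

        def vary_on_gpc(status, headers, exc_info=None):
            # The page differs depending on the header, so shared caches
            # must not serve the tracked variant to an opted-out visitor.
            headers = list(headers) + [("Vary", "Sec-GPC")]
            return start_response(status, headers, exc_info)

        return self.app(environ, vary_on_gpc)


def page_app(environ, start_response):
    """Demo page: the third-party tag is added only without an opt-out."""
    body = b"<h1>Shop</h1>"
    if not environ.get("privacy.opt_out", False):
        body += AD_TAG
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]


def simulate(request_headers):
    """Run one constructed request through the stack, fully offline."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(GPCMiddleware(page_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed sample requests: no signal, signal on, unexpected value.
    for hdrs in ({}, {"Sec-GPC": "1"}, {"Sec-GPC": "0"}):
        status, headers, body = simulate(hdrs)
        print(hdrs, status, "ad tag served:", AD_TAG in body)
```

The decision is made once, at the edge of the application, so a handler added later cannot forget to check the header.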

There are certain restrictions, though. Organizations in other US jurisdictions outside the CCPA’s purview, such as Virginia and Colorado, are not required by law or regulation to abide by GPC signals from non-Californian citizens.

The GPC or any other comparable mechanisms are not included in Virginia’s data regulation, which is set to take effect on January 1st, 2023. The necessity for a universal opt-out mechanism won’t be implemented until the following year. Contrarily, Colorado’s Privacy Act mandates that the state’s attorney general implement the necessary technical standards to provide widespread opt-out procedures.

Because the EU/EEA operates under an opt-in system, things are different there.

What’s next? 

What’s the best course of action moving forward for enterprises and users, at this point? Organizations may use the GPC to show their dedication to consumers’ privacy at a time when users are more aware of their data rights than ever before. 

What’s more, the GPC does not spell the end of enterprises’ ability to process user data in any way. According to several studies, most users do not mind some monitoring and behavioral targeting as long as it is done with knowledge.

How software can help

There is little doubt that privacy laws have fundamentally altered the way businesses conduct themselves. That is undeniably demonstrated by the #GDPR and how it has affected how businesses change their practices. While not all laws are as stringent or extensive as the GDPR, corporations are nevertheless required to protect consumers’ privacy and provide them with more control over their data.

The GPC signal promises to be one of the most complete systems created to give people the power to ensure that, under legislation that implements the opt-out method, their data is only gathered, shared, or sold after their consent has been properly obtained.

Organizations may find it challenging to comply with each key data regulation’s specific criteria unless they use automated solutions.

Languages – hindrance or help?

Having worked in other languages than my mother tongue since 1998, every time I learn something new I learn in a language other than my mother tongue. Meaning that I explain a flight path in English and French but can’t do it in Swedish. That I can speak about #GDPR and #privacy in English, but not in Swedish.

I consider myself fluent in English, but even so in instances like these I feel hampered by lacking language skills. There is also a question about the test creators, they are often created by English mother tongues, for English mother tongue. For obvious reasons the test creators are specialists in their area, but the test takers are not. Why isn’t that a factor? Yes, the test providers state prerequisites required for the tests but that is the factual background, languages don’t come into the picture.

How to solve that? Language tests to establish language proficiency? But will taking a test in a simplified language provide the same test? Won’t it give extra advantages to those test-takers compared to those test-takers taking the test in ”normal” language versions? Or can it be said that 70% pass is 70% pass no matter what? It’s the language that is simplified, not the content.

Testing, and pausing and testing

The CompTIA package I bought has practice tests included. In my readings, I found that testing and pause is the best way to learn i.e. more learning than studying. And I like to learn so there is a reason for studying. In this case, I’d get a Security+ certificate with some knowledge behind the passing.

But, how long should the pause be to be efficient? 15 minutes? 15 days? Since I for some reason find this situation overwhelming, I have a tendency to procrastinate. Also, should you study just before making the practice test, so the testing becomes repetition?

So many questions, so few answers.

Show me the money!

Reading Global Knowledge’s report rather raised my mood showing a general trend of rising salaries across the entire IT industry. But of course, then came COVID-19 and things changed.

While average salaries rose in the first quarter of 2020, according to Foote Partners some 505 tech certifications continued to decline in market value. Why is that? It’s difficult to say, but Foote Partners posit that the more people get certified, the less of interest it is. Supply and demand in other words…

The state of the matter is that no one seems to know whether it pays off or not. Every report I come across says something different and in the ensuing discussions about those reports, there are more points of view than people answering. I am a little surprised, however, that certifications that are generically applicable e.g. Project Management which is always a good thing to have, score so low.

Certs – waste of time? Or not.

Admittedly, my latest post was a bit of a downer. But the researcher in me wasn’t satisfied after all the answers I had received had all been highly personal. There’s nothing wrong with that, but as facts go personal feelings normally don’t count.

So what are the facts? Does certification pay?

Global Knowledge does annual research regarding certifications and salary. BTW @GlobalKnowledge, global contact forms shouldn’t have US states as a mandatory field… so I thought that report would be a good place to start.

The survey yielded 12,271 completed responses, with 54% coming from the United States and Canada and the remainder from countries around the world. The online survey was tabulated using IBM SPSS and Q Research software. Yes, it’s pre-COVID-19.

Many answers to my question on FB came back and said that what really mattered was if you were good at your job. Certifications are secondary to that.

Eighty-five percent of global IT professionals hold at least one certification, of which over half were earned in the past 12 months. Before COVID-19, 66% planned to get a new certification this year. Tech professionals still see the value of certifications and are pursuing them in various categories and technologies.

Certs – just a waste of time and money?

Having done a highly unscientific piece of research i.e. posting on Facebook, asking why people opted for professional certifications and if this investment paid off – the results were rather depressing. Not one, that answered at least, felt that certificates brought any value. If you started out, maybe, but having gained a number of years’ experience, certificates did nothing to either the CV or the wallet.

That is sad to hear. I hope it ain’t so…

How do you learn?

School, from 1st class all the way through university, was boring. Truly and utterly lacking in motivation. Teachers that had taught the same class for 20 years, never updating a syllable. Yes, I liked, still do, to learn new things. But whatever learning I walked away with, was almost a by-product of teaching.

I learned quick, and spent most of my time waiting for my peers to catch up with me in class. Bar mathematics, maths and anything related was difficult. But since I went to school when everyone was alike, teachers didn’t encourage you to do well. Nor did they seemingly care about anyone who had any type of learning disabilities. Looking back it’s a minor miracle that my generation can read and write.

It later transpired that I have dyscalculia and that I needed glasses. But during the first 9 years in school I was ”just bad at maths.” And of course if all you hear is that you’re bad at something, it becomes the reality. Just hearing that you’re good at something is a positive reinforcement. Well, at least it’s what I suppose.

Learning and studying

Also, school was all about studying, not learning. Thankfully more have caught on, a quick search on studying vs. learning gives 374’000’000 results and 985’000’000 results respectively. Because I remember those cramming hours, learning by heart, regurgitating then forgetting it forever. But at least you had a grade.

#Security+

Why am I freaking out so much over this?

Over the years, I’ve trained myself to do a sort of mental flow chart where I ask myself – based on the information I possess here and now; what is the worst that can happen? This then gives a basis of actions. Once I mentioned this to a colleague he said this is a classical coping technique, by mentioning and stating our fears they become manageable. Like pronouncing Voldemort instead of ”He Who Must Not Be Named.” So what is the worst thing that can happen here and now? Failing the exam, which means a retake.

Nothing strange at all, it happens all the time. Why is it so scary?