ARTICLE
19 August 2025

AI And The EU Digital Markets Act

W
WilmerHale

Contributor

WilmerHale logo
WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.
Explore Firm Details
The European Union's Digital Markets Act's (DMA) stated aim is to complement European Union competition rules to ensure contestable and fair markets in the digital sector by imposing specific obligations on "gatekeepers".
United States Privacy
Frédéric Louis,Anne Vallery, and Itsiq Benizri
Your Author LinkedIn Connections

The European Union's Digital Markets Act's (DMA) stated aim is to complement European Union competition rules to ensure contestable and fair markets in the digital sector by imposing specific obligations on "gatekeepers". Gatekeepers are designated large platforms providing Core Platform Services (CPS), such as online search engines, social networks, operating systems, marketplaces, or online advertising services.

AI is currently not considered a CPS under the DMA. The European Commission may propose that the EU legislature add AI to the list of CPS following a market investigation. The Commission seems hesitant to do so due to the lack of clarity regarding what the exact designation should be and what entities would qualify as a gatekeeper, particularly since AI is frequently embedded within broader services. It remains to be seen whether the Commission will address AI-related issues more explicitly in the future. It appears that this may happen when the DMA undergoes a first review in 2026.

Meanwhile, the Commission takes the position that AI may be covered by the DMA when integrated into a gatekeeper's CPS, such as a search engine or virtual assistant using AI.

This blog post provides a brief overview of the DMA provisions that may be relevant to AI.

Combining and Cross-Using Data

The DMA assumes that gatekeepers may leverage the large volumes of data flowing through their CPS to raise barriers to entry. It might be argued that this assumption also applies to gatekeepers using data flowing through their CPS to (further) train and develop AI models, the engines that drive the functionality of AI systems (such as chatbots).

If a CPS already includes an AI system, such as a search engine using a generative AI function, the European Commission may argue that the gatekeeper may also use the data obtained through such a system to strengthen its position on the market to the detriment of smaller AI players.

There may also be a risk that the DMA could be interpreted as restricting gatekeepers from using combined and cross-used personal data collected through AI systems to train or improve their AI models, thereby leveraging their competitive advantage provided by the AI systems they offer. This, however, would assume that AI models may qualify as a CPS, which remains unclear at the moment.

  • Personal Data. Gatekeepers cannot combine individuals' personal data from one CPS with personal data from some of their own other or third-party services. Likewise, gatekeepers cannot cross-use personal data from one CPS in their separate services, and vice-versa (Article 5(2) DMA). These restrictions do not apply if the individuals concerned have consented to the processing of their personal data for such purposes. However, obtaining valid consent under the GDPR is extremely challenging, largely due to the restrictive and controversial interpretation of consent requirements by European data protection authorities and the European Commission.
  • Business Data. Gatekeepers cannot use in competition with business users any data that is not publicly available and that is generated or provided by those business users in the context of their use of the CPS or the services provided together with, or in support of the CPS, including data generated or provided by the customers of those business users. For example, a gatekeeper offering marketplace services and selling its own products on the same marketplace may not use business users' sales data on the marketplace to train its own AI sales functions. The consent exemption mentioned above does not apply here (Article 6(2) DMA).

Self-Preferencing (Article 6(5) DMA)

It might be argued that gatekeepers must ensure that AI systems used for ranking purposes comply with the DMA. The DMA prohibits gatekeepers from favoring their own services and products over similar ones offered by third parties in ranking, indexing, and crawling. Gatekeepers must apply transparent, fair, and non-discriminatory conditions to such ranking.

Data Access

Certain players might try to argue that they can use DMA data access rights to obtain the data they need to develop their own AI models.

  • Business Users. The DMA requires gatekeepers to provide business users, upon request, with free, high-quality, and real-time access to data provided for or generated in the context of the use of the CPS or the services provided together with, or in support of the CPS, including data generated or provided by the customers of those business users (Article 6(10) DMA).
  • Providers of Online Search Engines. Gatekeepers must provide providers of online search engines, upon request, with access on fair, reasonable, and non-discriminatory (FRAND) terms to ranking, query, click, and view data in relation to free and paid searches generated by end users on the gatekeeper's search engine (Article 6(11) DMA).

To address data protection issues, appropriate safeguards must be implemented when the data to be shared includes personal data. User consent is necessary for business users' access requests. Anonymization is required when addressing data access requests from providers of online search engines.

Notifying Transactions (Article 14 DMA)

Gatekeepers are required to inform the European Commission of any intended concentration prior to its implementation where the merging entities or the target provide CPS or any other services in the digital sectors or enable the collection of data, irrespective of whether it needs to be notified under EU or national merger rules. A significant proportion of these notifications thus far concern acquisitions of AI companies by gatekeepers (see our previous blog post on AI and mergers for more details).

Enforcement

The European Commission can adopt non-compliance decisions and order gatekeepers to cease and desist from non-compliance (Article 29 DMA).

The European Commission can also fine non-compliant companies up to 10% of their global annual turnover and impose daily penalties of up to 5% of average daily turnover (Article 30 DMA). In March 2025, two gatekeepers were fined €500 million and €200 million for breaching DMA obligations. These decisions have been challenged before the EU courts.

The authors would like to thank Ioannis Dellis for his assistance in preparing this alert.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Frédéric Louis
Frédéric Louis
Photo of Anne Vallery
Anne Vallery
Photo of Itsiq Benizri
Itsiq Benizri
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More