Skip to Content

What does the DMA mean for Free Software iPhone & Android developers? 

I) What DMA obligations can Free Software developers rely on to facilitate switching, specially related to data interoperability and portability?II) Does the DMA shift power?III) Regulatory and community responses needed to preserve software freedom in the mobile ecosystem

Written version of Data Rights’ interventions during the FOSDEM 2026 panel with the European Commission’s DMA enforcement team on interoperability and portability. 

DMA stands for Digital Markets Act, the EU's law to reform how competition law applies to companies that have a dominant position on digital markets. The goal of the DMA is to unlock ways for competitors (for or non-profits) to access users, features and data in order to offer competing products in fairer conditions. 

A warm thank you to the Free Software Foundation Europe (FSFE) for organising this panel!


A few words on Data Rights. Data Rights aims to fight data exploitation, and seeks to empower people vis-à -vis big tech. For us, doing so requires to support DMA enforcement, with the help of competing projects' expertise. 


I) What DMA obligations can Free Software developers rely on to facilitate switching, specially related to data interoperability and portability?

First, let’s start with definitions. Put simply, interoperability and portability differ, in that:

  • Interoperability: Communication between two systems (hardware or software). Can be a two-ways flow. 
  • Portability: One-way transfer of data, like websites comparing plane prices, or tools enabling to send an email if you type a certain hashtag on a social media. These usages are great because data is synchronised.
    • The GDPR created the right to data portability in 2016, but in a way that made it a one-off data transfer. In practice this meant that users were getting a data dump, rarely usable. 
    • DMA requires data portability to be, when technically feasible, in real time. This is called dynamic portability. This means that flows of data would be synchronised.


To be more specific, by law the DMA requires that competitors benefit from:

1 ) Easy access to data

  •  Portability - DMA art. 6(9) & 6(10)
    • Free
    • Authorised by user
    • Tool(s) must be provided by Gatekeeper
    • When technically feasible, portability has to be continuous and real-time. 
      • /!\ Careful about "technically feasible", this practical wiggle room given by the DMA is prone to being abused by Gatekeepers. It is fundamental to question what dominant market players say to check whether it is true. Even if it were to be true today, it might no longer be true tomorrow. Competitors must be ready to be strong on their understanding of what is technically feasible. 
    • Data covered:
      • Data given by users
      • Data generated by users
  • Interoperability by design - DMA art. 6(7)
    • Free - which means no hidden costs. You need to invest in a lot of unexpected work before benefitting from interoperability? You might be dealing with illegal behaviour aiming to slow you down or make to give up.
    • Effective - no hidden barriers once technical conditions for interoperability are met. 
    • Your software or hardware cannot be treated less favourably than it's equivalent, internal to the gatekeeper. This is the equal-treatment principle.

These two disruptive rights are reinforced by two other categories of obligations:


2 ) Strongly defined access rights

  • In the context of interoperability, access must also be given to APIs, interfaces and important documentation. Indeed, without access interoperability could not be by design (art. 6(7))
    • /!\ The notion of what constitutes important information is bound to be specified with time. For instance, any information that turns out to create cybersecurity risks when missing is bound to fall into that bucket. Indeed Google's omission of important information when rolling out updates leads developers to reverse engineer new features and changes. Their code might not be as strong as the unpublished one, thereby creating necessary cybersecurity risks. 
  • Access to usage and performance data, in real-time and continuous - DMA art 6(8) & (10)
    • /!\ The goal of this category is to ensure that Gatekeepers can no longer out compete you throught the data they get from your work. 
    • Types of data
      • Aggregated & non aggregated
      • data created through interactions with users
      • >> This is a lot of data, and does also cover any data related to advertisement. Naturally, we strongly recommend ads that involve low processing of personal information, if any. 
    • As per art. 6(12), data has to be high quality, machine readable, provided on fair, reasonable & non discriminatory terms. Seek legal clarification if you feel this might be relevant to you. 
      • Hopefully these terms will gradually be associated with open standards and formats, when feasible. Data Rights aims to help. 


3 ) Anti lock-in art. 5(3), 5(4), 5(5), 5(7), 5(8), 6(4), 6(6), 6(7)

  • The DMA ensures that developers can no longer be forced to only use the Gatekeeper's payment system, identity management ecosystem & app store. You can now inform your users of marketing opportunities, and their ability to pay on your own website, even at a different price, and using your own payment system. 
  • Alternative app stores cannot be blocked
  • Catch-all prohibition to restrict the switching of users art article 6(6). This clause ensures that the DMA is future proof, able to adapt to emerging formes of abuse? 

II) Does the DMA shift power?

(This section was not presented during the panel, in the interest of time.)


1 ) Theory

In theory, yes, absolutely. Its sanctions can reach up to 10% of a Gatekeeper's global turnover, 20% in case of repeated violations. To give an idea, the GDPR was considered as a game changer and its sanctions can reach 2% of global turnover, 4% in case of repeated violations. The DMA is much more agressive as it is a competition tool, ie. it touches on behaviour that harms the economical fabric of a society. 

Besides, the strength of the GDPR is being ridiculed by Ireland's refusal to conduct strong enforcement. This failure of the GDPR does not exist with the DMA, as its enforcement is in the hands of the European Commission as well as competitors (for and non-profit) suing before their national competition authority.

That said, the GDPR has started to bring on systemic change. For instance, it has led to Meta being prevented from connecting the personal data of its users between its different platforms, Whatsapp, Facebook and Instagram. This prohibition was generalised in the DMA, to apply to all Gatekeepers. And remember, the DMA applies to Gatekeepers, and who are the "gatekeepers" will evolve. The may be many more companies treated as Gatekeepers in a year, compared to today. Moreover, the numbers of services of Gatekeepers that are covered by the DMA is also a notion that can evolve. For instance, originally Apple's iOS was the only operating system covered. Now iPadOS is also covered. This is why we do not list the companies and services covered by the DMA - that list is in constant evolution.

Here is the list!


2 ) Practice

Just like the GDPR, the DMA's impacts cannot be felt overnight. It creates frustration. Yet it is important to take a step back - the Internet represents a revolution similar to the industrial revolution. Our societies have not adapted to the industrial revolution in 5 or even 10 years. Change can be brutal as much as it can also be slow and incremental.

What is more, the enforcement of the DMA is a challenge unprecedented for institutions and civil society: shifting power requires expert understanding of technical tools that keep on being updated, usually not publicly. Plus, it is no longer just about competition law and technical expertise, but also about how data should be protected and used, bringing in the huge tensions around data extraction feeding surveillance capitalism and real user empowerment rather than pathetically unclear consent forms. The reality is that many of the gatekeepers targeted by the DMA are so powerful today because they have built their empires on violating data protection rules for decades, which makes them hugely hard to tackle today because they developed an edge nobody could legally develop today. This is very much the challenge with AI, as the market is new but those that have a data edge are those that are advantaged to win the race.

 That said, being a competition tool is the DMA's strength (e.g. fines), but also it’s core weakness. It exists to lower the power of monopolistic players. It does not ensure we have healthy markets where we have at least 4 players always competing to offer us the best service at the best value, through business models that don’t expose us to constant data breaches, surveillance and insurers buying data from brokers to make sure they don’t offer cheap insurance to the most vulnerable.


3 ) Private enforcement has a role to play!

As mentioned above, the DMA is enforced by the European Commission, referred to as public enforcement, and competitors, referred to as private enforcement.  

The DMA is a competition law tool. Key players are the market players with most power (Gatekeepers), and projects that compete with them. It is important to note that such market players can be non-profits. In many cases projects that build an alternative tool are protected by the law. Meaning they can look to force the big players to respect the law in court. This is particularly true in the context of the DMA, as it has been written to ease contestability, that is to say, to make it easier to show abuse. In turn, this makes court cases cheaper. For individual developers, going to court is not an option, but for bigger projects or unions, it may be worth drawing projections. 

The control shift is also done through alternative players’ careful documentation of how they are treated, how their rights are not respected. They can then go to court or to the European Commission and the evidence brought can enable judges or the Commission to sanction Gatekeepers. 

Of course, a difficulty is that in the case of iOS and Android app developers, alternative competitors might not be able to speak freely due to the power of Apple and Google on their work, e.g. via not reiterating the validations of an app, or modifying the API. Which is why the European Commission's DMA enforcement team is welcoming any one reaching out to them. Data Rights is very happy to help make that connection, if helpful. 

That said, if your project would rely rather on data portability, for instance with data transfers from publicly available data, competitors may be a critical actor to consider private enforcement in court as it may be a strong way to further define what good data portability looks like from a open rights perspective.  

In any case, as the DMA is a competition tool, the diversity of competitors is uniquely positioned to participate to shifting the control from Gatekeepers.



III) Regulatory and community responses needed to preserve software freedom in the mobile ecosystem

The GDPR planted the seed of change with the creation of the right to data portability. Yet users had to fend for themselves once they would have received their data, if they even did. The DMA brings developers, non-profit projects and companies to the rescue. 

Now what is needed is enforcement & governance. 

1 ) Enforcement

European Commission

  • Investigations, sanctions, information of competitors and users about their rights

Free and Open Source & NGOs community

  • The Free and Open Source community needs to 
    • Understand its rights and inform its users. 
    • Testing and document the friction when exercising rights, or even the mere observations that something weird happens when seeking interoperability/portability. In the same way, it is important to document fails and partial fails. Indeed, this is the core of evidence, and there is no enforcement without evidence. Even if it is to alert the European Commission on a suspected issue - its enforcement team needs evidence to move efficiently.
    • Seek help of NGOs to know the landscape of competitors and unions. Importantly, many NGOs need to build stronger ties with competitors to hone their technical understanding of what good interoperability/portability looks like. If your project has resources it can afford to spare, consider making a donation to NGOs seeking to foster DMA enforcement. The ecosystem is small at the moment. 
  • NGOs need to
    • Get used to talking with DMA competitors, even if they are for-profits. Gatekeeper competitors are the key to unlocking new business models for the internet. They are the key to a digital economy that is less focussed on extractivism and, potentially, less harmful for citizens and the planet. 
    • Research what are the Gatekeeper services users wish to migrate from in priority. Data Rights is curently working on this.


2 ) Governance

European Commission

  • The Commission has started to create governance guidance due to Apple's nefarious compliance with developers' access rights. This is a step in the right direction. Guidance will need to remain as technology neutral as possible to remain future proof. Data Rights enjoins the Commission to stir recommendations towards stable open standards as much as possible, to ensure long terms freedom of users against lock-ins. 

NGOs

  • NGOs should monitor court cases across the EU to offer help in cases presenting the opportunity to obtain a ruling that interprets the DMA and/or the GDPR (in the context of its art. 20 on data portability) in a way that establishes EU-wide standardisation. For instance, standardisation in Gatekeeper processes or technical requirements, such as an obligation to release ported data in two formats, one that is generally commonly used and an open one.