By Jasper van den Boom & Sarah Hinck
This brief summary of the Microsoft workshops sheds light on its most important changes, some of the most relevant questions and answers from the Q&A session, and shares some general observations on Microsoft’s DMA compliance. These summaries are intended to represent facts and convey information on what was discussed during the workshops. They are not intended to provide normative considerations on whether the undertaking complies.
Opening remarks
Microsoft’s representatives spent little time on a detailed explanation of their overall compliance strategy. They opened the session by explaining that they operate – and have always operated – an open ecosystem with very few controls in place. They have explained that as a result, they do not have to make changes related to a number of provisions as their requirements are already features of their business model: Windows has always been interoperable, free to use and open; users can install any application or app store at any time from the internet, the Microsoft app-store or other third-party stores; users can open and close those apps and switch between them as they like; developers can promote discounts or offers through their apps, by linking to websites or however they please free of charge; users are free to access content, features and any type of information without restraints by Windows or Microsoft; and app developers can use any identification, web browser engine, or payment system of their choice for these apps.
This open approach has also been a part of their process in introducing compliance mechanisms. Microsoft explained that it has collected data and experiences through its Windows Insiders program, which can freely be joined by users worldwide. Here, users can use and test versions of Windows before they are officially rolled out, in this case the DMA compliant version of Windows 11. Microsoft has collected feedback from these Beta testers as to adapt their compliance strategy.
As a result of its open ecosystem, Microsoft argued, changes were limited. However, some changes were made to its Windows Operating System and LinkedIn Social Media, which were set out throughout the session.
Windows PC OS – Articles 5(2), 6(2), 6(3), 6(4), 6(7), 6(9) and 6(10)
The first session was divided into changes regarding Windows features and changes related to the use of data generated in using Windows. Here, the same structure is followed, starting with the discussion on features.
To comply with Art. 6(3) DMA, users are now allowed to uninstall the Cortana app, camera app, photos app, and Microsoft Edge. Microsoft noted that allowing for the uninstallation of Microsoft Edge required a significant technical effort and investment, as it was deeply integrated into Windows. As a result of their efforts, the Bing search app and Microsoft Edge can now be uninstalled.
Second, on configuring defaults as required by Art. 6(3) and 6(4) DMA, Microsoft has made changes mostly to browser defaults. Microsoft explained that in terms of setting defaults for applications or opening file types, users already have many options: users can select whether they want to open a new type of file one time with a certain app or set it as a default; users that install a new app will be prompted with the opportunity to set that app as a default when first opening a link; apps may introduce prompts in-app to link users to the Windows settings to set it as their default; and users can navigate to settings themselves to select defaults. In terms of web browser defaults, Microsoft was notified by its users that they required more granularity in selecting which types of defaults they set for different browsers. Microsoft therefore allows users to set different default browsers for opening http; https; .htm; and .html files. Microsoft did not introduce a browser choice screen, as the Edge web browser is not designated under the DMA.
Third, on Art. 6(7) DMA, Microsoft will open up Windows Search Box and Widget Board for third party participation. When users type something into the Search Box at the bottom of their screen, they can search for files locally or on the web. This web access point was reserved for Microsoft’s Bing prior to the DMA but will now be open for third-party search providers. Now, users can search the web through their search bar using a third-party search engine, irrespective of the web browser engine they decide to use.
The Widget Box has also been opened up for third-party participation, specifically the ‘online feed’ element of the Widget Box. This online feed shows apps or items that may interest users. Now, users are allowed to install third-party software to curate these suggestions. If users install third-party software, they can toggle between the Bing-based feed or the third-party feed. Whenever the feed is opened, the last-used feed will appear first, operating similarly as a default.
After discussing these features, Microsoft moved on to discussing the use of data. First, it explained its compliance changes regarding Art. 5(2). They emphasize that Diagnostics data is maintenance data, to detect bugs and other problems in Windows. They will now obtain consent for the cross-use of this data, which they deem essential for the functioning of this service.
Subsequently, they explained that with respect to Art. 6(2) DMA, they do not use diagnostics data in competition with users. This includes data on how applications are installed and used, but this data is isolated and only used for permitted uses. Finally, regarding Art. 6(9) and 6(10) DMA, Microsoft explained that they have launched a new API that gives access to diagnostics data to their business users. End-users can flip a toggle in settings which then allows data to be shared through this API. As a result, any software developer would have access to real-time diagnostics data if the user consented in this way.
In the Q&A, there were a number of questions by the competitors DuckDuckGo and Mozilla about how they could provide their services in the search bar and Widget Box. Microsoft retorted that it is up to search providers to develop applications, but that they will need time as the changes have just been made available and will only enter into effect after the next update. Some questions still related to the central role of Microsoft Edge, including the lack of a choice screen on web browsers, whether the Bing Search App would still function if Edge was uninstalled, and why users were prompted to reinstall Edge with the Windows 11 update. Microsoft’s representatives answered these questions in general terms, explaining that Bing can also be accessed from a browser and that they have removed Edge’s privileged position in many instances. There were also some questions on Windows S-mode, where Microsoft Edge and Bing remain the default, this is however a special mode that is aimed at preventing users to make any autonomous changes (e.g., for parental control purposes) and can easily be de-activated. Any system administrator will be able to switch S-mode off and make changes and then switch it back on.
The second part of the questions related to the use of data. Here, a representative for BEUC asked why the choice was made to use the term diagnostics data in the consent prompt, and not personal data. To this Microsoft replied that personal data was a term of art introduced by the GDPR, while diagnostics data was more easily understandable for users. The BEUC representative also asked about some details of providing consent, as some forms of collected information or services with which the data would be shared were not mentioned. Here, the Microsoft representative discussed Microsoft’s first, second and third layer of privacy policies and consent screens in-depth. There were few other questions related to specific topics, such as the availability of API documentation and the one-time fee charged by Microsoft, which did not lead to any new remarks or insights.
LinkedIn – Articles 5(2), 6(2), 6(5), 6(9) and 6(10)
In the second session, Microsoft explained its changes to LinkedIn. According to Microsoft, the LinkedIn service is not viewed as a single service, but as three distinct services: LinkedIn Services, LinkedIn Jobs, and LinkedIn Marketing Solutions. Microsoft argues that to comply with Art. 5(2) DMA it has introduced new consent prompts that are neutral, use clear consent language, and inform the user of their choice regarding data sharing. If users withhold consent, there will be no functionalities disabled or suppressed. Instead, the services will be equivalent but less personalized. Microsoft has explained for a non-consenting user, they will not use data related to their activities (posts, likes, comments) for LinkedIn Jobs. Instead, Microsoft only uses profile data (name, occupation, geography) to make sure that the recommended jobs are somewhat relevant geographically and in terms of expertise.
For Art. 6(9) DMA, Microsoft has built upon its existing data portability tools. The data that is ported will include LinkedIn data, but not data from other Core Platform Services. The data can be shared through a new API to facilitate real time access and secure data flows. There are two versions of the APIs: one for third parties and one for members to make sure members consent to the use of data by third parties. The terms of use are limited to standard industry practices, and third party developers must complete an entity verification to ensure security. After they have been granted access by Microsoft and consent by their users, third parties can build their own integration API.
On Art. 6(10) DMA, Microsoft explains that it already provides a range of data and metrics to its business users: Jobs users have the possibility to collect job applications or receive them directly through LinkedIn; learning management systems can be integrated with LinkedIn; recruiters can access a variety of data; and sales activities data can be accessed. Advertisers are likely provided with data on their campaigns, and Microsoft has a new tool to enhance access for advertisers to relevant data. Microsoft has introduced some changes to data use for their LinkedIn Pages services to make it real-time accessible, which again happens through an API in a similar manner as previously described.
On Art. 6(5) DMA, Microsoft explains that ranking happens on the basis of relevance, and ads that are shown are based on relevance and value. There is no downrate in ads and they are presented in a neutral way, just like job posts are shown on the basis of relevance to job seekers. Here, Microsoft sees no risk of non-compliance. Finally, on Art. 6(2), Microsoft explains that it offers various tools for reaching members and business users, which may lead to generating competitively sensitive data. However, Microsoft already had protections in place to ensure there is no cross-use of competitive data across its services. This data is only available to a small number of employees that have special training and can use it for a limited number of purposes.
The Q&A part of the session mostly related to the design of the choice screens, as observers wondered why the design and wording of these choice screens differed between Windows and LinkedIn. Microsoft argued that both the nature of these services is different, and that consent requirements under the DMA and GDPR are different. This would explain this variety in the choice screens. Users also asked whether the access to relevant data will only be valid after 48 hours. Here, Microsoft responded by explaining that for some data sets it will take up to 48h in the beginning to collect the data before access can be granted. As going forward, Microsoft will pull data sets on a regular basis, these 48h gaps will be reduced. It remains unclear how continuous authorization by end users for data access exactly works, but for this there are more details in the compliance reports. Other questions related to the role of advertising in data combinations and the impact on the monetization of ads as a result of the provisions, but here Microsoft argued there is still little to be said.
Observations
In line with its extensive compliance report, Microsoft’s representatives gave detailed explanations of what they have changed in their services. For most of these changes, we will have to wait for more users to update to the DMA compliant version of Windows 11 to see the real impact. For LinkedIn, the difference between pre- and post-DMA hinges mostly on less personalization in their advertisements, as expected. Overall, Microsoft seems confident in its compliance strategy in Windows and LinkedIn, but one may have to wonder if the DMA has properly captured Microsoft’s business models and activities in its scope, as most of the implemented changes are not groundbreaking.