Information firewall between platform and own first-party business units
information-firewall-platform-business-units
Domain: competition
Type: mixed
Description
Information firewalls between a platform's marketplace operations and its own first-party business units are what hybrid platforms build to keep merchant-side data out of the hands of the people designing the first-party products that compete with those merchants. The competition concern is concrete and easy to articulate: when a platform has access to seller-by-seller pricing, conversion-rate, return-rate, customer-demographic, and demand-curve data across its marketplace, it has a structural information advantage in deciding which categories to enter itself, where to price the first-party entries, and which features to ship. Whether that information advantage is unlawful depends on the jurisdiction and the conduct theory, but the question now sits squarely in the path of the EU Digital Markets Act's data-use prohibition for gatekeepers, the FTC's monopolization theory in its Amazon case, and the European Commission's Amazon Buy Box settlement that produced the operational template most enforcement bodies are now working from.

The regulatory anchors decompose into four parts. DMA Article 6(2) imposes an ex-ante prohibition on designated gatekeepers using non-public business-user data (or data from those business users' customers) generated in the context of the core platform service to compete with those business users; the Commission has been explicit that this is not a balancing test but a structural prohibition. TFEU Article 102 sits underneath as the older dominance-theory anchor, with the Amazon Buy Box Article 9 commitment decision (Case AT.40703, December 2022) functioning as the practical playbook every EU platform with both marketplace and first-party offerings now studies. In the US, the FTC's Amazon complaint advances the cross-business-unit-data-use theory under Sherman Act Section 2 and FTC Act Section 5, with the DOJ's parallel Google ad-tech case pursuing structurally similar arguments in a different sector. In the UK, the Competition Act 1998 Chapter II analysis runs alongside the DMCC Act 2024 strategic-market-status regime, which will produce conduct requirements that operationalize the data-use prohibition on a per-designated-firm basis.

The operational system covers six pieces.
- Access controls on merchant data, enforced at the warehouse-table level rather than at the application-API level, because the application-API level can usually be circumvented by a sufficiently determined analyst.
- Role separation between marketplace and first-party teams, with the separation captured in HR records, IAM groups, and access-decision logs.
- Audit logs of cross-team data access, retained long enough to support any plausible regulatory investigation.
- A written data-handling policy that names the prohibited uses in specific terms rather than gesturing at them abstractly.
- An annual attestation from first-party product leads that lets the company show the first-party roadmap was not informed by the prohibited data.
- Periodic third-party review of the controls, which several large platforms have adopted prophylactically because the alternative is having the controls reviewed by a regulator instead.

The piece operators find hardest is that the architecture frequently pre-dates the policy. The analytics warehouse was built once, for everyone, and now access boundaries have to be retrofitted that the original design did not contemplate. The retrofit cost is usually larger than first-pass estimates suggest, because the access boundaries need to hold under both deliberate circumvention attempts and the more common pattern of inadvertent access through tables that have been joined together so many times that the merchant-identifying columns have been forgotten. Planning for the warehouse re-architecture in advance of any imminent regulatory deadline is materially cheaper than doing it under a Commission Article 18 information request.
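The inadvertent-access pattern described above, where merchant data survives in tables that have been joined many times over, can be checked mechanically by walking table lineage back to the merchant sources and comparing the result with first-party grants and the access log. The following is an added example, not part of the original page; every table name, IAM group and log row is constructed, and it assumes the warehouse exposes lineage, grants and access logs in this simplified form.

```python
from collections import deque
# Constructed sample data: table names, groups and log rows are illustrative only.
MERCHANT_SOURCES = {"mkt.seller_orders", "mkt.seller_pricing"}
LINEAGE = {  # derived table -> tables it was built from
    "analytics.category_daily": ["mkt.seller_orders", "ref.calendar"],
    "analytics.demand_curves": ["analytics.category_daily", "mkt.seller_pricing"],
    "fp.roadmap_inputs": ["analytics.demand_curves", "fp.own_sku_sales"],
    "fp.own_sku_summary": ["fp.own_sku_sales", "ref.calendar"],
}
GRANTS = {  # IAM group -> tables it may SELECT from
    "marketplace_ops": {"mkt.seller_orders", "analytics.category_daily"},
    "first_party_product": {"fp.own_sku_summary", "fp.roadmap_inputs"},
}
FIRST_PARTY_GROUPS = {"first_party_product"}
ACCESS_LOG = [  # (timestamp, user, group, table)
    ("2024-03-01T09:12:00Z", "analyst_a", "marketplace_ops", "mkt.seller_orders"),
    ("2024-03-01T10:40:00Z", "pm_b", "first_party_product", "fp.roadmap_inputs"),
    ("2024-03-01T11:05:00Z", "pm_b", "first_party_product", "fp.own_sku_summary"),
]

def trace_to_merchant_source(table, lineage, sources):
    """Return the shortest lineage path from `table` to a merchant source, or None."""
    queue, seen = deque([[table]]), {table}
    while queue:
        path = queue.popleft()
        if path[-1] in sources:
            return path
        for parent in lineage.get(path[-1], []):
            if parent not in seen:  # guards against cyclic lineage metadata
                seen.add(parent)
                queue.append(path + [parent])
    return None

def grant_violations(grants, first_party, lineage, sources):
    """First-party grants on tables that derive from merchant data, with the path."""
    out = []
    for group in sorted(first_party):
        for table in sorted(grants.get(group, ())):
            path = trace_to_merchant_source(table, lineage, sources)
            if path:
                out.append((group, table, path))
    return out

def flagged_reads(log, first_party, lineage, sources):
    """Audit-log rows where a first-party group read merchant-derived data."""
    return [row for row in log if row[2] in first_party
            and trace_to_merchant_source(row[3], lineage, sources)]

if __name__ == "__main__":
    print(grant_violations(GRANTS, FIRST_PARTY_GROUPS, LINEAGE, MERCHANT_SOURCES))
```

The returned path is the evidence a reviewer needs: it shows which intermediate tables carried the merchant data across the boundary, so the grant can be revoked or the derived table rebuilt without the merchant-sourced inputs.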
Required by (4 regulations)
- US Antitrust (Platforms)
US framework: information-firewall arguments arise in monopolization-theory cases under Sherman Act §2 and in FTC Act §5 unfair-methods cases. The FTC's Amazon complaint (2023) and the DOJ's Google ad-tech case have both raised cross-business-unit data-use concerns.
Sherman Act, 15 U.S.C. §2; FTC Act, 15 U.S.C. §45
- UK Competition (Platforms)
UK framework: cross-business-unit data use is analyzed under Competition Act Chapter II and increasingly under SMS conduct requirements. The CMA's mobile-ecosystems work and the foreseeable application of conduct requirements to designated firms make this a near-certain area of attention for any UK platform with both marketplace and first-party offerings.
Competition Act 1998 c.41 Chapter II; DMCC Act 2024 c.13
- EU Competition (Platforms)
EU framework: cross-business-unit data use analyzed under TFEU Article 102 dominance theory; Amazon Buy Box (Case AT.40703) Article 9 commitments (December 2022) provide the operational template. For DMA gatekeepers, Article 6(2) DMA imposes an ex-ante prohibition on using non-public business-user data to compete with those business users.
TFEU Article 102; Commission Decision of 20 December 2022 in Case AT.40703
- EU DMA
DMA Article 6(2) — ex-ante prohibition on using non-public business-user data (or data from their customers) generated in the context of the core platform service to compete with those business users.
Regulation (EU) 2022/1925
Fulfilled by (2)
- outside-counsel · partial · medium effort · $$$
Antitrust counsel typically scopes the prohibited cross-team data uses and the attestation language. The access-control mechanics and the data-architecture work that sits underneath are in-house engineering.
- In-house build · full · high effort
The warehouse re-architecture and access boundaries are typically the largest engineering cost in the program.
Magist does not accept payment from vendors.
Evidence formats
- data-access policy naming prohibited cross-team uses
- role-based access control implementation against merchant data
- audit log of cross-team data access
- annual attestation from first-party product leads
- data-handling training records for first-party teams