Key takeaways:
- The Digital Markets Act (the “DMA”)—which designates and will regulate the largest online players as “gatekeepers”—passed the final hurdle in the EU legislative process this July.
- Companies meeting certain quantitative thresholds that enjoy an “entrenched and durable position” in a core platform service will be subject to far-reaching new obligations.
- The list of core platform services includes online intermediation services, social networks and operating systems, with gatekeepers subject to rules aimed at increasing transparency and competition in these markets.
- The DMA is set to take effect in early 2023 and will have a dedicated enforcement team at DG Connect within the European Commission.
The European Union (EU) reached a major milestone in July as part of its ongoing effort to transform the regulation of digital services in the bloc. The EU Digital Markets Act (DMA) – which designates and will regulate the big online players as “gatekeepers” – passed the final hurdle in the legislative process. It is now expected to enter into force in September and will apply six months later; i.e., from around March 2023. The DMA is just one part of a suit of reforms, including the EU Digital Services Act (DSA), covered on the Debevoise Data Blog here. We summarise some of the DMA’s key implications below.
Who Are the “Gatekeepers”? The DMA targets companies operating in the digital sector that provide a “core platform service” and enjoy (or will in the near future) an “entrenched and durable position” on the market. Core platform services are those having characteristics of “strong network effects, an ability to connect many business users with many end users […] [and] a significant degree of dependence of both business users and end users”. The European Commission (Commission) has the discretion to add to the agreed list, but the core platform services currently include:
- Online intermediation services (e.g., app stores);
- Online search engines;
- Social networks;
- Video sharing platform services;
- Interpersonal communication services (e.g., WhatsApp);
- Operating systems;
- Cloud services;
- Advertising services;
- Web browsers; and
- Virtual assistants (e.g., Siri or Alexa).
In addition, to be designated as a “gatekeeper” the following quantitative tests need to be met for each of the last three financial years: an annual turnover in the EU of at least €7.5 billion or a market valuation of at least €75 billion, as well as having on average (i) 45 million monthly active users and 10,000 business users in the EU, and (ii) providing the same “core platform service” in at least three EU Member States. (There was some advocacy during the legislative process for higher thresholds that would exclude smaller European providers, proposals described as “protectionist” by the US National Security Council, who also warned of a potential US-EU discord if they were implemented.)
The designation of gatekeeper status could well be controversial in certain cases. Although there is a presumption for companies meeting the quantitative thresholds, this can be rebutted under exceptional circumstances. Equally, even if a smaller company falls short of the numerical thresholds, it may still be designated as a gatekeeper by the Commission following a market investigation if it fulfils various qualitative criteria. ‘Emerging’ gatekeepers—those on a clear path to acquiring an entrenched and durable position—can also be designated, with the Commission given discretion on the scope of obligations to apply to this category.
What Are the New Rules Going to Be? The overarching objective of the DMA is to address structural level playing field issues the Commission considers exist in markets where “gatekeepers” are present, thereby facilitating greater competition and offering end users more choice. The intent is effectively to set the ground rules up-front instead of having to rely, as has been the case, on antitrust enforcement to correct imbalances after the event.
Some of the prohibitions and obligations will be put into effect by the businesses concerned without further debate. Those include stopping certain bundling and tying practices (e.g. requiring business users to use, offer or interoperate with gatekeeper services) and having to provide advertisers and publishers with information concerning prices and fees. The majority and the most substantive of the obligations, however, potentially apply in different ways to different companies. The DMA therefore provides a mechanism allowing businesses to request the Commission to engage in that determination and to agree the necessary measures. That process includes consulting with interested third parties.
As an example, one of the requirements is to ensure that the basic functionalities of instant messaging services are interoperable (i.e., enabling users to exchange messages, send voice messages or files across messaging apps). That will obligate companies such as Apple to make their messaging systems cross-compatible. Owing to the technical complications this would create with respect to end-to-end encryption, there will likely be a lengthy grace period to allow providers to make relevant adjustments. Though Apple has made iMessage work between devices, achieving this between providers brings with it an added degree of complexity. The DMA does not outline the level of cooperation it expects and issues between competing operating systems will need to be resolved.
Other requirements that may need dialogue between gatekeepers and the Commission include obligations such as not using competitors’ data to compete with them; allowing (e.g.) developers to use third-party payment platforms for app sales; and the prohibition against self-preferencing. The latter is particularly relevant given the focus of much of the Commission’s antitrust enforcement activity has been about abusive unilateral conduct, whether on search engines or retail platforms. The new rules would prevent gatekeepers to continue to engage in such leveraging techniques to the detriment of the competition.
Gatekeepers will also face a variety of restrictions on their ability to use personal data, including prohibitions on using third party service end users’ personal data for online advertising services or combining or cross-using personal data between services, without informed and freely given consent. Gatekeepers are also going to be forced to allow ‘side-loading’ on their platforms (i.e., a mobile operating system provider would have to allow users to install apps from sources other than its first party webstore, and allow developers use of third-party payment options).
Finally, a number of more consumer-focused measures around device neutrality are designed to allow end users to easily uninstall any pre-installed software applications and end any technical restrictions they may face when switching between apps and services accessed with the gatekeeper's operating system.
The Commission has also provided a notice requirement that it be told about M&A activity, irrespective of whether a transaction would be notifiable under the EU Merger Regulation or the equivalent national merger control rules. Again, it remains to be seen how this works in practice, but it at least opens the door to those same national competition authorities asking the Commission to review deals it might not otherwise have been able to investigate.
Who Enforces the Rules? The Commission will be the sole enforcer of the DMA and is anticipating dedicating a team of 150 individuals for that purpose. The Commission will get new powers of enforcement in this space, which are essentially modelled on its existing competition law powers. Those include the power to impose and accept binding commitments and levy fines of up to 10% of annual global turnover, or up to 20% in cases of repeat violations. If a gatekeeper systematically fails to comply with the DMA, the Commission can open a market investigation and, if necessary, impose more stringent behavioural or structural remedies such as divestments and bans on certain types of acquisitions. The Commission will also be able to impose interim measures against gatekeepers if there is a risk of serious and irreparable damage whilst an investigation is ongoing.
The more difficult question will be how the DMA will interface with other regulatory oversight, including at a national level. The individual EU Member States will not be able to impose further obligations on gatekeepers for the purpose of ensuring “contestable and fair markets” that cut across the DMA. However, conduct that infringes both the DMA and national competition law could well be subject to parallel investigations and/or private enforcement of the DMA’s obligations. The DMA therefore makes clear the expectation that the Commission and Member States shall work in close cooperation and coordinate their enforcement actions to avoid contrary decisions. A special Digital Markets Advisory Committee and a separate high-level group of interested European bodies are being created partly for that purpose. There is also the prospect of overlapping regulatory oversight between Supervisory Authorities responsible for enforcing the EU General Data Protection Regulation and the DMA’s personal data-related obligations.
The DMA will work alongside the DSA, which places additional responsibilities on online platforms and tech companies to police content, as part of a wider EU package to upgrade the current rules governing digital services.
What Comes Next? The Commission’s objective to change the competitive environment across a wide spectrum of online activity will be difficult to achieve and there may well be mixed outcomes for different platform services. One of the frequently heard criticisms of the DMA in that context is its potential (negative) impact on innovation. Moreover, the extent to which the big tech companies designated as gatekeepers choose to overhaul their strategy as regards the core platform services remains to be seen, although there is an obvious question about how effective even the DMA can be without a global consensus on the right approach to take.
The link to the resolution and final text can be found here, and the link to the Council of the EU’s press release can be found here.