The EU Digital Markets Act – The Holy Grail of Big Tech Regulation?

On July 18, 2022, the European Council formally adopted the “Regulation on contestable and fair markets in the digital sector”, also referred to as the “Digital Markets Act” or “DMA”. This marks the final step for this new legislation to come to life. The DMA comes with high hopes and aspirations. The EU Commission’s Executive Vice President Margrethe Vestager described it as a “global movement”, and she wishes that the EU’s “take on [digital markets] will inspire all over the planet”. In fact, there is already other legislation aimed specifically at Big Tech companies and their market conduct, but the DMA is the first pan-European initiative to do so. We describe its key elements and give an outlook on the further implementation.

1. Regulatory Approach

The DMA is not a piece of competition legislation, but part of the EU’s framework of regulatory laws. It follows a two-step approach. First, the DMA sets certain criteria to identify “gatekeeper” companies. Second, it sets specific rules for the “core platform services” of those gatekeepers. The DMA thereby provides for a framework of specific behavioral obligations targeted to a limited number of addressees and use cases. Those obligations are self-executing, i.e., they do not require further activation by any regulator. And, being drafted as an EU Regulation (not as a Directive), the DMA also requires no further implementation into Member State law. Subject to certain transition periods (see below), the DMA will hence take immediate effect once finally adopted.

2. Scope

The DMA applies to designated “core platform services” offered by “gatekeepers”.

Core Platform Services

The DMA includes a list of 10 “core platform services”:

• Online intermediation services (e.g., online marketplaces)
• Online search engines
• Online social networking services
• Video-sharing platform services
• Number-independent interpersonal communication services (e.g., messengers)
• Operating systems
• Web browsers
• Virtual assistants
• Cloud computing services
• Online advertising services

Services not listed as “core platform services” are out of scope of the DMA, even if they are provided by a company that meets the “gatekeeper” criteria.

Gatekeepers

The DMA only applies to “gatekeepers”.

Gatekeepers are defined as (i) having a significant impact on the EU’s internal market, (ii) providing a core platform service which is an important gateway for business users to reach end users, and (iii) enjoying an entrenched and durable position in its operations either now or in the foreseeable future.

Further to this rather general definition, the DMA provides certain presumptions for the gatekeeper definition to be satisfied. Those presumptions largely relate to the size of the relevant undertaking. An undertaking shall meet the gatekeeper criteria if it had (i) an EU-wide turnover of at least EUR 7.5 billion in each of the last three financial years, or (ii) a market capitalization of at least EUR 75 billion in the last financial year, and if it has (iii) at least 45 million monthly active end-users and at least 10,000 business users in the EU for at least one core platform service in the last financial year.

Designation Process

Once a company (or group of companies) meets the gatekeeper criteria, it must come forward and notify the Commission accordingly. The notice must be given no later than two months after the relevant thresholds are met. The Commission will then review the facts presented and issue a decision to formally designate the gatekeeper status. This shall happen without undue delay and at the latest 45 working days after receiving the complete submission from the gatekeeper company. In this designation decision, the Commission will also specify which core platform services (one or more) of the relevant gatekeeper shall actually be subject to the DMA’s obligations.

3. Key Obligations

Following certain transition periods (see #9 below), 13 positive obligations and nine prohibitions will apply to gatekeeper companies and their respective core platform services.

While some obligations apply to all types of core platform services, others affect only a specific kind of services (e.g., only search engines). All obligations are self-enforcing, but they are split between a “black list” (Article 5) and a “grey list” (Article 6). While the “black list” obligations take immediate effect, the ones on the “grey list” first allow for a regulatory dialogue. Here the Commission can open a proceeding to determine whether the gatekeeper complies with the relevant obligations, and within six months specify the measures needed to comply with these obligations. The gatekeeper can request such a procedure to verify that its measures comply. This specification mechanism does not exist for obligations on the “black list”.

The key obligations include:

• Data access and data use: The DMA recognizes data as a key resource to compete in digital markets, and a source of market power for gatekeepers. In particular,
  • gatekeepers must not combine or cross-use personal data from their core platform service with other services, or process end-user personal data from third-party services that use a core platform service of the gatekeeper for advertising purposes (Art. 5(2));
  • gatekeepers must grant business users access to data of end-users that was generated or provided for when the business users engage with end-users via the gatekeeper’s core platform service (Art. 6(10));
  • gatekeepers must grant third-party search engines access to search data, such as ranking, query, click, and view data (Art. 6(11));
  • gatekeepers must not use any proprietary data that is generated or provided by their business users to compete with these business users (Art. 6(2));
  • upon request, gatekeepers must provide end-users with effective portability of their data, including real-time access (Art. 6(9)); and
  • gatekeepers must supply advertisers and publishers with daily information about the pricing and the underlying metrics of their advertising services (Art. 5(9) and Art. 5(10)), and grant them access to related performance measuring tools and data to allow for verification of their metrics (Art. 6(8)).
• Self-preferencing and bundling: The DMA wants to mitigate the risk that gatekeepers use the strong market position of their core platform services to favor their other services, or to place competing services and end-users at a disadvantage. In particular,
  • search engine providers with gatekeeper status must not rank their own services higher than competing services when displaying search results (Art. 6(5));
  • gatekeepers must not require users to use, offer, or subscribe to a gatekeeper’s identification, web browser, payment, or other technical service in the context of services that business users provide via the gatekeeper’s core platform service (Art. 5(7));
  • gatekeepers must not make the use of their core platform services conditional to subscribing to, or registering with, other core platform services that the gatekeeper offers (Art. 5(8));
  • gatekeepers must not make it unnecessarily difficult for users to terminate or unsubscribe from the gatekeepers’ core platform service (Art. 6(13)), or to raise non-compliance issues with the relevant authorities (Art. 5(6));
  • gatekeepers must not prevent business users from offering their products or services through other channels at different or similar conditions (Art. 5(3)), and from communicating these offers to end-users through a gatekeeper’s core platform service (Art. 5(4)); and
  • gatekeepers must offer fair, reasonable, and non-discriminatory (FRAND) access for business users to their search engine, social networking, and app store services (Art. 6(12)).
• Interoperability: The DMA requires gatekeepers to allow for certain interaction between core platform services and the services of competing providers. In particular,
  • gatekeeper providers of number-independent interpersonal communications services (e.g., messaging or video calling applications) must ensure that the basic features of their services are interoperable with similar services of third-party providers, following a staggered timetable from text messaging and content-sharing up to group video calls four years after the gatekeeper designation (Art. 7);
  • gatekeepers must not prevent users from using content or other items on the gatekeeper’s core platform service that the user obtained outside of that service (Art. 5(5)), which also applies to users switching software applications and other services, including internet access services (Art. 6(6));
  • gatekeepers who control an operating system or a virtual assistant as a core platform service must grant to third-party services the same access to hardware and software features as to their own services (Art. 6(7)); and
  • gatekeepers must allow end-users to easily change the default settings on, and uninstall software from, the gatekeeper’s operating system, and allow the installation of third-party software and software stores (Art. 6(3) and Art. 6(4)).

4. Enforcement

Prima facie, the DMA’s substantive obligations are self-executing. Gatekeeper companies must comply with the relevant provisions that govern their relevant core platform services without any further involvement from a regulator. However, regulatory enforcement will become an issue where a gatekeeper is found not to comply with any of the DMA’s obligations, either in full or in part.

After quite a political struggle, the Commission evolved from the trilogue discussions as the “sole enforcer” of the DMA. Member State authorities, not much to their liking (and the German Bundeskartellamt had been particularly vocal in that regard), will not play an active role in enforcing the DMA. Their part is limited to supporting the Commission’s investigations, in particular during the information-gathering phase.

Non-compliance with the DMA’s obligations can be sanctioned with regulatory decisions, depending on the nature of the violation at hand:

• Where it finds a gatekeeper to have violated its core platform service obligations, the Commission shall adopt a non-compliance decision within 12 months from the opening of its investigation. With the decision, the Commission shall order the gatekeeper to cease and desist with the non-compliance, i.e., to change its relevant business practices within an appropriate deadline.
• The Commission may also investigate whether a gatekeeper has engaged in systematic non-compliance of its DMA obligations. Systematic non-compliance will require that the gatekeeper has been subject to at least three “regular” non-compliance decisions (see above) in the preceding eight years. The Commission may then impose behavioral or structural remedies to ensure an effective DMA compliance going forward.

The Commission may also impose fines for non-compliance with the DMA’s substantive obligations or with behavioral remedies or commitments made by the gatekeeper. The fine can amount to up to 10% of the gatekeeper’s worldwide annual group turnover. It can be even up to 20% in case of repeat offenders, i.e., where, within a period of eight years, the Commission finds that the gatekeeper violated the same or similar obligations relating to the same core platform service for the second time. Furthermore, if a gatekeeper fails to comply with certain reporting and transparency obligations, such as notifying its gatekeeper status to the Commission, this can result in fines of up to 1% of its total worldwide annual turnover.

In addition, the DMA is subject to private enforcement. Competitors, suppliers, or customers of a gatekeeper company can bring action in Member States’ civil courts seeking injunctive relief and potentially also damages. For example, this could result in anti-discrimination claims where a third party accuses a gatekeeper of preferencing its own offerings. To the extent allowed by Member State civil procedural laws, this may also include class-action-type proceedings, brought, for example, by consumer rights organizations.

5. Impact on M&A Activity

Despite the urging of some political stakeholders, including some Member State competition authorities, the DMA does not provide for any limitations on “killer acquisitions” by gatekeeper companies. Nevertheless, there are still some ramifications on gatekeeper M&A activity:

• A gatekeeper must inform the Commission of any intended acquisition of a target company that provides core platform services or any other services in the digital sector, irrespective of whether the transaction triggers a merger filing requirement at the EU or Member State level. The Commission may then still initiate merger control proceedings under the EU Merger Regulation even if the relevant filing thresholds are not met.
• Where it finds a gatekeeper to have engaged in systematic non-compliance with its core platform service obligations, the Commission may prohibit the gatekeeper to acquire any other companies that provide such core platform services or any other services in the digital sector. Such prohibition must be limited in time and meet a specific proportionality test.

6. Interplay with EU Antitrust Law

The DMA is without prejudice to the application of EU competition law, i.e., Articles 101 and 102 TFEU. Also, in relation to gatekeeper companies, the DMA will not replace legacy competition law, but rather supplement it. Or, as EU Commissioner Margrethe Vestager put it when presenting the DMA: “The two approaches are complementary—both will remain necessary. […] No one should expect the new regulatory instrument to replace Article 101 and 102 enforcement actions.” In fact, many DMA obligations are modelled after cases where the Commission thus far has applied legacy competition law.

7. Interplay with Member State Laws

Discussions about regulating Big Tech do not only take place at the pan-European level. Several EU Member States have already taken their own steps in that respect. In January 2021, for example, Germany enacted an amendment to its national competition act. It addresses “undertakings with paramount significance for competition across markets” with obligations that largely resemble those under the DMA.

The DMA now governs its own interplay with such Member State laws:

• Where national law, like the DMA itself, qualifies as regulatory law to ensure contestable and fair markets, Member States shall not impose any further obligations on gatekeepers, in order to avoid the fragmentation of the internal market, as the DMA explicitly states. Member State regulatory law that targets Big Tech will hence be superseded by the DMA.
• On the other hand, the DMA does generally not affect national competition law. However, Member States may only apply their national competition law to non-gatekeeper companies, or to impose on gatekeepers additional obligations that do not yet result from the DMA.

Depending on the qualification of relevant Member State laws as regulatory or competition law, this leaves either no room at all for such laws to co-exist with the DMA, or only limited room around the edges of the DMA’s scope.

8. Interplay with Member State Enforcement

To the extent the DMA does leave any room at all for Member State laws to apply to gatekeepers (see before), some limitations still apply:

• Member State competition authorities must closely cooperate with the Commission during their own proceedings against gatekeeper companies. They must inform the Commission when launching an investigation, and before imposing any obligations on a gatekeeper under national competition law. Contrary to the suggestion of some stakeholders during the trilogue negotiations, however, the Commission does not have the right to veto any measures taken by Member State authorities against gatekeepers.
• Member State courts, when dealing with private enforcement cases on the basis of the DMA, shall not give a decision that runs counter to a Commission decision adopted under the DMA. Even more so, they must also “avoid” (if necessary, by staying their own proceedings) giving decisions that would conflict with future Commission decisions in pending investigations. The DMA acknowledges that Member State courts can seek preliminary rulings from the Court of Justice for the EU, but this is still a significant interference with the autonomy of Member State courts.

9. Entry into Force

Following its formal adoption by the EU institutions, the DMA will now be published in the EU’s Official Journal and enter into force 20 days thereafter. However, it will likely not take full effect before mid-2024. First, there is a six-month transition period before most of the DMA’s provisions will actually apply. If a company meets the gatekeeper thresholds, it will then have another two months to notify the Commission accordingly. Following such notification, the Commission has 45 working days to decide on the company’s gatekeeper designation. And, once the designation decision is in place, the affected gatekeeper will have another six months for its designated core platform services to comply with the DMA’s substantive provisions.

10. Conclusion

The DMA sets the scene for a new era of European tech regulation. It will have an immediate impact on any company that offers at least one core platform service in the EU and meets the gatekeeper criteria. Those companies are facing substantial organizational and operational challenges to ensure compliance with the new rules. But the DMA’s impact goes beyond its immediate addressees. Customers, suppliers, and competitors of the relevant gatekeeper companies may want to use the DMA’s provisions to their own advantage, for example by raising data access or anti-discrimination claims. Nevertheless, considering the different grace periods until the DMA takes full effect, but also its broad use of unspecified legal terms, it will still take some time until many of the DMA’s substantive obligations are fully fleshed out.