Europe’s New Law Regulating Digital Gatekeepers in the Platform Economy: Digital Markets Act Now Effectively Final
The Council of the European Union recently published an updated and now effectively final draft version of Europe’s forthcoming landmark regulation for the digital economy, the Digital Markets Act (DMA). The DMA will require large digital platform companies to adhere to a long list of obligations and prohibitions, forcing many of them to significantly change the way they interact with consumers, business partners and competitors. Responding to criticism that ex post enforcement of competition law has not led to sufficiently fair and contestable digital markets, the EU is now turning to heavy-handed ex ante regulation of so-called “gatekeepers.”
The new draft consolidates all amendments to the European Commission’s (Commission) initial draft that were negotiated between the Council and the European Parliament and is therefore likely to be final, although formal votes are still to be taken later this summer. It is generally expected that the DMA will enter into force in October 2022 and start applying in April 2023. Under the timeline foreseen in the DMA, the summer of 2023 will be spent “designating” the gatekeeper companies and their covered digital services while gatekeepers will need to comply with the DMA’s substantive prohibitions and obligations as of spring 2024.
The DMA has the potential to fundamentally change the digital economy in Europe and beyond. The DMA challenges gatekeepers’ established business and monetization practices, poses significant legal compliance challenges and requires far-reaching changes to their technical infrastructure. For gatekeepers’ business partners and smaller competitors, the DMA is expected to bring new business opportunities. End customers will benefit from better control over their data and greater choice. That said, the DMA comes with high complexity, the team that will enforce the DMA at the European Commission (Commission) has not yet been set up, and more detailed guidelines remain to be published. There are still many open questions affecting the practical implementation of the DMA.
Application of the DMA to Core Platform Services of Digital Gatekeepers: The Designation Process
The DMA applies to so-called “gatekeepers” that operate at least one “core platform service” (CPS).
Core platform services. Article 2(2)1 defines 10 different types of CPS: online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communications services, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services that are linked to another CPS. Connected televisions, which the European Parliament wanted to add, are not included in the final list.
Qualitative gatekeeper criteria. A company providing a CPS (CPS provider) will be considered a gatekeeper if the Commission finds by means of a formal designation decision that it meets the DMA’s gatekeeper criteria. Article 3(1) defines a gatekeeper as a company that (i) has a significant impact on the internal market, (ii) provides a CPS which is an important gateway for business users to reach end users, and (iii) enjoys, or is expected to enjoy in the near future,2 an entrenched and durable position in its operations. Article 3(8) enables the Commission to designate a company as a gatekeeper directly on the basis of these qualitative criteria, although this would first require a lengthy market investigation that takes account of factors like barriers to entry, user lock-in and other aspects. The Commission is unlikely to designate gatekeepers on the basis of only these qualitative criteria anytime soon.
Quantitative gatekeeper presumption criteria. Instead, the first round of gatekeepers will be designated on the basis of quantitative presumption criteria that look at the size of the CPS provider and number of its active users. Under Article 3(2), a company is presumed to satisfy the qualitative gatekeeper criteria of Article 3(1) under the following circumstances: (i) the company provides the same CPS in at least three EU Member States and, at a group-wide level, achieved an annual turnover of at least €7.5 billion within the EU in each of the last three financial years, or a market valuation or equivalent fair market value of at least €75 billion in the last financial year; and (ii) the CPS in question had, in each of the company’s last three financial years, at least 45 million monthly active end users established or located in the EU, and at least 10,000 yearly active business users established in the EU.3 CPS providers have to assess if they meet these quantitative presumption criteria and, if that is the case, self-report to the Commission under Article 3(3). This notification will normally be followed by a Commission decision designating the gatekeeper and each of its relevant CPS meeting the criteria as being subject to the DMA. Article 3(5) allows CPS providers to put forward rebuttal arguments to convince the Commission that despite meeting the presumption criteria they do not meet the qualitative gatekeeper designation criteria for an individual CPS. However, the hurdles for a successful rebuttal are high and the Commission only needs to consider such arguments in more detail if they “manifestly put into question” the presumption. Several procedural rules of the DMA and a threat of significant fines seek to encourage the CPS provider’s transparency and good faith cooperation with the Commission in the designation process.
Likely outcome of designation process. It is expected that Alphabet, Amazon, Apple, Meta, and Microsoft meet the quantitative presumption criteria with regard to several of their services. It remains to be seen which other companies will be designated as gatekeepers. An estimate of 15-20 companies has been suggested in the press, but this count may change and is in any event likely to increase over the years as more and more companies meet the quantitative presumption criteria. Gatekeeper designations will be made public and are specific to individual CPS so that a company may fall under the DMA for some of its CPS but not for others.
Key Obligations and Prohibitions of Designated Gatekeepers: Articles 5-7
Six months following its designation, a gatekeeper will have to comply with the far-reaching prohibitions and obligations set out in Articles 5 and 6 in respect of each of its CPS listed in the designation decision. The DMA’s prohibitions and obligations are largely inspired by behaviour of digital platform companies that the Commission and Member State competition authorities have investigated under competition law in the last several years, albeit with mixed real-life impact and under timelines considered inadequate for the fast-moving digital world. Under the DMA, these prohibitions and obligations apply to all gatekeepers and all types of CPS following the designation.
Article 5. Article 5 includes the following prohibitions and obligations:4
- Prohibition of data-mixing without consent (Article 5(2)): the gatekeeper shall not combine or cross-use personal data from a CPS with personal data from its other services, and shall not process for the purpose of providing online advertising services personal data of end users collected from third party business users of the CPS, in each case unless the user grants valid consent, which the gatekeeper can ask for only once per year;
- Prohibition of wide and narrow most-favoured nation clauses (Article 5(3)): the gatekeeper shall not prevent business users from offering, outside of its online intermediation service, the same products or services to end users at different prices or conditions than on its platform;
- Obligation to allow off-platform dealings—no anti-steering (Article 5(4)): the gatekeeper shall allow business users to promote their offers, receive payments and conclude contracts with end users outside the gatekeeper’s CPS;
- Obligation to allow on-platform use (Article 5(5)): the gatekeeper shall allow end users to access and use, through its CPS, content, subscriptions, features or other items by using the software application of a business user, including where these items have been acquired by the end users from the business user without using the gatekeeper’s CPS;
- Prohibition of hindering legal challenges to gatekeepers’ practices (Article 5(6)): the gatekeeper shall not prevent or restrict business users or end users from raising any issue of non-compliance with relevant EU or national law by the gatekeeper with relevant public authorities, including national courts;
- Prohibition of tying a CPS with ancillary services (Article 5(7)): the gatekeeper shall not require business users or end users of a CPS to use, offer, or interoperate with a gatekeeper’s identification service, web browser engine or payment service in the context of services offered by a gatekeeper’s business user through the gatekeeper’s CPS;
- Prohibition of tying different types of CPS (Article 5(8)): the gatekeeper shall not require business users or end users of a CPS to also use another CPS that has been listed in the designation decision or that meets the user number thresholds of the quantitative presumption expressed in Article 3(2)(b);
- Obligation of transparency towards advertisers (Article 5(9)): the gatekeeper shall provide, free of charge and on a daily basis, advertisers (or their authorized third parties) who are customers of its online advertising services with a range of detailed information on, broadly speaking, the use of its advertising services and payments from publishers and advertisers; and
- Obligation of transparency towards publishers (Article 5(10)): the gatekeeper shall provide, free of charge and on a daily basis, publishers (or their authorized third parties) who are customers of its online advertising services with a range of detailed information on, broadly speaking, the use of its advertising services and payments from publishers and advertisers.
Article 6. Article 6 includes the following prohibitions and obligations:5
- Prohibition of using business user data to compete with business users (Article 6(2)): the gatekeeper shall not use in competition with business users any data not publicly available which is generated or provided by those business users in the context of their use of the relevant CPS, including data generated or provided by the business users’ end customers;
- Obligation to offer configuration choices (Article 6(3)): the gatekeeper shall allow and technically enable end users to (i) easily un-install software applications on its operating system, (ii) change default settings on its operating system, virtual assistant and web browser that direct or steer end users to products or services provided by the gatekeeper, and (iii) provide end users choice screens, upon the first use, regarding the online search engine, virtual assistant or web browser that will be used by default;
- Obligation to open operating systems to third–party apps and app stores (Article 6(4)): the gatekeeper shall allow and technically enable the installation and use and access to competing third-party software applications or software application stores on its operating system;
- Prohibition of self-preferencing in rankings (Article 6(5)): the gatekeeper shall not treat more favourably in ranking and related indexing and crawling, its own services and products compared to similar services or products offered by third parties on its platform, and shall apply transparent, fair and non-discriminatory conditions to rankings and related indexing and crawling;
- Prohibition of blocking access from a platform to third-party apps and services (Article 6(6)): the gatekeeper shall not restrict the ability of end users to switch between, or subscribe to, different software applications and services to be accessed using the gatekeeper’s CPS;
- Obligation to offer interoperability with operating systems and virtual assistants (Article 6(7)): the gatekeeper shall allow providers of services and hardware far-reaching interoperability with, and related access to hardware and software features accessed or controlled via its operating system or virtual assistant;
- Obligation to offer advertising performance measuring tools and data (Article 6(8)): the gatekeeper shall provide advertisers and publishers, and third parties authorized by them, upon their request with access to performance measuring tools and sufficient data for advertisers and publishers to carry out their own verification of the ad inventory;
- Obligation to enable end user data portability (Article 6(9)): the gatekeeper shall provide end users and third parties authorized by them, upon their request and free of charge, with effective portability of data provided by the end user or generated through the end user’s activity on the CPS, including by the provision of continuous and real-time access to such data;
- Obligation to grant business users access to data resulting from their activity on the platform (Article 6(10)): the gatekeeper shall provide business users and third parties authorized by them, upon their request, free of charge with effective, high-quality, continuous and real-time access and use of data that is provided for or generated in the context of the use of the relevant CPS (or related services) by those business users and their end users;
- Obligation to grant competitors FRAND access to online search data (Article 6(11)): the gatekeeper shall provide, on fair, reasonable and non-discriminatory (FRAND) terms, competing online search engines with access to ranking, query, click and view data in relation to searches generated by end users on its online search engine;
- Obligation for app stores, search engines and social networks to deal with business users on FRAND general conditions of access (Article 6(12)): the gatekeeper shall apply and publish FRAND general conditions for business users’ access to software application stores, online search engines and online social networking services listed in the designation decision; and
- Prohibition of frustrating the termination of services (Article 6(13)): the gatekeeper shall not use disproportionate general conditions for terminating a CPS and not to make their exercise unduly difficult.
Article 7. Article 7 includes detailed rules requiring a designated gatekeeper providing number-independent interpersonal communication services to provide interoperability for the benefit of other providers of such services. Different types of sub-services will progressively fall under the interoperability obligation at different points in time.
Direct applicability with possibility of Commission guidance. Gatekeepers must ensure compliance with Articles 5, 6 and 7 without there being a need for any prior implementation act from the Commission. They can be fined or face other consequences if they fail to do so. Article 8 empowers the Commission either on its own initiative or upon request of the gatekeeper to specify by means of a decision and following an investigation involving also market testing the measures that a gatekeeper must implement to effectively comply with Article 6. To avoid the use of Article 8 for delaying tactics, Article 8(3) grants the Commission discretion in deciding whether to engage in such a process upon the gatekeeper’s request.6 However, separately from this formal guidance process under Article 8, the Commission is expected to be open to engaging in an informal dialogue with potential gatekeepers about how to achieve compliance with Articles 5, 6 and 7. It will generally be in a gatekeeper’s interest to make extensive use of this dialogue.
Annual compliance reports. On an annual basis, gatekeepers must provide the Commission with a detailed report that describes the measures taken by the gatekeeper to comply with Article 5, 6 and 7. Non-confidential summaries of these reports will be made public.
Additional Obligations of Gatekeepers
The DMA also imposes other obligations on designated gatekeepers. The most important ones are the following.
Information about planned transactions. Article 14 obliges gatekeepers to inform the Commission in advance of any intended transaction where the merging entities or the target of the transaction “provide core platform services or any other services in the digital sector or enable the collection of data.” This broad wording suggests that a gatekeeper will have to inform the Commission ex ante of almost any merger or acquisition transaction it engages in. While the DMA does not create merger control review powers, the Commission can use the information obtained under Article 14 to activate its review powers under the EU Merger Regulation (EUMR), notably in the context of the referral mechanism of Article 22 EUMR. Moreover, the Commission will share the information obtained under Article 14 with the Member States so they can assess whether national merger control review powers should be exercised for a given transaction. While the reporting obligation for transactions imposes a significant compliance burden on gatekeepers, several observers claim that a mere reporting obligation lacks teeth and that the European merger control system should be amended to more effectively control acquisitions by gatekeepers.
Annual audit of consumer profiling techniques. Article 15 requires gatekeepers to annually submit to the Commission an independently audited description of any techniques for profiling of consumers that the gatekeeper applies to or across its core platform services listed in the designation decision. The gatekeeper has to make an overview of that description publicly available.
Mandatory company-internal compliance function. Article 28 obliges designated gatekeepers to set up a company-internal compliance function that is independent from the operational functions of the gatekeeper.
Commission powers. The Commission is the key enforcer of the DMA. The DMA grants the Commission extensive investigative powers that are similar to the Commission’s enforcement powers under EU competition law, such as the possibility to conduct dawn raids. Member State competition authorities remain free to use national powers to investigate non-compliance of a gatekeeper with the obligations of Articles 5, 6 and 7 in their territories, but the Member States are not empowered to take any substantive decisions and the Commission can take over the procedure at any time.
Commission enforcement structure. While the exact enforcement structure within the Commission still has to be decided, it has been announced that it will combine structures of the Directorate-General for Competition, or DG COMP, and the Directorate-General for Communications Networks, Content and Technology, or DG CONNECT. The personnel resources required for an effective enforcement are still being discussed. Many observers are concerned about a shortage of staff that would lead to underenforcement.
High-level coordination group. Given the DMA’s links to other areas of law, Article 40 foresees the establishment of a high-level group for the Digital Markets Act, composed of existing European enforcement bodies and networks that deal with electronic communications, data protection, competition, consumer protection and audio-visual media. The high-level group will provide advice and expertise to the Commission.
Residual Member State powers. In addition to keeping the possibility to investigate potential infringements of Article 5 - 7 (but not to take substantive decisions), Member States generally remain free to enforce competition law against gatekeepers, although Article 1(6)(b) states that national competition rules prohibiting unilateral conduct (as opposed to agreements or mergers) can only be applied to gatekeepers to impose “additional obligations” on gatekeepers. The effect of this provision remains to be seen. Of particular practical relevance is the question whether the German Federal Cartel Office will be able to continue to apply Section 19a of the German Act against Restraints of Competition against gatekeepers. This provision, introduced only in 2021, enables the German national competition authority to act against large digital platform companies such as Alphabet or Meta without having to conduct traditional abuse of dominance investigations. Article 38 requires Member State competition authorities to coordinate with the Commission when applying national competition law (other than merger control) to gatekeepers.
EU Competition law. Separately, the Commission remains free to continue to apply EU competition law with regard to gatekeepers, although a key goal of the DMA is to reduce the need for evidence-heavy and time-consuming competition investigations.
High fines. Designated gatekeepers that do not comply with the DMA could face fines of up to 10% of their total worldwide turnover in the preceding financial year, with the fine increasing to up to 20% for repeat infringers.
Other consequences of infringements. If a designated gatekeeper systematically fails to comply with the DMA (i.e., the Commission has adopted within a period of 8 years three decisions against the gatekeeper under Article 29 finding non-compliance with the prohibitions and obligations of Articles 5 - 7), the Commission can open a market investigation for systemic non-compliance under Article 18 and, if necessary and proportionate, impose any behavioural or structural remedies or ban the gatekeeper from acquiring other companies for a certain period of time. At least in theory, such remedies could also comprise company break-ups.
Private actions. Moreover, private claimants can bring actions against non-compliant gatekeepers before the courts of EU Member States. There will be some need of clarification of the precise admissibility requirements for private claims, but available remedies should include damages and injunctions. As such, private enforcement could develop into a powerful tool for gatekeepers’ business customers and competitors to ensure gatekeepers comply with the DMA. Article 39 foresees cooperation of the Commission with Member State courts with regard to the application of the DMA. Article 42 clarifies that representative consumer actions can be brought for infringements of the DMA.
Impact on Gatekeepers and Non-gatekeepers
Gatekeepers. Potential gatekeepers should swiftly finalize their internal assessment of whether they meet the gatekeeper presumption criteria for any of their CPS and, if they do, start a dialogue with the Commission in preparation of submitting the required self-reporting notification to the Commission. In parallel, it will be in their interest to review each of the DMA’s obligations and prohibitions to assess whether compliance will require a change to their current commercial practices. This process potentially requires engaging in a dialogue with the Commission about the exact way of achieving compliance with some of the requirements. The potential risk of getting it wrong is significant. There is a clear desire of the European Parliament and the Council as the key legislative institutions and from the Commission as the key enforcer to make the DMA a success and to change the way digital markets operate, thus suggesting that the Commission will not shy away from invoking its enforcement powers.
Business partners. Current or potential business partners of gatekeepers may want to consider early on what a potential change to a gatekeeper’s business practice will mean for them. Generally, the DMA aims at providing more flexibility for these business partners. Understanding these changes at an early stage may be a key to generate significant value.
Competitors. Competitors of gatekeepers that are not themselves gatekeepers may see their competitive positions improved by the fact that they do not have to respect the obligations and prohibitions imposed by the DMA. They will also benefit from an increased ability of users to switch, including through multi-homing, from a gatekeeper CPS to competing services, and may be able to obtain intelligence on a gatekeeper’s business by invoking the DMA obligations as a business user, or on behalf of end users.
Consumers. Consumers will benefit in various ways if the digital economy becomes more contestable and fair. Some of the gatekeeper obligations will also more directly lead to greater consumer choice and flexibility, for example those that will make it easier for consumers to switch to other online services or multi-home.
Outlook. Once finally adopted, the DMA will be a legislative milestone. While its real-life impact remains to be seen over the coming years, it will significantly change how digital markets operate today. This creates risks for potential gatekeepers and opportunities for non-gatekeepers. Understanding the legal framework over the coming months will be important for all market players.
* This Advisory reflects the personal views of the authors and does not necessarily represent the views of the companies that the authors are advising with regard to the DMA.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Throughout this publication, and unless otherwise noted, all references are to the 11 May 2022 draft version of the DMA. Those familiar with prior drafts will notice that the DMA’s provisions have been renumbered in the May version. Pending formal adoption of the DMA, further changes to the text or paragraph numbering cannot be excluded.
Under Article 17(4), the Commission can designate companies that do not yet enjoy an entrenched gatekeeper position but are likely to do so in the near future as emerging gatekeepers, and impose on them a sub-set of the prohibitions and obligations that apply to gatekeepers. These situations are most likely to arise on markets that are close to a tipping point.
The Commission can take decisions under Article 8 also: (i) upon the gatekeeper’s request, with regard to the obligations under Article 7, and (ii) upon its own initiative, if the Commission suspects that the gatekeeper is trying to circumvent its obligations in the sense of Article 13, with regard to the obligations and prohibitions under Article 5 and 7.