The EU Digital Markets Act - a focus on gatekeeper obligations and sanctions
What key obligations will the Digital Markets Act (DMA) impose on online platforms designated as gatekeepers?
The key takeaways
Under the provisions of the DMA, published in the EU's Official Journal on 12 October 2022, 'gatekeeper' platforms will be more restricted in the practices they can use in relation to their core platform services directed towards business users and customers.
The stated intention is that this will provide innovators and tech start-ups with new opportunities to compete and innovate in the online platform environment.
The DMA codifies many elements of prior competition enforcement cases taken by the Commission — whether this will support the digital technology sector in Europe or, in fast-moving and dynamic digital markets, end up adversely affecting innovation incentives remains to be seen.
The Background
To keep pace with rapid changes to digital technologies, services and systems, the European Commission presented a digital services package comprising the Digital Services Act (DSA) and the DMA in December 2020. For further discussion of the DSA see our earlier post here.
In early 2022, the Council and the European Parliament reached provisional agreement on the DMA, which was subsequently endorsed by EU Member States’ representatives. On 18 July 2022, the European Council formally adopted the DMA.
Having been published in the Official Journal of the European Union on 12 October 2022, the DMA will enter into force in the spring of 2023 and the Commission is gearing up for enforcement as soon as the first notifications come in.
The development — a summary of DMA obligations on gatekeepers
This landmark legislation brings in a new regulatory 'ex-ante' regime for digital markets (rather than relying on existing ex-post enforcement tools). It comes at a time when multiple countries are looking at how best to address the regulation of digital markets.
The DMA applies to core platform services provided or offered by 'gatekeepers' to business and end-users established or located in the EU, irrespective of their place of establishment or residence and irrespective of any national law otherwise applicable to their service. It aims to ban certain practices used by online platforms which act as digital 'gatekeepers' to the single market, by imposing various obligations on them.
The DSA concepts of 'online platforms' and 'very large online platforms' are not used. Instead, to qualify as a 'gatekeeper' under the DMA an online platform must:
a) have a significant impact on the internal market — i.e. it achieves an annual turnover in the EU of or greater than EUR 7.5 billion in each of the last three financial years, or its average market capitalisation or equivalent fair market value amounted to at least EUR 75 billion in the last financial year, and it provides the same core platform service in at least three EU Member States;
b) provide a 'core platform service' which acts an important gateway for business users to reach customers and other end users — i.e. in the last financial year has at least 45 million monthly active end users and at least 10,000 yearly active business users established or located in the EU; and
c) currently enjoy an entrenched and durable position or will do in the near future—this criterion is met if the user thresholds in b) above are met in each of the last three financial years.
Core platform services include: online platform-type services, search engines, social networking services, video-sharing platform services, number-independent interpersonal communications (NI-IC) services (instant voice, text, image and file messaging), operating systems such as MS Windows, web browsers, virtual assistants, cloud computing services like Google Cloud or Microsoft Azure and online advertising services. This list may expand or change over time.
Gatekeepers satisfying these requirements need to notify the Commission within 2 months after the above thresholds are met. The Commission will then designate them as a gatekeeper within 45 days of receiving this information.
Once designated, a gatekeeper needs to comply with certain obligations in respect of each of its core platform services. Obligations are either immediately and strictly applicable (under Article 5) or are susceptible to further specification (Article 6 and 7 obligations) by the Commission. The Commission will deal with further specification by opening proceedings and declaring measures which must be implemented within 6 months to ensure effective compliance. The gatekeeper can also request a determination of whether measures it intends to implement will ensure compliance with Articles 6 and 7.
Obligations for gatekeepers are split into activities they can and can't engage in.
They must not:
Use of data
- cross-use or combine personal data obtained from their core platform service or from third parties who advertise on their service with data obtained from another of their services, without permission
- use, in competition with business users, data provided by those users as a result of them using the core platform services
Self-preferencing
- prevent business users from offering, at the same or different prices or conditions, the same products or services to end users through direct or third party online sales channels
- make access to core platform services conditional on each other
- more favourably rank their own products and services in search results
- require end users to use the gatekeeper's operating systems such as payment systems for in-app purchases or other features, for services that business users provide using the gatekeeper’s core platform services
Switching, leaving and complaining
- restrict the ability of end users to switch between different apps and services, including Internet access services
- operate under Ts&Cs that make it difficult for users to leave their platform or service
- prevent business or end users from raising the non-compliance of the gatekeeper with the appropriate authority
They are under an obligation to:
Interoperability
- over a period of time provide the necessary technical interfaces to make their NI-IC services such as instant voice, video, text and image messaging and file sharing interoperable with third party NI-IC services, while preserving security such as end-to-end encryption where appropriate
Data access
- provide end users with real time access to and effective portability of data provided by the end user or generated through the activity of the end user
- grant business users real time access to data generated by them and by end users from their use of the core platform service, and provide third party search engines access to ranking, query, click and view data
Advertising
- be transparent with the advertisers and publishers that they supply with online advertising services about the price and fees paid by advertisers, publisher remuneration and the metrics on which prices, fees and remuneration are calculated. They must also provide them with access to the gatekeeper's performance measuring tools and data to enable them to assess and verify the gatekeeper's performance in relation to the core platform services provided
Apps and app stores
- offer business users fair access to the gatekeeper's app stores, online search engines and social networks
- allow end users to easily un-install pre-loaded software apps and change default settings that direct or steer end users to products or services provided by the gatekeeper
- enable the installation and use of third party software apps or software app stores interoperable with the gatekeeper's operating system and allow them to be set as the default
Enforcement lies with the Commission rather than national authorities. Where it meets the relevant gatekeeper thresholds, if a gatekeeper fails to notify the Commission in accordance with DMA requirements it can be fined 1% of its total (preceding year) worldwide turnover. If a gatekeeper does not comply with its key obligations or measures ordered by the Commission, the Commission can impose fines of up to 10% of its total worldwide turnover in the preceding financial year, or up to 20% in cases of repeated non-compliance. In cases of 'systematic non-compliance' with gatekeeper obligations, the Commission may impose behavioural or structural remedies on the gatekeeper to ensure compliance.
The DMA stipulates that it protects different legal interests to those protected by competition law. It is to be applied in a complementary way and without prejudice to Articles 101 and 102 TFEU, corresponding or other national competition rules. This means that national authorities are not permitted to make decisions that run counter to Commission decisions made under the DMA. When it comes to enforcement, the Commission expects close cooperation and coordination with Member States.
The right of business users and end users, including whistleblowers, to raise concerns about unfair practices by gatekeepers such as 'discriminatory access conditions, unjustified closing of business user accounts or unclear grounds for product de-listings' is provided for in the DMA. Gatekeepers may not prevent or restrict business users or end users from raising any issue of non-compliance with any relevant public authority, including national courts. Consequently, any practice that would inhibit or hinder users in raising their concerns, e.g. use of confidentiality clauses in agreements or other written terms, is prohibited.
As the DMA is an EU regulation, gatekeeper obligations can be enforced directly in national courts. This will facilitate direct actions for damages by those harmed by the conduct of non-complying gatekeepers.
Next steps
As an EU regulation, the DMA is directly applicable across the EU without the need for any further legislation. After being published in the Official Journal of the EU, the DMA will enter into force twenty days after publication; it will start to apply six months later. Gatekeepers will have a maximum of six months after they have been designated to comply with their new obligations.
Any practical tips
Preparation will be key for all affected by the DMA. Consumers, businesses and platforms looking to capitalise on the changes involving increased choice and interoperability may look to create new business models.
Gatekeepers that operate in the EU will have much to prepare for which will require careful review of the detail of the DMA's articles and cooperation with the Commission. The obligations may be subject to various interpretations, therefore further implementing acts and guidance will be key in aiding platforms to navigate the DMA and comply with other potentially applicable legislation such as the DSA. Gatekeepers are also expected to ensure that measures they adopt to comply with their obligations comply with the EU GDPR, the EU ePrivacy Directive, legislation on cyber security, consumer protection, product safety, as well as with accessibility requirements and EU and national competition regimes.
What's on the horizon
How new practices evolve in digital markets following the DMA's implementation will also continue to be watched carefully from a competition enforcement perspective. While there is a significant emphasis on the new ex-ante regime under the DMA, existing competition enforcement remains important. Competition enforcement tools are likely to continue to be deployed in digital markets, albeit possibly with newer theories of harm than those previously seen in the Commission's prior enforcement cases.
Other jurisdictions may look to mirror certain aspects of the DMA regime which may be seen as a 'blueprint' in some respects. The US is also considering legislation to address concerns in digital markets and the UK's Digital Markets Unit (currently within the CMA only in 'shadow' form) still awaits its formal statutory powers.
Some jurisdictions may instead favour a much lighter touch regulatory regime—there have been recent suggestions that the UK's digital regulation may move towards being more 'pro-innovation'. Given that it is not constrained by the DMA's framework (which envisages the Commission as sole enforcer and not the national competition authorities), post-Brexit the UK may choose to forge a different path in its approach to promoting the tech sector and addressing any issues in digital markets.
With varying policy approaches in the offing, whether the suggested 'fluid' sharing of information between enforcement authorities would in reality lead to a trend of further global and cooperative enforcement (as suggested by Olivier Guersent in a speech given on 10 October 2022) is questionable.
All in all, and notwithstanding the greater coordination between regulators that has been seen recently, tech companies may face very different regulatory regimes in different countries for what are often global business models.
Stay connected and subscribe to our latest insights and views
Subscribe Here