Digital Markets Act enters into force: a roadmap for “gatekeeper” digital platforms
Related news and insights
Blog Post: 20 November 2023
Blog Post: 17 November 2023
Publications: 16 November 2023
Blog Post: 09 November 2023
The DMA introduces new rules for the digital economy. In particular, it will require online platforms acting as “gatekeepers” in digital markets to comply with wideranging obligations.
The European Commission (EC) put forward initial proposals for the new framework in December 2020 (see our alert). After more than a year of heavy negotiations on the detail of the rules, the European Parliament and the Council of the EU reached a political agreement in March 2022 (see our alert). The DMA received final approval in July 2022 and applies from 2 May 2023, with some exceptions which apply from 1 November 2022 (eg the EC’s powers to adopt delegated acts) and from 25 June 2023 (eg provisions concerning representative actions brought against infringements by gatekeepers). Recently, the EC adopted the Implementing Regulation (Regulation (EU) 2023/814) covering the procedural aspects of the regime.
The DMA will sit alongside the Digital Services Act (DSA), which has a wider scope and provides obligations for digital services that act as intermediaries in connecting consumers with goods, services, and content. While the DMA aims to ensure fair and contestable digital markets, the DSA focuses on ensuring online safety and transparency and protecting fundamental rights. The DSA received final approval on 4 October 2022 and entered into force on 16 November 2022. It will become applicable from 17 February 2024 (with some exceptions).
For the largest digital service providers, the regulation will become applicable four months after the EC has designated them as very large online platforms or very large search engines. You can read more about the DSA in our alert.
“Gatekeepers” of “core platform services” are in scope
The DMA will apply only to platforms that are identified as “gatekeepers” in relation to one or more “core platform services” (CPS).
CPS are listed as online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communications services, operating systems, web browsers, virtual assistants, cloud computing services and online advertising services (only if they are also offered by platforms providing any of the other CPS listed above).
The rules apply where CPS are offered or provided to businesses or end-users in the EU. This is regardless of the place of establishment or residence of the gatekeepers.
A firm will be designated as a gatekeeper if it passes a three-limbed test based on qualitative criteria. The DMA provides for quantitative thresholds above which there is a rebuttable presumption that a limb is met.
Qualitative and cumulative limbs
Rebuttable presumption quantitative thresholds
The CPS provider has a significant impact on the internal market
|The CPS provider (a) has achieved annual EU turnover equal to or above EUR7.5bn in each of the last three financial years; or (b) has had average market capitalisation or equivalent fair market value of at least EUR75bn in the last financial year; and it provides the same CPS in at least three Member States|
It is an important gateway for business users to reach end-users
|It provides a CPS that in the last financial year has had at least:
(a) 45 million monthly active end-users established or located in the EU; and (b) 10,000 yearly active business users established in the EU
It enjoys an entrenched and durable position in its operations, or it is foreseeable that it will enjoy such a position in the near future
|The rebuttable presumption thresholds for Limb 2 were met in each of the last three financial years (an “emerging gatekeeper”)|
Gatekeeper designation roadmap
CPS providers will have to assess themselves whether they meet the quantitative thresholds to be identified as a gatekeeper. If they do, they will have to notify the EC within two months from the date the DMA becomes applicable (by 3 July 2023 or from the point that they start to meet the criteria, if later). Further notifications are required if the thresholds are met subsequently in relation to other CPS.
According to the implementing rules, CPS providers will be able to engage in pre-notification discussions with the EC. Similar to the EU merger control procedure, it is envisaged that CPS providers will use a dedicated form (Form GD) for their notifications. This will require detailed information, including an exhaustive list of all the CPS offered by the notifying company and “any plausible alternative delineation” of each of these CPS, plus all data necessary to assess the quantitative thresholds.
CPS providers meeting the quantitative thresholds have the opportunity to rebut the presumptions and submit substantiated arguments with their notification to demonstrate that, due to the exceptional circumstances in which they operate, they should not be designated as a gatekeeper.
After receiving a notification with the relevant information, the EC will have 45 working days to decide whether to designate the firm as a gatekeeper (6 September 2023 at the latest). The implementing rules provide that the clock will start once the EC receives a complete notification or when it informs the party that the requested information is no longer necessary.
Where a CPS provider meets the qualitative but not the quantitative thresholds, the EC can conduct a market investigation to assess whether to designate it as a gatekeeper, taking into account factors such as its size, number of users, network effects and its access to data.
In the designation decision, the EC will indicate which CPS serve as an important gateway for business users to reach end-users. With respect to each of these CPS, the gatekeepers will have to comply with all of the dos and don’ts laid down in the DMA within six months from their designation (6 March 2024 at the latest). They can apply for the suspension of particular obligations but the EC will only grant this exceptionally. In relation to “emerging gatekeepers”, the EC may declare that only some of the obligations are applicable.
Compliance with the DMA’s obligations must continue until such time as the EC removes the gatekeeper designation. The EC must review designations at least every three years.
Dos and don’ts for gatekeepers
Two categories of obligations
The DMA provides for two broad categories of gatekeeper obligations. The first category is framed so that gatekeepers can comply without the need for the EC to specify any further details. It includes the following obligations:
- not to process, for online advertising purposes, the personal data of end-users of third-party services supplied through the gatekeeper’s platform without the end-user’s consent
- not to combine or cross-use the personal data of end-users across CPS or between CPS and other services or sign in end-users to other services in order to combine personal data, without the end-user’s consent
- not to impose either ‘wide’ parity clauses (restricting business users from offering lower prices and better conditions on any other online sales channels) or ‘narrow’ parity clauses (restricting business users from offering lower prices and better conditions on their own sales channels)
- to allow business users, free of charge, to communicate and promote their products and services (including under different conditions) to end-users acquired via the gatekeeper’s CPS (or through other channels) and to conclude the contracts with those end-users
- to allow end-users to access and use through the gatekeeper’s CPS, content, subscriptions, features or other items by using the software application of a business user, including those acquired outside of the gatekeeper’s CPS
- to refrain from stopping business users or end-users from raising the issue of gatekeeper non-compliance with EU or national laws with the relevant public authorities or national courts
- not to require end-users or business users to subscribe or register with any other of the gatekeeper’s CPS as a condition for using one of the gatekeeper’s CPS
- not to require end-users to use, or business users to use, offer, or interoperate with, an identification service, a web browser engine or a payment service, or technical services that support the provision of payment services, such as payment systems for in-app purchases, of that gatekeeper in the context of services provided by the business users using that gatekeeper’s CPS
- to provide advertisers and publishers (or their authorised third parties) to which a gatekeeper supplies online advertising services, on request and free of charge, with information on a daily basis concerning the price and fees (including any deductions and surcharges) paid by the advertiser and publisher, as well as the amount of remuneration (including any deductions and surcharges) paid to the publisher, and the metrics on which each of the prices, fees and remunerations are calculated for the publishing of a given advertisement and for each of the relevant advertising services provided by the gatekeeper
The second category of obligations are those “susceptible to be further specified”, meaning that the EC can give further clarity on whether a gatekeeper’s proposed method of implementing the obligations is sufficient (which the EC can investigate either on its own initiative or at the request of the gatekeeper). These include obligations:
- not to use non-publicly available data acquired by the gatekeeper in relation to business users using a gatekeeper’s CPS to then compete with those business users
- to allow and technically enable end-users to easily uninstall any software applications or change default settings in the gatekeeper’s operating system, virtual assistant and web browser
- to allow and technically enable the installation and effective use of third-party software applications or software application stores and to allow them to be accessed by means other than the gatekeeper’s relevant CPS, as well as relating to the setting of downloaded software applications or stores as default (subject to certain carve-outs relating to safety measures)
- not to treat more favourably in ranking and related indexing and crawling, services and products offered by the gatekeeper itself compared to similar services or products of third parties and to apply transparent, fair and non-discriminatory conditions to such ranking (self-preferencing)
- not to technically or otherwise restrict end-users from switching between and subscribing to different software applications and services accessed under a gatekeeper’s CPS
- to allow hardware and service providers and business users, free of charge with effective interoperability and access to the same hardware or software features that are accessed or controlled via the operating system or virtual assistant of the gatekeeper (subject to certain carve-outs relating to safety measures)
- to provide advertisers and publishers and their authorised third parties, on request and free of charge, with access to the gatekeeper’s performance measuring tools and the data necessary for advertisers and publishers to carry out their own independent verification of the advertising inventory
- to provide end-users or their authorised third parties, on request and free of charge, with effective portability of data (including tools to facilitate the effective exercise of such data portability) provided by the end-user or generated through its activity
- subject to personal data restrictions, to provide business users, or their authorised third parties, on request and free of charge, with effective, high-quality, continuous and real-time access to and use of aggregated and non-aggregated data (including personal data), that is provided for, or generated in the context of, the use of the relevant CPS (or services provided together with or in support of the relevant CPS) by those business users and the end-users engaging with the products or services provided by those business users
- to provide any third-party providers of online search engines, on request, with access on fair, reasonable and non-discriminatory (FRAND) terms to ranking, query, click and view data in relation to free and paid searches generated by end-users on the gatekeeper’s online search engines, subject to the anonymisation of personal data
- to apply FRAND general conditions of access for business users to the gatekeeper’s software application stores, online search engines and online social networking services (the gatekeeper must publish general conditions of access, including an alternative dispute settlement mechanism)
- not to impose disproportionate general conditions for terminating the provisions of CPS and ensuring that these conditions are exercised without undue difficulty
Obligations for interoperability of messenger services
Gatekeepers providing messenger services are subject to specific obligations to make basic functionalities interoperable with the services of other providers.
This obligation will apply when requested by third-party providers and will be implemented in a gradual timeline. Some basic functionalities have to be made interoperable from the entry into force of the DMA (eg text messages between two individual users). Interoperability obligations in relation to other functionalities must be available within two years (eg group text messages) or four years (eg audio and video calls between two individual users or groups of end-users) from the designation decision.
Merger notification system – but not a fully-fledged review process
Gatekeepers will be obliged to inform the EC of all transactions: (i) where the parties provide CPS or any other services in the digital sector; or (ii) which enable the collection of data. The information must be submitted before closing, although there is no requirement for the deals to be formally approved. However, the EC is required to pass the information received on to the national competition authorities (NCAs).
Significantly, the DMA explicitly notes that the NCAs may use this information to request the EC to review a transaction under Article 22 of the EU Merger Regulation. The recent General Court ruling in Illumina/GRAIL is important in this regard. The Court confirmed that the EC has the right to accept Article 22 referrals of belowthreshold transactions from NCAs (see our alert for more details).
Time will tell how many deals involving gatekeepers will result in referral requests as a result.
In addition to the above, the DMA imposes several ancillary obligations on designated gatekeepers.
These include a requirement to report to the EC on the measures that a gatekeeper has implemented to ensure compliance with the obligations.
Gatekeepers must also set up a compliance function, which should be independent from the companies’ operational functions.
EC powers and enforcement
The DMA provides the EC with a broad market investigation tool allowing it to: (i) proactively investigate whether a CPS provider should be designated as a gatekeeper or identify the core platform services to be listed in a designation decision; (ii) revise and update the scope of the concept of the CPS (eg whether new services should be added) or the list of obligations; and (iii) investigate systematic non-compliance with gatekeeper obligations.
The EC will also have other extensive investigative powers similar to those granted to it under EU antitrust rules. In particular, the EC can request information, carry out interviews and conduct onsite inspections. Businesses under investigation will have the right to access the EC’s file, the right to be heard and the right for decisions to be transparent.
Harsh sanctions for non-compliance
Gatekeepers who do not comply with their obligations under the DMA can be fined up to 10% of their annual worldwide turnover. Significantly, the EC may impose a fine of up to 20% of worldwide turnover for repeat offences.
In addition, the EC may impose fines on undertakings, including gatekeepers, of up to 1% of their annual worldwide turnover for procedural breaches, eg failure to comply with notification obligations or provide requested information. In certain cases, the EC may also impose periodic penalties.
Where gatekeepers systematically fail to comply with the DMA (ie at least three violations in eight years), the EC can open a market investigation and, if necessary, impose behavioural or structural remedies. In such cases, the EC even has the power to ban gatekeepers from entering into future transactions for a limited time period.
Finally, to prevent an urgent risk of serious and irreparable damage for business users or end-users, the EC can impose interim measures. If during the investigation the gatekeeper offers binding commitments that ensure compliance with the relevant obligations, the EC may close its investigation and make the commitments binding.
The EC as sole enforcer
Following much discussion, negotiation and resistance from some Member States (eg Germany), the DMA provides that the EC will be the sole enforcer of the DMA.
The key challenge for the EC will be to ensure there are sufficient and qualified staff having the right skills (including IT experts and data scientists) to efficiently and effectively implement and enforce the regime. The EC’s impact assessment initially proposed around 80 staff members to enforce the DMA. The EC has now established a new department within the Directorate General for Competition (DG COMP) dedicated to digital platforms. This consists of three separate investigative units and houses 32 officials, who will enforce the DMA and conduct antitrust investigations in the tech sector. We understand that the Directorate General for
Communications Networks, Content and Technology (DG CNECT) will work with DG COMP on DMA matters. The EC also plans to engage a chief technology officer who will focus on data. It remains to be seen how the enforcement will look in practice.
Unlike under EU antitrust rules, the DMA will not be enforced by Member States. However, that does not mean that Member States and their NCAs have no role. The framework provides for close cooperation and information exchange between the EC and NCAs. The EC may consult an NCA where appropriate on any matter relating to the application of the DMA. It may also ask one or more NCAs to assist it in a market investigation or inspection.
- At least three Member States can request the EC to open a market investigation into whether a particular CPS provider should be designated as a gatekeeper or whether the list of CPS should be extended.
- NCAs (acting via the European Competition Network) will have a voice through the “High-Level Group” (established in March 2023), which consists of bodies and networks of national regulators that provide the EC with relevant advice and expertise.
- NCAs may conduct investigatory steps with a view to determining the non-compliance of a gatekeeper with the DMA and can report their findings to the EC.
More generally, NCAs will still be able to enforce national and EU antitrust rules or national digital regulations against digital platforms. But they will have to coordinate their actions with the EC.
Finally, given the DMA will be directly applicable in the Member States, it will be possible to enforce the DMA obligations in national courts, including through damages actions.
No more antitrust enforcement in digital markets?
It remains to be seen how in practice the DMA will interact with other regimes including the EU and national antitrust regimes or private litigation. It is, however, very unlikely that we will see the EC stop taking antitrust enforcement action against digital platforms. Executive Vice President Vestager was clear when announcing the proposals for the DMA that the EC would continue its ongoing antitrust cases and that its enforcement action could inform future versions of the DMA. Indeed, the DMA explicitly provides that it is without prejudice to the application of EU or national antitrust rules, including merger control rules, and is intended to complement those rules.
Recent judgments of the European Court of Justice (ECJ) in C-117/20 bpost and C-151/20 Nordzucker will also likely strengthen the EC’s resolve to apply the DMA and EU antitrust rules in parallel. The ECJ held that it is legitimate for companies to be sanctioned under both sectoral rules and antitrust law. However, the case law specifically requires that clear and precise rules are in place that make the accumulation of proceedings and sanctions foreseeable, that there is sufficient coordination between the investigating authorities, and that the overall penalties imposed correspond to the seriousness of the infringements.
The DMA will have a significant impact on the operation of digital platforms. However, despite the final rules being agreed, many uncertainties remain.
In the gatekeeper designation process, for example, it is unclear whether the EC will actively designate those CPS providers which do not meet quantitative thresholds or whether potential gatekeepers will in practice be able to successfully contest the presumption that meeting the quantitative thresholds satisfies the designation requirements when the EC should take into account only those elements which directly relate to the quantitative criteria. There are also a number of doubts over the gatekeeper’s obligations, such as how to understand and apply self-preferencing restrictions or FRAND terms in giving access for business users to app stores, search engines and social networks.
Some procedural aspects also remain uncertain. Although the provisions in the implementing rules on opening of proceedings, the right to be heard and access to file are at first glance similar to the procedures in antitrust investigations, there are some notable omissions. These could impact parties’ procedural rights. For example, the Implementing Regulation does not provide for oral hearings, nor does it envisage a hearing officer. There is also no procedure regarding third parties’ complaints. The DMA provides that the EC may adopt guidelines on any aspects of the rules. It is to be hoped that the authority will take the opportunity to clarify uncertainties in order to assist gatekeepers in the implementation of their obligations. In this respect, the EC is holding technical workshops to address specific practical questions related to compliance.