The EU's Digital Markets Act - an overview

The European Commission has been working on the realisation of the Digital Single Market since 2014. To this end, it has created a new field of law - "digital regulatory law". This also includes competition law regulation of digital markets in the form of the Digital Markets Act (DMA). Here we provide an overview of the DMA as approved by the European Council and the European Parliament in July 2022.  Minor changes may still be made before the DMA is published in the Official Journal.

DMA and relation to EU competition law

In the perception of the Commission, existing EU competition law was not sufficient to cope with the alleged risks to competition posed by large internet companies. On the one hand, factual monopolies in certain digital markets should be regulated. On the other hand, market failures due to special features of digital markets such as network effects and data aggregation are to be counteracted. In the opinion of the Commission, current EU competition law is too cumbersome to counter these assumed risks. 

Accordingly, the DMA follows a different approach from existing EU competition law which remains fully in force. Thus, there are overlaps with EU competition law as well as differences which should be noted and may help in understanding and applying the DMA. Both regimes want to ensure fair competition and contestable markets and are to be used side by side to safeguard competition. Articles 101 and 102 TFEU, as well as the preventive Merger Regulation (ECMR) remain applicable in parallel pursuant to Article 1(6) DMA. The regulations in the DMA are, in fact, in many cases taken out of competition law cases. However, national competition law must not, according to Article 1(6)(b) of the DMA, impose additional obligations to those in the DMA. A case in point is Section 19a of the German Act against Restraints of Competition which is designed to deal with dominant big tech companies and which will likely be neutralised or – at least – significantly narrowed in scope by the DMA.

Gatekeepers

Against this background, the European Union has chosen to regulate certain large online companies, designated as "gatekeepers" under the DMA. A digital company is considered a gatekeeper under Article 2(1) DMA (all references are to the DMA unless otherwise stated) if it operates a "core platform service" under Article 2(2) (eg online search engines, online social networking services, cloud computing services). 

In addition, the company must have:

• a significant impact on the internal market
• provide a core platform service which is an important gateway for business users to reach end users, and 
• enjoy an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future. 

These criteria are presumed if the company achieves an annual Union turnover of at least EUR 7.5 billion in each of the last three financial years or has an average of at least EUR 75 billion market capitalisation or fair market value in the last financial year and provides the same core platform service in at least three Member States. 

In addition, the core platform services must have reached 45 million active end users per month and 10,000 active business customers per year established or located in the European Union in the last financial year. 

The third condition “entrenched and durable position” is presumed to be met if the above mentioned user numbers were achieved in each of the previous three financial years. As soon as a provider of core platform services reaches these thresholds, it must report this to the Commission or face a fine. The Commission then decides whether the provider is a gatekeeper or - exceptionally – not in accordance with Article 3(4). 

Core platform service providers that do not meet the thresholds can also be classified as gatekeepers. For more details see our recent article.

Restrictions and obligations of gatekeepers 

Unlike current EU competition law, the DMA does not contain a blanket clause and only provides limited means to justify prohibited behaviour in Article 8 and 9. 

However, Articles 5 to 7 impose a series of obligations and restrictions on gatekeepers that are binding six months after their gatekeeper designation. In order to provide some flexibility, the Commission can add to or adapt these in accordance with Article 12(1).

Article 5

Designated gatekeepers shall, in accordance with Article 5 DMA, without the need for a further specification,  

• without explicit consent (not to be sought more than once a year): not process personal data of end users for advertising purposes if end users use the service of a third party which in turn uses a core platform service of the gatekeeper (for example, data that accumulates when Siri is used to control household appliances), not merge personal data of end users that have arisen from the use of different core platform services or the services of third parties (following the reasoning behind the Bundeskartellamt's 2019 Facebook decision and the fine imposed on Facebook by the EC in 2017), not cross-use personal data of end users from one core platform service in another core platform service, and not sign in end users of a core platform service to another service in order to combine the end users' personal data.
• not prevent business customers from offering their products and services on third-party platforms at different conditions and prices 
• allow business customers, free of charge, to communicate with end users - who are existing customers of the business customer - via the core platform services, to make offers to them and to conclude contracts (although there is a question as to whether and what proof the gatekeeper can demand to demonstrate only existing customers are actually being addressed)
• allow end users to access content, subscriptions, features and other items purchased by the business customer via the core platform service if this involves the use of the business customer's software 
• refrain from discouraging end users or business customers in any way from complaining to the competent public authorities, whereby in the case of business customers the agreement of a dispute resolution mechanism shall be permitted 
• refrain from obliging end users or business customers to use or - in the case of business customers - to offer a specific identification service, web browser engine or payment service or a corresponding technical service (eg for in-app purchases)
• refrain from requiring end users or business customers to sign up for another core platform service that reaches 45 million end users per month and 10,000 business customers per year or is registered as a core platform service by the Commission in order to use the gatekeeper’s core platform service 
• in the case of digital advertising, provide to any advertiser, publisher or service provider of any of the aforementioned persons, free of charge, on a daily basis, information about each advertisement placed by the advertiser, the price and fees paid by that advertiser, the remuneration received by the publisher and the measure on which the individual prices and remuneration fees are calculated. If the advertiser or publisher does not agree to the disclosure of the information, the average price paid by the advertiser shall be indicated.

Article 6

Article 6 requirements may be subject to further specification for particular gatekeepers and core platform services by the Commission in accordance with the procedure set out in Article 8.  Under Article 6, gatekeepers are to be obliged to

• refrain from competing with business customers using a core platform service by using non-public data (the ban of this practice stems from the Amazon Marketplace investigation)
• make it easy for end users to remove pre-installed software and to change the default settings in the operating system regarding the use of virtual assistants, web browsers and to choose from a list of alternative offers 
• allow and technically enable the installation of third-party software or stores from any source, although this does not prevent the gatekeeper from taking cybersecurity measures 
• refrain from giving preferential treatment to their own offers 
• refrain from restricting the ability of end users to switch between and subscribe to different software applications and services that can be accessed via the core platform service 
• allow service and hardware providers, by way of interoperability, to use the same scope of services available to an operating system or virtual assistant identified as a core platform service without payment 
• provide advertising providers, publishers and third parties commissioned by them with access to the gatekeeper's performance measurement tools and the information they need to carry out their own independent review of the advertising inventory, free of charge, upon request. The data must be processable by the recipients 
• ensure effective portability of data generated by the activity of a business user or end user 
• provide business users and third parties engaged by them, free of charge, with effective, high quality, continuous and real-time access to, and use of, aggregated and non-aggregated data provided or generated in connection with the use of the relevant core platform services by those business users and the end users using the products or services offered by those business users 
• grant third party online search providers access to ranking, query, click and view data relating to free and paid searches generated by end users on the gatekeeper's online search engines on fair, reasonable and non-discriminatory terms upon their request grant fair and non-discriminatory general conditions for business users' access to app stores, search engines and social networks 
• not make the termination of core platform services unreasonably difficult.

Article 7 – the interoperability requirement

Finally, a new and far-reaching interoperability obligation for gatekeepers providing number-independent interpersonal communications services (messaging services) is introduced under Article 7. In very simplified terms, the gatekeeper must interoperate with competing messaging services under certain conditions, so that, for example, a user of the gatekeeper's service can send a message or notification to the user of a competing service - but this should not interfere with the end-to-end encryption of the communication, a technical point that can be expected to lead to significant disputes. More generally, the DMA contains very demanding interoperability obligations. and technical questions still need to be clarified. 

Whether the comprehensive catalogue of obligations and restrictions in the DMA will have the desired effect remains to be seen. If they prove to be insufficient, Article 12 DMA provides for a supplement to the catalogue of obligations by means of a delegated act. 

Procedure

The DMA classifies the duties of conduct under Article 5-7 DMA into those that are considered "self-executing" (Article 5) and others that are "susceptible to further specification" under Article 8 (namely Articles 6 and 7). The gatekeeper must independently develop a concept for the adequate implementation of the conduct obligations. The DMA provides the Commission with various instruments for monitoring these measures and requires the gatekeepers to notify the Commission of measures taken. 

Article 8 provides that the gatekeeper may request the Commission, or the Commission may on its own initiative, open proceedings to assess whether the gatekeeper’s measures to ensure compliance with Articles 6 and 7 are effective (so-called regulatory dialogue). Within six months after the initiation of such proceedings, the Commission may specify concrete measures in relation to the obligations set out in Article 6 which the gatekeeper concerned must implement if the measures it has taken to date do not ensure effective compliance with the DMA requirements.

Article 9 provides for an exemption from the Article 5-7 obligations under the DMA in exceptional cases. Article 9(3) also provides for urgency decisions by which the Commission can provisionally suspend certain DMA obligations even before the main decision is taken by the Commission. Furthermore, the obligations laid down in Article 5, 6 or 7 can also be waived for the protection of public health and public safety in accordance with Article 10.

Anti-circumvention

Article 13 prohibits circumvention of the gatekeeper's obligations under the DMA and allows the Commission to examine whether there is circumvention. Specifically, companies are prohibited from "splitting" central platform services with the purpose of falling below the Article 3(2) quantitative thresholds. If the Commission suspects this is happening, it may request further information from the relevant companies in order to uncover possible circumvention. If the suspicion is confirmed, the splitting does not (or will no longer) prevent the Commission from designating the company as a gatekeeper. Whether circumvention can only be assumed if the avoidance of the status as a gatekeeper was the sole reason for the division, or whether it is sufficient if this was only one of several motives, could still require judicial clarification in future. 

Articles 13(3-4) further stipulate that the gatekeeper must effectively comply with the obligations under Article 5-7 of the DMA. Specifically, the gatekeeper is obliged to facilitate business users’ compliance with privacy law if personal data is involved in fulfilling the DMA obligations towards business users. The exercise of the rights by business users and end users under Articles 5 to 7 of the DMA must not result in penalties (such as poorer quality) or be made unreasonably difficult. In all these cases, the Commission can issue orders further specifying the obligations of the gatekeepers. 

The prohibition on circumvention is flanked, among other things, by monitoring and information gathering powers of the Commission and is subject to self-monitoring by the gatekeepers themselves. Gatekeepers must appoint compliance officers who monitor compliance independently of the operational business and have the ability to enforce compliance.

Merger control of the gatekeepers

Under Article 14, gatekeepers will be obliged to inform the Commission of a proposed concentration involving other companies from the digital sector or which are active in data collection. This obligation exists irrespective of whether the merger would be notifiable to the Commission or a national competition authority under the relevant merger control rules. 

This is intended to enable the Commission to monitor market developments in the digital sector and to become aware of 'killer acquisitions' (large corporations swallowing up hopeful start-ups with little turnover, but a lot of potential at an early stage). Article 14(5) explicitly refers to Article 22 ECMR, so that competition authorities of the Member States can ask the Commission to examine such mergers within the framework of the ECMR. This means that killer acquisitions, in particular, can be examined via the mechanism of Article 22 ECMR even if the thresholds of the ECMR or national merger control regimes are not exceeded. 

Sanction mechanisms of the DMA

If a gatekeeper fails to comply with Articles 5-7 they may be fined up to 10% of the worldwide group turnover in the preceding financial year. Repeated violations of the DMA's rules of conduct may even result in fines of up to 20% of worldwide group turnover in the preceding financial year. In addition, the Commission may impose periodic penalty payments of up to 5% of the daily worldwide group turnover of the gatekeeper in the preceding financial year in the event of non-implementation of orders.

In the event of systematic violations of the DMA's rules of conduct, the Commission may, pursuant to Article 18 DMA (ie on the basis of a market investigation), adopt behavioural and structural remedies. In addition, in the event of systematic violations, the gatekeeper can be prohibited from carrying out mergers in relevant sectors, at least for a limited period of time. Systematic infringement is presumed if the Commission has adopted at least three infringement decisions under the DMA within an eight year period. These sanction options are flanked by comprehensive powers to verify compliance with the DMA through requests for information (RFIs), interrogations and inspections.

Private enforcement of the DMA

It is debatable to what extent business users and end users can also enforce the obligations under the DMA as private enforcement is not explicitly dealt with in the DMA. However, Articles 42 and 53 enable consumers to enforce their rights via the Representative Action Directive. While the legislator intended to give consumers the possibility of asserting their rights under the DMA, the legislation is silent on the rights of business users or non-consumers. The legislation focuses on enforcement of the DMA by public authorities as standard. As a consequence, Article 39 provides for a mechanism of cooperation between the Commission and national courts to ensure consistent application of the DMA, comparable to Article 15 of Regulation (EC) No. 1/2003. In this context, national courts are not allowed to take decisions that contradict the decisions of the Commission under the DMA.

Responsibility

The Commission is given exclusive competence to apply the DMA in order to ensure uniform enforcement throughout the Union. However, Member States may also authorise their respective national competition authorities to investigate possible violations of the DMA and to forward the results of their investigations to the Commission.

Timeline for compliance

The DMA passed the European Parliament on 5 July 2022 and the Council on 18 July 2022 and will shortly be published in the Official Journal of the European Union. 20 days after publication, the DMA will enter into force and will be applicable in essential parts six months later. Some organisational provisions will enter into force on 25 June 2023.

The decisive factor will be the designation of the first gatekeepers as they are obliged to comply with the requirements of Article 5 to 7 six months after their designation. 

What actual effect the DMA will have will depend on how it is enforced. However, the DMA has the potential to significantly shift the balance of power in digital markets in favour of smaller companies.  Hopefully the DMA will not overshoot the mark, which could happen, for example, if companies are unnecessarily designated as gatekeepers or because behavioural obligations are imposed that ultimately do not promote competition at all. Getting the balance right will be the crucial factor in determining whether or not the DMA achieves the Commission's aims.