European Union: Digital Markets Act – Overview

The Digital Markets Act (DMA) is a ground-breaking piece of EU regulation, imposing rules on platforms acting as "gatekeepers" in the digital sector, and aiming to ensure fairness and contestability in digital markets. The main obligations and prohibitions in the DMA apply from 7 March 2024 to the designated gatekeepers, and therefore we take this opportunity to update our overview of the DMA.

What is the DMA? In summary, it aims to improve contestability and fairness of digital markets, by imposing obligations and prohibitions on "gatekeepers" that provide "core platform services" (CPSs) and are designated as such by the European Commission (Commission).

Designations to date. The Commission has designated the following gatekeepers/services so far:

• Alphabet: Google Play, Google Maps, Google Shopping, Google Search, YouTube, Android, Chrome and Alphabet's online advertising service
• Amazon: Amazon Marketplace and Amazon Advertising
• Apple: AppStore, iOS and Safari
• ByteDance: TikTok
• Meta: Facebook Marketplace, Facebook, Instagram, WhatsApp, Facebook Messenger and Meta Ads
• Microsoft: LinkedIn and Windows PC OS

ByteDance has appealed its designation, and Meta and Apple have appealed the designation of certain of their services. These appeals do not suspend the gatekeepers' obligations to comply with the DMA.

The Commission has found that a number of CPSs (Gmail, Outlook.com, Samsung Internet Browser, iMessage, Bing, Edge and Microsoft Advertising) which met the thresholds were not "important gateways" and therefore did not designate them.

The Commission is also currently considering recent notifications by Booking, ByteDance (for its advertising service) and X; and has an ongoing investigation into Apple's iPadOS.

20+ obligations/prohibitions. Designated gatekeepers will have to, amongst other things, allow interoperability, data access, competing app stores, off-platform purchasing, and uninstallation of preinstalled software; and must not cross-use data without consent, self-preference in rankings, or have most-favoured-nation (MFN) clauses, in each case in relation to their CPSs. The selection here is non-exhaustive and does not catch the nuance in some of the obligations and prohibitions.

Regulation alongside competition law. The DMA represents a radical change in approach to enforcement in the digital sector. It introduces ex ante regulation of the digital gatekeepers. Whilst it is largely influenced by EU competition law policy including existing infringement decisions and investigations, it will operate alongside, and not replace, existing EU competition rules.

Who needs to be aware of it? The DMA will be of interest not just to those companies designated as gatekeepers (or who may be in future), but also to those using their services. Further, companies and advisors not active in the EU should still be aware of this key development as it is likely to influence competition authorities and legislators outside the EU as they look at how they can best regulate large digital platforms.

Part of a wider refresh of enforcement in the digital sector. The DMA is a key part of a range of new EU regulations for the digital ecosystem "Shaping Europe's digital future" – a key policy for the Commission. These include the Digital Services Act (DSA) and the proposed AI Act (see our posts here and here), as well as the Data Act and Data Governance Act. The Commission has also amended various of its block exemptions and guidelines to reflect, amongst other things, developments in the digital sector (see our posts here, here and here). The EU is not alone in its approach, and for example the UK is also seeking to implement a new ex ante regime for online platforms with 'strategic market status' (see our post here).

In this post we outline key aspects of the DMA at a high level. If you would like to discuss the DMA or any of these developments in more detail, please do not hesitate to get in touch.

Criteria to be a gatekeeper

Not all large digital companies are in scope, and not even all those that may be considered 'dominant' under EU competition law.

The DMA catches only those companies that provide a CPS and satisfy the criteria set out in Article 3(1) of the DMA. They must:

1. have a significant impact on the internal market;
2. provide a CPS which is an important gateway for business users to reach end users; and
3. enjoy an entrenched and durable position (or it is foreseeable that they will do so in the near future).

The DMA defines a CPS as: online intermediation services (e.g. marketplaces, app stores etc.), online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communications services, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services provided by an undertaking that provides any of the other CPSs.

To determine if the criteria in Article 3(1) are met, the DMA sets out rebuttable presumptions in Article 3(2), in the form of quantitative thresholds. A provider of a CPS will be presumed to:

• have a significant impact on the internal market if it provides the same CPS in at least three EU Member States, and (at a company level) achieves at least EUR 7.5 billion (US$ 8.3 billion) turnover in the EU in each of the last three years or has a market capitalisation of EUR 75 billion (US$ 83 billion) in the last year;
• provide a CPS which is an important gateway if in the last financial year the CPS has at least 45 million monthly active end users established or located in the Union and at least 10,000 yearly active business users established in the EU;
• hold an entrenched and durable position if it met the thresholds in the bullet above in each of the last three financial years.

The criteria in Article 3(1) may also be met by qualitative elements set out in Article 3(8). These include size, including turnover and market capitalisation, operations and position; number of business users using the CPS to reach end users and the number of end users; network effects and data driven advantages; any scale and scope effects from which the undertaking benefits; business user and end user lock-in; conglomerate corporate structure or vertical integration, or other structural or service characteristics.

It is notable that the criteria do not relate to 'market power', and whilst many of the obligations and prohibitions in the DMA are modelled on competition law abuses of dominance, it is not necessary that a gatekeeper holds a dominant position, and a company in a dominant position will not necessarily be a gatekeeper.

Designation process

Gatekeeper status is not automatic – designation by the Commission is required before a company is subject to the DMA's obligations and prohibitions on its behaviour.

Where a company satisfies the quantitative thresholds in Article 3(2), it must inform the Commission without delay and in any event within two months after the thresholds are met. The notification must be made on the "Form GD" (see further the Implementing Regulation). In practice the Commission has also engaged in discussions with potential gatekeepers prior to notification.

Following receipt of the necessary information, the Commission has 45 working days to decide whether to designate the potential gatekeeper as a gatekeeper. In that decision it must also list the relevant CPSs the gatekeeper provides which are individually an important gateway for business users to reach end users.

Importantly, the quantitative thresholds in Article 3(2) provide a rebuttable presumption of designation. A potential gatekeeper may present "sufficiently substantiated arguments to demonstrate that, exceptionally, although it meets all the [quantitative thresholds], due to the circumstances in which the relevant core platform service operates, it does not satisfy the requirements listed in [the criteria for designation]". If the Commission decides that the potential gatekeeper presented sufficiently substantiated arguments that manifestly call into question the presumption, it will open a market investigation and conclude within 5 months whether to designate the gatekeeper. (In practice, it may also decide that a market investigation is not necessary and proceed to conclude that the criteria for designation are not met.)

As noted above, the Commission may also designate a company as a gatekeeper even though it does not satisfy the quantitative thresholds. This may be the case if it considers that the criteria are met under the qualitative elements. In such case, the Commission must conduct a market investigation and reach a decision within 12 months.

If a potential gatekeeper does not hold an "entrenched and durable position", the Commission may designate it as an "emerging gatekeeper" if it is expected to hold this position in the near future. A more limited set of obligations applies to an emerging gatekeeper, aimed at ensuring that it does not achieve a gatekeeper position in an unfair manner.

Designations/ investigations to date

On 5 September 2023 the Commission designated the first set of gatekeepers under the DMA and listed their CPSs which it considered individually are an important gateway for business users to reach end users.

The Commission's press release can be found here, and the designation decisions here.

Appeals

ByteDance has appealed its designation, and Meta and Apple have appealed the designation of certain of their services. In each case the appeals are to the EU General Court, and do not suspend the gatekeepers' obligations to comply with the DMA.

ByteDance also applied for interim measures from the Court, seeking suspension of the decision. However, on 9 February 2024 the President of the General Court dismissed the application, on the basis that ByteDance had failed to demonstrate the urgency required for an interim order in order to avoid serious and irreparable damage.

Investigations

At the same time as those first designation decisions, the Commission opened four market investigations to further assess Microsoft's and Apple's submissions that, despite meeting the quantitative thresholds, Bing, Edge and Microsoft Advertising (for Microsoft) and iMessage (for Apple) are not important gateways for business users to reach end users. It closed these investigations on 13 February 2024, finding that Microsoft and Apple should not be designated with respect to those CPSs. It "will continue to monitor the developments on the market with respect to these services, should any substantial changes arise."

On 5 September 2023 the Commission also opened a market investigation to further assess whether Apple should be designated a gatekeeper with respect to iPadOS. That CPS did not meet all the quantitative thresholds (Article 3(2)), but the Commission concluded that there were grounds to consider that it may meet the criteria for designation (Article 3(1)) on the basis of the qualitative elements (Article 3(8)). It therefore opened a market investigation and has up to 12 months to reach a decision on whether to designate it.

What was not designated?

In its decisions on the first set of gatekeeper designations, on 5 September 2023, the Commission concluded that, although Gmail, Outlook.com and Samsung Internet Browser met the quantitative thresholds to be gatekeeper services, Alphabet, Microsoft and Samsung had provided sufficiently justified arguments to show that these services did not qualify as important gateways for business users to reach end users and therefore (without opening a market investigation) concluded that they should not be designated.

It appears from the designation decisions that no potential gatekeepers submitted notifications with respect to virtual assistants or cloud computing services. Therefore, no CPS in these categories is currently designated under the DMA.

Ongoing designations/ investigations

On 1 March 2024, Booking, ByteDance and X submitted notifications to the Commission that they meet the qualitative threshold under the DMA. This triggers the Commission's 45 working day review to decide if they should be designated as gatekeepers, and which services to list as important gateways in the designation decisions. ByteDance's new notification relates to TikTok Ads (it is already designated a gatekeeper with respect to TikTok as an online social network).

As noted above, the Commission also has an ongoing market investigation into iPadOS.

The substance of the DMA: what behaviour is caught?

Following designation, a gatekeeper has six months to comply with the prohibitions and obligations set out in Articles 5, 6, and 7 of the DMA. The compliance date for those gatekeeper services designated in September 2023 was 7 March 2023.

In summary, the "do's and don'ts" include the following:

• Use of personal data: a gatekeeper must not process (for providing online advertising services), combine or cross use personal data of end users obtained via its CPS unless the user grants a valid consent
• Use of business data: a gatekeeper must not use, in competition with business users, any data not publicly available generated or provided by business users in the context of their use of its CPS
• MFNs: a gatekeeper must not impose wide or narrow MFN clauses, e. it must allow business users to offer the same products/services to end users through third party platforms, or their own platforms, at prices/conditions different from those on the gatekeeper's platform
• Interoperability: a gatekeeper must allow providers of services and hardware with interoperability with hardware and software features accessed or controlled via its operating system or virtual assistant (where designated as a CPS), and must ensure interoperability for number-independent interpersonal communications services to its designated service
• Access: a gatekeeper must allow, and technically enable, the installation and use of, and access to, competing third-party apps or app stores on its operating system. It must also not restrict the ability of end users to switch between, or subscribe to, different apps and services accessed using its CPS
• Anti-steering provisions: a gatekeeper must allow business users to promote their offers and conclude contracts with customers outside its CPS
• On-platform use: a gatekeeper must allow an end user to access and use, through its CPS, content, subscriptions, features or other items in a business user's app, including where these items have been acquired from the business user without using its CPS
• Tying: a gatekeeper must not require business users or end users to use, offer, or interoperate with a gatekeeper's identification service, web browser engine or payment service in the context of the business users' services offered through the CPS, and must not require users to subscribe to, or register with, any of the gatekeeper's other CPSs listed in its designation decision or meeting the quantitative criteria as a condition for being able to access its CPS
• Configuration choice: a gatekeeper must allow and technically enable end users to (i) easily un-install software applications on its operating system, (ii) easily change default settings on its operating system, virtual assistant and web browser that direct or steer end users to products or services provided by the gatekeeper, and (iii) provide end users choice of online search engine, virtual assistant or web browser to be used by default
• Access to data: A gatekeeper must give business and end users effective and immediate access to data they have provided or which is generated by their activities on its CPS. Search engines must provide competitors with access on FRAND terms to ranking, query, click and view data
• Data portability: a gatekeeper must provide end users, upon their request and free of charge, with effective portability of data provided by the end user or generated through the end user's activity on its CPS
• Self-preferencing: a gatekeeper must not treat more favourably in ranking, and related indexing and crawling, its own services and products compared to similar services or products offered by third parties on its platform, and must apply transparent, fair and non-discriminatory conditions to rankings and related indexing and crawling
• Transparency: a gatekeeper must provide its advertisers and publishers with detailed information on the use of its advertising services and payments from publishers and advertisers
• Notification of mergers: under Article 14 DMA a gatekeeper must inform the Commission of all intended concentrations (within the meaning of the EU Merger Regulation (EUMR)) where the target provides a CPS or any other digital or data collection services. The obligation applies regardless of whether the concentration meets the EUMR or any national merger control thresholds. This does not automatically trigger a merger control review, but we expect the Commission to use this provision to alert it to transactions it may seek to review under its revised approach to Article 22 EUMR (see our briefing here).

A note of caution is warranted here: the above summary is not exhaustive and does not catch the nuances in some of the prohibitions/obligations. In addition, while gatekeepers must comply with the prohibitions/obligations, they may request guidance from the Commission as to measures they should implement to ensure effective compliance with some of the prohibitions/obligations.

The Commission has been engaging with gatekeepers and other stakeholders with respect to compliance. This has been in bilateral and multilateral meetings, and also in a series of public workshops which (to date) have discussed data-related obligations, app store related provisions, interoperability between messaging services, and the prohibition on self-preferencing.

Notices and Guidelines

The Commission has adopted an Implementing Regulation setting out detailed arrangements for the conduct of certain proceedings under the DMA (for further details see our blogpost here). It has also published templates for various reports and submissions. To date it has not published any notices or guidelines on the interpretation of the DMA but has indicated that it may do so in future.

Compliance reports and workshops

Gatekeepers are required to submit annual compliance reports to the Commission. The template provided by the Commission requests detailed information to enable the Commission to assess the gatekeepers' compliance. Gatekeepers must also publish non-confidential summaries, with the first set of reports published 7 March 2024 (reports available here).

The Commission announced that in late March 2024 it will hold a series of public workshops. These aim to promote transparency and dialogue, and to allow competitors, consumers and civil society to provide feedback on the gatekeepers' proposed compliance solutions.

Gatekeepers must also submit annual independently audited descriptions of any techniques for profiling of consumers relating to their CPSs, and publish an overview of these.

Who enforces the DMA?

The Commission enforces the DMA, not national authorities. However, national authorities can open investigations and are expected to work closely with the Commission.

Within the Commission, enforcement is primarily by DG COMP (which has established a new Directorate J), with involvement from DG CNECT.

There is also an expectation that private litigants will be able to bring 'enforcement' actions in national courts (including by way of class actions).

Sanctions/ interim measures

For breaches of the prohibitions/obligations in the DMA, the Commission may impose fines of up to 10% of the gatekeeper's annual worldwide turnover for the first infringement, and up to 20% for repeated infringements. Additionally, the Commission may impose periodic penalty payments per day of up to 5% of the gatekeeper's daily turnover.

The Commission can also adopt interim measures, if it proves serious and irreparable damage.

Can the Commission impose remedies?

Only if the gatekeeper has engaged in systematic non-compliance. If the Commission identifies three infringements in eight years, it can open an investigation following which, if it finds systematic non-compliance, then it can impose "any behavioural or structural remedies which are proportionate and necessary to ensure effective compliance". This could include a ban on M&A activity or even a break-up.

Investigatory powers and rights of defence

The DMA gives the Commission an array of investigatory powers. These are similar in most cases to those of the Commission under existing competition law. In some cases, parties' defence rights are narrower due to the shorter timelines for investigations provided for in the DMA compared to competition law investigations. As noted above, the Commission has adopted an Implementing Regulation setting out detailed arrangements for the conduct of certain proceedings under the DMA.

Key investigatory powers include:

• Requests for the provision of necessary information from companies; as well as conducting interviews with personnel of the companies (where the person consents)
• Inspections, similar to the dawn raids conducted in competition law cases. The Commission can enter and/or seal the premises, examine books and records, take copies, request explanations, request access to, for example, IT systems, algorithms and data-handling practices and can request assistance from external experts or national authorities in order to carry out the inspections
• Market investigations in order to identify gatekeepers that otherwise would not have been identified based on the quantitative thresholds and to determine if new services or practices should fall under the DMA

Defence rights for gatekeepers (and potential gatekeepers) include:

• The right to be heard, including to challenge the Commission's enforcement and sanction measures, and the right to access the file
• The right to good administration, which refers to impartial, fair and reasonable treatment of a case, as well as provision of a reasoned decision
• The right to safeguard professional secrecy, including by requesting non-disclosure of information in a Commission decision or respecting EU legal privilege

What role for complainants?

Involvement in the Commission's enforcement

The DMA provides that any third party, including business users, competitors or end-users, may inform a national authority, or the Commission directly, about any practice or behaviour by gatekeepers that falls within the scope of the DMA. However, the DMA does not provide a formal complaints mechanism or rights for complainants during an investigation. Nevertheless, it does envisage that the Commission may consult third parties at various points in its investigations.

Can complainants bring private enforcement actions?

As noted above, we expect this to be a part of 'enforcement' of the DMA. The DMA also contains provisions on co-operation between the Commission and national courts.

In addition, the DMA envisages class actions. It provides that affected third parties may bring civil damages actions against infringements that harm the collective interests of consumers in line with the EU's Representative Actions Directive.

Interim and final injunctions may also be available to private litigants, depending on the procedural rules of the jurisdiction in which they bring the claim.

What role for Member States/ National Competition Authorities?

While the Commission has the sole authority to enforce the DMA, it can request assistance from national authorities while conducting investigations. In addition, a national authority can initiate an investigation into possible non-compliance with the DMA on its own territory (but may not take a substantive decision).

As noted below, national competition authorities will still be able to enforce competition law. They will also be able to enforce other rules imposing obligations on gatekeepers beyond the scope of the DMA.

The Digital Markets Advisory Committee established under the DMA consists of representatives from the Member States. The Commission must consult the advisory committee before taking various decisions.

The Commission has also established a High Level Group on the DMA. This is composed of 30 representatives nominated from the Body of the European Regulators for Electronic Communications (BEREC), the European Data Protection Supervisor (EDPS) and European Data Protection Board, the European Competition Network (ECN), the Consumer Protection Cooperation Network (CPC Network), and the European Regulatory Group of Audiovisual Media Regulators (ERGA). The High Level Group can provide the Commission with advice and expertise with the aim of ensuring that the DMA and other sectoral regulations applicable to gatekeepers are implemented in a coherent and complementary manner.

What role for the Courts?

Commission decisions under the DMA are subject to review by the EU Courts. This includes decisions on the designation of gatekeepers, as well as decisions relating to non-compliance including fines and periodic penalty payments. As noted above, to date Apple, ByteDance and Meta have appealed designation decisions, and ByteDance applied (unsuccessfully) for interim measures on the same.

National courts will have a role in enforcement of the DMA where, as noted above, a litigant brings a private enforcement action.

How does the DMA affect existing competition law?

The DMA is without prejudice to EU and national competition law, meaning that both the Commission and national competition authorities remain free to conduct competition law investigations.

There is an overlap between some of the DMA prohibitions/obligations and existing EU and national competition law. During a recent speech, Competition Commissioner Margrethe Vestager underscored that "the DMA and antitrust enforcement are complementary", emphasising also that "because every conduct cannot fall into the DMA's neatly defined prohibitions, antitrust enforcement will continue to break new grounds".

However, in some situations, the Commission (and private litigants) may find it easier to bring cases under the DMA than existing competition law, and therefore the DMA may become the favoured route to address some behaviour by gatekeepers.

How is the DMA "future proofed" against rapid changes in digital markets?

The Commission can review and update the obligations/prohibitions in the DMA through delegated acts, and can propose to the EU legislators that amendment be made to the list of CPSs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.