As the name implies, the DMA is targeted at large online platforms including those platforms that both consumers and businesses interact with and use on a daily basis including search engines, social networks, online advertising tech providers, cloud computing, and online messaging.
Globally, including in both the US and the EU, legislators and government bodies have raised concerns that large online platforms are able to “gatekeep” and engage in anti-competitive behavior negatively impacting both daily consumer life as well as businesses’ ability to operate. The DMA is the EU’s effort to open up a fairer online marketplace.
The DMA does not come alone. As noted in our previous alert, the DMA has been developed in close alignment with the Digital Services Act (“DSA”), together forming the “Digital Services Package”. The DSA applies to “digital services,” which broadly include intermediary services, hosting services, online platforms, and very large platforms. Once implemented and effective in January 2024, the DSA will set the standard for requirements related to fairness, transparency, and responsibility that online services must comply with. Related, the DMA focuses on regulating anti-competitive and monopolistic behavior in the technology and online platform (digital and mobile) industries. The DMA is on the forefront of a trend globally of looking to antitrust legislation as a way to regulate technology companies and online services.
On top of anti-competition rules and prohibitions, the DMA also further places personal data processing and data minimization principles on in-scope entities.
Some of the most important aspects of the DMA are that it will require—among many requirements—in-scope businesses to (1) allow end-users to unsubscribe from the online service just as easily as it is to sign up; (2) obtain consent from end-users if the in-scope business is tracking end-users outside of the actual online service for purposes of targeted advertising; and (3) allow third-party apps and app stores to interoperate with the businesses online service (e.g., can no longer require users to only use the in-scope business apps and app stores).
With the DMA officially adopted, below are some essential insights to help impacted entities prepare for the legislation’s implementation.
Who Does the DMA Impact?
Although the DMA is a component of the EU’s broad regulation of online platforms, it will only impose obligations on a small number of very large online platforms that act as “Gatekeepers”. This contrasts with the DSA, which will likely apply to a broader swatch of businesses operating online.
These Gatekeepers—under the DMA—are core online platforms, such as online search engines, marketplaces, and social networks, that offer gateway services between consumers and businesses that have become indispensable to thousands of businesses and millions of users. Some of those platforms exercise control over whole platform ecosystems in the digital economy and are structurally difficult to challenge or contest by existing or new market operators, irrespective of how innovative and efficient those market operators may be. As a result, the likelihood increases that the underlying markets do not function efficiently with respect to these entities.
Thus, the intent of the DMA (according to the EU governing bodies) is aimed at regulating these largely uncontestable platforms to circumvent such market failures, while also opening up the markets for broader competition to the benefit of businesses and consumers.
To qualify as a Gatekeeper, a company must fit within the DMA’s narrowly defined, quantitative, objective criteria. To achieve “Gatekeeper status” the company must meet the following:
(1) Significant impact on the internal market. The company must have an EU annual turnover above €7.5 billion, a market capitalization over €75 billion, and it must provide the same core platform service in at least three Member States;
(2) Provide a core platform service for business users to reach end users. The company must have at least forty-five (45) million active monthly end-users and ten thousand (10,000) yearly business users in the EU; and
(3) Durable and stable position in the market. The company must have an entrenched and durable position in the market, meaning that it is stable over time if the company met the criteria in point (2) above in each of the last three (3) financial years.
Platforms and businesses that meet these criteria are presumed to be a Gatekeeper and are required to inform the European Commission within two (2) months of meeting the thresholds. The Commission then designates the company as a Gatekeeper unless the company provides compelling evidence to the contrary. The Gatekeeper status is then re-evaluated every three (3) years.
Obligations and Restrictions
The DMA establishes obligations for Gatekeepers and outlines what Gatekeepers may no longer do.
The bulk of the DMA’s regulatory requirements revolve around allowing other businesses to promote their online offerings more easily to end-users on the Gatekeeper platforms and allowing end-users to access other—similar—online services and offerings from third-party businesses through the Gatekeeper’s platforms. It essentially boils down to requiring Gatekeepers to allow more direct access and communication between third-party businesses and consumers.
For example, the DMA obligates Gatekeepers to (i) allow third parties to interoperate with the Gatekeeper’s own services in certain situations, (ii) allow their business users to access the data that they generate in their use of the Gatekeeper’s platform, (iii) provide companies advertising on their platform with the tools and information necessary for advertisers and publishers to carry out their own independent verification of their advertisements hosted by the gatekeeper, and (iv) allow their business users to promote their offer and conclude contracts with their customers outside the Gatekeeper’s platform.
Alternatively, Gatekeepers may no longer (i) treat services and products offered by the Gatekeeper itself more favorably in ranking than similar services or products offered by third parties on the Gatekeeper’s platform, (ii) prevent consumers from linking up to businesses outside their platforms, (iii) prevent users from un-installing any pre-installed software or app, and (iv) track end users outside of the Gatekeeper’s core platform service for the purpose of targeted advertising, without effective consent.
Impact on Online Advertising
Importantly, the DMA also implements personal data and tracking-related regulations that closely align with the EU’s data collection principles originally set forth in the General Data Protection Regulation (“GDPR”).
Without obtaining an end-user’s specific consent, Gatekeepers are prohibited from (i) processing personal data for advertising purposes if the personal data comes from an end user’s interactions with a third party using the Gatekeeper’s online platform or service (e.g., the end-user has no direct connection to the Gatekeeper); (ii) combining personal data obtained from one core online platform service with the personal data obtained from third party services; (iii) using personal data obtained through one of the Gatekeeper’s core online platforms or services in the Gatekeeper’s other online platforms or services; and (iv) signing in end users to other services the Gatekeeper provides for the purpose of combining personal data.
The above prohibitions and consent requirements tie into the GDPR’s principle of data minimization—using the minimum amount of personal data and only for the purpose of which a business has informed the end-user.
Gatekeepers will need to build out consent mechanisms and procedures if they hope to continue the above data collection and processing practices for their own purposes and as a part of the services, they provide third parties (e.g., advertising and analytic services).
The European Commission, supported by the national competition authorities, will carry out enforcement of the DMA. The Commission will have the sole authority to initiate proceedings and make infringement decisions. The DMA sets maximum fines based on a percentage of a company’s global annual turnover. If a Gatekeeper fails to adhere to the requirements in the DMA, the Commission can impose fines of up to 10% of the company’s total global annual turnover, and up to 20% for repeated infringements. Additionally, the Commission can impose periodic penalty payments of up to 5% of the Gatekeeper’s average daily turnover. In the case of systematic infringements of the DMA obligations, the Commission also has the authority to impose additional remedies necessary to achieve compliance. These remedies can include behavioral and structural remedies such as the forced sale of parts of the business, or a prohibition on the acquisition of other companies in the digital sector, but in any case, must be proportionate to the offense committed.
The DMA will be applicable as of May 2023. This gives potentially affected entities roughly six (6) months to assess their Gatekeeper status and jump-start their compliance efforts. Once in effect, the DMA aims to provide a fairer online business environment and intends to create new opportunities for innovators and technology start-ups to compete in the online platform environment without having to comply with unfair terms and conditions limiting their development. Lastly, the DMA anticipates that consumers will have more and better services to choose from, more opportunities to switch their providers, direct access to services, and fairer prices. Put simply, the DMA plans to prevent Gatekeepers from using unfair practices toward the businesses and customers that depend on them to gain an undue market advantage.