Digital Markets Act: Developments since its proposal
Following the European Commission’s initial proposal of the Digital Markets Act (DMA) in December 2020, its adoption by the European Parliament in March 2022 and the entry into force on November 1, 2022, the DMA will finally apply from May 2, 2023. The DMA contains a list of obligations and prohibitions, subject to fines, that core platform services (CPS) provided by so-called gatekeepers must comply with in their daily operations. CPS should therefore be assessed at an early stage regarding whether or not they fall within the scope of regulation of the DMA.
As is set out in the following, the DMA poses significant business challenges for (potential)
gatekeepers, which should be addressed in a legally sound, comprehensive and systematic manner in order to prevent disruptions to the relevant businesses.
What does the DMA regulate?
The DMA is part of the European Digital Strategy, which aims to prevent gatekeepers from imposing unfair conditions on businesses and consumers and to ensure that key digital markets, in particular those to which gatekeepers could potentially leverage their market power, remain open for competition. The DMA complements the Digital Services Act, the planned Data Act, the Data Governance Act and other existing EU legislation such as the GDPR, the P2B Regulation or the Digital Content Directive.
To which undertakings does the DMA apply?
The DMA applies to the core platform services (CPS) of gatekeepers operating in the digital economy across sectors to the extent they supply its services to commercial or to private end users established or residing in the European Union.
The DMA identifies 10 types of CPS in the digital economy:
- Online intermediation services,
- Online search engines,
- Online social networking services,
- Video sharing platform services,
- Number-independent interpersonal communication services,
- Operating Systems,
- Web browsers,
- Virtual assistants,
- Cloud computing services, and
- Advertising services
However, a platform providing a CPS is not automatically considered as a gatekeeper within the meaning of the DMA. To become an addressee of the DMA regulation requires explicit designation by the European Commission:
For the purposes of the DMA, a company will be designated as a gatekeeper if it (i) has a significant impact on the internal market, (ii) provides a CPS that serves as an important gateway to end users for commercial users, and (iii) has an established and lasting position with respect to its activities or is likely to acquire such a position in the near future.
An undertaking shall be presumed to
(i) have a significant impact on the internal market if it has achieved in each of the last three financial years an annual turnover within the Union of at least EUR 7,5 billion or has an average market capitalisation or equivalent market value of at least EUR 75 billion in the last financial year and provides the same CPS in at least three EU Member States;
(ii) provide a CPS that serves as an important gateway to end users for commercial users where it provides a CPS which in the last financial year had at least 45 million monthly active end users established or resident in the Union and at least 10.000 annual active business users established in the Union, identified and calculated in accordance with the methodology and indicators set out in the Annex to the DMA;
(iii) have an established and lasting position if the thresholds set out in (ii) above have been met in each of the three preceding financial years.
What follows from designation as a gatekeeper?
Once designated as a gatekeeper, several extensive substantive obligations will apply to the relevant undertaking. The vast majority of obligations and prohibitions (Arts. 5, 6, and 7 DMA) must then be complied with no later than 6 months after designation.
For instance, the DMA includes the following obligations:
Restrictions on gatekeepers’ use of personal data of end users:
A gatekeeper shall not
(a) process, for advertising purposes, the personal data of end users using third-party services that use the gatekeeper’s CPS unless the end user has consented,
(b) combine personal data from its CPS with personal data from any other gatekeeper-provided services or third-party services,
(c) cross-use personal data from its CPS in other gatekeeper-provided services and vice-versa, and
(d) sign-in end users to other gatekeeper-provided services in order to combine personal data.
A gatekeeper shall not prevent business users from offering their goods or services available to end users on other third party platforms or through their own direct online sales channels at prices or on terms, which are different from those offered through the online intermediation services of the gatekeeper.
A gatekeeper must allow business users to contact, promote offers to, and contract with end users through the gatekeeper or other channels, free of charge.
Access to or registration with any of the gatekeeper’s CPS must not be made conditional to the use of the gatekeeper’s other CPS.
The gatekeeper shall not require end-users to use, or business users to offer or interoperate with, any identification service, web browser engine or payment service, or technical services supporting the provision of payment services, such as payment systems for in-app purchases, of that gatekeeper in the context of services provided by business users using that gatekeeper’s CPS.
Gatekeepers are prohibited from self-preferencing their own services over those of third parties, i.e. they must apply transparent, fair and non-discriminatory terms to the ranking and related indexing of all offered services and products.
A number-independent interpersonal communications service operated by a gatekeeper must provide an interoperability interface to other services.
Gatekeepers must appoint independent compliance officers to ensure that the gatekeeper complies with the DMA.
What should potential gatekeepers do next?
Companies should assess whether they meet the thresholds for the classification of gatekeepers. From 2 May 2023, potential gatekeepers will then have two months (until 3 July 2023 at the latest) to notify the European Commission whether their CPS exceed the quantitative thresholds.
In this context, the undertaking providing CPS will have the possibility to provide, in its notification, duly substantiated arguments that it does not fulfil the requirements of a gatekeeper, even though it may meet the relevant thresholds.
Once the Commission has received the complete notification, it will have 45 working days to assess whether the undertaking in question meets the criteria of a gatekeeper or not. The Commission will then designate as “gatekeepers” those companies which meet the thresholds of the DMA on the basis of information provided by the companies themselves and / or following a market investigation.
Within six months of being designated as a “gatekeeper”, a company must then comply with the obligations set out in the DMA.
What are the risks of fines?
Failure to comply with one of the many new obligations can result in severe penalties for the platform operator concerned. For example, where a (potential) gatekeeper negligently or intentionally fails to comply with an obligation under Arts. 5, 6 or 7 DMA, the Commission may impose fines of up to 10% of the total worldwide turnover of the gatekeeper in the preceding financial year.
In addition, if the (potential) gatekeeper commits an identical or similar infringement of an obligation under Arts. 5, 6 or 7 DMA within the preceding eight years, the Commission may impose fines on the gatekeeper of up to 20% of its total worldwide turnover in the preceding financial year.