The EU Digital Markets Act – The Holy Grail of Big Tech Regulation?
On July 18, 2022, the European Council formally adopted the “Regulation on contestable and fair markets in the digital sector”, also referred to as the “Digital Markets Act” or “DMA”. This marks the final step for this new legislation to come to life. The DMA comes with high hopes and aspirations. The EU Commission’s Executive Vice President Margrethe Vestager described it as a “global movement”, and she wishes that the EU’s “take on [digital markets] will inspire all over the planet”. In fact, there is already other legislation aimed specifically at Big Tech companies and their market conduct, but the DMA is the first pan-European initiative to do so. We describe its key elements and give an outlook on the further implementation.
The DMA is not a piece of competition legislation, but part of the EU’s framework of regulatory laws. It follows a two-step approach. First, the DMA sets certain criteria to identify “gatekeeper” companies. Second, it sets specific rules for the “core platform services” of those gatekeepers. The DMA thereby provides for a framework of specific behavioral obligations targeted to a limited number of addressees and use cases. Those obligations are self-executing, i.e., they do not require further activation by any regulator. And, being drafted as an EU Regulation (not as a Directive), the DMA also requires no further implementation into Member State law. Subject to certain transition periods (see below), the DMA will hence take immediate effect once finally adopted.
The DMA applies to designated “core platform services” offered by “gatekeepers”.
The DMA includes a list of 10 “core platform services”:
Services not listed as “core platform services” are out of scope of the DMA, even if they are provided by a company that meets the “gatekeeper” criteria.
The DMA only applies to “gatekeepers”.
Gatekeepers are defined as (i) having a significant impact on the EU’s internal market, (ii) providing a core platform service which is an important gateway for business users to reach end users, and (iii) enjoying an entrenched and durable position in their operations either now or in the foreseeable future.
Further to this rather general definition, the DMA provides certain presumptions for the gatekeeper definition to be satisfied. Those presumptions largely relate to the size of the relevant undertaking. An undertaking shall meet the gatekeeper criteria if it had (i) an EU-wide turnover of at least EUR 7.5 billion in each of the last three financial years, or (ii) a market capitalization of at least EUR 75 billion in the last financial year, and if it has (iii) at least 45 million monthly active end-users and at least 10,000 business users in the EU for at least one core platform service in the last financial year.
Once a company (or group of companies) meets the gatekeeper criteria, it must come forward and notify the Commission accordingly. The notice must be given no later than two months after the relevant thresholds are met. The Commission will then review the facts presented and issue a decision to formally designate the gatekeeper status. This shall happen without undue delay and at the latest 45 working days after receiving the complete submission from the gatekeeper company. In this designation decision, the Commission will also specify which core platform services (one or more) of the relevant gatekeeper shall actually be subject to the DMA’s obligations.
Following certain transition periods (see #9 below), 13 positive obligations and nine prohibitions will apply to gatekeeper companies and their respective core platform services.
While some obligations apply to all types of core platform services, others affect only a specific kind of services (e.g., only search engines). All obligations are self-enforcing, but they are split between a “black list” (Article 5) and a “grey list” (Article 6). While the “black list” obligations take immediate effect, the ones on the “grey list” first allow for a regulatory dialogue. Here the Commission can open a proceeding to determine whether the gatekeeper complies with the relevant obligations, and within six months specify the measures needed to comply with these obligations. The gatekeeper can request such a procedure to verify that its measures comply. This specification mechanism does not exist for obligations on the “black list”.
The key obligations include:
Prima facie, the DMA’s substantive obligations are self-executing. Gatekeeper companies must comply with the relevant provisions that govern their relevant core platform services without any further involvement from a regulator. However, regulatory enforcement will become an issue where a gatekeeper is found not to comply with any of the DMA’s obligations, either in full or in part.
After quite a political struggle, the Commission emerged from the trilogue discussions as the “sole enforcer” of the DMA. Member State authorities will not play an active role in enforcing the DMA, an outcome not much to their liking (the German Bundeskartellamt had been particularly vocal in that regard). Their part is limited to supporting the Commission’s investigations, in particular during the information-gathering phase.
Non-compliance with the DMA’s obligations can be sanctioned with regulatory decisions, depending on the nature of the violation at hand:
The Commission may also impose fines for non-compliance with the DMA’s substantive obligations or with behavioral remedies or commitments made by the gatekeeper. The fine can amount to up to 10% of the gatekeeper’s worldwide annual group turnover. It can be even up to 20% in case of repeat offenders, i.e., where, within a period of eight years, the Commission finds that the gatekeeper violated the same or similar obligations relating to the same core platform service for the second time. Furthermore, if a gatekeeper fails to comply with certain reporting and transparency obligations, such as notifying its gatekeeper status to the Commission, this can result in fines of up to 1% of its total worldwide annual turnover.
In addition, the DMA is subject to private enforcement. Competitors, suppliers, or customers of a gatekeeper company can bring action in Member States’ civil courts seeking injunctive relief and potentially also damages. For example, this could result in anti-discrimination claims where a third party accuses a gatekeeper of preferencing its own offerings. To the extent allowed by Member State civil procedural laws, this may also include class-action-type proceedings, brought, for example, by consumer rights organizations.
Despite the urging of some political stakeholders, including some Member State competition authorities, the DMA does not provide for any limitations on “killer acquisitions” by gatekeeper companies. Nevertheless, there are still some ramifications on gatekeeper M&A activity:
The DMA is without prejudice to the application of EU competition law, i.e., Articles 101 and 102 TFEU. Also, in relation to gatekeeper companies, the DMA will not replace legacy competition law, but rather supplement it. Or, as EU Commissioner Margrethe Vestager put it when presenting the DMA: “The two approaches are complementary—both will remain necessary. […] No one should expect the new regulatory instrument to replace Article 101 and 102 enforcement actions.” In fact, many DMA obligations are modelled after cases where the Commission thus far has applied legacy competition law.
Discussions about regulating Big Tech do not only take place at the pan-European level. Several EU Member States have already taken their own steps in that respect. In January 2021, for example, Germany enacted an amendment to its national competition act. It addresses “undertakings with paramount significance for competition across markets” with obligations that largely resemble those under the DMA.
The DMA now governs its own interplay with such Member State laws:
Depending on the qualification of relevant Member State laws as regulatory or competition law, this leaves either no room at all for such laws to co-exist with the DMA, or only limited room around the edges of the DMA’s scope.
To the extent the DMA does leave any room at all for Member State laws to apply to gatekeepers (see above), some limitations still apply:
Following its formal adoption by the EU institutions, the DMA will now be published in the EU’s Official Journal and enter into force 20 days thereafter. However, it will likely not take full effect before mid-2024. First, there is a six-month transition period before most of the DMA’s provisions will actually apply. If a company meets the gatekeeper thresholds, it will then have another two months to notify the Commission accordingly. Following such notification, the Commission has 45 working days to decide on the company’s gatekeeper designation. And, once the designation decision is in place, the affected gatekeeper will have another six months for its designated core platform services to comply with the DMA’s substantive provisions.
The DMA sets the scene for a new era of European tech regulation. It will have an immediate impact on any company that offers at least one core platform service in the EU and meets the gatekeeper criteria. Those companies are facing substantial organizational and operational challenges to ensure compliance with the new rules. But the DMA’s impact goes beyond its immediate addressees. Customers, suppliers, and competitors of the relevant gatekeeper companies may want to use the DMA’s provisions to their own advantage, for example by raising data access or anti-discrimination claims. Nevertheless, considering the different grace periods until the DMA takes full effect, but also its broad use of unspecified legal terms, it will still take some time until many of the DMA’s substantive obligations are fully fleshed out.