On October 12, 2022, the Digital Markets Act (DMA) was published in the Official Journal of the EU, thereby creating a new framework for regulating the European Union’s digital market.[1] The DMA seeks to prohibit certain unfair business practices by establishing rules and obligations for entities known as “gatekeepers,” which are large online platforms whose services have a significant impact on the EU internal market.[2]
The DMA works in conjunction with its sibling law, the Digital Services Act (DSA), to create an online environment designed to protect the fundamental rights of users and to establish a level playing field for economic growth.
However, the DMA — like the DSA and the General Data Protection Regulation (GDPR) — can apply internationally to companies based outside of the EU, so all large online platforms should be aware of what the DMA could mean for businesses that qualify as gatekeepers.
Background
On December 15, 2020, the DMA was proposed by the European Commission to the European Parliament and to the Council of the EU, alongside the DSA.[3] The DMA and the DSA seek to actualize Ursula von der Leyen’s call to regulate the EU’s digital market, thereby upgrading the liability, safety, and fairness of digital platforms.[4]
On March 24, 2022 — after years of negotiations — the Parliament, the Council, and the Commission reached a consensus on key provisions, including the interoperability provisions for large messaging platforms and noncompliance penalties.[5] The text of the DMA was then made public on May 22, 2022.[6]
From there, the DMA moved swiftly through the legislative process: on July 5, Parliament formally adopted it;[7] on July 19, the Council formally adopted it;[8] on September 14, the DMA was signed into law;[9] and on October 12, the adopted text was published in the Official Journal of the European Union, thereby setting it to come into force twenty days later.[10]
To whom does the DMA apply?
The DMA applies to “gatekeepers” that provide or offer “core platform services” to users in the Union, irrespective of whether the gatekeeper is located or established in the EU.
A “core platform service” is broadly defined to include a wide range of Internet infrastructure and services, including:
- Online search engines;
- Online social networking services;
- Video-sharing platform services;
- Operating systems;
- Web browsers;
- Cloud computer services;
- Online advertising services;
- And more.
Given how broadly the DMA defines core platform services, the core question for most entities is whether their services reach enough EU individuals to establish them as a gatekeeper under the law.
A “gatekeeper” is an entity that meets all of the following:
Statutory criteria: | Presumed satisfied if: |
|
|
|
|
|
|
The DMA puts the onus on companies and other entities to determine for themselves whether they satisfy the above requirements to be labeled a gatekeeper under the law. If an entity makes such a determination, they must notify the European Commission within two months after the thresholds are met. However, even if an entity fails to make such a notification, the Commission can determine for itself whether an entity is a gatekeeper.
Can the Digital Markets Act apply to entities outside of the EU?
Yes.
The DMA applies to any gatekeeper that provides or offers core platform services to users in the Union, irrespective of whether the gatekeeper is located or established in the EU.
However, providing or offering a core platform service is not sufficient in itself to establish an online platform as a covered gatekeeper. The online platform must satisfy all three of the bullet points above. And as the explanatory presumptions for each bullet demonstrate, the online platform must have a substantial number of EU users (e.g., 45 million monthly active end users in the EU).
Thus, online platforms must be vigilant in monitoring the number of monthly users in the EU, because qualifying as a gatekeeper appears to hinge on the platform’s userbase reach. Of course, tracking this data must be done appropriately and with careful consideration, given that the online platform would also have to comply with the GDPR’s data minimization and purpose principles.
Does the DMA treat all gatekeepers equally?
No.
The DMA prescribes a number of prohibitive and mandatory actions on all gatekeepers. These include:
- Not combining personal data from the core platform service with personal data from any other core platform services, any other services provided by the gatekeeper, or with personal data from third-party services (Art. 5(2)(b)).
- Not requiring users to sign in to other services in order to combine personal data (Art. 5(2)(d)).
- Allowing business users, free of charge, to promote their offers and conclude contracts with customers outside the gatekeeper’s platform (Art. 5(4)).
- Providing companies advertising on the platform with the daily information, free of charge, concerning each advertisement placed on the core platform (Art. 5(9)-(10)).
However, per Article 8, some obligations are subject to specification. The Commission, either on its own initiative or based on a submission by a gatekeeper, can open a procedure that will lead to the Commission specifying some measures that the gatekeeper must adopt in order to effectively comply with the DMA. The provisions subject to specification are found in Articles 6 and 7, and they include:
- Allowing third parties to interoperate with the gatekeeper’s own services in certain situations (Art. 6(7)).
- Allowing business users to access the data they generate in their use of the gatekeeper’s platform (Art. 6(10)).
- Providing companies advertising on the platform with the tools necessary for advertisers and publishers to carry out their own independent verification of advertisements hosted by the gatekeeper (Art. 6(8)).
- Not preventing users from uninstalling any pre-installed software or app, if they wish to (Art. 6(3)).
- Not treating services and products offered by the gatekeeper itself more favorably in ranking than similar services or products offered by third parties on the gatekeeper’s platform (Art. 6(5)).
- Not preventing consumers from linking up to businesses outside their platforms (Art. 6(6)).
This means that, while all gatekeepers must adhere with the DMA’s obligations, some gatekeepers may have specific instructions on how to satisfy the requirements within the context of that gatekeeper’s unique situation.
Are the enforcement penalties harsher than the GDPR?
Yes.
Under the DMA, if the gatekeeper intentionally or negligently fails to comply with certain requirements, the Commission may impose a fine of up to 10% of the gatekeeper’s worldwide turnover in the preceding financial year. By contrast, GDPR violations can result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher.
And it’s worth recalling that gatekeepers are, by definition, extremely large companies serving multi-millions of users, so the company’s annual worldwide turnover would presumably be large as well.
What are the next steps for the DMA?
Within two months of May 2023, companies providing core platform services must notify the Commission and provide all relevant information for determining whether the company qualifies as a gatekeeper. The Commission will then have two months to decide whether to make such a designation. If a company is deemed a gatekeeper, the company will have six months to comply with the DMA’s rules and obligations.
[1] https://www.skadden.com/insights/publications/2022/10/eu-digital-markets-act-enters-into-force
[2] https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en
[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0842
[4] https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
[5] https://www.engadget.com/europe-digital-markets-act-005742387.html
[6] https://www.consilium.europa.eu/en/press/press-releases/2022/03/25/council-and-european-parliament-reach-agreement-on-the-digital-markets-act/
[7] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment
[8] https://www.consilium.europa.eu/en/press/press-releases/2022/07/18/dma-council-gives-final-approval-to-new-rules-for-fair-competition-online/
[9] https://twitter.com/EP_SingleMarket/status/1570062248961363969
[10] https://www.consumerprivacyworld.com/2022/10/dma-eu-publishes-the-new-digital-markets-act/