Gatekeeper designation
The DMA imposes a detailed set of obligations and restrictions on companies designated as “gatekeepers”. To qualify as a gatekeeper, a business must meet the following criteria:
- The business must provide at least one so-called core platform service – the types of core platform services are enumerated in the DMA and include (a) online intermediation services; (b) online search engines; (c) online social network services; (d) video-sharing platform services; (e) number-independent interpersonal communication services; (f) operating systems; (g) web browsers; (h) virtual assistants; (i) cloud computing services; and (j) online advertising services, including advertising networks, exchanges and intermediation services, provided by an undertaking that provides any of the core platform services listed in (a) to (i).
Two of these services (web browsers and virtual assistants) were added to the list only at the end of the legislative process, reflecting recent findings in the EC’s sector inquiry into the consumer Internet of Things. Notably, the same company can be identified as the gatekeeper for several core platform services.
- Services are offered by a platform company that has a significant impact on the EU internal market – this is presumed where the platform company (a) has EU-wide group turnover of at least €7.5 billion in each of the last three financial years, or an average market capitalisation or equivalent fair market value of at least €75 billion in the last financial year; and (b) provides the same core platform service in at least three member states.
- The core platform service is an important gateway for business users to reach final consumers – this is presumed where the company operates a core platform service that, in the last financial year, had at least 45 million monthly active end users established or located in the EU, and at least 10,000 yearly active business users established in the EU. The DMA’s annex provides guidelines on how to identify and calculate end users and business users for each type of core platform service.
- The platform provider enjoys an entrenched and durable position in its operations or it is foreseeable that it will enjoy such position in the near future – this is presumed where the company met the thresholds under paragraph 3 above in each of the last three financial years. Where a platform provider does not yet enjoy such a position today, but will foreseeably enjoy such a position in the near future, the EC may apply a sub-set of the general obligations (see below) to the gatekeeper to ensure that the business concerned does not achieve an entrenched and durable position in its operations by unfair means.
Even if these thresholds are met, a business can present “sufficiently substantiated arguments” to demonstrate that – due to the circumstances in which the relevant core platform operates and based on qualitative criteria – it is, exceptionally, not to be qualified as a gatekeeper. This poses a significant burden of proof on platform providers, and it is likely to be a highly disputed issue in many gatekeeper designation processes before the EC. Conversely, if these thresholds are not exceeded, the EC can still assign gatekeeper status to platform providers based on an overall qualitative assessment following a market investigation.
Relevant qualitative criteria include (i) the size of the provider of core platforms services (in terms of turnover, market capitalisation, operations and position); (ii) the number of business users using the service to reach end users and the number of end users; (iii) network effects and data driven advantages, in particular in relation to the provider’s access to and collection of personal and non-personal data or analytics capabilities; (iv) scale and scope effects the provider benefits from (including with respect to data and, where relevant, its activities outside the EU); (v) business user or end user lock-in (including switching costs and behavioural bias that reduce the ability of business users and end users to switch or multi-home); (vi) a conglomerate corporate structure or vertical integration of a provider that, for instance, enables it to cross-subsidise, combine data from different sources or leverage its position; or (vii) other structural business or service characteristics.
Obligations (do’s and don’ts) for gatekeepers
Companies designated as gatekeepers must comply with a wide range of obligations (Do’s and Don’ts) under the DMA (Articles 5 to 7) that are designed to prevent gatekeepers from imposing unfair conditions on businesses and consumers and ensure the openness of important digital services in the EU.
The Do’s and Don’ts apply from six months of gatekeeper designation and relate to the following aspects:
- No combination of personal data without user consent (Art. 5(2)). Absent express user consent, gatekeepers are prevented from (i) processing the personal data of end users using third-party services that make use of a gatekeeper’s core platform service for the purpose of providing online advertisement services; (ii) combining or cross-using personal data from one of the gatekeeper’s core platform services with personal data obtained by other relevant services; and (iii) signing end users to other services of the gatekeeper in order to combine their personal data. Data processing may be justified, for instance, to comply with other laws, to protect users or to perform a task carried out in the public interest or exercise of official authority.
- No most-favoured-nation (MFN) clauses (Art. 5(3)). Online intermediation services (e.g., online marketplaces and app stores) must not prevent their business users from offering the same products or services to end users at different prices or on different terms on other platforms and their own websites.
- Obligations to enable customer choice and switching (Art. 5(4) and (5)). Gatekeepers must not restrict business users (including app developers) from promoting (free-of-charge) offers to and concluding contracts with end users that are acquired via the gatekeeper’s platform or other channels. Conversely, end users must be allowed to access content, subscriptions, features or other items though the gatekeeper’s core platform service by using the software application of a business user.
- Business users and end users must remain free to raise issues with authorities and courts (Art. 5(6)). Gatekeepers may not restrict business users or end users from bringing to the attention of a public authority or court any issue of non-compliance of any gatekeeper practice with the relevant EU or national law. Businesses and gatekeepers retain the right to lay down in their agreements the terms of use of lawful complaint-handling mechanisms.
- No tying with gatekeeper’s identification and/or payment services and/or web browser engines (Art. 5(7)). Gatekeepers must not require business users or end users to use an identification service, a web browser engine, a payment service or technical services that support the provision of the gatekeeper’s payment services (e.g., payment systems for in-app purchases) in the context of services provided by business users using the gatekeeper’s core platform services.
- No bundling of platform subscriptions or registrations (Art. 5(8)). It is prohibited for gatekeepers to require business users or end users to subscribe to, or register with, a core platform service as a condition for being able to use, access, subscribe to or register with any of the gatekeeper’s other core platform services.
- Transparency obligations towards advertisers and publishers (Art. 5(9) and (10), Art. 6(8)). Gatekeepers must disclose pricing information, remuneration data and the metrics on the basis of which prices and remuneration are calculated to advertisers and publishers upon their request and on a daily basis, free of charge. In addition, a gatekeeper is required to provide advertisers and publishers with free access to its performance measuring tools and the data necessary for them to carry out their own independent verification of their advertisement inventories.
- Use of data to compete (Art. 6(2)). Gatekeepers are prohibited from using non-publicly available data generated or provided by business users on its core platform services or the customers of those business users, to compete with those business users.
- Obligations to permit app uninstallation and change of default settings (Art. 6(3)). Gatekeepers must allow and technically enable end users to uninstall any apps from the gatekeepers’ operating system, but have the possibility to restrict uninstallation where this is essential for the functioning of the operating system or relevant device and cannot technically be offered on a standalone basis. Gatekeepers must also enable end users to easily change default settings on the operating system, virtual assistant and web browsers of the gatekeeper, including by way of a choice screen.
- Enabling installation of third-party apps and app stores (Art. 6(4). Gatekeepers must allow and technically enable the download, installation and effective use of third-party apps and app stores on their operating system. These apps and app stores must be accessible by means other than the gatekeeper’s core platform service. Gatekeepers must not prevent the app or app store from prompting end users to decide whether they want to set that app or app store as their default.
- No self-preferencing (Art. 6(5)). Gatekeepers must not treat their own services or products more favourably than similar third-party services or products in search rankings and related indexing and crawling.
- No restrictions on switching or multi-homing (Art. 6(6)). Gatekeepers must not restrict the ability of end users to switch or multi-home across different apps and services that are accessed through the core platform service.
- Interoperability for operating systems and virtual assistants (Art. 6(7)). Gatekeepers must allow third-party hardware and software providers, free of charge, effective interoperability with and access to the same hardware and software features accessed or controlled via the gatekeeper’s operating system and virtual assistant. In turn, gatekeepers are permitted to take strictly necessary and proportionate measures to ensure that interoperability does not compromise the integrity of the gatekeeper’s operating system, virtual assistant, hardware or software features.
- Data portability for end users (Art. 6(9)). Gatekeepers must provide end users, upon request and free of charge, with the effective portability of data (including personal data) they have provided or generated in the context of the use of the relevant core platform service to other platforms and to provide (free) tools to facilitate such portability effectively.
- Data access for business users (Art. 6(10)). Gatekeepers are required to provide business users (and third parties authorised by them), upon request and free of charge, with effective, high-quality, continuous and real-time access to data (including personal data) on their use of the relevant core platform services and the end users engaging with their products and services.
- Sharing of search data (Art. 6(11)). Online search engine gatekeepers are required to share anonymised ranking, query, click and review data for both free and paid search results with competing search engines, upon request and on fair, reasonable and non-discriminatory terms.
- Fair access to app stores, search engines and social networking services (Art. 6(12)). Gatekeepers must provide business users (including app developers) with fair, reasonable and non-discriminatory access to the gatekeepers’ app stores, online search engines and online social networking services designated as core platform services. Recital 62 of the DMA emphasises that this obligation does not establish an access right.
- Proportionate conditions for termination of use (Art. 6(13)). Gatekeepers must not have general conditions for terminating the provision of a core platform service that are disproportionate. They must also ensure that conditions for termination can be exercised without undue difficulty.
- Obligation to enable interoperability of messenger services (Art. 7). Upon request and free of charge, gatekeepers are required to make the basic functionalities of their messaging services interoperable with rival services. The scope of the obligation is designed to expand over time. Following gatekeeper designation, the obligation is limited to messaging and sharing of images, voice messages, videos and other attached files between two end users. Within two years of designation, it will expand to messaging and sharing in groups, and it will further expand to voice and video calls between two end users and in groups within four years of designation.
The above obligations on gatekeepers fall into two categories, namely (i) obligations that apply outright and where the EC ensures compliance via sanctions; and (ii) those obligations (Articles 6 and 7 above) where – in addition to sanctions – the EC can specify the concrete measures that the gatekeeper must implement to ensure effective compliance. The latter include, in particular, obligations relating to data access, interoperability, data portability and the use of data from business users in competing activities (see above). Specifying such implementation measures can be technically complex and the measures will vary depending on the type of core platform services offered by a gatekeeper. The EC is planning to publish related guidance in early 2023 (see below).
Ancillary obligations require designated gatekeepers (i) to report, within six months of gatekeeper designation, the measures they have implemented to ensure compliance with the above obligations and to submit an independently audited description of any techniques for profiling of consumers that they apply to the relevant platform services; (ii) to inform the EC of all concentrations (including acquisitions of sole or joint control over other businesses, joint ventures and mergers) involving businesses providing services in the digital sector, or enabling the collection of data; (iii) to introduce a compliance function that is independent from the gatekeeper’s operational functions; and (iv) not to circumvent the DMA rules.
Enforcement of the DMA
- Investigative/enforcement powers – the EC has the exclusive, centralised competence to enforce the DMA in the EU, in cooperation and close coordination with national competition authorities and courts in the EU. The EC’s far-reaching investigative powers (similar to the ones under EU antitrust rules) include the power to request or require information and data (including access to databases and algorithms), carry out interviews and take statements, conduct unannounced inspections (dawn raids) and, in case of urgency, impose interim measures.
- Fines and remedies – the EC can impose (i) fines of up to 10 per cent of the gatekeeper’s group turnover or 20 per cent, in case of repeated infringements (subject to a five-year limitation period); and (ii) behavioural or structural remedies in cases of systematic non-compliance (meaning at least three incidents of non-compliance decisions in the last eight years) that are proportionate and necessary to ensure effective compliance. The EC can also impose periodic penalty payments in certain circumstances.
- Appeals – the DMA explicitly provides that all enforcement decisions imposing fines or periodic penalty payments are subject to the unlimited jurisdiction of the Court of Justice of the EU under Article 261 of the Treaty on the Functioning of the European Union (TFEU), which grants the court the power to substitute their own appraisal for that of the EC and also to reduce or increase the fine or penalty payment imposed. Although not explicitly mentioned in the DMA, the EU courts also have the power to review the legality of all other EC acts (taken in the context of enforcing the DMA) “intended to produce legal effects vis-à-vis third parties” under Article 263 TFEU.
Timeline for compliance
The DMA will formally enter into force on 1 November 2022 and will apply from 2 May 2023
Businesses that meet the quantitative thresholds for a gatekeeper (see above) will have two months (i.e., by 3 July 2023 at the latest) to notify the EC about their potential gatekeeper status and the relevant core platform service. The EC then has 45 working days to issue a designation decision identifying the gatekeeper’s core platform services. Gatekeepers must comply with most DMA obligations six months after designation.
The EC is planning to publish guidance on the application of the DMA in the first quarter of 2023. The guidance is expected, amongst others, to address (i) the form and content of the technical measures that gatekeepers must implement to ensure compliance with key prohibitions against combining data and handling online advertising; (ii) operational and technical arrangements to ensure the interoperability of messenger services; (iii) the notification process for the designation of gatekeepers; (iv) the possibility of suspending obligations due to risks to their economic viability in the EU; (v) exemptions for public health and security reasons; and (vi) other procedural and reporting obligations under the DMA.2
Outlook and takeaways
Legal and technical challenges ahead – the DMA introduces an entirely new legal regime, and its enforcement will no doubt result in manifold legal disputes and technical implementation challenges. To begin with, at the designation stage, digital platforms that offer core platform services in the EU and exceed the quantitative thresholds will fight against gatekeeper status for their services for qualitative reasons. In the medium term, the EC is also likely to claim gatekeeper status for certain platforms even though they do not yet meet the quantitative thresholds for gatekeepers. Similarly, legal issues will arise in relation to specific obligations under the DMA and their specific scope of application to individual services and platforms, in particular where they are critical to a platform’s business model. Furthermore, the scope of the measures that gatekeepers will need to implement to ensure compliance can be technically complex. The guidance the EC is planning to publish in the first quarter of 2023 will (hopefully) shed further light on some of the legal and technical implementation challenges under the new regime.
Interplay with national antitrust enforcement – although the EC will be the sole enforcer of the DMA (and have the sole decision-making competence), the DMA enables national authorities to carry out initial investigations of potential DMA violations and initiate market investigations that may lead to additional gatekeeper designations or the introduction of new gatekeeper obligations. At the same time, however, national competition authorities will continue to take enforcement actions against platforms under antitrust laws or national platform regulations, subject to certain obligations to coordinate with the EC. In fact, the lack of decision-making powers under the DMA may actually incentivise them to do so. In particular, we expect to see significant enforcement at national level in relation to practices that are not listed in the DMA’s Do’s and Don’ts and against non-gatekeepers that have a dominant position. To this extent, it is likely that the Do’s and Don’ts will in practice serve as a blueprint for third parties to attack non-gatekeeper types of platform businesses under (national) abuse of dominance rules before national authorities and courts. At the EU level, enforcement of the DMA will supplement the EC’s antitrust and merger control enforcement in the digital sector.
Impact on M&A transactions – the new DMA will not directly affect the application of merger control rules in the EU; i.e., all M&A transactions will continue to be subject to EU and/or national merger control review provided they meet the relevant jurisdictional thresholds. The reporting duties under the new DMA do, however, require gatekeepers to inform the EC about all transactions, even if they do not meet the EU/national jurisdictional filing thresholds, and permit the EC to monitor all concentrations that could potentially harm competition in the EU. This will increase the likelihood of national competition authorities referring potentially critical transactions to the EC where the EU and member states’ jurisdictional thresholds are not met. In fact, since its release in March 2021, the EC’s new policy on merger referrals (so-called Art. 22 referrals) actively promotes national referrals of potentially problematic transactions that do not meet the EU/national jurisdictional merger review thresholds to the EC (including so-called killer acquisitions), in particular in the digital/tech space (see our prior alert on the EC’s new referral policy).
Enforcement success is not a given – while the DMA was adopted in record speed (by EU standards), it is not a given that its enforcement will be as effective and ultimately successful in light of the manifold legal and technical challenges ahead (see above). What is indeed certain is that the EC will require significant resources to apply and enforce the new regime (including dealing with third-party complaints and coordinating with member states) and to respect due process and defence rights. The new DMA team will compromise 80 officials (including a chief technology officer, whom the EC is currently seeking to hire), but resources are likely to become tight and pose a practical challenge for the EC once the formal gatekeeper designation process starts (in 2023) and the EC begins reinforcing and monitoring the DMA obligations (in 2024).3
Role model regime for regulatory enforcement outside the EU? – the legislative process has been followed closely by governments around the globe that are facing challenges when enforcing antitrust and other laws against platforms in the digital sector. DMA enforcement and its impact on competition in digital markets will be actively monitored, and governments outside the EU will potentially seek to replicate the EU’s new DMA regime and fine-tune it for local use in the future.
- Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828.
- Mlex, “Big Tech to get EU guidance in early 2023 on Digital Markets Act application”, 5 August 2022.
- Mlex, “EU Commission’s DMA team ‘eagerly’ awaiting reinforcements, Bacchiega says”, 21 September 2022.
In-Depth 2022-352