Jun 12022

The Digital Markets Act Is Almost Here: 10 Things to Know About the EU’s New Rules for Big Tech

Patrick J. Harrison, Monika Zdzieborska, Ken Daly, Fiona Shajko and Maarten Meulenbelt
, , , , ,

As regulators around the world fiercely debate new ways to oversee competition in the digital sector, the EU is on the brink of formally approving a landmark new law. The Digital Markets Act (DMA) will impose a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and give the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.

Once it comes into force, the DMA is set to revolutionize the way in which so-called Big Tech is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. Given the far-reaching nature of the DMA obligations, their effects will likely be felt globally.

There is a lot to digest, so below is our breakdown of the top 10 key points you should know about the EU’s new rules.

1. Key dates and next steps

Now that political agreement has been reached on the text of the DMA, all that remains is formal approval by the two co-legislators (European Parliament and Council). The DMA could enter into force as early as October 2022, with gatekeepers having to comply with the respective obligations and prohibitions by February 2024. The expected timetable is as follows:

  • October 2022: The DMA enters into force.
  • April 2023: The DMA becomes applicable (i.e., after a six-month transition period).
  • June 2023: Deadline for notifications to the Commission on whether the undertaking meets the criteria and falls within the definition of “gatekeeper.”
  • August 2023: Commission designates companies as gatekeepers.
  • February 2024: Designated companies have to comply with the obligations and prohibitions laid out by the DMA.

2. Scope and objectives

The stated purpose of the DMA is to ensure “contestable and fair” digital markets by imposing strict obligations on so-called gatekeepers — a status that is presumed where a company provides a “core platform service” in at least three EU Member States and meets a number of quantitative criteria (including EU turnover of at least €7.5 billion or a market capitalization of at least €75 billion and 45 million monthly active end users and 10,000 yearly active business users in the EU).1 To ensure the progressive nature of the obligations, a category of “emerging gatekeeper” is also provided for to enable the Commission to impose certain obligations on companies whose competitive position is “proven but not yet sustainable.”2

3. Designation Process

Companies would be obliged to notify the Commission without delay (and in any event within two months) of meeting the quantitative thresholds. The Commission then has 45 working days to designate the company as a gatekeeper. While there is scope to rebut the presumption of gatekeeper status, this would be limited to exceptional circumstances. Importantly, when undertaking such an assessment, the Commission will consider only the elements that directly relate to the quantitative criteria; efficiencies or economic justifications will not be taken into account. The Commission will review the gatekeeper status designation regularly, at least every three years.

4. Obligations

Within six months of being designated a gatekeeper, companies would be obliged to comply with a number of obligations and prohibitions. The DMA distinguishes between (i) “self-executing” obligations and (ii) obligations that are “susceptible of being further specified,” meaning that the Commission would have the ability to further detail the precise measures a particular gatekeeper must take to comply with the overarching obligation in context. The wording of some obligations gives rise to a number of interpretative issues. As such, the full scope of the obligations will likely become clear only once the Commission starts to enforce the DMA.

Among others, the obligations and prohibitions limit gatekeepers’ ability to

  • use and combine personal data. Gatekeepers will not be able to process (for advertising purposes), combine or cross-use personal data, unless the user has been given the specific choice and has provided GDPR-grade consent. Where consent is refused or withdrawn by the end user, the gatekeeper will not be able to repeat the request for consent within a period of one year.
  • determine the ranking of its own and third parties’ offerings. Gatekeepers will need to apply transparent, fair, and nondiscriminatory conditions to ranking (including display, rating, linking, or voice results) and ensure that their own products and services are not treated more favorably than similar third-party offerings.
  • negotiate certain conditions with business users. For example, business users must be free to (i) negotiate different/more favorable conditions with other companies; (ii) communicate and conclude contracts directly with end users; (iii) easily terminate their contracts with gatekeepers; and (iv) access data generated in their use of gatekeepers’ platforms.
  • impose certain (access and other) restrictions on end users. For example, end users must be able to easily (i) change any preinstalled and default settings, (ii) switch between and subscribe to different services, and (iii) access and port their data.

In addition, gatekeepers will be subject to a number of interoperability and information sharing obligations, including a requirement to (i) ensure effective interoperability of gatekeepers’ operating systems, hardware, and software; (ii) open up their NI-ICS (such as instant messaging services) and interoperate with other NI-ICSs, including text messaging and sharing of images, voice messages, videos, etc.; and (iii) provide advertisers and publishers with access to ad performance measuring tools and information on prices, fees, and remuneration.

5. Mergers

The DMA will require gatekeepers to inform the Commission of all intended acquisitions of tech companies or any transactions that enable the collection of data. This would allow the Commission to review the gatekeeper’s status (i.e., identify additional core platform services) and also monitor broader contestability trends in the digital sector (and therefore whether new gatekeeper obligations should be considered). In addition, the information will be relayed to national competition authorities (NCAs), which may use it for the purpose of national merger control rules or indeed the EU’s merger control rules, as the DMA makes explicit reference to Article 22 of the EU Merger Regulation (EUMR), which allows NCAs to request the Commission to examine acquisitions under the EUMR.

6. Sanctions

Under the DMA, the Commission will be empowered to impose severe sanctions for noncompliance, including fines of up to 10% — and, in the event of repeated infringements, up to 20% — of a gatekeeper’s worldwide turnover. In the case of systematic infringements (i.e., where the gatekeeper violates the rules at least three times in eight years), the Commission may impose any behavioral or structural remedies proportionate and necessary to ensure effective compliance, including a ban on further acquisitions relevant to the infringement, or even operational and ownership separations.

7. Enforcement and coordination of proceedings between the Commission and NCAs

The DMA is without prejudice to the application of EU and national competition rules (including national tech competition regimes), which creates the potential for overlap and inconsistency in enforcement between the DMA on the one hand and competition rules (including DMA-like competition law obligations at national level) on the other hand.

Recognizing this tension, the DMA puts the Commission in charge of the implementation and enforcement of the DMA, meaning that the Commission will have the sole authority to open formal proceedings, adopt an infringement decision, and impose relevant remedial measures under the DMA. While NCAs may enforce their own national competition rules against — and impose obligations on — gatekeepers, they are required to inform the Commission of the first formal investigative measure and, subsequently, of any decision to be imposed on the gatekeeper. When enforcing their own national competition rules, NCAs can also conduct investigations into possible noncompliance with the gatekeeper obligations affecting their own territory. However, the role of NCAs is limited to supporting the Commission as the sole enforcer of the DMA. As such, NCAs are obliged to report on any relevant findings to the Commission and cease any investigations into possible noncompliance with the DMA as soon as the Commission opens formal proceedings. The DMA also explicitly obliges the Commission and NCAs to coordinate to ensure that the principles of proportionality and ne bis in idem (protection against double jeopardy) are observed.

8. Interplay with other regulatory frameworks

Given the cross-disciplinary reach of the DMA, it will be also important to ensure its consistent application alongside other regulatory regimes, in particular data privacy and consumer protection. To ensure a consistent regulatory approach across different regulatory instruments, the DMA provides for the creation of a High-Level Group for the DMA comprising the following bodies (a) the Body of European Regulators for Electronic Communications, (b) European Data Protection Supervisor and European Data Protection Board, (c) European Competition Network, (d) Consumer Protection Cooperation Network, and (e) European Regulatory Group of Audiovisual Media Regulators. Among others, the role of the High-Level Group will be to provide the Commission with advice and expertise with a view to ensuring a consistent regulatory approach.

9. Civil damages actions

Civil damages actions against gatekeepers are explicitly foreseen in the DMA, which provides that the collective redress mechanism set out in the EU’s Representative Actions Directive3 can be used in respect of any infringement of the DMA that harms (or may harm) the collective interests of consumers. The DMA further explains (in recitals) that “[c]onsumers should be entitled to enforce their rights in relation to the obligations imposed on gatekeepers under this Regulation through representative actions.” In its DMA Q&A document, the Commission confirmed that gatekeeper obligations can be enforced directly in national courts that will “facilitate direct actions for damages by those harmed by the conduct of non-complying gatekeepers.”4

10. Involvement of third parties

Unlike under EU competition law, the DMA does not prescribe any specific complaint mechanism, including formal time limits or procedural rights (such as access to file) for complainants. While third parties may inform NCAs or the Commission about any practice or behavior by gatekeepers that may fall foul of the DMA, the relevant authority retains full discretion as regards the appropriate action to take and is under no obligation to follow up on the information received.

Interested third parties will, however, be able to provide comments at various stages of enforcement actions that are initiated, including (i) prior to the Commission’s specifying measures that the gatekeeper must implement to effectively comply with certain obligations; (ii) prior to the adoption of any commitments to remedy noncompliance; (iii) after a market investigation examining whether to expand the list of core platform services or gatekeeper obligations; and (iv) prior to the adoption of any additional implementing provisions.

“Core platform services” comprise (a) online intermediation services; (b) online search engines; (c) online social networking services; (d) video-sharing platform services; (e) number-independent interpersonal communication services (NI-ICS); (f) operating systems; (g) web browsers; (h) virtual assistants; (i) cloud computing services; and (j) online advertising services, including any advertising networks, advertising exchanges, and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in (a) to (i). This list could be expanded following a market investigation under Article 19.
Council of the European Union, Digital Markets Act (DMA): agreement between the Council and the European Parliament, March 25, 2022; available here.
3 Directive (EU) 2020/1828 of the European Parliament and of the Council of November 25, 2020, on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC; available here.
4 European Commission, Questions and Answers: Digital Markets Act: Ensuring fair and open digital markets, April 23, 2022, available here.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Patrick J. Harrison

London

pharrison@sidley.com

Monika Zdzieborska

London

mzdzieborska@sidley.com

Ken Daly

Brussels

kdaly@sidley.com

Fiona Shajko

London

fshajko@sidley.com

Maarten Meulenbelt

Brussels

mmeulenbelt@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.