The European Union’s co-legislators reached political agreement on a major reform of digital competition rules late yesterday which will introduce up-front obligations and restrictions (literally a list of ‘dos and don’ts’) on the most powerful Internet giants — enforced by the threat of substantial fines and other types of penalties if they fail to meet the requirements.
The Digital Markets Act (DMA) is the bloc’s response to systemic misbehavior in digital markets over many years.
The regulation has been informed by a string of major EU antitrust cases against tech giants like Amazon, Google and Apple, and an accompanying frustration that Big Tech’s dominance has simply continued to entrench itself, as cases take years to conclude, leaving abuse largely unchecked in the meanwhile.
The EU’s habit of letting tech giants define their own remedies even when they do (finally) get hit with antitrust enforcement — with only a general pronouncement that identified infringements must stop — has also allowed platforms plenty of wiggle room to keep stacking their hand. (Hence the Commission having to intervene again, years later, in the Google Android case to pressure Google to drop a paid auction model which rivals had declaimed as unfair from the start.)
The DMA proposes to flip this hindsight-riven dynamic by fixing conditions up front and applying an expectation of compliance with fixed rules of the road for giants that fall in scope, with the goal of ushering in a new era of more proactive and effective tech regulation. The bloc’s conviction is that an ex ante competition regime will supplement the usual ex post antitrust procedures to ensure that digital markets remain fair and contestable.
Despite EU policymakers spending long years mulling whether and then how exactly to act, a formal legislative proposal was only presented in December 2020 — so it’s taken less than 18 months for the EU’s institutions to reach agreement on a provisional text. That looks remarkably fast, underlining how much consensus there is around Europe on the need to reign in Big Tech’s market power.
The EU has also doubled down — agreeing yesterday to expand the DMA’s asks on Big Tech, including with a new interoperability obligation for messaging platforms.
Whether the regulation will actually succeed in boosting competition in digital markets that remain dominated by core platform services is really the €75BN+ question.
The EU argues that having a common set of rules across the single market for Big Tech will foster innovation, growth and competitiveness, as well as supporting the scaling up of smaller platforms, SMEs and start-ups — who it suggests will benefit from the existence of a single, clear framework at EU level.
But some experts have expressed doubt about this thesis — arguing that the best way to improve competition in digital markets might be by encouraging more direct competition between gatekeeping giants themselves, which isn’t how the Commission has configured its approach.
Whether the DMA will do what the EU hopes, and stop platform giants from unfairly throwing their weight around at the same time as firing up fresh competition and innovation, is likely to take longer to assess than the relatively short order it took for the bloc to agree on the detail of the new regime. But one thing is clear: Change it coming — and it’s coming relatively fast.
Read on for a breakdown of key developments in the compromise reached between the European Council, parliament and Commission yesterday…
Who will the DMA apply to?
The regulation will apply to intermediating platforms of a certain size and market cap which play a ‘gatekeeping’ role — meaning these are companies which get to set the ‘rules of play’ for other businesses and consumers via their platforms T&Cs and as a result of their market power.
Long standing examples given include search engines and social networks. Marketplaces and booking platforms also seem likely categories to fall in-scope.
The EU co-legislators also added virtual assistants and web browsers to the list, apparently with an eye on further future-proofing the regulation.
What are the criteria for being designated a gatekeeper?
The EU institutions agreed to meet in the middle on this: The law will apply to tech giants with a market capitalisation of at least €75BN or an annual turnover of €7.5BN (rejecting a slightly lower threshold the Commission originally proposed and a higher one proposed by some MEPs).
Companies must also have at least 45M monthly end users in the EU and 10,000+ annual business users.
Likely suspects to fall in scope include Apple, Amazon, Google and Meta (Facebook). The European booking platform giant, Booking.com, may also joint the ex ante club. As might the Chinese ecommerce giant Alibaba.
It will be the Commission’s job to designate gatekeepers so there will be something of a front-loaded sprint of work once the regime starts operating for the EU to identify all the gatekeepers (and see off any legal challenges to a designation) before a segue into the wider, ongoing work of monitoring, investigations and enforcements.
What must gatekeepers do and not do to comply with the DMA?
There’s a long list of requirements which the EU hopes will shape the behavior of market giants in a way that ensures digital market stay open and contestable (or, well, can be cracked open in cases where they may have already tipped).
Many of these have been maintained since the Commission’s original proposal — which we covered at the time here — or else have been strengthened and extended. A few new ones have also been added.
Articles 5 and 6 if the DMA are where these key lists appear.
One major new requirement introduced via the trilogue process is interoperability for messaging platforms.
This is focused on ‘basic’ functionality — such as the ability to send text messages, photos, video and files, rather than full feature parity. It will also start with one-to-one messaging; group chats will be phased in over two years and video calling/conferencing over four.
The way this will work is smaller messaging platforms will be able to request interoperability from gatekeepers (who will be obliged to provide it). But there is no obligation for such platforms to take up the entitlement; it’s their choice.
Their users would also need to choose to opt in to being able to send messages cross platform — and so users will not be forced to accept off-platform messages just because the service has elected to plug into the APIs of a gatekeeper. Hence the co-legislators talk about this being an “asymmetrical” interoperability requirement.
We understand there is no literal limitation in the DMA that would prevent a gatekeeper from requesting interoperability from another gatekeeper. But whether platform giants — such as Apple with its iMessage service or Facebook with Messenger — would choose to do so is a whole other question.
EU lawmakers emphasize that they are very focused on the security element of messaging interoperability — stipulating that all cross-platform comms must maintain the same level of security (so, for example, if it’s E2EE it cannot be lowered to a lesser level of encryption).
Beyond messaging, the bloc’s co-legislators only agreed to assess social media interoperability in the future — so for now that’s off the table, likely owing to perceived additional technical complexity.
They also agreed to set up a new high level advisor group to support the Commission with cross-cutting technical sectoral advice to support its work in areas like interoperability.
In another major new addition to the DMA stipulations, a parliamentary push to include limits on how personal data can be used for tracking ads survived the trilogue negotiations.
Moreover, there was further accord to ensure this issue will also be tackled in the DMA’s sister regulation, the more broadly applying Digital Services Act (which is still going through trilogue).
So the consensus here spans two separate (if linked) pieces of legislation. Which is notable given that the ads component was a late addition and given how much counter lobbying the tracking ads industry has done to try top evade limits.
As regards the DMA component of this, gatekeepers must gain explicit consent from users to combine their personal data for advertising — a provision that could finally force Meta (Facebook) to provide users in Europe with a choice not to be tracked and profiled when using its services.
There was also agreement between EU co-legislators on extending mandatory choice screens for consumers to pick their own preference of search engine, browser and virtual assistant — i.e. rather than gatekeepers being able to preselect or force use of their own products through bundling. Although lawmakers appear to have resisted calls to further widen the scope to other key services (such as email) as they were concerned about the risk of over-burdening the user experience.
Fair access rights to core services — originally in the DMA with a focus on third party developers and gatekeepers operating mobile app stores — has also been extended to cover search and social media.
This puts obligations on gatekeepers to be transparent about the terms they apply to business users and to offer a dispute settlement mechanism. (Idea being this will also help the Commission spot potentially unfair terms and/or behavior more quicker so it can tackle problems faster; but the Commission itself won’t be overseeing FRAND down to the level of an individual business’ Facebook page, for example.)
An obligation on mobile OSes to allow sideloading of apps and app stores has also been retained — but with some reworking to try to reach a compromise that balances consumer choice against security concerns like the risk of introducing malware (an argument that’s been repeatedly raised by tech giants like Apple in their lobbying against this provision).
The exact detail of this compromise isn’t clear but we understand it will involve somehow letting users define their own level of risk, such as by options available to them at the settings level.
Elsewhere, a ban on self-preferencing of gatekeepers’ own services, such as in content rankings they curate and present to users, remains intact; as does a stipulation that gatekeepers cannot block users from uninstalling preloaded apps, along with wider support measures to enable service switching — and plenty more besides.
What are the penalties gatekeepers face for non-compliance?
Fines of up to 10% of global annual turnover can be levied on a gatekeeper for a breach of the regime — or up to 20% for repeated breaches.
The latter refers to a situation of systemic non-compliance which, as we understand it, is being defined as at least three non-compliance decisions over a period of eight years. (It would also require a legal test to be carried out that indicates the gatekeeper in question has maintained or strengthened their position.)
The DMA’s penalty regime also allows for non-financial penalties in the case of system infringements, retaining the possibility that the Commission could order structural remedies, such as the break up of a gatekeeper’s business empire.
That said, the regime looks explicitly intended to avoid such a one-way outcome as this power is very much held in deferred reserve (as a nuclear option; more to scare that it’s there than to use), with the bulk of enforcement resources set to be directed toward achieving compliance with the up-front market rules.
Furthermore, the Commission is able to engage in a regulatory dialogue with gatekeepers to ensure they understand the rules and requirements — so it can also push platforms to make changes that help them avoid fines in the first place.
However — for those gatekeepers that do decide to thumb their noise at the EU’s ex ante competition rules — another interesting addition to the DMA’s penalty pot is the possibility that a gatekeeper could be temporarily banned from making mergers and acquisitions.
It’s a step that looks geared towards preventing the phenomenon of killer acquisitions. But how long such an M&A ban might last isn’t clear.
During a press conference today, competition commissioner and EVP Margrethe Vestager talked around the topic, making passing reference to the recent Google-Fitbit acquisition (which completed last year) — and to conditions the EU had accepted for allowing that to go ahead (including a time-limited ban on Google using Fitbit health data for ad targeting), going on to note that the EU has been trying to look into more big tech acquisitions to assess effects “on the ground” and has already increased its merger enforcement as a result of that.
The DMA putting sanctions on gatekeepers that limit their ability to do M&A is appropriate within a behavioral framework, Vestager argued, also pointing to how many European startups are getting snapped up by big tech. “This entire legislation deals exactly with the behavior of the gatekeeper and how to make sure that markets remains competitive and of course here mergers play a role as we see it in our specific merger control,” she added.
As part of general DMA reporting requirements, all gatekeepers are required to notify the Commission in advance of M&A too.
Who will enforce the DMA?
The European Commission itself will be the sole enforcer — but its original proposal has been amended to allow a bigger involvement for national authorities on the investigation side.
That may, at least in part, be a measure of how much (new) work the Commission is taking on with the DMA.
Some joint-working with Member State agencies with relevant expertise could help lighten the load and expedite enforcements.
That said, if a national authority starts an investigation which the Commission subsequently picks up we understand that the national probe would be expected to end.
The Commission says it expects to need to add around 80 people to deal with the DMA workload. Some of this headcount will come from redeploying existing staff, others will be new hires — the latter with a focus on beefing up its technical expertise.
When does the Commission expect the DMA to come into force?
Some time in October is said to be “likely” — though not set in stone — at this stage.
The provisional text still needs to be checked over to produce a final legal document (in all the various EU languages) for approval by the Council and Parliament (the latter in a plenary vote). But the main hurdle to EU legislation is the political negotiation which concluded witjh agreement yesterday.
There is a six month period allowed for Member States to transpose the pan-EU regime into national legislation. So it may be that 2023 will be when we see the real DMA fireworks.
What has the reaction been to the plan so far?
It’s been interesting to see how much shock/surprise and even horror greeted yesterday’s trilogue agreement announcement from US-based industry watchers — who seem not to have been paying attention to a flagship reform EU lawmakers proposed in detail years ago.
On the flip side, Europeans, both consumers and businesses, plus the myriad civil society groups that have been advocating for competition reform to untip digital markets for years, are sounding — broadly — supportive, while being very keen to remind the Commission that the best-crafted regulation is only as good as the quality of enforcement that accompanies it.
All eyes in the region will be on how the Commission executes on this sizeable challenge.
As regards more specific criticism, the measure that’s garnering the most criticism is the interoperability obligation for messaging apps — which is attracting flak from a technical and/or product experience point of view from some quarters, with concerns being raised about the potential impact on security or other safety specific processes which platforms may carry out in areas like abuse-monitoring or content moderation.
Concerns include that interoperability might introduce vulnerabilities and could also break delicate safety systems — at times combined with a strong dash of paranoia that the EU is trying to use competition reform as a pretext to, er, break strong encryption…
Again, though, it’s possible to find opposing technical views: The Europe-based messaging company Element — which develops apps atop the decentralized Matrix protocol — has been a keen proponent of interoperability from the start.
Albeit it was advocating for EU lawmakers to go further and adopt a standards-based approach, which would support more fully featured interoperability vs the open API route plus core functionality the Commission has opted for.
Even so, Element co-founder and COO, Amandine Le Pape, is still happy that (some) interoperability for messaging has been included in the DMA. “Any interoperability would be better than the current walled gardens,” she told us. “An open standard approach could come later, especially if it’s pushed bottom up by the industry which may eventually understand that by all speaking the same language it makes everyone’s life easier and more secure.”