On July 18, 2022, the long-awaited Digital Markets Act (DMA) received the final approval of the EU's co-legislators. The DMA will impose stringent far-reaching obligations on the largest digital platforms: the "gatekeepers." The regulation will give the European Commission (EC) significant new enforcement powers, including the ability to impose severe fines and remedies in case of non-compliance.

The DMA will profoundly change the way in which big tech platforms operate in the EU. It will capture the largest tech companies and potentially 15-20 other platforms such as Alibaba and Booking.com. It will also create complications for non-gatekeepers, as the rules will impact how data can be shared with a gatekeeper's commercial partners.

The DMA will apply in parallel with the antitrust rules and other national-level enforcement efforts. However, it is very clearly based on the EC's abuse of dominance cases, many of which are grounded in novel (and contested) theories of harm which have yet to be validated by the EU courts. As the DMA framework is fraught with legal uncertainty, we expect the new rules to be subject to multiple legal challenges from the outset.

The rules are expected to come into effect in October 2022, with gatekeepers having to notify the EC within two months starting as of Spring 2023, when most of the DMA's provisions become applicable. Once designated, gatekeepers will have to comply with the rules within six months (i.e., by the end of 2023 to early 2024). Companies that may be caught by the DMA and that wish to operate in Europe will have to navigate an increasingly complex set of rules and make compliance a priority. The rules could also set the de facto global standard for tech platforms, as other jurisdictions seek to model their own digital regulations on the EU's example.

Background

The DMA is part of a broader EU digital agenda to revamp the rules applicable to digital platforms, with the aim of ensuring Europe's global competitiveness and data sovereignty.¹ It aims to address a perceived enforcement gap in digital markets and draws heavily on past EC antitrust cases against the largest tech companies (some of which failed). The DMA also overlaps with other areas of law, including data protection law, and compliance with the DMA may affect companies' approach towards the General Data Protection Regulation (GDPR). To learn more about the data protection aspects of the DMA, please see Wilson Sonsini's Fact Sheet.

For more information about the initial proposals and draft amendments, see the Wilson Sonsini Alerts here and here. While the key elements remain broadly the same as outlined in the EC's original proposal, the political compromise between EU institutions saw some changes to the now-agreed text.

Who Needs to Care?

The DMA will apply to platforms offering Core Platform Services (CPS) that have been designated as gatekeepers by the EC.

• What is a gatekeeper?² There is a rebuttable presumption that a platform is a gatekeeper if it:
  • has a significant impact on the internal market: the company has an annual EEA revenue of at least €7.5 billion in each of the last three financial years, or its average market capitalization or equivalent fair market value is at least €75 billion (up from €6.5 billion and €65 billion in the original proposal), and it provides the CPS in at least three EU member states;
  • has a strong intermediary position: the company operates a CPS with at least 45 million monthly active end-users established or located in the EU, and has more than 10,000 yearly active business users established in the EU in the last financial year;³ and
  • has (or is expected to have) an entrenched and durable position in the market. This is presumed where the company meets the other two criteria in each of the last three financial years.

Even below these thresholds, the EC can designate gatekeepers based on a market study which demonstrates the above factors. In addition, the EC can impose certain obligations on companies whose competitive position is "proven but not yet sustainable" (i.e., on emerging gatekeepers).⁴

CPSs will include search engines, app stores, online marketplaces, social networking platforms, cloud services, advertising services, web browsers, and virtual assistants (with the latter two added by the EU Parliament during negotiations).

And it is not just the gatekeepers themselves that need to be concerned: any companies doing business with gatekeepers will be impacted by the DMA (e.g., "business users," such as advertisers or publishers, or online merchants). For instance, companies receiving information from gatekeepers (e.g., activity data about their end-users on the gatekeeper platform) will now be impacted by the DMA obligation to require end-user consent where personal data is involved. Non-gatekeepers will need to consider putting in place mechanisms, such as consent requirements in contracts with gatekeepers, to ensure continued access to data generated on a gatekeeper platform.

Gatekeeper Designation

Large tech platforms must self-assess and notify the EC within two months of crossing the thresholds. The EC will then be solely responsible for designating "gatekeeper" platforms offering CPSs. The EC will review the gatekeeper status designation regularly, at least every three years.

Each core platform service of a gatekeeper could be at issue, meaning one company could see parallel procedures for each CPS it operates (e.g., mobile operating system, voice assistant, and adtech unit in parallel reviews).

While the presumption of gatekeeper status can be rebutted, this is limited to "exceptional circumstances." The EC will consider only the elements that directly relate to the quantitative criteria; efficiencies or economic justifications will not be taken into account.

The rebuttable presumption, the ability of the EC to designate gatekeepers below the threshold, and the qualitative criteria will lead to significant legal uncertainty as to how the DMA will apply in practice. We expect designation to be controversial and subject to significant legal challenges.

Gatekeeper Obligations⁵

Gatekeepers will have to comply with a number of obligations, covering a wide range of issues including:

• Apps and App Stores. Gatekeepers will have to make significant changes to the distribution of their apps on their Operating Systems (OS), by:
  • allowing sideloading of third-party apps or app stores, and permitting those apps to be set as default. However, gatekeepers will be able to take "strictly necessary and proportionate" measures to protect the integrity of its hardware or OS (Art. 6(4));
  • allowing end users to easily uninstall apps (Art. 6(3));
  • Not restricting users from switching between, and subscribing to, different apps (Art. 6(6));
  • provide access to their app stores (and to search engines and social networks) at fair, reasonable, and non-discriminatory (FRAND) general conditions (Art. 6(12)); and
  • not requiring app developers to exclusively use the gatekeeper's in-app payment system in order to offer in-app purchases (Art. 5(7)).
• Anti-Steering. Gatekeepers will not be able to prevent business users from directing their consumers to alternative offers. They will have to allow developers distributing apps on their app stores to promote offers to end users free of charge and subsequently transact with these users without using the gatekeeper's services (e.g., the app store owner's in-app purchase solution, Art. 5(4)). End users will also be able to easily change default settings on the OS, virtual assistant, and web browser of the gatekeeper that direct or steer end users to products/services of the gatekeeper. Users must be offered a choice screen with competing services when first using a gatekeeper's search engine, virtual assistant, or web browser (Art. 6(3)).
• Gatekeeper Use of Data and Consent. The DMA goes further than the EU's General Data Protection Regulation (GDPR) by requiring gatekeepers to obtain end-users' GDPR consent in order to:⁶
  • combine or cross-use personal data from a CPS with personal data from other services offered by the same gatekeeper (e.g., by matching data sets that are tied to the same identifier);
  • combine personal data from a core platform service with third-party data (e.g., data collected from third-party websites via cookies or a software development kit);
  • process third-party data for advertising purposes; or
  • sign in end-users to multiple services offered by the gatekeeper in order to combine personal data (Art. 5(2)).
• Use of Platform Data. Gatekeepers will have to:
  • refrain from using, in competition with business users, any data that is not publicly available that is generated or provided by those users (including the customers of those users) through their use of the CPS or related services (Art. 6(2));
  • provide business users with access to data that is generated by them and their customers on the CPS or another service offered with, or supporting, the CPS (e.g., information about end users' interaction with the customer's page on the gatekeeper's platform). The data will need to be provided in a continuous, high-quality, and real-time manner (Art. 6(10)); and
  • provide rivals with access to user generated search data under FRAND conditions (Art. 6(11), which only applies to online search engines).
• Data Portability. The DMA strengthens the GDPR's right to "data portability." Gatekeepers should provide "effective portability" of the data provided by the user or that users generate when using gatekeepers' services, including through continuous and real-time access to the data (Art. 6(9)).
• Self-Preferencing. Gatekeepers will also be prohibited from treating their own services/products more favorably in ranking, indexing, and crawling. Gatekeepers will also have to conduct rankings under transparent, fair, and non-discriminatory terms (Art. 6(5)).
• Tying. Gatekeepers will be prohibited from requiring businesses or end users to use, offer, or interoperate with their identification services, web browser engines, payment services, and in-app purchase mechanisms (Art. 5(7)). They also cannot require end users to subscribe to further CPSs, as a condition for subscribing to any of their other CPSs (Art. 5(8)).
• Ad Transparency. Gatekeepers will have to provide advertisers and publishers with information about prices paid and remuneration received, together with the methodology under which the prices and remuneration were calculated (Arts. 5(9) and 5(10)). Gatekeepers will also have to provide advertisers and publishers with access to the performance measuring tools and data (Art. 6(8)).
• Interoperability. Gatekeepers will be required to:
  • ensure effective interoperability of gatekeepers' OSs or virtual assistants, hardware, and software (Art. 6(7)). Gatekeepers will be able to take "strictly necessary and proportionate" measures to protect their integrity; and
  • open up their number-independent interpersonal communication services (such as instant messaging services) and interoperate with other NI-ICSs (e.g., text messaging and sharing of images, voice messages, videos, etc., Art.7(1)). Gatekeepers will be able to take "strictly necessary and proportionate" measures to protect the "integrity, security, and privacy" of its services.

M&A

Gatekeepers will need to inform the EC (pre-closing) of any M&A transaction where one of the parties provides a CPS or any other services in the digital sector or that enable data-collection, regardless of whether it is notifiable under merger thresholds (Art. 14). The EC will be entitled to temporarily block further M&A activity by a gatekeeper in cases of systematic non-compliance with the DMA.

Gatekeeping the Gatekeepers

The EC will be the sole enforcer of the DMA and will have significant enforcement powers:

• Fines. It can levy fines of up to 10 percent of the company's total worldwide annual turnover, and up to 20 percent in the case of repeated infringements. It can also impose periodic penalty payments;
  • The final version of the DMA text also adds the potential for a fine up to 1 percent of the company's total worldwide turnover if they do not hire a compliance officer.
• Remedies. Where there is systemic non-compliance (three infringements in eight years), the EC will be able to order conduct or structural remedies, including divestiture and break-up of repeat offenders.

The EC has said it will need at least 150 staff members to enforce the DMA, almost twice the number it estimated when the rules were first proposed. The EC's DMA team is anticipated to have around 20 staff members this year, growing to around 80 by 2025. DMA enforcement will be shared between the EU's competition and digital departments.

Extraterritorial Application

Gatekeepers will be free to maintain their existing business models outside of the DMA scope (i.e., if the service at issue is not a CPS, or if it is being provided to business users established outside the EEA or consumers established or located outside the EEA). However, the EC can impose structural remedies for recidivist gatekeepers (i.e., in case of repeated infringements) and those can be global in scope (e.g., a prohibition on M&A).

Wilson Sonsini Insights

The DMA will profoundly change the way digital platforms operate. We expect significant challenges in court given the uncertainty around the DMA framework. The DMA obligations themselves are very clearly based on the EC's abuse of dominance cases, many of which are grounded in novel (and contested) theories of harm which have not been validated by the EU courts.

As noted in our previous Wilson Sonsini Alert, companies active in the digital sphere should already begin planning for the DMA and the increasingly complex web of EU and national regulations (including the Digital Services Act, the AI Act, and the Data Act). The DMA is particularly commercially intrusive and compliance programs may need to be redesigned from the ground up and regulatory and policy teams briefed on the sweeping new rules, given the potential impact on even non-gatekeeper companies (particularly with regards to data sharing). While U.S. and UK efforts to regulate are somewhat behind, some platforms may decide to already revise their business models on a global level to avoid the operational costs and headache of tailoring product design, go-to-market, and commercial strategies for each jurisdiction. This would result in the new EU rules setting the de facto global standard.

EC officials have indicated additional guidance will be provided and implementing regulations will be issued, but no timing has been given. In April 2022, the EC announced its intention to open a San Francisco base to engage with gatekeeper companies, which are based mostly in the broader Bay Area (see Wilson Sonsini Alert).

While the DMA is to the fore of platforms' concerns, traditional antitrust enforcement at both an EC and national level should not be overlooked—the EC and the UK's CMA have been particularly active, with parallel probes into Google and Meta's header bidding agreement, and with active investigations into Amazon, Apple, Google, and Microsoft. At the same time, Germany's Federal Cartel Office is forging ahead with its new DMA-esque powers, with probes into Meta, Apple, Amazon, and Google. One unknown is how the DMA will interact with antitrust enforcement, which will continue to apply in parallel, with national regulation (which can go beyond the DMA), and with the GDPR (in theory, data protection regulators, the EU Commission, and national antitrust agencies could probe data processing activities under GDPR, the DMA, or antitrust rules).

For more information, please contact Cédric Burton, Beau Buffier, or any member of the firm's privacy and cybersecurity or antitrust practices.

Laurine Signoret and Deirdre Carroll contributed to the preparation of this Wilson Sonsini Alert.

---

^[1]The EU’s Digital Agenda’s core aspects are the DMA, the Digital Services Act (which addresses the liability of platforms for misinformation and user safety through new ex ante rules), the Data Act (which deals with data sharing obligations, safeguards for data transfer, and regulation of access by public bodies creating harmonized rules across the EU), and the AI Act (which proposes a common regulatory and legal framework for artificial intelligence).

^[2]This is different from the standard legal test typically used under EU competition law, which focuses on establishing whether a player is "dominant" or whether an "essential facility" is at play. According to the EC, these concepts did not enable the EC to intervene in markets with a significant—but not yet dominant—player where there was a risk of the market tipping in favor of that company.

^[3]An annex to the DMA sets out a methodology and indicators for end-users/business users. Notably, “outlier figures” (i.e., figures that fall significantly outside the normal and foreseeable figures) are excluded from the calculation of monthly end users. For instance, outline figures can take the form of an unforeseen peak of drop in user engagement during one month of the year.

^[4]DMA, Art. 17(4) and Recital 74.

^[5]Some of the requirements are framed as being "susceptible of being further specified" and the DMA proposal envisages a future regulatory dialogue with gatekeepers to tailor those obligations and ensure their effectiveness and proportionality. This category includes requirements related to self-preferencing, interoperability, and certain data-related practices.

^[6]Such consent will need to comply with the GDPR standard for valid consent, including that consent should be informed and freely given. Under the GDPR, other legal bases would have been available (e.g., gatekeepers could combine or cross-use data where necessary to perform a contract, or where this is based on a company’s legitimate interests).