On July 18, 2022, the long-awaited Digital Markets Act (DMA) received the final approval of the EU's co-legislators. The DMA will impose stringent far-reaching obligations on the largest digital platforms: the "gatekeepers." The regulation will give the European Commission (EC) significant new enforcement powers, including the ability to impose severe fines and remedies in case of non-compliance.
The DMA will profoundly change the way in which big tech platforms operate in the EU. It will capture the largest tech companies and potentially 15-20 other platforms such as Alibaba and Booking.com. It will also create complications for non-gatekeepers, as the rules will impact how data can be shared with a gatekeeper's commercial partners.
The DMA will apply in parallel with the antitrust rules and other national-level enforcement efforts. However, it is very clearly based on the EC's abuse of dominance cases, many of which are grounded in novel (and contested) theories of harm which have yet to be validated by the EU courts. As the DMA framework is fraught with legal uncertainty, we expect the new rules to be subject to multiple legal challenges from the outset.
The rules are expected to come into effect in October 2022, with gatekeepers having to notify the EC within two months starting as of Spring 2023, when most of the DMA's provisions become applicable. Once designated, gatekeepers will have to comply with the rules within six months (i.e., by the end of 2023 to early 2024). Companies that may be caught by the DMA and that wish to operate in Europe will have to navigate an increasingly complex set of rules and make compliance a priority. The rules could also set the de facto global standard for tech platforms, as other jurisdictions seek to model their own digital regulations on the EU's example.
Background
The DMA is part of a broader EU digital agenda to revamp the rules applicable to digital platforms, with the aim of ensuring Europe's global competitiveness and data sovereignty.1 It aims to address a perceived enforcement gap in digital markets and draws heavily on past EC antitrust cases against the largest tech companies (some of which failed). The DMA also overlaps with other areas of law, including data protection law, and compliance with the DMA may affect companies' approach towards the General Data Protection Regulation (GDPR). To learn more about the data protection aspects of the DMA, please see Wilson Sonsini's Fact Sheet.
For more information about the initial proposals and draft amendments, see the Wilson Sonsini Alerts here and here. While the key elements remain broadly the same as outlined in the EC's original proposal, the political compromise between EU institutions saw some changes to the now-agreed text.
Who Needs to Care?
The DMA will apply to platforms offering Core Platform Services (CPS) that have been designated as gatekeepers by the EC.
Even below these thresholds, the EC can designate gatekeepers based on a market study which demonstrates the above factors. In addition, the EC can impose certain obligations on companies whose competitive position is "proven but not yet sustainable" (i.e., on emerging gatekeepers).4
CPSs will include search engines, app stores, online marketplaces, social networking platforms, cloud services, advertising services, web browsers, and virtual assistants (with the latter two added by the EU Parliament during negotiations).
And it is not just the gatekeepers themselves that need to be concerned: any companies doing business with gatekeepers will be impacted by the DMA (e.g., "business users," such as advertisers or publishers, or online merchants). For instance, companies receiving information from gatekeepers (e.g., activity data about their end-users on the gatekeeper platform) will now be impacted by the DMA obligation to require end-user consent where personal data is involved. Non-gatekeepers will need to consider putting in place mechanisms, such as consent requirements in contracts with gatekeepers, to ensure continued access to data generated on a gatekeeper platform.
Gatekeeper Designation
Large tech platforms must self-assess and notify the EC within two months of crossing the thresholds. The EC will then be solely responsible for designating "gatekeeper" platforms offering CPSs. The EC will review the gatekeeper status designation regularly, at least every three years.
Each core platform service of a gatekeeper could be at issue, meaning one company could see parallel procedures for each CPS it operates (e.g., mobile operating system, voice assistant, and adtech unit in parallel reviews).
While the presumption of gatekeeper status can be rebutted, this is limited to "exceptional circumstances." The EC will consider only the elements that directly relate to the quantitative criteria; efficiencies or economic justifications will not be taken into account.
The rebuttable presumption, the ability of the EC to designate gatekeepers below the threshold, and the qualitative criteria will lead to significant legal uncertainty as to how the DMA will apply in practice. We expect designation to be controversial and subject to significant legal challenges.
Gatekeeper Obligations5
Gatekeepers will have to comply with a number of obligations, covering a wide range of issues including:
M&A
Gatekeepers will need to inform the EC (pre-closing) of any M&A transaction where one of the parties provides a CPS or any other services in the digital sector or that enable data-collection, regardless of whether it is notifiable under merger thresholds (Art. 14). The EC will be entitled to temporarily block further M&A activity by a gatekeeper in cases of systematic non-compliance with the DMA.
Gatekeeping the Gatekeepers
The EC will be the sole enforcer of the DMA and will have significant enforcement powers:
The EC has said it will need at least 150 staff members to enforce the DMA, almost twice the number it estimated when the rules were first proposed. The EC's DMA team is anticipated to have around 20 staff members this year, growing to around 80 by 2025. DMA enforcement will be shared between the EU's competition and digital departments.
Extraterritorial Application
Gatekeepers will be free to maintain their existing business models outside of the DMA scope (i.e., if the service at issue is not a CPS, or if it is being provided to business users established outside the EEA or consumers established or located outside the EEA). However, the EC can impose structural remedies for recidivist gatekeepers (i.e., in case of repeated infringements) and those can be global in scope (e.g., a prohibition on M&A).
Wilson Sonsini Insights
The DMA will profoundly change the way digital platforms operate. We expect significant challenges in court given the uncertainty around the DMA framework. The DMA obligations themselves are very clearly based on the EC's abuse of dominance cases, many of which are grounded in novel (and contested) theories of harm which have not been validated by the EU courts.
As noted in our previous Wilson Sonsini Alert, companies active in the digital sphere should already begin planning for the DMA and the increasingly complex web of EU and national regulations (including the Digital Services Act, the AI Act, and the Data Act). The DMA is particularly commercially intrusive and compliance programs may need to be redesigned from the ground up and regulatory and policy teams briefed on the sweeping new rules, given the potential impact on even non-gatekeeper companies (particularly with regards to data sharing). While U.S. and UK efforts to regulate are somewhat behind, some platforms may decide to already revise their business models on a global level to avoid the operational costs and headache of tailoring product design, go-to-market, and commercial strategies for each jurisdiction. This would result in the new EU rules setting the de facto global standard.
EC officials have indicated additional guidance will be provided and implementing regulations will be issued, but no timing has been given. In April 2022, the EC announced its intention to open a San Francisco base to engage with gatekeeper companies, which are based mostly in the broader Bay Area (see Wilson Sonsini Alert).
While the DMA is to the fore of platforms' concerns, traditional antitrust enforcement at both an EC and national level should not be overlooked—the EC and the UK's CMA have been particularly active, with parallel probes into Google and Meta's header bidding agreement, and with active investigations into Amazon, Apple, Google, and Microsoft. At the same time, Germany's Federal Cartel Office is forging ahead with its new DMA-esque powers, with probes into Meta, Apple, Amazon, and Google. One unknown is how the DMA will interact with antitrust enforcement, which will continue to apply in parallel, with national regulation (which can go beyond the DMA), and with the GDPR (in theory, data protection regulators, the EU Commission, and national antitrust agencies could probe data processing activities under GDPR, the DMA, or antitrust rules).
For more information, please contact Cédric Burton, Beau Buffier, or any member of the firm's privacy and cybersecurity or antitrust practices.
Laurine Signoret and Deirdre Carroll contributed to the preparation of this Wilson Sonsini Alert.
[1]The EU’s Digital Agenda’s core aspects are the DMA, the Digital Services Act (which addresses the liability of platforms for misinformation and user safety through new ex ante rules), the Data Act (which deals with data sharing obligations, safeguards for data transfer, and regulation of access by public bodies creating harmonized rules across the EU), and the AI Act (which proposes a common regulatory and legal framework for artificial intelligence).
[2]This is different from the standard legal test typically used under EU competition law, which focuses on establishing whether a player is "dominant" or whether an "essential facility" is at play. According to the EC, these concepts did not enable the EC to intervene in markets with a significant—but not yet dominant—player where there was a risk of the market tipping in favor of that company.
[3]An annex to the DMA sets out a methodology and indicators for end-users/business users. Notably, “outlier figures” (i.e., figures that fall significantly outside the normal and foreseeable figures) are excluded from the calculation of monthly end users. For instance, outline figures can take the form of an unforeseen peak of drop in user engagement during one month of the year.
[4]DMA, Art. 17(4) and Recital 74.
[5]Some of the requirements are framed as being "susceptible of being further specified" and the DMA proposal envisages a future regulatory dialogue with gatekeepers to tailor those obligations and ensure their effectiveness and proportionality. This category includes requirements related to self-preferencing, interoperability, and certain data-related practices.
[6]Such consent will need to comply with the GDPR standard for valid consent, including that consent should be informed and freely given. Under the GDPR, other legal bases would have been available (e.g., gatekeepers could combine or cross-use data where necessary to perform a contract, or where this is based on a company’s legitimate interests).