The European Union (EU) will soon be handed sweeping new rules to regulate the conduct of the largest digital platforms with the long-awaited Digital Markets Act (DMA). Following 15 months of intense negotiations on amendments to the original Proposal, the presidents of the main EU institutions (the Parliament, Council, and Commission) reached a political agreement on the final text of the DMA on March 24, 2022. The final vote is planned for July 2022, with the rules expected to come into effect in October 2022. It is expected that designated gatekeepers will need to comply by early 2024.
The DMA is classified as a regulatory tool and will apply in parallel with the antitrust rules and other national-level enforcement efforts. The EU is also finalizing several other regulatory initiatives (the Digital Services Act, the Data Act, and the AI Act). Companies wishing to operate in Europe will have to navigate an increasingly complex web of rules and make compliance design a priority. In a “race to the bottom,” these rules could also set the de facto global standard for tech platforms, as other jurisdictions seek to model their own digital regulations on the EU’s example.
These rules have arguably been drafted in a vacuum, detached from commercial realities and other existing legislation. In particular, the interplay between the DMA and the General Data Protection Regulation (GDPR) seems poorly thought out and will most likely lead to significant challenges for companies; we expect that the future text will have significant unintended spillover effects on commercial partnerships with data use at their core.
While the final text is not expected to be available for at least a couple of months, this Wilson Sonsini Alert sets out our understanding of the key points.
Background
The DMA is part of a broader EU digital agenda that seeks to revamp the rules applicable to digital platforms, with the aim of ensuring Europe's global competitiveness and data sovereignty.1 It aims to address a perceived enforcement gap in digital markets and draws heavily on antitrust cases against the so-called GAFAM. The rules will capture tech giants such as Google, Apple, Meta, Amazon, and Microsoft, as well as around 15-20 other platforms (expected to include accommodation platform Booking and e-commerce giant Alibaba). The spillover effects for other companies will be significant, however.
For more information about the initial proposals and draft amendments, see the Wilson Sonsini Alerts here and here.
Timing
The new rules provide for a complex framework regarding their application. According to reports on the Final Text, the new rules would enter into force in October 2022, meaning that six months later the legislation will become applicable (around April 2023). Gatekeepers will then have two months within which to notify the European Commission (EC) that their services fall within its scope (so by June 2023). The EC has 45 days from that to formally designate a company as a gatekeeper. A gatekeeper would then have six months (from around August 2023) to comply with the rules, so the true “bite” of the rules would be felt around February/March 2024.
This means that companies that anticipate falling within the DMA’s scope have roughly two years to prepare but, in reality, compliance design may already need to start given the far-reaching nature of the obligations and impact on product design, in particular.
While the drawn-out timeline has been heavily criticized by those anxious to regulate the large tech platforms, it simply reflects the reality gap between political ideology and enforcement practicalities. Compliance will take time given the commercially intrusive nature of the rules, and the EC itself will also need time to ensure adequate resources are in place and to draft much-needed guidance for digital firms.
Scope
Under the DMA, while large tech platforms must self-assess and then notify the EC, the EC will be solely responsible for designating "gatekeeper" platforms that offer "core platform services" (CPS). These services will include search engines, app stores, online marketplaces, social networking platforms, cloud services, advertising services, web browsers, and voice assistants (with the latter two added during negotiations, but connected TVs are excluded).
The new text amends and increases the quantitative criteria for gatekeeper designation: a market capitalization of €75 billion (ca. $83 billion) or a turnover in the European Economic Area equal to or above €7.5 billion (ca. $8 billion); and 45 million monthly active end-users and 10,000 yearly business users.
If these are met, there is a rebuttable presumption that the company is a gatekeeper. However, even below the thresholds, the EC can still designate gatekeepers based on a market study, showing that a company has: i) a significant impact on the internal market; ii) a strong intermediary position; and iii) an entrenched and durable position in the market or it is foreseeable that it will enjoy such a position in the near future. The rebuttable presumption, the ability of the EC to designate gatekeepers below the threshold, and the qualitative criteria will lead to significant legal uncertainty as to how the DMA will apply in practice.
Obligations and Prohibitions
The DMA establishes a list of 18 obligations and prohibitions that gatekeepers will have to comply with. These rules are related to, amongst others, interoperability between platforms, data combination, data access by business users, and self-preferencing. Some key points are:
Contrary to the proposals for a similar UK regime, the list of rules does not make a distinction between platform business models and is an inflexible, “one-size-fits-all” approach. The EC will have the power to conduct market studies and update the rules as needed.
Enforcement
The EC will have massive enforcement powers:
However, there are serious questions over the EC’s ability to handle enforcement. The rules are fraught with legal uncertainty and each step in the process is likely to be subject to legal challenges, with gatekeepers likely to submit volumes of legal and economic submissions to rebut a gatekeeper designation. Each core platform service of a gatekeeper could be at issue, meaning one company could see parallel procedures for each CPS it operates (e.g., mobile operating system, voice assistant, and adtech unit in parallel reviews).
Gatekeepers are likely to wait until the last moment to submit designation notices and compliance notices, meaning the EC would be repeatedly hit with casework at the same time. The EC’s DMA team is anticipated to have around 20 staff this year, ramping up to an estimated 80 by 2025. EU lawmakers and Commissioner Vestager have publicly said that a budget increase and more staff are needed to adequately enforce the DMA.
A Tangled Web of Regulations
The EC recently repeated that DMA enforcement will be in parallel to “strong competition-law enforcement.” It remains to be seen how the DMA will interact with antitrust enforcement in practice.
In parallel to the DMA, the EU is finalizing rules for platform liability and content moderation (the Digital Services Act). The EU is also working on a new Data Act (which deals with non-personal data and includes data sharing obligations, and safeguards for data transfer), and the AI Act (which proposes a common regulatory and legal framework for artificial intelligence).
At a national level, other jurisdictions have either enacted similar ex ante rules (Germany) or are working on their own platform proposals (the UK and the U.S., for instance).
Given the overlaps between the various regulatory initiatives, tech platforms will need to take a more holistic approach to compliance design and may need to rebuild from the ground up to avoid the headache of tailoring product design, go-to-market, and commercial strategies for each jurisdiction.
Wilson Sonsini Insights
The DMA will profoundly change the way digital platforms operate. However, we expect significant challenges in court given the uncertainty around the DMA framework, lack of economic analyses, and absence of any guidance on the DMA’s application.
Companies active in the digital sphere should already begin planning for the DMA and the increasingly complex web of EU and national regulations. Compliance programs may need to be redesigned from the ground up and regulatory and policy teams briefed on the sweeping new rules, given the significant spillover effects for even smaller tech companies (particularly with regard to data sharing).
For more information, please contact Cédric Burton, Beau Buffier, or any member of the firm's privacy and cybersecurity or antitrust practices.
Deirdre Carroll and Laurine Signoret contributed to the preparation of this Wilson Sonsini Alert.
[1] The EU’s Digital Agenda’s core aspects are the DMA, the Digital Services Act (which addresses the liability of platforms for misinformation and user safety through new ex ante rules), the Data Act (which deals with data sharing obligations, safeguards for data transfer, and regulation of access by public bodies creating harmonized rules across the EU), and the AI Act (which proposes a common regulatory and legal framework for artificial intelligence).