The European Union (EU) will soon be handed sweeping new rules to regulate the conduct of the largest digital platforms with the long-awaited Digital Markets Act (DMA). Following 15 months of intense negotiations on amendments to the original Proposal, the presidents of the main EU institutions (the Parliament, Council, and Commission) reached a political agreement on the final text of the DMA on March 24, 2022. The final vote is planned for July 2022, with the rules expected to come into effect in October 2022. It is expected that designated gatekeepers will need to comply by early 2024.
The DMA is classified as a regulatory tool and will apply in parallel with the antitrust rules and other national-level enforcement efforts. The EU is also finalizing several other regulatory initiatives (the Digital Services Act, the Data Act, and the AI Act). Companies wishing to operate in Europe will have to navigate an increasingly complex web of rules and make compliance design a priority. In a “race to the bottom,” these rules could also set the de facto global standard for tech platforms, as other jurisdictions seek to model their own digital regulations on the EU’s example.
These rules have arguably been drafted in a vacuum, detached from commercial realities and other existing legislation. In particular, the interplay between the DMA and the General Data Protection Regulation (GDPR) seems poorly thought out and will most likely lead to significant challenges for companies; we expect that the future text will have significant unintended spillover effects on commercial partnerships with data use at their core.
While the final text is not expected to be available for at least a couple of months, this Wilson Sonsini Alert sets out our understanding of the key points.
Background
The DMA is part of a broader EU digital agenda that seeks to revamp the rules applicable to digital platforms, with the aim of ensuring Europe's global competitiveness and data sovereignty.1 It aims to address a perceived enforcement gap in digital markets and draws heavily on antitrust cases against the so-called GAFAM. The rules will capture tech giants such as Google, Apple, Meta, Amazon, and Microsoft, as well as around 15-20 other platforms (expected to include accommodation platform Booking and e-commerce giant Alibaba). The spillover effects for other companies will be significant, however.
For more information about the initial proposals and draft amendments, see the Wilson Sonsini Alerts here and here.
Timing
The new rules provide for a complex framework regarding their application. According to reports on the Final Text, the new rules would enter into force in October 2022, meaning that six months later the legislation will become applicable (around April 2023). Gatekeepers will then have two months within which to notify the European Commission (EC) that their services fall within its scope (so by June 2023). The EC has 45 days from that to formally designate a company as a gatekeeper. A gatekeeper would then have six months (from around August 2023) to comply with the rules, so the true “bite” of the rules would be felt around February/March 2024.
This means that companies that anticipate falling within the DMA’s scope have roughly two years to prepare but, in reality, compliance design may already need to start given the far-reaching nature of the obligations and impact on product design, in particular.
While the drawn-out timeline has been heavily criticized by those anxious to regulate the large tech platforms, it simply reflects the reality gap between political ideology and enforcement practicalities. Compliance will take time given the commercially intrusive nature of the rules, and the EC itself will also need time to ensure adequate resources are in place and to draft much-needed guidance for digital firms.
Scope
Under the DMA, while large tech platforms must self-assess and then notify the EC, the EC will be solely responsible for designating "gatekeeper" platforms that offer "core platform services" (CPS). These services will include search engines, app stores, online marketplaces, social networking platforms, cloud services, advertising services, web browsers, and voice assistants (with the latter two added during negotiations, but connected TVs are excluded).
The new text amends and increases the quantitative criteria for gatekeeper designation: a market capitalization of €75 billion (ca. $83 billion) or a turnover in the European Economic Area equal to or above €7.5 billion (ca. $8 billion); and 45 million monthly active end-users and 10,000 yearly business users.
If these are met, there is a rebuttable presumption that the company is a gatekeeper. However, even below the thresholds, the EC can still designate gatekeepers based on a market study, showing that a company has: i) a significant impact on the internal market; ii) a strong intermediary position; and iii) an entrenched and durable position in the market or it is foreseeable that it will enjoy such a position in the near future. The rebuttable presumption, the ability of the EC to designate gatekeepers below the threshold, and the qualitative criteria will lead to significant legal uncertainty as to how the DMA will apply in practice.
Obligations and Prohibitions
The DMA establishes a list of 18 obligations and prohibitions that gatekeepers will have to comply with. These rules are related to, amongst others, interoperability between platforms, data combination, data access by business users, and self-preferencing. Some key points are:
- Interoperability. Gatekeepers must not prevent interoperability, including by using technical protections, discriminatory terms, subjecting APIs to copyright, or providing misleading information. There is a new requirement that messaging services, like Meta’s WhatsApp and Facebook Messenger or Apple’s iMessage, must open up and interoperate with smaller developers. For group chats, this requirement will be rolled out over a period of four years. However, there will be no interoperability obligation for social networks. Very little thought appears to have gone into how this will apply in practice, as it could have significant ramifications for the privacy and security of electronic communications, with a potential to weaken end-to-end encryption.
The DMA also creates new requirements for operating systems to open up to third-party apps and to allow sideloading, which will impact companies that only currently permit app distribution via their platform. - Data Combination. Without the Final Text, it is unclear whether the last negotiations added other GDPR legal bases for data combination, but if not, gatekeepers must obtain valid GDPR end user consent before combining personal data with personal data from other services of the gatekeeper or third parties. If users do not consent, gatekeepers must provide service alternatives that do not require the same level of data combination or cross-use. This requirement could have a significant impact on platforms involved in digital advertising or combining data collected across products and services.
- Data Access by Business Users. With respect to data use and data sharing, the DMA apparently will require gatekeepers i) to disclose information about the use of their platform by their business users, and ii) to obtain end-user’s consent where such information contains personal data. This may have significant spillover effects, as it could restrict businesses’ ability to obtain partnership data from gatekeepers as obtaining end-users’ consent will be burdensome. The requirement of fair access for businesses to gatekeeper’s app stores will now also extend to search engines and social media networks.
- Self-Preferencing. The DMA will prevent gatekeepers from promoting their own services over the services of competitors or requiring the use of their digital payment service for app purchases. Relatedly, users must be offered a choice screen with competing services when first using a gatekeeper’s search engine, virtual assistant, or web browser.
Contrary to the proposals for a similar UK regime, the list of rules does not make a distinction between platform business models and is an inflexible, “one-size-fits-all” approach. The EC will have the power to conduct market studies and update the rules as needed.
Enforcement
The EC will have massive enforcement powers:
- Fines. It will be entitled to levy fines of up to 10 percent of the company's total worldwide annual turnover, and up to 20 percent in the case of repeated infringements.
- Remedies. Where there is systemic non-compliance (three infringements in eight years), the EC will be able to order conduct or structural remedies, including the break-up of companies and forced divestments. The restrictions it places on gatekeepers will be enforced directly in national courts and be subject to private enforcement and class actions.
- M&A. The EC can also ask gatekeepers to inform it of intended mergers, and temporarily block acquisitions if gatekeepers systematically fail to comply with the new rules.
However, there are serious questions over the EC’s ability to handle enforcement. The rules are fraught with legal uncertainty and each step in the process is likely to be subject to legal challenges, with gatekeepers likely to submit volumes of legal and economic submissions to rebut a gatekeeper designation. Each core platform service of a gatekeeper could be at issue, meaning one company could see parallel procedures for each CPS it operates (e.g., mobile operating system, voice assistant, and adtech unit in parallel reviews).
Gatekeepers are likely to wait until the last moment to submit designation notices and compliance notices, meaning the EC would be repeatedly hit with casework at the same time. The EC’s DMA team is anticipated to have around 20 staff this year, ramping up to an estimated 80 by 2025. EU lawmakers and Commissioner Vestager have publicly said that a budget increase and more staff are needed to adequately enforce the DMA.
A Tangled Web of Regulations
The EC recently repeated that DMA enforcement will be in parallel to “strong competition-law enforcement.” It remains to be seen how the DMA will interact with antitrust enforcement in practice.
In parallel to the DMA, the EU is finalizing rules for platform liability and content moderation (the Digital Services Act). The EU is also working on a new Data Act (which deals with non-personal data and includes data sharing obligations, and safeguards for data transfer), and the AI Act (which proposes a common regulatory and legal framework for artificial intelligence).
At a national level, other jurisdictions have either enacted similar ex ante rules (Germany) or are working on their own platform proposals (the UK and the U.S., for instance).
Given the overlaps between the various regulatory initiatives, tech platforms will need to take a more holistic approach to compliance design and may need to rebuild from the ground up to avoid the headache of tailoring product design, go-to-market, and commercial strategies for each jurisdiction.
Wilson Sonsini Insights
The DMA will profoundly change the way digital platforms operate. However, we expect significant challenges in court given the uncertainty around the DMA framework, lack of economic analyses, and absence of any guidance on the DMA’s application.
Companies active in the digital sphere should already begin planning for the DMA and the increasingly complex web of EU and national regulations. Compliance programs may need to be redesigned from the ground up and regulatory and policy teams briefed on the sweeping new rules, given the significant spillover effects for even smaller tech companies (particularly with regard to data sharing).
For more information, please contact Cédric Burton, Beau Buffier, or any member of the firm's privacy and cybersecurity or antitrust practices.
Deirdre Carroll and Laurine Signoret contributed to the preparation of this Wilson Sonsini Alert.
[1] The EU’s Digital Agenda’s core aspects are the DMA, the Digital Services Act (which addresses the liability of platforms for misinformation and user safety through new ex ante rules), the Data Act (which deals with data sharing obligations, safeguards for data transfer, and regulation of access by public bodies creating harmonized rules across the EU), and the AI Act (which proposes a common regulatory and legal framework for artificial intelligence).
