Clifford Chance

The EU has reached agreement on the Digital Markets Act (DMA), the new EU legislation regulating online services. Companies designated as "gatekeepers" will likely need to comply with the DMA's prohibitions and obligations in the second half of 2023.

A mere 15 months after the European Commission published its legislative proposal for the DMA, the Council and European Parliament have agreed the final text. This far-reaching regulation, aimed at ensuring fair and contestable markets, will impose a set of substantial prohibitions and obligations on a handful of large digital companies. The relative speed of the legislative process reflects a political consensus across the EU on the need to regulate the tech sector.

The final agreed text has not yet been released, but here is our understanding of the key points.

Scope

The DMA targets online "gatekeepers" that provide "core platform services" (CPS).

To be designated a gatekeeper, a company must have a significant impact on the market and act as "an important gateway for business users to reach end users". This is determined, in the first instance, through a set of quantitative thresholds, including primarily: (i) annual turnover / average market capitalisation (€7.5 billion / €75 billion respectively); and (ii) number of business users (10.000 annually) and end users (45 million monthly active users) in the EU of a specific CPS.

Companies that meet the quantitative thresholds are presumed to be gatekeepers, but can provide arguments to rebut that presumption. Only a handful of companies, the likes of Google and Facebook, are expected to be caught although it is possible that one or two European / non-US companies may also meet the thresholds.

The DMA will only apply to CPS provided by the gatekeepers. The DMA includes an exhaustive list of CPS such as app stores, online marketplaces, digital advertising, search engines, social media and video-sharing platforms, operating systems, messaging services, cloud services, web browsers and voice assistants.

Prohibitions and obligations

Contrary to ad hoc competition law investigations, the DMA will impose a set of ex ante prohibitions and obligations that gatekeepers will need to comply with. The Commission does not need to establish dominance or anticompetitive effects before it can intervene to require compliance.

The obligations and prohibitions do not make any distinction between different gatekeeper business models, which may give rise to enforcement challenges in the future.

The list of dos and don'ts is broadly based on competition law cases that the Commission has pursued in the past or is currently pursuing.

By way of example, gatekeepers will only be able to combine personal data sourced from a CPS with data from any other gatekeeper's services or from third-party services if they have obtained legitimate consent from the user. This will affect primarily companies active in digital advertising, particularly Google and Facebook, who use the combination of data to gain an advantage in targeted advertising.

Gatekeepers will be required to allow sideloading of apps and third-party app stores on their operating systems. This obligation should impact Apple in particular, because it currently only allows app distribution on iOS via its App Store.

There is also an obligation for search engine gatekeepers to provide rivals with access on fair, reasonable and non-discriminatory (FRAND) terms to user-generated search data. So, Google would be required to share virtually all data generated by its users on its search engine.

Enforcement and fines for non-compliance

The Commission will be the sole enforcer of the DMA and will be able to impose fines up to 10% of the gatekeeper's annual worldwide turnover, or 20% in the event of repeated non-compliance.

For systematic non-compliance (three infringements in eight years), the Commission can impose additional remedies. These might include behavioural or even structural remedies, such as obliging a gatekeeper to sell a business, or parts of it (i.e., selling units, assets, intellectual property rights or brands).

National competition authorities will also be able to open investigations into possible infringements and transmit their findings to the Commission.

Open questions

The DMA is "complementary" to competition law enforcement and will apply in parallel. It remains to be seen how the two systems will coexist going forward

The real challenge now is to ensure that the DMA is enforceable, effective, and applied fairly. To do so, the Commission will need to draw on substantial resources with the right profiles and sector expertise – the Commission's initial provision for 80 full-time equivalents by 2025 might be underestimating the size of the task.

Under the DMA, the Commission is empowered to adopt different implementing acts and guidelines to provide clarity on detailed points of implementation of the DMA, which should facilitate assessment and compliance by gatekeepers.

Besides the DMA, other jurisdictions have enacted (Germany) or are developing (UK) new legal frameworks targeting tech companies. The EU is also expected shortly to adopt the Digital Services Act (DSA) and the Commission recently presented a proposal on a new Data Act. There might be substantial overlaps between these proposals and the new obligations on gatekeepers under the DMA, creating a complex compliance matrix for digital companies to navigate.

Next steps

Now that the DMA has been agreed at the political level, the text must be formally adopted by the co-legislators (European Parliament and Council) – this could happen as early as June. After adoption it will be published in the Official Journal of the EU and enter into force 20 days later. The Commission estimates this could be around October 2022.

The DMA will start applying six months after its entry into force and it will then take another couple of months to start designating the first gatekeepers. Once designated, gatekeepers will have a few months to comply with the prohibitions and obligations. It is therefore likely that gatekeepers will need to be fully compliant in the second half of 2023.

In the last few months of 2022, we are likely to see a flurry of activity from (and lobbying of) the Commission, as it prepares to enforce this substantial piece of legislation.