A milestone was reached yesterday for the regulation of digital platforms: the Council of the European Union gave its final approval to the Digital Markets Act (“DMA”), following the European Parliament’s adoption of the legislative text in plenary on 5 July. The DMA, which will ensure the fairness and contestability of digital markets by setting out a list of “dos and don’ts” for designated gatekeepers, will change the regulatory landscape in the European Union (“EU”). The Regulation, proposed by the European Commission (“Commission”) in December 2020, was adopted in record time, following hundreds of amendments and intense negotiations between the co-legislators. It will now be published in the Official Journal of the EU and enter into force 20 days later.
The short timeframe within which the DMA was adopted indicates the legislators’ willingness to resolve matters that the existing competition law framework may arguably not address in an effective manner. A great job was done by the EU institutions in navigating through the problematic practices of platforms that act as unavoidable gateways between businesses and end users, and in setting rules for complex digital markets. However, the final text also leaves some big questions unanswered.
The designation of gatekeepers
How will the designation process work? At which level will designation occur? These questions need to be answered by the regulator in a timely manner in order to guide potential gatekeepers in their preparations for notification and compliance.
One important point pending clarification is the entity that will be designated as a gatekeeper. Will it be the parent undertaking or the provider of the core platform service that meets the thresholds? The text of the DMA is arguably unclear on this matter. This is because, in the final text, references to the “provider of core platform services” included in the Commission’s DMA proposal have been removed and replaced by references to the “undertaking providing core platform services”. Following the relevant case law, the DMA defines the term undertaking as “an entity engaged in an economic activity, regardless of its legal status and the way in which it is financed, including all linked enterprises or connected undertakings that form a group through the direct or indirect control of an enterprise or undertaking by another.” Under this definition, the term “undertaking” could refer to either the provider of the core platform service or the parent company. The reference to “all linked enterprises or connected undertakings that form a group” may imply that the parent company will be designated. What is more, Article 3 of the DMA refers to the parent company as the “undertaking” that must meet the criteria whereby it would qualify as a gatekeeper.
This is a matter with significant procedural implications. If the parent company is the designated gatekeeper, it will be expected to comply with a series of procedural obligations (e.g., notification, preparation of the compliance plan, establishment of a compliance function). The role of the core platform service provider in the designation process has yet to be clarified. A sensible approach would consist in both entities being involved in this process.
The relevant business users
How should the number of business users of a gatekeeper be calculated? This matter, which is linked to the geographic scope of the DMA, is currently unclear.
Both Article 1(2), setting out the DMA’s geographic scope, and Article 3(2)(b), establishing the quantitative thresholds for designation, state that business users must be “established in the Union”. Article 1(2) provides that, for the DMA to apply, business users must be established in the EU or end users must be established or located in the EU. However, Article 3(2)(b) sets out that, for a platform to qualify as a gatekeeper, it must have 10,000 yearly active business users established in the EU and 45 million monthly active end users established or located in the EU. In light of the above, should potential gatekeepers only calculate business users established in the EU or should they also calculate business users established outside the EU when offering services to end users established or located in the EU?
The latter approach is the one followed by the EU’s General Data Protection Regulation (“GDPR”): the GDPR applies to data processing by a controller or processor established in the EU. However, the GDPR also applies to controllers or processors not established in the EU to the extent that they process personal data of data subjects who are in the EU. According to Recital 23 of the GDPR, what matters is “whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.” The GDPR explains that the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language may make it apparent that the controller or processor under consideration envisages offering services to data subjects in the EU (while mere accessibility of the controller’s or processor’s website in the EU, the provision of an email address or of other contact details, and the use of a language generally used in the third country where the controller is established are not sufficient factors to ascertain such intention).
Will the GDPR approach, whereby the location of the (end) user matters, be followed in the case of the DMA? If such an approach is followed, will it apply in the context of calculating user numbers and complying with the DMA obligations, or will it apply to, e.g., compliance but not notification? Assuming this approach applied to compliance (to the effect that business users outside the EU could benefit from the DMA), would this be in line with the principle of proportionality?
Enforcement of the DMA
The Commission will be the sole enforcer of the DMA, with national competent authorities assuming a supporting role. While information is slowly being revealed, it is still far from clear how enforcement will work. How will the enforcement teams be structured within the Commission? And will the Commission have sufficient resources for enforcement?
Initially, it was envisaged that 80 officials would shoulder the heavy task of monitoring gatekeepers and enforcing the DMA. Both the industry and Members of the European Parliament highlighted the need for ensuring that the Commission devotes adequate resources to the effective enforcement of the DMA. MEP Schwab, who led the DMA through the Parliament, reportedly stressed that without at least 150 dedicated staff, enforcement of the DMA will be a struggle for the Commission. MEP Schwab called for a separate enforcement team for each core platform service provided by a designated gatekeeper, stating that he has “two companies in mind where on every core platform service you will need to have a team. And that means you need a case handler, you need a manager, you need a data analyst … So you need easily ten people for one file … and that means that even the 150 [figure] is little.”
Commissioner Breton, in a post following the adoption of the DMA and the Digital Services Act (“DSA”) by the Parliament, gave us “a sneak peek at the future organization implementing the DSA & DMA.” Within the Directorate-General for Communications Networks, Content and Technology (“DG CONNECT”), dedicated teams will be organized around thematic domains, including societal, technical and economic aspects. The team focusing on societal aspects will handle issues such as risk assessments and audits, the technical team will be responsible for issues such as interoperability of messenger services, while the economic team will cover, among others, DMA-related unfair trading practices, such as data access or fair, reasonable and non-discriminatory (“FRAND”) conditions. A type of “programme office” will coordinate the close collaboration between the different teams and will handle international issues and litigation. Commissioner Breton also indicated that the staffing levels will increase and expertise will be built, particularly in data science and algorithms. Over 100 full time staff will form part of the DG CONNECT team devoted to the DSA and the DMA. For the DMA, DG CONNECT’s team will work alongside DG Competition, which will focus on the case handling.
It has also been reported that the Commission is “on the hunt for up to five specialist contractors to keep in check the power of companies such as Meta, Google, Amazon and Apple.” These experts will help the Commission when “confronted with information and conflicting arguments that can be highly technical and/or can require specific sectoral and legal expertise and knowledge to process and examine.”
The Commission has also reportedly “set up a structure to prepare for the effective enforcement of the DMA in a few months”, having already a joint task force in place to make sure that enforcement would be “fully operational from day one.”
But concrete details about the enforcement mechanism have yet to be revealed.
The interplay between the DMA and other rules
The DMA will not apply in a vacuum; it will interact with existing EU and national rules that establish obligations for (gatekeeper) platforms. The DMA explicitly provides that the Regulation will apply “without prejudice” to several instruments, suggesting that all legislative instruments that govern the conduct of platforms (in the EU and domestically) will harmoniously co-exist and complement each other.
Indeed, there are cases where no tension is expected to arise because the instrument that may apply concurrently with the DMA regulates unrelated matters through provisions that do not contradict the DMA. For example, under the Copyright Directive, a video-sharing platform is required to obtain an authorization from right holders in order to communicate or make available to the public their works. The DMA does not tackle copyright-related matters, nor does it impose any obligations that could put in jeopardy the regime established by the Copyright Directive.
Yet, it is doubted whether the DMA will indeed apply without prejudice to (i.e., without detriment to any existing right or claim enshrined in) all the rules which have recently been revised or adopted to regulate platform practices. In certain cases (e.g., when it comes to the GDPR and the right to data portability it enshrines), the DMA may qualify as lex specialis, thereby prevailing over other rules. In other cases, based on the principle of supremacy of EU law, the DMA may override national rules that pursue objectives other than fairness and contestability (consider, for example, national rules that seek to protect media pluralism). What is more, it cannot be excluded that the implementation of the DMA may trigger the ne bis in idem principle in subsequent proceedings launched under competition rules (to the effect that those proceedings are discontinued). There may also be occasions where the DMA may render certain rules (e.g., rules introduced by the Platform-to-Business Regulation) devoid of purpose. In such cases, despite a “without prejudice” clause, the DMA would not necessarily complement (but could possibly endanger) the effectiveness of existing rules.
What will happen in all those cases where tension between the DMA and other rules arises? Will the answer be directly provided by the Court of Justice of the EU, or can we expect some guidance from the Commission’s services? This brings us to the last big question we wanted to raise: are interpretative guidelines needed once the DMA enters into force?
Undoubtedly, various interpretative issues will arise from the implementation of the DMA. As regards designation, though the DMA includes an Annex that sets out how gatekeepers should calculate the number of end and business users, the metrics identified are not always clear. For example, in the case of virtual assistants, the Annex states that gatekeepers should submit the “number of unique developers who offered at least one virtual assistant software application or a functionality to make an existing software application accessible through the virtual assistant during the year”. Does this mean that certification of a specific app by the gatekeeper platform is needed to qualify as “business user” or is that aspect not relevant? As regards compliance, most of the obligations included in the DMA reflect antitrust proceedings that concerned a specific platform employing a specific business model. How those obligations apply to other platforms that may differ significantly from the platform that has been subject to antitrust scrutiny will not be easy to determine. Other obligations that do not mirror the outcome of competition decisions, such as the provision mandating gatekeepers to grant access to data, raise their own set of challenges (e.g., what would qualify as “effective” data access that business users should be granted?).
Guidelines are important for two reasons. First, as we explained in a previous post, guidelines will contribute to the effective application of the rules, enabling both platforms and their business users to understand under what conditions a gatekeeper complies with the DMA. Secondly, the DMA recitals do not always do a great job interpreting the provision they refer to. In fact, on many occasions, they are limited to repeating the main text. And where recitals do provide some useful clarifications, it is recalled that there is a long line of case law whereby “recitals can help to establish the purpose of a provision or its scope [b]ut they cannot take precedence over its substantive provisions” and have no binding legal force.
The imminent entry into force of the DMA constitutes a significant step in the regulation of gatekeeper digital platforms, making the EU a frontrunner when it comes to digital regulation. As the countdown to the application of the DMA has started, big questions await their answers.
Co-authored by Konstantina Bania and Theano Karanikioti