DMA, DSA & Data Act: gamechangers for digital economy almost in force

In March and April 2022, political agreement was reached on the legislative proposals for the Digital Markets Act (“DMA”) and the Digital Services Act (“DSA”) of the European Commission (the Commission). The aim of the DSA and DMA is to regulate digital service providers and to rein in large tech companies such as Amazon, Google, Apple and Meta. The Commission also presented a legislative proposal for a European Data Regulation (“Data Act”). The Data Act should facilitate the sharing of data within the digital economy. In this blog, we explain what the DMA, DSA and Data Act will entail for companies, what powers the competition authorities have in this respect, and why they will be making full use of those powers.

Background of the DMA, DSA and Data Act

On 15 December 2020, the Commission published its revolutionary legislative proposals for the DMA and the DSA. The proposed rules are part of the Commission’s digital strategy and aim to ensure that digital service providers compete fairly and that consumers have access to a wide range of safe online products and services. The European Parliament has already formally approved both the DMA and the DSA. All that now remains is for the Council of the European Union to formally adopt the DSA. Both legislative proposals will enter into force 20 days after publication in the Official Journal of the EU. The Commission expects this to happen by the autumn of 2022 or in early 2023 at the latest.

Another part of the Commission’s digital strategy is its recent legislative proposal for a Data Act. This Data Regulation specifically relates to the data market and sets out new rules on the use of and access to data in all sectors of the European Union (“EU”). The legislative proposal is currently before the Parliament and the Council. The European Committee of the Regions and the European Economic and Social Committee both advised on the legislative proposal in June 2021. The European Parliament’s and Council’s approval is not expected before the end of 2022.

DMA: the gatekeepers

The DMA is specifically aimed at curbing the market power of what are known as “gatekeepers”. These are large providers of core platform services – such as large online marketplaces (Amazon), app stores (Apple), search engines (Google), social networks (Facebook), network browsers (Chrome) or virtual assistants (Alexa) – with an entrenched and durable position. To be designated as a gatekeeper by the Commission, a platform must meet the following cumulative criteria:

  1. it must offer a core platform service in at least three EU Member States;
  2. it must have generated an annual turnover of at least EUR 7.5 billion in the past three (financial) years or have achieved a market value of at least EUR 75 billion in the past financial year;
  3. it must have at least 45 million monthly end users in the EU; and
  4. it must have at least 10,000 business users in the EU.

The assessment of whether a company is a gatekeeper differs from the classic competition law test. In order to designate a company as a gatekeeper, the Commission need not first prove, for instance, the existence of a dominant position, anti-competitive behaviour or the company’s ability to act independently of competitors. Also, a gatekeeper may not put forward an efficiency defence. A gatekeeper may, however, argue and substantiate that it does not meet the criteria listed above. The company in question bears the burden of proof in that regard. An obligation to notify furthermore applies: a platform that meets the criteria must notify the Commission accordingly within two months.

Gatekeepers must meet a number of specific obligations. The Commission may furthermore supplement the list below on the basis of a market investigation (over a minimum period of 12 months):

  • end users must be able to easily uninstall pre-installed software and apps;
  • end users must be able to install third-party apps or app stores (side-loading);
  • personal data may not be combined for targeted advertising (unless consent is given);
  • end users must be able to unsubscribe from core platform services as easily as they subscribe to them;
  • gatekeepers must be transparent about advertising performance and rates;
  • business users must be given access to the data generated by a gatekeeper;
  • gatekeepers must guarantee that third-party software can function properly on their platform.

DMA: Emerging gatekeepers

The DMA allows the Commission – after a market investigation – to designate companies as emerging gatekeepers: platforms that do not yet meet the gatekeeper criteria listed above. This applies to platforms that have a proven, but not yet durable, competitive position. When designating a company as an emerging gatekeeper, the Commission takes into account the size, activities and position of the online platform, entry barriers, and lock-in effects of business users.

In principle, platforms designated as emerging gatekeepers by the Commission need not comply with the obligations listed above that apply to gatekeepers. The Commission may impose only lighter obligations that are necessary to prevent the online platform in question from acquiring an entrenched and durable position. The Commission must decide within a reasonable period whether the platform will be designated as a gatekeeper after all. If not, all the obligations for the platform lapse. In principle, the status of emerging gatekeeper is therefore of a temporary nature. But the target group is relatively large: according to the Commission, more than 10,000 fast-growing online platforms are currently operating in the European Union.

Gatekeepers’ obligation to notify acquisitions

Gatekeepers must also notify the Commission of any proposed concentration (i.e. a merger or acquisition or the formation of a joint venture). This does not apply to emerging gatekeepers. This obligation to notify appears to be a concrete elaboration of the Commission's intention to review “killer acquisitions” and to prohibit them where necessary. Read more about this in this blog.

The enforcement of the DMA has been almost exclusively assigned to the Commission and is comparable to the enforcement of the cartel prohibition (Article 101 TFEU) and abuse of a dominant position (Article 102 TFEU). An important addition to the Commission's enforcement arsenal is the fact that the Commission can demand access to the algorithm used by a gatekeeper. The Commission may furthermore:

  • demand information, conduct interviews and carry out dawn raids;
  • impose temporary measures (and in the event of non-compliance: enforce remedies or undertakings);
  • impose (i) fines of up to 10% of the worldwide annual turnover; (ii) fines of up to 20% in the event of repeated infringements, or (iii) periodic fines of up to 5% of the average daily turnover;
  • impose structural or behavioural measures (in the event of repeated infringements); or
  • prohibit further mergers or acquisitions by a gatekeeper.

National competition authorities in the EU have announced that they also wish to play a role in the enforcement of the DMA. There appears to be little room for this at present, but the DMA allows three national competition authorities, such as ACM, to conduct a joint investigation in the EU and to request the Commission to continue that investigation. The Commission must then respond to such a request within four months. To allow the Commission to benefit from the expertise of national competition authorities, the Commission is also working together with a committee consisting of representatives from EU Member States and the Digital Markets Advisory Committee.

DSA: more responsibility for digital service providers and better protection for consumers

The DSA sets out new rules aimed in particular at stimulating innovation and growth of smaller online service providers. The DSA should also lead to greater transparency regarding digital services and better protection of fundamental rights of consumers. In principle, the DSA, unlike the DMA, applies to all digital services within the EU. The DSA distinguishes different types of digital service providers:

  • network infrastructure providers: internet access providers and domain name registrars;
  • hosting services: cloud computing and webhosting services;
  • very large online search engines: more than 10% of the 450 million consumers in the EU;
  • online platforms: online marketplaces, app stores, collaborative economy platforms and social media platforms;
  • very large online platforms: more than 10% of the 450 million consumers in the EU.

On the basis of the DSA, the larger the digital service provider is, the more obligations will apply. More obligations will apply, for instance, to hosting services than to intermediary services. Also, very large online platforms will have more responsibilities than relatively small online marketplaces. The most important (new) measures in the DSA are:

  • measures to counter illegal goods, services or online content: such as a mechanism that makes it easier for users to flag illegal content;
  • measures to empower users and society at large: such as transparency obligations regarding the algorithms used by platforms;
  • measures to assess and mitigate risks: such as safeguards for the protection of children and restrictions on the use of personal data;
  • more monitoring and better enforcement by the Commission and Member States: such as the appointment of a Digital Services Coordinator in each EU Member State.

A list of all the DSA obligations per category of digital service provider can be found here.

The DSA enforcement mechanism consists of cooperation between the Commission and the EU Member States. EU Member States are obligated to appoint an (independent) Digital Services Coordinator. That coordinator must monitor the activities of small to medium-sized digital service providers. The Commission is responsible for the DSA supervision of the large online platforms and search engines. If the obligations under the DSA are breached, the Commission may impose fines of up to 6% of the digital service provider’s worldwide turnover. The DSA furthermore offers the possibility (via the court) to temporarily suspend the services of rogue platforms.

Addition to the DMA and DSA: the Data Act

In addition to the DMA and DSA, the Commission has presented a legislative proposal for a European Data Regulation. The Data Act aims to create a fair digital environment, stimulate a competitive data market and make data (from public authorities, businesses and individuals) more accessible. The EU defines data as a “non-competitive good”, like a television series or sunlight, which many people can access at the same time without the supply running out. Given this limitless potential of data, the Commission believes that regulation is required to ensure that data is not underused. The importance of the Data Act is underlined by the fact that it is expected to increase EU GDP by EUR 270 billion by 2028. Although the text of the Data Act is not yet final, the current version includes the following measures:

  • measures to give consumers access to the data generated by them (data portability);
  • measures to prevent abuse of imbalances in data-sharing agreements, in order to strengthen the negotiating position of small businesses;
  • measures to give public authorities access to data held by private parties; and
  • measures to enable switching between cloud services (interoperability).

The Data Act is primarily enforced by national authorities designated by the EU Member States. The Data Regulation includes the following enforcement instruments, among others: (i) a complaints mechanism; (ii) the power to investigate the provisions of the Data Act; (iii) the power to impose sanctions (fines and penalties); (iv) the enforcement of access to data in cases of exceptional necessity; and (v) the abolition of switching costs in data processing services.

ACM has now responded to the Data Act. According to ACM, which has conducted its own market investigation into cloud services, the interoperability of cloud services must be (better) safeguarded in the Data Act. The Data Act should make it possible, for instance, for companies to combine different cloud services and switch cloud services more easily (interoperability). In the coming months, ACM will further investigate competition problems in cloud services and whether these problems can best be tackled by current competition law or by new EU legislation, such as the DMA, DSA and Data Act. These investigations are in keeping with ACM’s current focus on interoperability and data portability.

Shift from ex post to ex ante regulation: increasing enforcement

It is clear that a new era is dawning for the competition-law supervision and the regulation of the digital economy. The DMA, DSA and Data Act are creating a shift from ex post to ex ante enforcement. The new legislation allows the Commission (and national authorities) to conduct market investigations in order to (i) designate a platform as a gatekeeper or emerging gatekeeper; and (ii) investigate compliance with the obligations under the DSA and the Data Act. The Commission and the EU Member States are likely to seize these new enforcement powers under the DMA, DSA and Data Act with both hands. The European Union is thereby reinforcing its global leadership as a regulator for large tech companies.

Although the DMA, DSA and Data Act are not yet in force, ex post enforcement instruments such as fines and orders subject to a penalty are still widely used by the Commission and national competition authorities. The various fines that the Commission imposed on Google are a case in point. The Commission furthermore recently demanded commitments from Amazon, TikTok and WhatsApp. The German competition authority also issued a warning to Facebook. The order subject to a penalty imposed on Apple is a recent example of enforcement by ACM. Although this ex post enforcement is having a significant impact, national competition authorities have stated that imposing ex ante measures is far preferable to ex post supervision of digital service providers/big tech. The DMA, DSA and Data Act are in keeping with this plea.

Even if the regulators themselves do not immediately make use of their new instruments, the DMA, DSA and Data Act will most likely make themselves felt immediately, because companies and consumers will be able to file complaints if the DMA, DSA or Data Act is breached: these bills provide for a complaint mechanism. Businesses will be able to submit complaints to gatekeepers (DMA), to Digital Services Coordinators (DSA) or directly to competent national authorities (Data Act). Online platforms, gatekeepers and emerging gatekeepers are forewarned!

Contact details

Diederik Schrijvershof

Martijn van de Hel

Paul Breithaupt