Understanding the Digital Markets Act

The Digital Markets Act establishes a regulatory framework to govern large technology platforms designated as gatekeepers, imposing binding obligations to ensure contestable and fair digital markets across the European Union. What implications will this landmark regulation have for the business models and competitive practices of major technology companies?

EUROPEAN UNION

Daniel C. & Takamaro H.

12/4/2022 · 15 min read

While our clients are unlikely to face restrictions as a result of the Digital Markets Act (given who the Act targets), we are covering it as it is essentially one of the strongest laws against anti-competitive conduct ever passed affecting the digital industry. This could in turn present new opportunities for start-ups and smaller firms seeking to compete with established digital players.

Overview

Regulation (EU) 2022/1925, commonly referred to as the Digital Markets Act (DMA), was adopted on 14 September 2022 and published in the Official Journal on 12 October 2022, entering into force on 1 November 2022. This Regulation establishes a comprehensive framework for regulating large digital platforms designated as "gatekeepers" by imposing directly applicable obligations and prohibitions on their conduct in relation to business users and end users, and is likely to have ripple effects across the EU’s digital market. The Regulation applies to ten categories of "core platform services" and becomes applicable from 2 May 2023 for most provisions, with gatekeepers required to comply with their obligations within six months of designation. Article 1(1) stipulates that the purpose of the Regulation is "to contribute to the proper functioning of the internal market by laying down harmonised rules ensuring for all businesses, contestable and fair markets in the digital sector across the Union where gatekeepers are present".

The Digital Markets Act emerged from sustained concerns regarding the market power accumulated by large technology platforms and the perceived inadequacy of traditional competition law enforcement in addressing structural problems in digital markets. The Commission's proposal in December 2020 followed several years of market investigations, stakeholder consultations, and reports documenting practices by large platforms that foreclosed competition and imposed unfair conditions on business users. These practices included the use of data generated by business users to compete against them, self-preferencing in ranking and search results, restrictions on business users' ability to offer better terms on alternative platforms or through direct sales channels, and the tying of services such as payment systems and browsers to core platform services.​

The fundamental rationale for the Regulation rests on the observation that certain digital markets exhibit distinctive characteristics that enable the entrenchment of dominant positions. Network effects, whereby the value of a platform to users increases with the number of other users, create significant advantages for incumbent platforms and raise barriers to entry for potential competitors. Data advantages accumulated through the provision of core platform services enable gatekeepers to improve their services and to enter adjacent markets with informational advantages that rivals cannot replicate. Ecosystem dependencies and high switching costs lock users into particular platforms, reducing competitive pressure and enabling gatekeepers to extract rents from business users who lack viable alternatives.​

The Regulation seeks to address these concerns through a regulatory framework that imposes obligations on gatekeepers before they engage in harmful conduct, rather than relying on case-by-case investigations and sanctions after anticompetitive practices have already occurred and caused harm. However, this regulatory model has also raised questions regarding whether the obligations imposed are sufficiently precise to avoid interpretive disputes, whether the designation criteria will capture all platforms whose conduct warrants regulatory scrutiny, and whether regulatory intervention may stifle innovation or impose costs that ultimately harm consumers.​

Material Provisions of the Act

The most material provisions of the Digital Markets Act are arguably Article 2, which establishes the definitional framework including the concept of core platform services; Article 3, which sets out the criteria and procedures for designating gatekeepers; Article 5, which contains directly applicable obligations and prohibitions; Article 6, which establishes obligations susceptible to further specification by the Commission; and Article 7, which addresses interoperability of messaging services.

Article 2(2) defines core platform services as "any of the following: (a) online intermediation services; (b) online search engines; (c) online social networking services; (d) video-sharing platform services; (e) number-independent interpersonal communications services; (f) operating systems; (g) web browsers; (h) virtual assistants; (i) cloud computing services; (j) online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in points (a) to (i)".

Article 3(1) establishes the qualitative criteria for gatekeeper designation, providing that "an undertaking shall be designated as a gatekeeper if: (a) it has a significant impact on the internal market; (b) it provides a core platform service which is an important gateway for business users to reach end users; and (c) it enjoys an entrenched and durable position, in its operations, or it is foreseeable that it will enjoy such a position in the near future". These criteria are operationalised through quantitative thresholds in Article 3(2), which establish that an undertaking shall be presumed to satisfy the requirements where "it achieves an annual Union turnover equal to or above EUR 7,5 billion in each of the last three financial years, or where its average market capitalisation or its equivalent fair market value amounted to at least EUR 75 billion in the last financial year, and it provides the same core platform service in at least three Member States" and where "it provides a core platform service that in the last financial year has at least 45 million monthly active end users established or located in the Union and at least 10,000 yearly active business users established in the Union" and where "the thresholds in point (b) were met in each of the last three financial years".​

These thresholds are calibrated at levels that clearly point to a small number of very large global technology companies, reflecting a deliberate policy choice to focus regulatory resources on platforms whose market power and strategic significance warrant the imposition of extensive obligations. Undertakings meeting these thresholds must notify the Commission within two months, whereupon the Commission designates them as gatekeepers within 45 working days. Article 3(5) permits undertakings to present "sufficiently substantiated arguments to demonstrate that, exceptionally, although it meets all the thresholds in paragraph 2, due to the circumstances in which the relevant core platform service operates, it does not satisfy the requirements listed in paragraph 1", though the evidentiary burden for rebutting the presumption rests with the undertaking. Article 3(8) grants the Commission discretion to designate as gatekeepers undertakings that do not meet the quantitative thresholds but nonetheless satisfy the qualitative criteria in Article 3(1), taking into account factors including "network effects and data driven advantages", "business user or end user lock-in, including switching costs", and "conglomerate corporate structure or vertical integration".​​

Article 5 contains obligations that apply directly upon designation without requiring further specification by the Commission. Article 5(2) prohibits gatekeepers from combining personal data across services for advertising purposes without explicit consent, stipulating that the gatekeeper "shall not do any of the following: (a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper; (b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services; (c) cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and (d) sign in end users to other services of the gatekeeper in order to combine personal data, unless the end user has been presented with the specific choice and has given consent". This provision addresses a core competitive concern regarding large platforms that offer multiple services: the ability to combine user data across services enables highly precise advertising targeting and creates informational advantages in adjacent markets that rivals cannot replicate.​​

Article 5(3) prohibits most-favoured-nation clauses, providing that "the gatekeeper shall not prevent business users from offering the same products or services to end users through third-party online intermediation services or through their own direct online sales channel at prices or conditions that are different from those offered through the online intermediation services of the gatekeeper". Such clauses have been employed by platforms to prevent business users from offering lower prices or better terms elsewhere, thereby foreclosing competition and preventing consumers from benefiting from more favourable conditions on alternative platforms. Article 5(4) addresses anti-steering restrictions, requiring that "the gatekeeper shall allow business users, free of charge, to communicate and promote offers, including under different conditions, to end users acquired via its core platform service or through other channels, and to conclude contracts with those end users, regardless of whether, for that purpose, they use the core platform services of the gatekeeper". This provision targets practices whereby gatekeepers restrict business users from informing customers about better terms available outside the gatekeeper's platform or from establishing direct relationships with customers.​​

Article 5(7) prohibits tying of ancillary services, stating that "the gatekeeper shall not require end users to use, or business users to use, to offer, or to interoperate with, an identification service, a web browser engine or a payment service, or technical services that support the provision of payment services, such as payment systems for in-app purchases, of that gatekeeper in the context of services provided by the business users using that gatekeeper's core platform services". This obligation is particularly relevant to mobile application stores that mandate use of proprietary payment systems on which the gatekeeper levies commissions, a practice that has been the subject of considerable controversy and litigation.​​

Article 6 establishes obligations that may be further specified by the Commission through implementing acts. Article 6(2) prohibits gatekeepers from using non-public data generated by business users to compete against them, providing that "the gatekeeper shall not use, in competition with business users, any data that is not publicly available that is generated or provided by those business users in the context of their use of the relevant core platform services". The provision clarifies that this prohibition extends to "any aggregated and non-aggregated data generated by business users that can be inferred from, or collected through, the commercial activities of business users or their customers, including click, search, view and voice data". This addresses practices whereby platforms use sales data, search queries, and browsing patterns from business users to inform the development, pricing, and marketing of the platform's own competing products.​​

Article 6(3) addresses pre-installation and default settings on operating systems, requiring that "the gatekeeper shall allow and technically enable end users to easily un-install any software applications on the operating system of the gatekeeper" and "to easily change default settings on the operating system, virtual assistant and web browser of the gatekeeper that direct or steer end users to products or services provided by the gatekeeper". The provision further mandates that gatekeepers present users with choice screens "at the moment of the end user's first use of an online search engine, virtual assistant or web browser" to select which service "the operating system of the gatekeeper directs or steers users by default". This obligation targets the practice of pre-installing proprietary applications and setting them as defaults, which confers substantial competitive advantages by exploiting user inertia and behavioural biases favouring defaults.​

Article 6(4) requires gatekeepers to permit third-party application distribution, stipulating that "the gatekeeper shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that gatekeeper". This obligation, which mandates so-called "sideloading" of applications, directly challenges the closed ecosystem model whereby certain mobile operating systems restrict application distribution to a single proprietary store. The provision includes a qualification that "the gatekeeper shall not be prevented from taking, to the extent that they are strictly necessary and proportionate, measures to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper". The scope and application of this security exception will likely prove contentious, as gatekeepers may argue that extensive screening measures are necessary to prevent malware and fraudulent applications, whilst business users contend that such measures effectively replicate the control currently exercised through proprietary app stores.​​

Article 6(5) prohibits self-preferencing, stating that "the gatekeeper shall not treat more favourably, in ranking and related indexing and crawling, services and products offered by the gatekeeper itself than similar services or products of a third party" and that "the gatekeeper shall apply transparent, fair and non-discriminatory conditions to such ranking". The requirement for "transparent, fair and non-discriminatory" treatment leaves considerable scope for interpretive disputes, as gatekeepers may argue that favouring higher-quality services, even when those services happen to be their own, comports with fairness, whilst business users contend that any differential treatment based on affiliation constitutes discrimination.​​

Article 7 establishes specific obligations for number-independent interpersonal communications services, requiring designated gatekeepers to "make the basic functionalities of its number-independent interpersonal communications services interoperable with the number-independent interpersonal communications services of another provider offering or intending to offer such services in the Union, by providing the necessary technical interfaces or similar solutions that facilitate interoperability, upon request, and free of charge". Article 7(2) establishes a phased implementation timeline, requiring interoperability for end-to-end text messaging and file sharing between two users following designation, extending to group messaging within two years, and to voice and video calls within four years. Article 7(3) stipulates that "the level of security, including the end-to-end encryption, where applicable, that the gatekeeper provides to its own end users shall be preserved across the interoperable services". This interoperability requirement raises complex technical and security challenges, as different messaging platforms employ varying encryption protocols, data retention policies, and feature sets, and the requirement to maintain end-to-end encryption across interoperable services may prove particularly difficult to implement where requesting providers do not employ comparable security architectures.​​

Potential Impact on the Largest Technology Companies

The Digital Markets Act has far-reaching implications for the largest technology companies operating in the European Union, particularly those that provide multiple core platform services and meet the quantitative thresholds established in Article 3(2). Based on publicly available information regarding revenues, market capitalisation, and user numbers as of 2022, several undertakings appear virtually certain to be designated as gatekeepers following the Regulation's entry into application in May 2023.​

Alphabet, through its provision of Google Search, the Android operating system, Google Play, YouTube, and advertising services, operates multiple core platform services that appear to satisfy designation criteria. Google Search commands an overwhelming market share in online search across the European Union, with independent measurements suggesting that over 90% of search queries in most Member States are conducted through Google's service. Android is deployed on the majority of smartphones sold in Europe, whilst Google Play functions as the primary application distribution channel for Android devices. YouTube operates as the dominant video-sharing platform in the Union, and Google's advertising services intermediate vast quantities of online advertising through its advertising exchange, network, and other intermediation services. Under the DMA, Google will be required to cease practices including pre-installing Google Search and Chrome as default applications on Android devices without providing users with choice screens pursuant to Article 6(3), favouring Google's own services such as Google Shopping, Google Maps, or Google Flights in search results pursuant to Article 6(5), and combining user data across Search, YouTube, Gmail, Maps, and other services without explicit consent for advertising purposes pursuant to Article 5(2). The prohibition on data combination may prove particularly consequential for Google's advertising business, which has historically leveraged data from multiple services to provide highly targeted advertising.​​

Apple faces significant implications regarding iOS, the App Store, and Safari. The company has maintained strict control over application distribution on iOS devices, with developers required to distribute applications exclusively through the App Store and to use Apple's in-app purchase system for digital goods and services, on which Apple levies a commission of up to 30%. Apple has also restricted developers from informing users within applications about alternative purchasing options available outside the App Store or on other platforms. Article 5(4) and Article 5(7) will require Apple to permit business users to communicate freely with customers about alternative purchasing options and to refrain from requiring use of Apple's payment system. Article 6(4) will require Apple to permit installation of applications from sources other than the App Store, a practice referred to as sideloading. Article 6(3) will require Apple to enable users to uninstall pre-installed applications such as Safari and to change default applications more easily. Apple has defended its App Store policies as necessary to ensure security, privacy, and quality control within the iOS ecosystem, arguing that permitting sideloading and alternative payment systems will expose users to malware, fraudulent applications, and privacy violations. The company has suggested that the security exception in Article 6(4), which permits gatekeepers to take measures "strictly necessary and proportionate" to ensure that third-party applications "do not endanger the integrity of the hardware or operating system", may require screening mechanisms for sideloaded applications, though business users contend that such mechanisms would effectively replicate the control Apple currently exercises.​​

Meta Platforms operates Facebook, Instagram, WhatsApp, and Messenger, each of which likely qualifies as a core platform service. Facebook and Instagram function as online social networking services, whilst WhatsApp and Messenger qualify as number-independent interpersonal communications services. Article 5(2) will prohibit Meta from combining user data across these services without explicit consent, a practice that has been central to the company's advertising-based business model. Meta currently constructs detailed user profiles for advertising purposes by combining data from user activity across Facebook, Instagram, WhatsApp (to the extent metadata rather than message content is collected), and external websites and applications that employ Meta's tracking technologies such as the Facebook pixel. The requirement to obtain separate consent for data combination may reduce the precision of Meta's advertising targeting, potentially affecting the prices advertisers are willing to pay and thereby impacting the company's revenues. Article 7 will require Meta to ensure interoperability of WhatsApp and Messenger with competing messaging platforms, enabling users of rival services to exchange messages, images, files, and eventually voice and video calls with WhatsApp and Messenger users. Meta has indicated that implementing interoperability whilst maintaining end-to-end encryption presents complex technical challenges, particularly where requesting providers employ different encryption protocols or retain messages on servers rather than solely on user devices, though critics suggest that such concerns may be overstated and that technical solutions exist to enable secure interoperable messaging.​​

Amazon operates both a dominant online marketplace and cloud computing services through Amazon Web Services. The marketplace functions as an online intermediation service, whilst AWS qualifies as a cloud computing service. Article 6(2) prohibits Amazon from using non-public data generated by third-party sellers on its marketplace to compete against them. This provision directly addresses Amazon's practice of analysing sales data, search queries, and customer reviews from third-party sellers to inform the development, pricing, and marketing of Amazon's own private-label products. Competition authorities in both the United States and Europe have investigated this practice, with the European Commission opening a formal antitrust investigation in July 2019 examining whether Amazon's use of seller data violates Article 102 TFEU, an investigation that remained ongoing as of 2022. Article 6(5) requires Amazon to refrain from treating its own products more favourably in ranking than those of third-party sellers and to apply "transparent, fair and non-discriminatory conditions" to ranking. Third-party sellers have documented instances in which Amazon's private-label products appeared prominently in search results despite having fewer reviews or lower ratings than competing products from third parties, suggesting that factors other than relevance and quality influenced ranking outcomes.​​

Microsoft is likely to be designated as a gatekeeper with respect to the Windows operating system, the LinkedIn social networking service, and potentially its cloud computing services through Azure. Windows qualifies as an operating system, whilst LinkedIn constitutes an online social networking service. Microsoft's experience as the subject of antitrust enforcement in both the United States and Europe during the 1990s and 2000s, particularly regarding bundling of Internet Explorer with Windows and interoperability obligations imposed through the Commission's 2004 decision, may inform the company's approach to DMA compliance. Microsoft has publicly expressed support for aspects of the DMA's regulatory approach, particularly provisions requiring interoperability and data portability, positioning itself as a more cooperative and open platform compared to certain competitors. Whether this reflects genuine alignment with the Regulation's objectives or strategic positioning to contrast itself with rivals and to deflect regulatory scrutiny from its own practices remains subject to debate.​​

ByteDance, the Chinese company operating TikTok, has experienced rapid growth in monthly active users in Europe, with estimates suggesting that TikTok exceeded 100 million monthly active users in the Union by mid-2022, potentially meeting the threshold in Article 3(2)(b). TikTok functions as both a video-sharing platform service and potentially an online social networking service. TikTok's algorithmic recommendation system, which personalises content feeds based on user engagement patterns and has proven extraordinarily effective at retaining user attention, operates with limited transparency regarding the data inputs, ranking factors, and personalisation mechanisms employed. Article 6(5) requires gatekeepers to apply "transparent, fair and non-discriminatory conditions" to ranking, which may require TikTok to provide users and business users with greater visibility into how content is selected, prioritised, and recommended. Additionally, concerns have been raised regarding TikTok's data practices and the extent to which user data collected in Europe may be accessible to ByteDance's operations in China, though such concerns relate primarily to data protection and security considerations that fall largely outside the scope of the DMA.​​

It ought to be acknowledged that smaller technology companies and business users dependent on gatekeeper platforms have advocated vigorously for rigorous enforcement of the DMA, viewing the Regulation as creating opportunities for competition previously foreclosed by incumbent practices. Alternative application stores for iOS and Android devices, competing search engines such as DuckDuckGo and Ecosia, rival messaging platforms such as Telegram and Signal, and European software developers and online retailers have expressed support for provisions requiring choice screens, data portability, interoperability, and prohibitions on self-preferencing and use of business user data. These firms contend that they have been disadvantaged by gatekeeper practices including discriminatory access conditions, opaque ranking systems that favour gatekeeper services, sudden changes to platform terms of use, and limited recourse when their access is restricted or their offerings are demoted. The DMA's obligations may enable these firms to compete more effectively if users are presented with genuine choices rather than defaults determined by gatekeepers and if gatekeepers are prevented from leveraging their control of core platform services to advantage their own offerings in adjacent markets.​

Daniel C. is one of the two founders of Autran Group. He is a graduate of Florida International University, with a Bachelor’s Degree in History and Anthropology. Daniel is also the founder and director of Ancestral Whispers, a non-profit organisation dedicated to furthering the study of archaeogenetics and human prehistory. Aside from his pursuit of the humanities, Daniel is also highly passionate about geopolitics and its potential impacts on business, having ventured into the import-export field himself. Armed with a strong understanding of cross-cultural differences, originally cultivated by both his international background and socio-historical knowledge, Daniel’s expertise is critical to navigating our ever-changing world at Autran Group.

Takamaro H. is one of the two founders of Autran Group. Having previously lived in seven countries, he brings a global perspective to our firm; one which is vital in being able to understand the implications of the constant state of flux that our world finds itself in. He is personally invested in the intersection of law and business, and regularly researches novel developments in the legal field. Takamaro created Autran Group after his experience in creating and managing import-export businesses, wherein he observed that there was a gap in relation to companies’ ability to manage geopolitical and regulatory shifts. Apart from his legal and business interests, Takamaro is also highly passionate about history and linguistics; besides his native English and Japanese, Takamaro also speaks French, Italian and Russian, with a moderate command of Spanish and Chinese.