The Digital Markets Act is the european regulation EU 2022/1925 on contestable and fair markets in the digital sector which addresses the lack of contestability of core platform services, and imposes obligations on the undertakings designated as gatekeepers. In this article, we are going to introduce the key points of the Digital Markets Act: we start with contestability, what does it mean and the relation between the new discipline and competition law. We will then see what are the core platform services the regulation applies to, and when an enterprise qualifies to be designated as gatekeeper. Lastly: the Digital Markets Act mandates chat interoperability, between different providers of messaging apps. As this is meant to overcome the well known network effect, we will explain why it also poses risks for privacy and security.
- Contestability and competition
- What does the Digital Markets Act apply to?
- Obligations of gatekeepers
- Personal data
- Transparence obligation on advertising
- If the gatekeeper is a competitor of the business user
- Pre-installed applications and default settings
- Suspension of an obligation
- Exemption for public health and public security
- Information on planned concentrations
- Compliance function
- Market investigation
- Powers of the Commission
Contestability and competition
The market of digital services and particularly of core platform services is often dominated by few big companies, which benefit from certain characteristics of these services, take over the market and make it impossible or extremely hard for other players to compete.
The Digital Markets Act regulates certain conducts regardless of whether or not they amount to anti-competitive behaviours according to competition law: the lack of contestability doesn't necessarily imply a breach of competition law.
Moreoever, the enforcement of competition law in relation to dominance position or anti-competitive behaviours requires a complex and ex post analysis, whereas the Digital Markets Act aims to intervene quickly and possibly in advance whenever a company is likely to gain a position which would reduce the contestability of a digital service.
Undertakings ... emerge as gatekeeper by using some of the unfair conditions and practices regulated under this Regulation. In such a situation, it appears appropriate to intervene before the market tips irreversibly.Recital n° 26
What does the Digital Markets Act apply to?
The Digital Markets Act applies to core plaform services offered by the undertakings designated as gatekeepers by the European Commission; we are now going to see what these services are, and when a company qualifies to be designated as gatekeeper.
Core platform services
The core platform services are:
- online intermediation services
- search engines
- social networks
- video-sharing platform services
- number-independent interpersonal communications services;
- operating systems
- web browsers
- virtual assistants
- cloud computing services
- online advertising services
and are listed by the article 2 of the Digital Markets Act.
Why do core platform services lack of contestability?
The market of core platform services often lacks of contestability due to some characteristics which, if exploited, give to the undertakings providing those services, a disproportionate market and contractual power.
- extreme scale economies and a marginal cost for new users close to 0: that means the company can grow very fast;
ability to connect many business users with many end users: the company providing the service becomes a gateway for business users to end users;
- vertical integration;
- strong network effect.
The gatekeepers are big undertakings holding a disproportionate market power which enables them to reduce the contestability of core platform services and engage in unfair commercial practices.
The Commission designates an undertaking as gatekeeper if:
has a significant impact on the internal market, which is the case when:
annual Union turnover equal to or above EUR 7,5 billion in each of the last three financial years
- market capitalisation amounting to at least EUR 75 billion in the last financial year
- provides the same core platform service in at least 3 Member States.
- offers a service gateway for business users to reach end users, having at least 45 millions monthly active end users and 10000 business users in the European Union;
it enjoys an entrenched and durable position, in its operations, or it is foreseeable that it will enjoy such a position in the near future.
Designation of the gatekeeper
The undertaking reaching the thresholds is due to inform the Commission within 2 months; the Commission may require further information and proceed with the designation within the next 45 days. Should the undertaking fail to inform the Commission, or to provide the required information, the Commission designates the gatekeeper based on the available information.
There may be cases where meeting the thresholds is not enough to qualify as gatekeeper: this may happen when despite the thresholds, the undertaking still doesn't have a significant impact on the market, or the digital service it provides is still not a gateway or the undertaking does not enjoy an
entrenched and durable position. In these cases, the undertaking may provide documents demonstrating that, for some specific circumstances due to the particular core platform service, although meeting the quantitative thresholds, it does not qualify as gatekeeper.
The designation decision lists the core platform services for which the undertaking is designated as gatekeeper; the list can be updated, and new services added. The status of gatekeeper, and the obligation it entails, is limited only to the services listed in the designation decision. After the designation, or after a new service has been added to the list, the gatekeeper has 6 months to comply with the relevant obligations.
The status of gatekeeper is subject to review at least every 3 years: the Commission checks whether the gatekeeper still meets the requirements for the designation. If the Commission finds that the designation was based on facts which significantly changed, or information which turn out to be incomplete, incorrect or misleading, it may
reconsider, amend or repeal the designation decision.
Moreover, within 6 months after the designation, the gatekeeper is due to provide the Commission with a report describing the measures implemented to ensure compliance with the regulation.
Who are the gatekeepers in 2023?
On 6 September 2023 the Commission designated as gatekeepers the following companies:
They now have 6 months to comply with the obligations of the Digital Markets Act, with 2 exceptions for which the compliance is required immediately after the designation:
Obligations of gatekeepers
The Digital Markets Act provides a set of obligations to prevent the gatekeepers from exploiting their supremacy to reduce the contestability of digital services and impose unfair conditions on users.
We can start by saying that the gatekeeper shall not prevent:
- business users from promoting or selling their products:
- through different channels or applying different conditions than those of the gatekeeper;
- to end users who are not users of the gatekeeper;
- the end user from purchasing or consuming digital products from other suppliers;
- business or end users from
raising any issue of non-compliance with the relevant Union or national law by the gatekeeper with any relevant public authority
One of the advantages of the gatekeepers over non-gatekeeper competitors is the ability to collect a great amount of data; the gatekeeper shall not:
- make use of personal data of end users, for the purpose of providing online advertising services, collected through the services provided by third parties using the gatekeeper's core platform services. In other words: the gatekeeper may indirectly collect personal data through services offered by third parties; these data shall not be processed to provide online advertising services.
- combine personal data collected via different core platform services or any other service provided by the gatekeeper or by third party services.
sign in end users to other services of the gatekeeper in order to combine personal data.
These practices involving personal data are prohibited unless the user is given alternative options, has given consent and the consent is not required to have access to services or features.
Transparence obligation on advertising
The Digital Markets Act provides transparency obligations for online advertising services: the gatekeeper has to provide the advertiser, upon request, information on the advertisements placed by the advertiser concerning the price and fees paid by the advertiser, the
remuneration received by the publisher, the metrics used to calculate prices, fees and remunerations.
If the gatekeeper is a competitor of the business user
Sometimes the gatekeeper provides core platform services to business users and at the same time competes with them. This happens for instance when the gatekeeper provides a marketplace and then sells its own products on it, becoming a competitor of the business users who also sell their products on the same marketplace. This gives a clear advantage to gatekeepers over their users in at least 2 fields: access to data and ranking of products.
As to data, the regulation prohibits the gatekeeper from using the data produced or collected by business users, or their customers, while using the service:
click, search, view and voice data.
The gatekeeper shall not use, in competition with business users, any data that is not publicly available that is generated or provided by those business users in the context of their use of the relevant core platform services.Article 5 - paragraph 2
Another key issue is the ranking of products on search engines, application stores, video sharing platforms, social media feeds: a better ranking for a product means more visibility and better chances to sell it. The Digital Markets Act requires the gatekeepers not to promote their products by giving them a better ranking:
The gatekeeper shall not treat more favourably, in ranking and related indexing and crawling, services and products offered by the gatekeeper itself than similar services or products of a third party. The gatekeeper shall apply transparent, fair and non-discriminatory conditions to such ranking.Article 6 - paragraph 5
Pre-installed applications and default settings
Operating systems and electronic devices are sold with pre-installed applications, often produced by the same company which produces the operating system or the device. The gatekeeper is required to
allow and technically enable the user to un-install the default applications and replace them with software supplied by third parties. This possibility can be limited for those applications which are essential for the functioning of the operating system or device.
The gatekeeper shall not be prevented from taking, to the extent that they are strictly necessary and proportionate, measures to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper.Article 6 - paragraph 4
Same goes for default settings on the operating system, virtual assistant or web browser provided by the gatekeeper: often these products come with settings which enable by default other services or products offered by the gatekeeper. Now the user has to be shown alternative products or services produced by other companies so to easily set them as the default ones.
One of the factors reducing the contestability of digital services is the network effect: as the value of certain digital services depends on the number of people using them, people find impractical to switch to another digital product with less users. Messaging apps, social networks: changing means not to be able to connect with the people who use them. This keep users from choosing another product regardless of how superior it is, which frustrates the attempts made by competitors to offer a better product and to increase their market share.
Interoperability makes different products compatible with each other, so that users can communicate across different platforms and choose the one they prefer based on the quality of the product rather than how many people use it.
Therefore, the Digital Markets Act requires the gatekeeper to ensure the interoperability of operating systems, software products, devices, and
number-independent interpersonal communication services.
Interoperability of software and devices
An operating system or device provided by the gatekeeper needs to be capable of running software or playing content made by other companies: products need to be interoperable and ready to function with products or services provided by competitors.
The gatekeeper may restrict interoperability if that is neceessary to preserve the integrity of operating systems, software or devices, although the measures implemented to this aim need to be
strictly necessary and proportionate and
The aim of the obligations is to allow competing third parties to interconnect through interfaces or similar solutions to the respective features as effectively as the gatekeeper’s own services or hardware.Recital 57
The Digital Markets App mandates chat interoperability: the gatekeeper providing communication services, like a messaging app, is required to make it interoperable-ready and provide upon request the technical details needed to fully implement interoperability with another app.
Steps to interoperability:
- the gatekeeper publishes
a reference offer laying down the technical details and general terms and conditions of interoperability with its number-independent interpersonal communications services, including the necessary details on the level of security and end-to-end encryption.
- other providers may request interoperability with the app of the gatekeeper, with some or all of its features: the gatekeeper complies with the request within the next 3 months.
After the designation, the gatekeeper has some time to make its product interoperable, the term depending on the particular feature:
- soon after the designation: sharing messages, images, videos and other files between 2 users;
- within 2 years: sharing messages, images, videos and other files
within groups of individual end users; OR
between a group chat and an individual end user;
- within 4 years:
- voice or video calls between 2 users;
- voice or video calls between a group chat and an individual user.
Interoperability and security: article 7
According to article 7 of the Digital Markets Act:
The level of security, including the end-to-end encryption, where applicable, that the gatekeeper provides to its own end users shall be preserved across the interoperable services.Article 7 - paragraph 3
The gatekeeper shall collect and exchange with the provider of number-independent interpersonal communications services that makes a request for interoperability only the personal data of end users that is strictly necessary to provide effective interoperability.Article 7 - paragraph 8
The gatekeeper shall not be prevented from taking measures to ensure that third-party providers of number-independent interpersonal communications services requesting interoperability do not endanger the integrity, security and privacy of its services, provided that such measures are strictly necessary and proportionate and are duly justified by the gatekeeper.Article 7 - paragraph 9
The Digital Markets Act requires that interoperability must be achieved without reducing security and privacy: easier said, and mandated, than done, as interoperability does bring privacy and security risks. Let's see why.
To ensure interoperability between 2 apps is not an easy task and it adds a degree of complexity which may result in a security risk. Moreover, the technical solutions implemented for interoperability purposes need to be maintained over time: the development of a software product, like an app, requires constant updates particularly for security reasons. However, any update may break the interoperability: should the flow of updates, some of which may be security patches, slow down in order to preserve the interoperability? Would interoperability get in the way of the release of urgent security patches as soon as they are available?
Another issue about interoperability concerns trust:
- trust between providers of messaging services. Every product has its own security standards: it's hard to make 2 apps compatible with each other while keeping the same level of security for both. What's more, granting interoperability to another application may imply to share some of its security flaws. What the gatekeeper should do to make sure the interoperability will not reduce the security of its product? Maybe check all the code of the other app; this, however, may be too much even for the gatekeepers, not to mention that not all the providers would disclose their code.
- trust between users. Users choose the product they prefer and rely on its quality. If interoperability poses a security risk, the user should be concerned not only with the app of choice, but even with the ones the chosen app is interoperable with. That's worth noting that article 7, paragraph 7, makes interoperability an optional feature: the user may opt out. That seems, as of now, a wise choice.
Interoperability implies access to data: the apps interoperable with the ones I use have access to my data. As we have said for security, this also requires trust and multiplies the number of users affected by any incident involving privacy, like a data breach.
In conclusions, that will be important to see in which cases gatekeepers will be allowed to deny interoperability for security or privacy reasons, as allowed by article 7.
The Digital Markets Act prohibits any measure meant to circumvent the quantitative thresholds qualifying an enterprise as gatekeeper.
An undertaking providing core platform services shall not segment, divide, subdivide, fragment or split those services through contractual, commercial, technical or any other means in order to circumvent the quantitative thresholds laid down in Article 3(2)Article 13 - paragraph 1
Moreover, the gatekeeper shall not:
engage in any behaviour that undermines effective compliance with the obligations;
degrade the conditions or quality of any of the core platform services provided to business users or end users who avail themselves of the rights or choicesconferred by the regulation.
Where the gatekeeper circumvents or attempts to circumvent any of the obligations the Commission may adopt an implementing act specifying the measure that the gatekeeper needs to take in order to comply with the regulation.
Suspension of an obligation
The Commission may suspend an obligation if the gatekeeper demonstrates that, for exceptional circumstances, the compliance with a specific obligation would endanger the economic viability of its operation in the EU. The suspension is granted by a suspension decision, which specifies the circumstances justifying the suspension and sets a time limit: the suspension is given for the time necessary to address the threat to the gatekeeper's economic viability.
The conditions upon which the suspension is granted may change, making it no longer necessary: therefore, the Commission reviews the decision every year or more frequently, according to the schedule set in the decision. Based on the review, the Commission may confirm or remove, partially or entirely, the suspension.
Exemption for public health and public security
The gatekeeper may be exempted by the Commission from a specific obligation, upon its own request or by autonomous decision of the Commission, only on grounds of public health or public security. As we have seen for the suspension decision, the exemption decision is subject to review at least every year in order to check whether or not the exemption is still justified or should it removed, partially or entirely.
Information on planned concentrations
The gatekeeper has to inform the Commission about any concentration it is planning to implement according to the Regulation on the control of concentrations n° 139/2004 (Merger Regulation), if the subjects involved in the concentration:
provide core platform services or any other services in the digital sector;
enable the collection of data
regardless of whether the Commission or any national authority is to be notified about the merger according to the mentioned Merger Regulation.
The information provided by the gatekeeper ... shall at least describe the undertakings concerned by the concentration, their Union and worldwide annual turnovers, their fields of activity, including activities directly related to the concentration, and the transaction value of the agreement or an estimation thereof, along with a summary of the concentration, including its nature and rationale and a list of the Member States concerned by the concentrationArticle 14 - paragraph 2
The gatekeeper has to establish a compliance function
which is independent from the operational functions of the gatekeeper and composed of one or more compliance officers, including the head of the compliance function. The task of the compliance function is to monitor the compliance to the Digital Markets Act and to the decisions of the Commission, reporting directly to the management body of the gatekeeper on possible risks of non-compliance.
The Commission may conduct a market investigation to check whether:
- an undertaking meets the requirements to be designated as gatekeeper or a designation decision has to be integrated with additional core platform services;
- the gatekeeper
has engaged in systematic non-compliance: the breach of the regulation is considered systematic when the Commission has already issued against the gatekeeper 3 non-compliance decision over the previous 8 years;
- to add new core platform services to those listed by article 2 or identify new
practices that limit the contestability of core platform services or that are unfair and which are not effectively addressed bythe regulation.
A market investigation may be promoted by a number of Member States depending on the purpose of the proposed investigation:
- 3 or more Member States: an undertaking should be designated as gatekeeper;
- 1 or more Member States: the gatekeeper has systematically violated the regulation;
- 3 or more Member States: new core platform services should be added to those the regulation applies to or certain practices are not effectively addressed by the regulation.
Powers of the Commission
The Commission enforces the regulation and has investigative and monitoring powers such as:
- open proceedings to check violations or impose sanctions;
- take measures to monitor the compliance with the obligations of the gatekeepers, for instance imposing to store all the documents proving the compliance with the terms of the regulation or the decisions of the Commission;
- Request information from undertakings, including data and algorithms, by decision or simple request and in any case stating the legal basis and the purpose of the request;
- conduct inspections of an undertaking or association of undertaking;
- adopt interim measures against a gatekeeper suspected to have violated its obligations and there is
the risk of serious and irreparable damage for business users or end users(article 24);
- when under investigation for systematic non-compliance, the gatekeeper may offer committments to ensure the compliance with the regulation; in these cases,
Commission may adopt an implementing act making those commitments binding on that gatekeeper and declare that there are no further grounds for action(article 25);
The Commission adopts a non-compliance decision if it concludes that the gatekeeper does not comply with:
- the obligations of the gatekeeper;
- the measures specified by the Commission to ensure compliance with the obligations of the gatekeeper, or imposed during an investigation on systematic non-compliance according to article 18;
interim measures ordered pursuant to Article 24
commitments made legally binding pursuant to Article 25
The non-compliance decision may impose a sanction amounting to a percent of the gatekeeper's total worldwide turnover in the previous financial year:
- up to 10% if the failure to comply has been intentional or due to negligence;
- up to 20% if the gatekeeper has already been found responsible of the same infringements, for the same core platform service, by another non-compliance decision in the previous 8 years;
- up to 1% for failing to comply with information obligations or:
- supplying incorrect, incomplete or misleading information or failing to rectify them within the time limit given by the Commission;
- refusing to submit to an inspection;
- failing to introduce a compliance function.
The Commission may also impose on gatekeepers, undertakings and association of undertakings periodic penalty payments in order to compel them to comply with their obligations. The penalty may be up to the 5% of the average daily worldwide turnover in the previous year for each day of non-compliance.
In conclusion, a quick recap.
Core platform services have some features that allow their providers to turn into gatekeepers, as they:
- grow very fast;
- take over the market, achieving a de facto monopoly;
- achieve a disproportionate market and contractual power which enable them to impose unfair conditions on users.
The Digital Markets Act applies to
- the core platform services listed by article 2 WHEN
- provided by undertakings designated as gatekeepers by the Commission.
The Digital Markets Act provides for specific obligations for gatekeepers in order to keep them from taking over the market, reduce its contestability and engage in unfair commercial practices.
The first gatekeepers have been designated on 6 september 2023: they now have 6 months to comply with the regulation.
Founder of Avvocloud.net
Avvocloud is an Italian network of lawyers passionate about law, innovation and technology.Feel free to reach out for any info: send a message.
Thanks for reading!