The Digital Markets Act Deadline Has Arrived. What Does That Mean?

The Digital Markets Act (DMA) is one-half of the European Commission’s Digital Services Act Package, a set of new rules aiming to reform the European Digital Single Market. Whilst the other half of the Digital Services Act package, the Digital Services Act (DSA), aims to safeguard the fundamental rights of digital services users, the DMA aims “to establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally.” More precisely, the stated aim of the DMA is to improve the “fairness’ and ‘contestability” of digital markets.

As Friso Bostoen argues, the DMA attempts to complement competition law, where the law’s “poor track record in digital markets” necessitated a new approach to increase “speed and remedial action [which] have been pain points.” To do this, the DMA largely shifts the burden of proof away from regulators to prove an infringement and onto the designated ‘gatekeepers’ who must prove their compliance with the rules. If they do not, the DMA introduces heavy fines and the possibility of structural separations for repeated non-compliance.

The European Commission designated gatekeepers on September 6, 2023, and the six-month compliance period has ended as of March 6, 2024. This now means gatekeepers are expected to have made the necessary provisions to comply with the DMA. The main obligations and prohibitions are set out in Articles 5, 6, and 7 of the DMA, otherwise described as a set of do’s and don’ts. Key obligations and prohibitions under the DMA include:

• Limits on data collection and use. Gatekeepers are prohibited from cross-using or combining personal data from the relevant core platform service with other services. Gatekeepers also must not use any data generated through the activities of the gatekeeper’s business users to compete against them.
• Interoperability and consumer choice. Gatekeepers must allow interoperability of third parties with a core platform service, including allowing sideloading of apps and app marketplaces. Gatekeepers also must not technically restrict users' ability to switch apps or services using a gatekeeper operating system and allow users to uninstall applications from a core platform service. There is also a ban on self-preferencing.
• Transparency and data access. Gatekeepers must provide business users with real-time access to data generated within the gatekeeper’s core platform services, including transparency of ad-pricing and performance. Gatekeepers also must allow users to access their own generated data and transport their data out of a core platform service.

The DMA also bolsters existing merger rules, i.e., Article 22 of the EU merger regulation (EUMR). As pointed out by Dr. Christophe Carugati in Bruegel, with the DMA, “the Commission can therefore now review any merger, even those below national merger control thresholds.” This is expected to drastically increase the number of merger reviews conducted by the Commission, in recognition that mergers and acquisitions are a key driver to problematic concentration in the digital economy. The Commission now publishes a non-confidential summary of gatekeeper acquisitions on its website.

More generally, the DMA ‘gives the European Commission significant powers, similar to those under competition law’ as explained by Tara Kelly, Colin Monaghan, and Domhnall Breatnach for Mason Hayes & Curran LLP. For example, the Commission now has the power to open investigations, issue requests for information, interview individuals, carry out ‘dawn raids,’ and impose fines of up to 10%, or 20%, of worldwide turnover. The law also states that repeated infringements may result in structural breakups, although this is likely to be a last resort.

How do gatekeepers comply with the law?

The compliance function for the DMA is defined in Article 28, paragraph 1 as a function “which is independent of the operational functions of the gatekeeper and composed of one or more compliance officers, including the head of the compliance function.” Compliance officers are tasked with monitoring and advising on measures taken to comply with the DMA. There are also two transparency documents gatekeepers must now submit to the Commission, in addition to implementing an abundance of product changes to core platform services.

Reports on compliance

As of March 7, 2024, Article 11 of the DMA states gatekeepers are required to submit a report to the Commission describing “in a detailed and transparent manner the measures it has implemented to ensure compliance with the obligations laid down in Articles 5, 6 and 7.” Equally, in paragraph 2 of Article 11, gatekeepers must “publish and provide the Commission with a non-confidential summary of that report” with required annual updates and mandates the Commission make a non-confidential summary available on its website. Kelly, Monaghan, and Breatnach expect that going forward, “this transparency requirement is likely to facilitate third parties in making submissions to the European Commission and/or bringing legal action in the courts where they perceive a breach of the DMA has occurred.”

The Commission has created a compliance report template that further specifies what information is to be included in these reports. The goal of this report is to track the concrete changes that gatekeepers have made to their core platform services. For example, the template asks for information such as any technical/engineering changes made to an operating system (OS) functionalities. The requirement is useful when analyzing interoperability obligations such as those found in Article 7, paragraph 7. The report requires the gatekeeper to go into detail about how they will allow third parties to access functionalities of their operating systems, meaning that both the Commission and independent researchers, through access to the public non-confidential report, can scrutinize whether such changes are meaningful.

On March 7, 2024, the following compliance reports were posted to the Commission's website:

• Alphabet Inc.
• Amazon.com, Inc.
• Apple Inc.
• ByteDance Ltd.
• Meta Platforms, Inc.
• Microsoft Corporation

Reports on consumer profiling techniques

The reports on consumer profiling must describe all profiling techniques on any core platform service. Gatekeepers must submit this description for independent audit, and the reports should also contain the auditor's assessment of the completeness and accuracy of the description. Similar to the compliance report, the report and non-confidential report are due on March 7, 2024. A non-confidential version of the report will also be published on the Commission website.

The Commission has published a template for this report and specifies what descriptions of profiling must be included. Much of this report looks to assist in areas where GDPR enforcement has been lacking. For example, significant portions of this report are dedicated to requirements for gatekeepers to list “the specific purpose(s) pursued by each profiling technique(s);” descriptions of personal data categories, derived data from user activity, and “a description of personal data processed for profiling consumers applied to or across the designated core platform services (in particular, distinguish data and personal data originating from each of the gatekeeper’s services).”

The report also includes descriptions of data from third parties, what the retention period of personal data is, and what legal grounds gatekeepers are relying on for processing such data with reference to the EU General Data Protection Regulation (GDPR). This will be useful for assessing DMA provisions such as Article 5, paragraph 2, which explicitly bans processing, combining, or cross-using personal data derived from a core platform service with other services offered by the gatekeeper. As the report requires gatekeepers to declare the grounds of consent, the type of data, where it was generated, and so on, anticompetitive combining of data or unlawful use of “legitimate interest” for personal data collection and processing could be more easily identified

What changes have companies made?

Ahead of the March 6th deadline, gatekeepers have implemented a number of product and policy changes. The table below lists the changes gatekeepers have committed to making in order to comply with the DMA.

An early review of these changes indicates that the companies may not meet the law’s objectives of improving fairness and contestability. For instance, Alphabet is allowing consumers to de-link their Google Account from various core platform services, such as Google Maps and YouTube, presumably to meet requirements regarding a ban on combining data from different services. According to Google, the outcome of de-linking an account, means YouTube suggested videos will be less personalized and that Maps won’t save places on Search. Does this make the digital maps or video-sharing market more contestable and open to new competitors? Does it make those markets fairer for competitors who do not have the same data advantages as Google? Does it impact Google’s data advantage, which ultimately fuels its advertising dominance?

It remains to be seen what outcomes these changes may have, or if consumers will de-link accounts, or change their defaults. It also remains to be seen if the Commission will regard such changes as sufficient. Whilst the increased transparency and first steps towards some interoperability is a welcome and much-needed change, many of these surface-level changes may do very little in challenging market entrenchment and dominance, thus requiring the Commission to take more aggressive action to achieve the goals of the DMA.

Update 3/7/2024: The article was updated to include a list of non-confidential DMA compliance reports that were publicly posted.