The power structures in digital markets are currently the subject of the attention of legislators in various jurisdictions. This has been triggered by the rising market power of a few large digital companies (“Big Tech”), which are challenging the competitive structure of digital markets. In this article, we will focus on the European Union’s approach to regulating Big Tech – the Digital Markets Act (“DMA”). With fines up to an equivalent of 20 percent of the global turnover in case of intentional/negligent failure to comply with the DMA’s core obligations, it is essential for affected companies to familiarize themselves with the DMA and to take the necessary precautions to ensure compliance with the DMA, especially as the DMA itself provides specific compliance obligations that must be implemented. This article provides a brief overview of the DMA and focuses on specific measures that affected companies can incorporate into their compliance programs to ensure that they do not breach the (core) obligations of the DMA.
By Christian Ritz, Benedikt Weiß & Tobias Kleinschmitt[1]
I. INTRODUCTION
The power structures in digital markets are currently the subject of the attention of legislators in various jurisdictions. This has been triggered by the rising market power of a few large digital companies (“Big Tech”), which are challenging the competitive structure of digital markets. The first legal acts are already in force (e.g. Section 19a of the German Act against Restraints of Competition), others are about to become effective (Digital Markets Act) or are currently subject to the legislative dialog (UK Advice of the Digital Markets Taskforce, U.S. draft legislation of the Antitrust Subcommittee of the Judiciary Committee of the U.S. House of Representatives).
In this article we provide a practical overview of the Digital Markets Act (“DMA”) and give some guidance on a DMA compliance concept. With fines up to an equivalent of 20 percent of the global turnover in case of intentional/negligent failure to comply with the DMA’s core obligations, it is essential for companies affected by the DMA to take the necessary precautions to ensure compliance with the DMA, especially as the DMA itself provides specific compliance obligations that must be implemented.
In the following, we will give a brief overview of what the DMA is (II), explain who is affected by it (III) and highlight what obligations companies should expect (IV). We will then provide some practical guidance on how to ensure compliance with the DMA (V) before turning to the consequences of non-compliance (VI).
II. WHAT IS THE DMA?
In this chapter, we provide a very brief summary of the DMA (II.A), explain the reasons for its creation (II.B), before turning to the timing and implementation of the DMA (II.C).
A. A Very Short Summary of the DMA
The DMA is the European Union’s approach to regulating the market power of the largest digital corporations (so-called gatekeepers).[2] Companies that are classified as gatekeepers under the DMA must comply with the obligations defined in the DMA. These obligations are aimed at maintaining competition in digital markets. If the obligations are not complied with, the DMA enables the European Commission (“Commission”) to take countermeasures and impose fines.
B. Reasons for Creating the DMA
The goal of the DMA is to “contribute to the proper functioning of the internal market by laying down rules to ensure contestability and fairness for the markets in the digital sector.”[3] Recital 5 of the DMA clarifies that
“market processes are often incapable of ensuring fair economic outcomes with regard to core platform services. Although Art. 101 and 102 […] TFEU apply to the conduct of gatekeepers, the scope of those provisions is limited to certain instances of market power, for example dominance on specific markets and of anti-competitive behaviour, and enforcement occurs ex post and requires an extensive investigation of often very complex facts on a case by case basis.”
The underlying assumption of the DMA is that the classic instruments of ex-post competition law interventions are not sufficiently suitable to deal with the competitive challenges of digital platforms and therefore require the introduction of complementary ex ante regulation.[4]
C. Timeline and Implementation of the DMA
The DMA was published in the Official Journal of the European Union on October 12, 2022.[5] It will enter into force on the twentieth day following the publication, i.e. on November 1, 2022.[6] Following that, it will take six months to apply, taking up to May 2023.[7] Then, the designation process will start, which might take up to the second half of 2023. Finally, the duty to comply with the core obligations imposed on designated gatekeepers will begin six months after the designation decision by the Commission. [8] Companies should therefore prepare to be bound by the core obligations of the DMA starting as of the first half of 2024.
III. WHO IS AFFECTED BY THE DMA?
The DMA is applicable to certain undertakings designated as gatekeepers by the Commission. Below we provide an overview of the requirements that must be met to become a gatekeeper (3.1, 3.2 and 3.3) and the specific procedure for designation provided in the DMA (3.4 and 3.5), which is generally initiated by undertakings meeting these requirements notifying the Commission thereof (notification procedure).
A. Requirements for Becoming a Gatekeeper and the Presumption under Art. 3 (2) DMA
Art. 3 (1) DMA determines that an undertaking shall be designated as a gatekeeper if (a) it has a significant impact on the internal market , (b) it provides a core platform service, which is an important gateway for business users to reach end users, and (c) it enjoys an entrenched and durable position, in its operations, or it is foreseeable that it will enjoy such a position in the near future.
Given the rather complicated and new terminology it is worth shedding some light by explaining the practical meaning of terms such as “core platform service,” “gatekeeper” and “business and end users,” which are the main requirements for establishing which companies will have to prepare themselves to be affected by the DMA.
Some of these requirements are subject to a (rebuttable) presumption, which is based on fulfilling certain quantitative thresholds.[9] Due to the rather vague terminology of the qualitative criteria mentioned above, it can be assumed that this presumption will be of central importance for the designation as a gatekeeper. However, some requirements remain subject to a purely qualitative determination – this particularly applies to the requirement of offering a core platform service.
- Significant Impact on the Internal Market
An undertaking shall be presumed to have a significant impact on the internal market, where (1) it achieves an annual Union turnover equal to or above EUR 7,5 billion in each of the last three financial years, or where its average market capitalisation or its equivalent fair market value amounted to at least EUR 75 billion in the last financial year, and (2) it provides the same core platform service in at least three Member States.[10]
The term “undertaking” follows the terminology used in EU competition law. Therefore, undertaking means an entity engaged in an economic activity, regardless of its legal status and the way in which it is financed, including all linked enterprises or connected undertakings that form a group through direct or indirect control of an enterprise or undertaking by another.[11]
- Core Platform Service
For the second requirement of the designation as a gatekeeper two conditions must be met. First the undertaking has to provide a core platform service, which second has to constitute an important gateway for business users to reach end users.
(i) Provision of a Core Platform Service. Services that qualify as core platform services within the meaning of the DMA are listed in Art. 2 (2) lit. a-j DMA.[12] This list includes, among others, online intermediation services, search engines and social networking services. Art. 2 (3)-(15) DMA contains definitions of these services and therefore provides useful guidance in determining their precise scope.
(ii) Constitution of an Important Gateway. The fact that the core platform service constitutes an important gateway for business users to reach end users is presumed where the core platform service in the last financial year has on average at least 45 million monthly active end users established or located in the Union and at least 10.000 yearly active business users established in the Union.[13]
The number of users is identified and calculated in accordance with the methodology and indicators set out in the DMA Annex. This analysis is based on the definition of “end users” and “business users” in Art. 2 (20) and (21) DMA. In order to identify and calculate the number of “active end users” and “active business users” the Annex refers to the concept of “unique users.” The concept of “unique users” encompasses “active end users” and “active business users” counted only once, for the relevant core platform service, over the course of a specified time period (i.e. month in case of active end users, and year in case of active business users), no matter how many times they engaged with the relevant core platform service over that period. This is without prejudice to the fact that the same natural or legal person can simultaneously constitute an “active end user” or an “active business user” for different core platform services.
In contrast to the calculation of the turnover thresholds, the user numbers are not determined at the level of the undertaking, but for each individual core platform service. Where an undertaking offers several services that qualify as core platform services, the number of users has to be determined separately for each of them.
(iii) Entrenched and Durable Position
An entrenched and durable position is presumed where the thresholds concerning the provision of a core platform service within the above meaning have been met in each of the previous three financial years.[14] However, it is sufficient that it is foreseeable that the undertaking will enjoy such a position in future.
B. Refutability of the Presumption
The presumption in Art. 3 (2) DMA can be rebutted if an undertaking presents sufficiently substantiated arguments with the notification that it does not satisfy the requirements listed in Art. 3 (1) DMA due to the circumstances in which the relevant core platform service operates, despite meeting all quantitative thresholds.[15]
The DMA does not specify what circumstances may be considered sufficient to rebut the presumption. In our view, it seems reasonable to use the criteria of Art. 3 (8) DMA as a guidance, as these provide general qualitative criteria for the classification of an undertaking as a gatekeeper and should equally serve the purpose of contesting a gatekeeper position.
C. Gatekeepers Beyond the Presumption under Art. 3 (2) DMA
The Commission may also designate an undertaking as a gatekeeper where the presumption is not applicable.[16] The following criteria are to be taken into account when making such a decision[17]:
- the size, including turnover and market capitalisation, operations, and position of that undertaking;
- the number of business users using the core platform service to reach end users and the number of end users;
- network effects and data driven advantages, in particular in relation to that undertaking’s access to, and collection of, personal data and non-personal data or analytics capabilities;
- any scale and scope effects from which the undertaking benefits, including with regard to data, and, where relevant, to its activities outside the Union;
- business user or end user lock-in, including switching costs and behavioural bias reducing the ability of business users and end users to switch or multi-home;
- a conglomerate corporate structure or vertical integration of that undertaking, for instance enabling that undertaking to cross subsidise, to combine data from different sources or to leverage its position; or
- other structural business or services characteristics.
These criteria give the Commission much more discretion in classifying an undertaking as a gatekeeper than the hard quantitative criteria of the presumption.
Nevertheless, it can be assumed that the application of the DMA will in fact remain limited to the largest digital companies: Art. 3 (8) DMA, last subparagraph, emphasizes that the Commission shall take into account the foreseeable developments in relation to the elements listed in Art. 3 (2) DMA, including any planned concentrations involving another undertaking providing core platform services or providing any other services in the digital sector, when carrying out an assessment under Art. 3 (8) DMA. It can therefore be assumed that Art. 3 (8) DMA is intended for cases in which the thresholds in Art. 3 (2) DMA have not yet been exceeded, but where it seems likely that they will be exceeded.
D. The Designation Procedure
Companies do not immediately become gatekeepers because they fulfil the criteria mentioned above. Rather, the Commission has to take a corresponding decision to designate them as gatekeepers (the so-called designation decision). This procedure is decisive, as many and the most important obligations under the DMA only bind the respective undertaking after the designation decision.
The standard procedure provided for in the DMA is that companies exceeding the thresholds defined in Art. 3 (2) DMA notify the Commission thereof within two months after reaching them.[18] The Commission has to consider the submission of the undertaking in an appropriate manner and then make a decision regarding the designation as gatekeeper within 45 working days.
However, the Commission may also designate gatekeepers that reach the thresholds of Art. 3 (2) DMA but fail to notify the Commission thereof within the time period mentioned above. In this case, the Commission must set a deadline for companies to provide the required information. When the undertaking then provides the information or fails to do so by the end of the deadline, the Commission will make the designation decision within 45 working days of the expiry of the submission deadline. Failure to comply with the notification obligation in Art. 3 (3) DMA entitles the Commission to designate an undertaking as a gatekeeper, based on the information available to the Commission.
When the Commission decides to designate gatekeepers according to the procedure in Art. 3 (8) DMA, the procedure will generally not be started by a notification of the gatekeeper (since the notification obligation is restricted to cases where the qualitative thresholds of Art. 3 (2) DMA are attained), but by the Commission. In such a case, the Commission will generally have to open a market investigation.[19] If such an investigation is to be opened, the Commission has to inform the undertaking concerned within 6 months after opening the investigation.[20]
E. Review of the Gatekeeper Status (Art. 4 DMA)
The Commission may, upon request or on its own initiative, reconsider, amend or repeal at any moment a designation decision by using the procedure laid out in Art. 4 DMA.
IV. WHICH OBLIGATIONS ARISE FROM THE DMA?
Once classified as gatekeeper, companies will face a broad range of obligations under the DMA. In order to minimize risks and avoid significant fines, compliance with these obligations is key. It would exceed the scope of this article to delve into the depths of the contents of these obligations, which is why we provide only a brief overview of them below.
Chapter 3 of the DMA defines the practices of gatekeepers that limit contestability or are unfair and at the same time contains the core obligations of the DMA (Art. 5-7 DMA). Compliance with these obligations has to be ensured within six months after the core platform service has been listed in the designation decision.[21]
A. Brief Overview of the DMA’s Core Obligations
The DMA’s core obligations are laid down in Art. 5-7 DMA. Examples of such obligations are the prohibition of parity clauses in Art. 5 (3) DMA, the prohibition on self-preferencing in rankings in Art. 6 (5) DMA or the obligation to ensure data portability for end users in Art. 6 (9) DMA. The difference between the obligations under Art. 5 and 6 DMA on the one hand and the obligations under Art. 7 DMA on the other hand is that the former are general obligations for all designated gatekeepers, whereas Art. 7 DMA provides specific obligations for gatekeepers that provide number-independent interpersonal communications services. Art. 7 DMA is separated from Art. 5 and 6 DMA, because it is using a staggered implementation process to address the time it might take for services to ensure interoperability on a technical level.
B. The Clarification Option
The gatekeeper may request the Commission to engage in a process to determine whether the measures that the gatekeeper intends to implement or has implemented to ensure compliance with Art. 6 and Art. 7 are effective in achieving the objective of the relevant obligation in the specific circumstances of the gatekeeper.[22] However, such a clarification will be without prejudice to the powers of the Commission under Art. 29-31 DMA.[23] It can therefore be assumed that the process under Art. 8 (3) DMA will be non-binding.
V. ENSURING COMPLIANCE WITH THE DMA: PRACTICAL IMPLEMENTATION
It is important to integrate DMA-specific compliance measures into the company’s existing compliance program.
Especially for (potential) gatekeepers, DMA-specific risks must be sufficiently anticipated and accounted for by a customised compliance concept with specific and clear responsibilities as well as effective processes and corresponding (process) guidelines.
This is particularly important given that the DMA specifically requires a gatekeeper to provide the Commission with a report describing in a detailed and transparent manner the measures it has implemented to ensure compliance with the obligations laid down in Art. 5-7 DMA within 6 months after the company’s designation.[24] This report has to be updated at least annually. It has to include a non-confidential summary, which will be made publicly available by the Commission.
If a designation is likely (or has already taken place), assessments should be carried out with a particular view on a company’s platform service and past practices to better understand which of the DMA’s core obligations need to be observed.
Once this is clear, particular attention should be paid to a clear communication of the legal requirements within the company. This includes the drafting of guidelines and manuals (e.g. a DMA handbook), but also the offering of training courses that explain the requirements of the DMA to the employees.
The employees of a company should also have a contact person for questions concerning the DMA, so they can be provided with reliable support. In this respect, it can only be emphasised that it is particularly important for the compliance department to have adequate staffing and financial resources for these tasks.
This is particularly true as gatekeepers are obliged to introduce a DMA-specific compliance function.[25] How exactly this compliance function is to be organized, staffed, and monitored is described in considerable detail in Art. 28 DMA. In principle, the monitoring body must be independent of the operational business of the undertaking and must be equipped with sufficient monetary and human resources and authority to monitor the gatekeeper’s compliance with the provisions of the DMA.[26] Gatekeepers have to communicate the name and contact details of the head of the compliance function to the Commission.[27]
The introduction of a monitoring function does not relieve management of the task of approving and reviewing periodically, at least once a year, the strategies and policies for taking up, managing and monitoring the compliance with this the DMA.[28] Sufficient time has to be devoted to the management and monitoring of compliance with this Regulation.[29]
Control, monitoring and reporting mechanisms should be implemented to immediately detect and stop DMA violations. In this regard, Art. 15 of the DMA should be taken into account. It requires gatekeepers to submit an audited description of any techniques for profiling of consumers that the gatekeeper applies to or across its core platform services and to update it annually. As for reporting mechanisms, a designated helpline or whistleblowing tool should be implemented to allow employees or third parties such as business users or end users to report (potential) violations of DMA.
All compliance measures should be carefully documented in order to be able to present them to the Commission in the event of corresponding enquiries.
VI. WHAT ARE THE CONSEQUENCES OF NON-COMPLIANCE?
The far-reaching powers of the Commission and the possibility of imposing extensive fines highlight the particular importance of effective compliance with the DMA’s obligations.
A. Public Enforcement
The public enforcement of the DMA falls within the responsibility of the Commission. It decides on the designation of an undertaking as a gatekeeper, conducts investigations and imposes fines and other measures. The national competition authorities only play a supporting role in this respect; the DMA does not give them any powers of intervention of their own vis-à-vis the companies.
The Commission is empowered to impose fines on companies that violate the DMA’s obligations. The potential amount of fines for violations is determined by Art. 30 DMA:
- Fines equivalent to 10 percent of the global turnover in case of intentional/negligent failure to comply with obligations laid down in Art. 5-7 DMA or other obligations listed in Art. 30 (1) DMA.
- Fines equivalent to 20 percent of the global turnover in case of repetitive infringement of Art. 5-7 DMA (for specific requirements see there).
- Fines equivalent to 1 percent of the global turnover in case of intentional or negligent failure to comply with the obligations listed in Art. 30 (3) DMA. This includes, among others, the failure to introduce a compliance function in the way described above.
The definition of the undertaking also applies to the calculation of fines. A legal/formal separation of the entity providing the core platform service will therefore not avoid the calculation of fines based on the turnover of the undertaking in the sense of Art. 2 (27) DMA.
B. Private Enforcement
The DMA does not explicitly mention the possibility of private enforcement. It therefore remains to be seen how private parties can sue for compensation under the DMA and whether private enforcement will be possible at all.[30]
VII. CONCLUSION
The DMA’s new terminology and regulatory technique poses significant challenges for companies when it comes to compliance. However, particularly in view of the serious consequences of violations, great importance should be attached to careful compliance with its requirements.
Companies falling (potentially) within the scope of the DMA will need to ensure compliance with the relevant DMA obligations by incorporating DMA-specific compliance measures into their existing compliance programs, in particular through the implementation of clear and specific responsibilities, processes and (process) guidelines. Finally, it will be key to ensure clear and diligent documentation of the respective compliance measures in order to be prepared for potential future information requests or challenges by the Commission.
[1] Christian Ritz, LL.M. (USYD) is a Partner for Antitrust, Compliance & Investigations, Benedikt Weiß, LL.M. (Aberdeen) is an Associate, and Tobias Kleinschmitt is a Legal Trainee in Hogan Lovells’ Antitrust & Competition team based in Munich/ Berlin.
[2] Despite the term “act,” the DMA is a regulation within the meaning of Art. 288 (2) TFEU (see Eifert et al.: Taming the Giants, Common Market Law Review 58: 987-1028, 2021).
[3] See DMA recital 7.
[4] Achleitner in NZKart 2022, 359.
[5] https://eur-lex.europa.eu/legalcontent/DE/TXT/?uri=uriserv%3AOJ.L_.2022.265.01.0001.01.DEU&toc=OJ%3AL%3A2022%3A265%3ATOC.
[6] See Art. 54 DMA.
[7] See Art. 54 DMA.
[8] See Art. 3 (10) DMA: Compliance with Art. 5, 6 and 7 within six months after the designation decision.
[9] Art. 3 (2) DMA.
[10] Art. 3 (2) DMA.
[11] Art. 2 (27) DMA.
[12] The list in Art. 2 (2) DMA is exhaustive. If an undertaking provides services that are not covered, the DMA is not applicable.
[13] See Art. 3 (2) lit. b DMA.
[14] See Art. 3 (2) lit. c DMA.
[15] See Art. 3 (5) DMA.
[16] See Art. 3 (8) DMA.
[17] See Art. 3 (8) lit. a-g DMA.
[18] Art. 3 (3) DMA.
[19] Art. 17 DMA.
[20] See Art. 17 (2) and Art. 16 (3) lit. a DMA.
[21] Art. 3 (9-10) DMA.
[22] Art. 8 (3) DMA,
[23] Art. 8 (4) DMA.
[24] See Art. 11 (1) DMA.
[25] Art. 28 (1) DMA.
[26] Compare Art. 28 (1), 28 (2) DMA.
[27] Art. 28 (6) DMA.
[28] Art. 28 (8) DMA.
[29] Art- 28 (9) DMA.
[30] Karbaum/Schulz in NZKart 2022, 107 (111).