What is the Digital Markets Act (DMA)?
The Digital Markets Act (DMA) is part of the Digital Services Act package, which also includes the Digital Services Act (DSA).
The Digital Markets Act (DMA) affects “gatekeeper platforms” like Google, Amazon and Meta, and covers the need for user consent before processing personal data for targeted advertising. It is interesting that most of the companies that are affected by the EU Digital Markets Act and the EU Digital Services Act are based in the United States of America.
The DMA builds a digital level playing field with clear rights and rules for large online platforms (‘gatekeepers’), and ensures that gatekeepers do not abuse their position. Regulating the digital market at EU level creates a fair and competitive digital environment, allowing companies and consumers to benefit from digital opportunities.
Most provisions of the regulation apply from 2 May 2023 (Article 54, Entry into force and application). Some provisions apply from 1 November 2022.
6 September 2023 - The European Commission designates six gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft
The six gatekeepers have six months to ensure full compliance with the DMA obligations for each of their designated core platform services. In total, 22 core platform services provided by gatekeepers have been designated.
Under the DMA, the European Commission can designate digital platforms as ‘gatekeepers’ if they provide an important gateway between businesses and consumers in relation to core platform services.
In parallel, the Commission has opened four market investigations to further assess Microsoft's and Apple's submissions arguing that, despite meeting the thresholds, some of their core platform services do not qualify as gateways:
Microsoft: Bing, Edge and Microsoft Advertising
Under the DMA, these investigations aim to ascertain whether a sufficiently substantiated rebuttal presented by the companies demonstrates that the services in question should not be designated. The investigation should be completed within a maximum of 5 months.
In addition, the Commission has opened a market investigation to further assess whether Apple's iPadOS should be designated as gatekeeper, despite not meeting the thresholds. Under the DMA, this investigation should be completed within a maximum of 12 months.
In addition, the Commission has concluded that, although Gmail, Outlook.com and Samsung Internet Browser meet the thresholds under the DMA to qualify as a gatekeeper, Alphabet, Microsoft and Samsung provided sufficiently justified arguments showing that these services do not qualify as gateways for the respective core platform services. Therefore, the Commission decided not to designate Gmail, Outlook.com and Samsung Internet Browser as core platform services. It follows that Samsung is not designated as gatekeeper with respect to any core platform service.
Next steps for designated gatekeepers
Following their designation, gatekeepers now have six months to comply with the full list of do's and don'ts under the DMA, offering more choice and more freedom to end users and business users of the gatekeepers' services. However, some of the obligations will start applying as of designation, for example, the obligation to inform the Commission of any intended concentration. It is for the designated companies to ensure and demonstrate effective compliance. To this end, they have 6 months to submit a detailed compliance report in which they outline how they comply with each of the obligations of the DMA.
The Commission will monitor the effective implementation of and compliance with these obligations. In case a gatekeeper does not comply with the obligations laid down by the DMA, the Commission can impose fines up to 10% of the company's total worldwide turnover, which can go up to 20% in case of repeated infringement. In case of systematic infringements, the Commission is also empowered to adopt additional remedies such as obliging a gatekeeper to sell a business or parts of it or banning the gatekeeper from acquisitions of additional services related to the systemic non-compliance.
In the future, additional companies could submit notifications to the Commission under the DMA, based on their self-assessment with respect to the relevant thresholds. In this context, the Commission maintains constructive discussions with all relevant companies.
According to Article 2 of the Digital Markets Act (DMA), ‘core platform service’ means any of the following:
(a) online intermediation services;
(b) online search engines;
(c) online social networking services;
(d) video-sharing platform services;
(e) number-independent interpersonal communications services;
(f) operating systems;
(g) web browsers;
(h) virtual assistants;
(i) cloud computing services;
(j) online advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by an undertaking that provides any of the core platform services listed in points (a) to (i).
According to Article 3 of the Digital Markets Act (DMA), an undertaking shall be designated as a gatekeeper if:
1. (a) it has a significant impact on the internal market;
(b) it provides a core platform service which is an important gateway for business users to reach end users; and
(c) it enjoys an entrenched and durable position, in its operations, or it is foreseeable that it will enjoy such a position in the near future.
An undertaking shall be presumed to satisfy the respective requirements in paragraph 1:
(a) as regards paragraph 1, point (a), where it achieves an annual Union turnover equal to or above EUR 7,5 billion in each of the last three financial years, or where its average market capitalisation or its equivalent fair market value amounted to at least EUR 75 billion in the last financial year, and it provides the same core platform service in at least three Member States;
(b) as regards paragraph 1, point (b), where it provides a core platform service that in the last financial year has at least 45 million monthly active end users established or located in the Union and at least 10,000 yearly active business users established in the Union, identified and calculated in accordance with the methodology and indicators set out in the Annex;
(c) as regards paragraph 1, point (c), where the thresholds in point (b) of this paragraph were met in each of the last three financial years.
According to Article 5 of the Digital Markets Act (DMA), Obligations for gatekeepers:
The gatekeeper shall not do any of the following:
(a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;
(b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;
(c) cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and
(d) sign in end users to other services of the gatekeeper in order to combine personal data, unless the end user has been presented with the specific choice and has given consent within the meaning of Article 4, point (11), and Article 7 of Regulation (EU) 2016/679.
Where the consent given has been refused or withdrawn by the end user, the gatekeeper shall not repeat its request for consent for the same purpose more than once within a period of one year.
3. The gatekeeper shall not prevent business users from offering the same products or services to end users through third-party online intermediation services or through their own direct online sales channel at prices or conditions that are different from those offered through the online intermediation services of the gatekeeper.
4. The gatekeeper shall allow business users, free of charge, to communicate and promote offers, including under different conditions, to end users acquired via its core platform service or through other channels, and to conclude contracts with those end users, regardless of whether, for that purpose, they use the core platform services of the gatekeeper.
5. The gatekeeper shall allow end users to access and use, through its core platform services, content, subscriptions, features or other items, by using the software application of a business user, including where those end users acquired such items from the relevant business user without using the core platform services of the gatekeeper.
7. The gatekeeper shall not require end users to use, or business users to use, to offer, or to interoperate with, an identification service, a web browser engine or a payment service, or technical services that support the provision of payment services, such as payment systems for in-app purchases, of that gatekeeper in the context of services provided by the business users using that gatekeeper’s core platform services.
8. The gatekeeper shall not require business users or end users to subscribe to, or register with, any further core platform services, as a condition for being able to use, access, sign up for or registering with any of that gatekeeper’s core platform services listed pursuant to that Article.
9. The gatekeeper shall provide each advertiser to which it supplies online advertising services, or third parties authorised by advertisers, upon the advertiser’s request, with information on a daily basis free of charge, concerning each advertisement placed by the advertiser, regarding:
(a) the price and fees paid by that advertiser, including any deductions and surcharges, for each of the relevant online advertising services provided by the gatekeeper,
(b) the remuneration received by the publisher, including any deductions and surcharges, subject to the publisher’s consent; and
(c) the metrics on which each of the prices, fees and remunerations are calculated.
In the event that a publisher does not consent to the sharing of information regarding the remuneration received, the gatekeeper shall provide each advertiser free of charge with information concerning the daily average remuneration received by that publisher, including any deductions and surcharges, for the relevant advertisements.
10. The gatekeeper shall provide each publisher to which it supplies online advertising services, or third parties authorised by publishers, upon the publisher’s request, with free of charge information on a daily basis, concerning each advertisement displayed on the publisher’s inventory, regarding:
(a) the remuneration received and the fees paid by that publisher, including any deductions and surcharges, for each of the relevant online advertising services provided by the gatekeeper;
(b) the price paid by the advertiser, including any deductions and surcharges, subject to the advertiser’s consent; and
(c) the metrics on which each of the prices and remunerations are calculated.
In the event an advertiser does not consent to the sharing of information, the gatekeeper shall provide each publisher free of charge with information concerning the daily average price paid by that advertiser, including any deductions and surcharges, for the relevant advertisements.
Can gatekeepers just ignore the DMA?
Companies that do not comply with the new obligations risk fines of up to 10% of their worldwide turnover, or up to 20% of their worldwide turnover in case of repeat offence.
If a gatekeeper systematically fails to comply with the DMA, the Commission can open a market investigation and, if necessary, impose behavioural or structural remedies.
To ensure a high degree of harmonisation in the internal market, the European Commission is the sole enforcer of the regulation.
To make sure that gatekeepers have a clear understanding of what rules they have to abide by, the European Commission can decide to engage in regulatory dialogue.
An advisory committee and a high-level group will assist and facilitate the work of the European Commission.
According to Article 28 of the Digital Markets Act (DMA), Compliance function:
1. Gatekeepers shall introduce a compliance function, which is independent from the operational functions of the gatekeeper and composed of one or more compliance officers, including the head of the compliance function.
2. The gatekeeper shall ensure that the compliance function referred to in paragraph 1 has sufficient authority, stature and resources, as well as access to the management body of the gatekeeper to monitor the compliance of the gatekeeper with this Regulation.
3. The management body of the gatekeeper shall ensure that compliance officers appointed pursuant to paragraph 1 have the professional qualifications, knowledge, experience and ability necessary to fulfil the tasks referred to in paragraph 5.
The management body of the gatekeeper shall also ensure that such head of the compliance function is an independent senior manager with distinct responsibility for the compliance function.
4. The head of the compliance function shall report directly to the management body of the gatekeeper and may raise concerns and warn that body where risks of non-compliance with this Regulation arise, without prejudice to the responsibilities of the management body in its supervisory and managerial functions.
The head of the compliance function shall not be removed without prior approval of the management body of the gatekeeper.
5. Compliance officers appointed by the gatekeeper pursuant to paragraph 1 shall have the following tasks:
(a) organising, monitoring and supervising the measures and activities of the gatekeepers that aim to ensure compliance with this Regulation;
(b) informing and advising the management and employees of the gatekeeper on compliance with this Regulation;
(c) where applicable, monitoring compliance with commitments made binding pursuant to Article 25, without prejudice to the Commission being able to appoint independent external experts pursuant to Article 26(2);
(d) cooperating with the European Commission for the purpose of this Regulation.
6. Gatekeepers shall communicate the name and contact details of the head of the compliance function to the Commission.
7. The management body of the gatekeeper shall define, oversee and be accountable for the implementation of the governance arrangements of the gatekeeper that ensure the independence of the compliance function, including the division of responsibilities in the organisation of the gatekeeper and the prevention of conflicts of interest.
8. The management body shall approve and review periodically, at least once a year, the strategies and policies for taking up, managing and monitoring the compliance with this Regulation.
9. The management body shall devote sufficient time to the management and monitoring of compliance with this Regulation. It shall actively participate in decisions relating to the management and enforcement of this Regulation and ensure that adequate resources are allocated to it.
Understanding the Digital Markets Act (DMA).
Digital services in general and online platforms in particular play an increasingly important role in the economy, in particular in the internal market, by enabling businesses to reach users throughout the Union, by facilitating cross-border trade and by opening entirely new business opportunities to a large number of companies in the Union to the benefit of consumers in the Union.
At the same time, among those digital services, core platform services feature a number of characteristics that can be exploited by the undertakings providing them. An example of such characteristics of core platform services is extreme scale economies, which often result from nearly zero marginal costs to add business users or end users.
Other such characteristics of core platform services are very strong network effects, an ability to connect many business users with many end users through the multisidedness of these services, a significant degree of dependence of both business users and end users, lock-in effects, a lack of multi-homing for the same purpose by end users, vertical integration, and data driven-advantages.
All these characteristics, combined with unfair practices by undertakings providing the core platform services, can have the effect of substantially undermining the contestability of the core platform services, as well as impacting the fairness of the commercial relationship between undertakings providing such services and their business users and end users.
In practice, this leads to rapid and potentially far-reaching decreases in business users’ and end users’ choice, and therefore can confer on the provider of those services the position of a so-called gatekeeper.
At the same time, it should be recognised that services which act in a non-commercial purpose capacity such as collaborative projects should not be considered as core platform services for the purpose of this Regulation.
A small number of large undertakings providing core platform services have emerged with considerable economic power that could qualify them to be designated as gatekeepers pursuant to this Regulation. Typically, they feature an ability to connect many business users with many end users through their services, which, in turn, enables them to leverage their advantages, such as their access to large amounts of data, from one area of activity to another.
Some of those undertakings exercise control over whole platform ecosystems in the digital economy and are structurally extremely difficult to challenge or contest by existing or new market operators, irrespective of how innovative and efficient those market operators may be. Contestability is reduced in particular due to the existence of very high barriers to entry or exit, including high investment costs, which cannot, or not easily, be recuperated in case of exit, and the absence of, or reduced access to, some key inputs in the digital economy, such as data. As a result, the likelihood increases that the underlying markets do not function well, or will soon fail to function well.
Market processes are often incapable of ensuring fair economic outcomes with regard to core platform services. Although Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) apply to the conduct of gatekeepers, the scope of those provisions is limited to certain instances of market power, for example dominance on specific markets and of anti-competitive behaviour, and enforcement occurs ex post and requires an extensive investigation of often very complex facts on a case by case basis. Moreover, existing Union law does not address, or does not address effectively, the challenges to the effective functioning of the internal market posed by the conduct of gatekeepers that are not necessarily dominant in competition-law terms.
Gatekeepers have a significant impact on the internal market, providing gateways for a large number of business users to reach end users everywhere in the Union and on different markets. The adverse impact of unfair practices on the internal market and the particularly weak contestability of core platform services, including the negative societal and economic implications of such unfair practices, have led national legislators and sectoral regulators to act.
A number of regulatory solutions have already been adopted at national level or proposed to address unfair practices and the contestability of digital services or at least with regard to some of them. This has created divergent regulatory solutions which results in the fragmentation of the internal market, thus raising the risk of increased compliance costs due to different sets of national regulatory requirements.
Therefore, the purpose of this Regulation is to contribute to the proper functioning of the internal market by laying down rules to ensure contestability and fairness for the markets in the digital sector in general, and for business users and end users of core platform services provided by gatekeepers in particular. Business users and end users of core platform services provided by gatekeepers should be afforded appropriate regulatory safeguards throughout the Union against the unfair practices of gatekeepers, in order to facilitate cross-border business within the Union and thereby improve the proper functioning of the internal market, and to eliminate existing or likely emerging fragmentation in the specific areas covered by this Regulation.
Moreover, while gatekeepers tend to adopt global or at least pan-European business models and algorithmic structures, they can adopt, and in some cases have adopted, different business conditions and practices in different Member States, which is liable to create disparities between the competitive conditions for the users of core platform services provided by gatekeepers, to the detriment of integration of the internal market.
By approximating diverging national laws, it is possible to eliminate obstacles to the freedom to provide and receive services, including retail services, within the internal market. A targeted set of harmonised legal obligations should therefore be established at Union level to ensure contestable and fair digital markets featuring the presence of gatekeepers within the internal market to the benefit of the Union’s economy as a whole and ultimately of the Union’s consumers.
Online intermediation services, online search engines, operating systems, online social networking, video sharing platform services, number-independent interpersonal communication services, cloud computing services, virtual assistants, web browsers and online advertising services, including advertising intermediation services, all have the capacity to affect a large number of end users and businesses, which entails a risk of unfair business practices. Therefore, they should be included in the definition of core platform services and fall into the scope of this Regulation.
Online intermediation services can also be active in the field of financial services. For the purposes of this Regulation, the definition of core platform services should be technology neutral and should be understood to encompass those provided on or through various means or devices, such as connected TV or embedded digital services in vehicles. In certain circumstances, the notion of end users should encompass users that are traditionally considered business users, but in a given situation do not use the core platform services to provide goods or services to other end users, such as for example businesses relying on cloud computing services for their own purposes.
Having a very high number of business users that depend on a core platform service to reach a very high number of monthly active end users enables the undertaking providing that service to influence the operations of a substantial part of business users to its advantage and indicates, in principle, that that undertaking is an important gateway.
Active end users and business users should be identified and calculated in such a way as to adequately represent the role and reach of the specific core platform service in question. The Commission will be empowered to adopt delegated acts to amend this Regulation, by updating the methodology and the list of indicators used to determine the number of active end users and active business users.
Cyber Risk GmbH