EU Digital Markets Act comes into force on November 1, creating a new regulatory regime for big tech platforms | Skadden, Arps, Slate, Meagher & Flom LLP

The European Union’s Digital Markets Act (DMA) was published in the Official Journal of the EU on October 12, 2022. The legislation, which regulates large technology platforms, comes into force on November 1, 2022 (20 days after publication) and notification and review the process by which the European Commission (EC) will designate companies as “guardians” begins six months later, on May 1, 2023.

From that date, companies that meet the financial and user thresholds that give rise to a presumption of gatekeeper status have two months to report and comment on why gatekeeper status is not deserved (a rebuttal submission). The EC must decide gatekeeper status within 45 business days of receiving a company’s submission, and designated gatekeeper companies must comply with applicable DMA obligations within six months of the decision. CE designation.

The EC will soon launch a public consultation on the DMA implementing regulations, which will include a draft form for designation as a market guardian as well as other procedural rules. EU Competition Commissioner Margrethe Vestager has also suggested that the EC should organize workshops to collect the views of users, consumers and third parties regarding DMA compliance by major platforms.

Custodian Designation

The DMA sets rules defining and prohibiting unfair commercial practices perceived by large online platforms designated as important gatekeepers between European businesses and consumers. The law will apply alongside European and national competition law rules.

Unless a company presents substantiated arguments to demonstrate otherwise, a company is presumed to have gatekeeper status and fall under the scope of the DMA if it meets the following three criteria:

  1. It provides a basic platform service that serves as an important gateway for business users to reach end users. “Core platform service” includes any of the following: online intermediation services, online search engines, online social networking services, video sharing platform services , number-agnostic interpersonal communications services, operating systems, web browsers, virtual assistants, cloud computing services and online advertising services (including any ad networks, ad exchanges and any other advertising intermediation).
  2. It has a significant impact on the EU internal market. The company has had an annual turnover of at least €7.5 billion in the EU in each of the last three financial years or an average market valuation of at least €75 billion in the past financial year, and it provides the same basic platform service for at least three Member States.
  3. He enjoys a position (established or expected) rooted and enduring. The company averages a minimum of 45 million monthly end users established or located in the EU and at least 10,000 annual business users established in the EU in each of the previous three fiscal years.

The DMA requires companies to self-assess whether they meet the access control criteria and notify the EC of their status within two months of meeting these thresholds. The DMA requires access control companies to comply with a set of obligations and prohibitions within six months of their designation as access controllers.

Prohibitions

The DMA prohibits access control companies from:

  • process personal data of end users collected from third-party services for the purpose of providing online advertising services without prior consent (Art. 5 (2) (a));
  • reuse personal data collected during one service for the purposes of another service without prior consent (Art. 5(2)(b)-(c));
  • prevent professional users from offering their products and services at different prices and conditions on their own sales sites, as well as on third-party platforms (that’s to say., broad and narrow parity clauses) (art. 5 (3));
  • prevent users from lodging complaints with public authorities (Art. 5(6));
  • compel users to use certain platform services (for example., payment systems, identification services, web browsers or technical services) (Art. 5(7));
  • requiring users to register/subscribe to other Main Platform services as a condition of using any of the Main Platform services (Art. 5(8));
  • use the non-public data of professional users to compete with them (Art. 6(2));
  • placing its own products or services above those of others (Art. 6(5));
  • prevent end users from switching between different applications and services (Art. 6(6)); and
  • establish disproportionate termination conditions for professional users; (s.6(13))

Obligation

The DMA requires that access control companies:

  • enable communication and access to content between business users and end users (Art. 5(4)(5));
  • ensure transparency of prices and fees in advertising intermediation services (Art. 5(9)-(10));
  • ensure that users can access their marketing or advertising performance data on the platform (Art. 6(8));
  • allow end users to easily change the default settings and/or uninstall any software application on an operating system (OS), except where this is essential for the proper functioning of the OS (Art. 6(3));
  • allow the installation and use of third-party applications or application stores that do not endanger the integrity of the device or the operating system (Art. 6(4));
  • enable effective interoperability with an operating system, hardware or software applications (Art. 6(7));
  • ensure the interoperability of the basic functionalities of instant messaging services with those of other platforms (Art. 7);
  • ensuring the portability of end-user data to other systems or applications (Art. 6(9));
  • provide professional users with real-time access to their data generated on the platform (Art. 6(10));
  • provide other online search engines with fair, reasonable and non-discriminatory (FRAND) access to ranking, query, click and view data generated by end users on its online search engines (Art. 6(11));
  • apply FRAND’s terms of access for business users to its software application stores, online search engines and online social networking services (Art. 6(12)); and
  • notify the EC of any acquisition involving core platform services, data collection or the digital sector, whether or not notifiable to the EC under the EU Merger Regulation (Article 14) .

The EC will have discretion to update the list of obligations and prohibitions through “delegated acts” (that’s to say., supplementary legislative acts resulting from the DMA), for reasons of fairness or to eliminate barriers to competition.

Within six months of their designation as gatekeepers, companies will also be required to annually submit to the EC and publish, in summary form, an independently audited description of all consumer profiling techniques that gatekeepers apply to or on their primary platform. services.

Additional compliance obligations include: appointing a compliance monitor within the organization; annual report and publication of the measures taken by the gatekeeper to comply with the obligations of conduct; and a requirement for management to review compliance at least annually.

Enforcement and Penalties

The EC will be the sole executor of the DMA, in close cooperation with EU Member State authorities, who may initiate national investigations and bring evidence to the attention of the EC to consider enforcement action. In addition, the EC will be able to impose sanctions and fines of up to 10% of a company’s annual worldwide turnover and up to 20% of this turnover in the event of repeated infringements.

In the event of systematic breaches of the rules (that’s to say., at least three violations in eight years), the EC may also impose behavioral or structural remedies on a company to ensure the effectiveness of the DMA’s obligations, including a ban on acquisitions relevant to the violation. Monitors can also face class action lawsuits from individuals and companies in national courts for non-compliance with DMA obligations.

The DMA will apply alongside European and national competition law rules.

Key dates

Key dates

Publication in the Official Journal
October 12, 2022

Coming into force
November 1, 2022
20th day following publication in the Official Journal (art. 54)

Application
Immediately and May 2023
Some provisions apply immediately
The other provisions, including art. 3 regarding the designation process, applies six months after entry into force (Art. 54(2))

Notification deadline for companies that meet the gatekeeper quantitative thresholds
July 2023
Monitors must self-assess and notify “without delay” and in any case within two months (Art. 3(3)) or from when the criteria are met

Decision to appoint the EC access controller
September 2023
45 working days after receipt of complete information (Art. 3(4))

Guardian obligations begin to apply
March 2024
Within six months of appointing the gatekeeper for a specific CPS (Art. 3(10))

Next steps if the notification includes a substantiated/compelling rebuttal

If sufficiently substantiated arguments are presented with the notification, the appointment can only be made after market investigation (Art. 3(5) para. 2).

But the EC has no obligation to initiate a market investigation, nor any deadline for doing so.

Moreover, there is no incentive for the EC to do so because Art. 14(1)(a) provides that it may exercise its investigative powers before initiating a market investigation.

Market survey

Duration: five months from the opening of the investigation, with preliminary findings to be communicated within three months

Note: The timetable is not binding – the ‘EC will endeavour’ (Art. 17(3)).

Caroline Janssens, Senior Professional Support Lawyer, contributed to this article.

Download PDF

About Ricardo Schulte

Check Also

ASCI extends code for online advertisements

The Advertising Standards Council of India (ASCI), the self-regulatory body for the advertising industry, plans …