In the course of providing certain “core platform services” for business users to reach their end users online, very large digital platform operators (“gatekeepers”) act as private rule-makers and may create ‘bottlenecks’ and ‘choke points’ that limit access, unfairly exploit data for their own purposes and/or impose unfair conditions on participants. Therefore, the EU has introduced the Digital Markets Act (DMA)) to control gatekeepers’ practices that either fall outside the existing EU competition controls or cannot be effectively addressed by those rules. Member state’s regulators cannot go further than the DMA restrictions and the restrictions must be applied consistently throughout the EU. Gatekeepers can be fined up to 20% of worldwide revenue for breaches. The DMA will start to apply in May 2023 and gatekeepers will have six months to comply, once they have been designated. Please get in touch if you have queries or concerns about compliance or your rights.
Which platforms are gatekeepers?
A platform can be designated as a 'gatekeeper' in relation to a specific 'core platform service' if it satisfies the following criteria (unless it can prove otherwise):
- It has a significant impact on the internal market, which is presumed where the undertaking to which it belongs has either an annual EU turnover of at least €7.5bn in each of the last three financial years, or average market capitalisation/value of at least €75bn in the last financial year, and provides a core platform service in at least 3 member states;
- It operates a core platform service that serves as an important gateway for business users to reach end users, which is presumed where the service reaches user thresholds of 45m monthly active EU-based end users and 10,000 yearly active EU-based business users in the last financial year; and
- It enjoys, or will enjoy, an entrenched and durable position in its operations, which is presumed where the user thresholds were met in each of the last 3 financial years.
What gatekeeper services are affected?
A “core platform service” means any of the following:
- online intermediation services;
- online search engines;
- online social networking services;
- video-sharing platform services;
- operating systems;
- web browsers;
- virtual assistants;
- cloud computing services;
- number-independent interpersonal communication services (NIICS) – e.g. WhatsApp, Messenger, and other online communications services that do not actually connect using public telecoms number plans (even if your mobile number might be used as an identifier), but the DMA will not apply to other electronic communications networks defined in the European Electronic Communications Code;
- advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by a provider of any of the core platform services listed above.
Such service providers must notify the European Commission within two months after those thresholds are met (with any argument that the related criteria should not apply), but failure to do so does not prevent the Commission from designating these providers as gatekeepers, either then or following a market investigation.
Designation may change if there has been a substantial change or error in any of the facts on which it was based and Commission must also review the designation at least every three years. The Commission must maintain a public list of gatekeepers and their affected core platform services.
Obligations on gatekeepers
Specific requirements are aimed at protecting various types of participant from adverse practices in the course of their use of gatekeepers’ designated core platform services, regardless of whether the relevant practice is contractual, commercial, technical or of some other nature.
Gatekeepers must publish general conditions of access, including an alternative dispute resolution mechanism, and cannot terminate a core platform service on conditions that are disproportionate. Participants in the service must be able to exercise their rights to terminate without undue difficulty.
Gatekeepers need end users’ fully informed consent (as per GDPR) to process their personal data for online advertising; combine or cross-use it with personal data from any other services provided by the gatekeeper or a third-party services; or sign the end user into to other services of the gatekeeper to combine their personal data. Where an end user’s consent has been refused or withdrawn, the gatekeeper may only make one more request for the same consent for a year.
End users must be able to un-install any pre-installed software applications on a gatekeeper’s core platform service (but a gatekeeper may preserve applications that are essential for the functioning of the operating system or device where such applications cannot technically be offered on a standalone basis by third-parties).
Gatekeepers must not technically restrict end users from subscribing for or switching between applications and services using the operating system, including choice of Internet access provider.
End users must have effective portability of the data generated through their activity and be given the tools to achieve that, including continuous and real-time access.
A gatekeeper must not make the exercise of end users’ rights unduly difficult or degrade the quality or condition of any of the core platform service provided to end users who exercise their rights.
A gatekeeper must submit any techniques for profiling of consumers to an independent audit within six months of using them.
- not prevent business users from offering the same products or services to end users through third-party online intermediation services or their own direct online sales channel at prices or conditions that are different from those offered through the gatekeeper’s service;
- allow business users, free of charge, to communicate and promote offers to end users acquired via its core platform service or through other channels and conclude contracts with those end users, regardless of whether and for what purpose they use the core platform service;
- allow end users to access and use content, subscriptions, features or other items through its core platform services, by using the software application of a business user (including where those end users acquired such items from the relevant business user) without using the core platform services of the gatekeeper;
- not directly or indirectly prevent or restrict business users or end users from raising any issue of non-compliance of any kind by the gatekeeper with any relevant public authority or courts (without prejudice to the right of business users and gatekeepers to specify lawful complaints-handling processes);
- in the context of business users’ services using the gatekeeper’s core platform service, not require end users or business users to use, offer, or interoperate with the gatekeeper’s own identification service, web browser engine or payment service (or technical services that support payment services, including systems for in-app purchases);
- not require business users or end users to subscribe to, or register with, any further designated core platform services as a condition for being able to use, access, sign up for or registering with any of that gatekeeper’s designated core platform services;
- not use in competition with business users any business data not publicly available that is provided by or generated through activities by their use of the core platform services or related services (including data generated or provided by the business users’ customers).
- provide business users with effective portability of the data generated through their activity and the tools to achieve that, including continuous and real-time access.
- provide business users (or their authorised third parties), free of charge:
- effective, high-quality, continuous and real-time access and use of aggregated or non-aggregated data, that is provided or generated in the use of the relevant core platform service by those business users and their end users engaging with their products;
- provide access and use for personal data only where directly connected with the use effectuated by the end user in respect of the products of the business user through the core platform service with the end users’ consent.
- apply fair and non-discriminatory general conditions of access for business users to its software application store (where designated).
- not make the obtaining of consents by a business user more burdensome than for its own services.
- not make the exercise of business users’ rights unduly difficult or degrade the quality or condition of any of the core platform service provided to business users who exercise their rights.
- submit any techniques for profiling of consumers to an independent audit within six months of using them.
Gatekeepers must provide on request to each advertiser to which it supplies online advertising services (or their authorised third parties) daily and free of charge:
- information on each advertisement placed, the price and fees paid, remuneration received by the advertising publisher and the basis of calculation. If a publisher of advertising does not consent to the sharing of information regarding its remuneration, the gatekeeper shall provide the advertiser with the daily average remuneration received by that publisher, including any deductions and surcharges;
- access to the gatekeeper’s performance measuring tools and the information necessary for advertisers to carry out their own independent verification of the advertisement inventory, including aggregated and non-aggregated data.
Gatekeepers must provide:
- on request to each publisher to which it supplies online advertising services (or their authorised third parties) daily and free of charge information concerning the display of each ad from the publisher’s inventory, the remuneration received and fees paid by that publisher, the price paid by the advertiser and the basis of calculation. If an advertiser does not consent to the sharing of such information, the gatekeeper shall provide the daily average price paid by that advertiser for the relevant ad, including any deductions and surcharges.
- access to the gatekeeper’s performance measuring tools and the information necessary for publishers to carry out their own independent verification of the advertisement inventory, including aggregated and non-aggregated data.
Third Party Software Providers
- allow the installation and effective use of third-party software applications or software application stores using, or interoperating with, the gatekeeper’s operating systems and allow those applications or stores to be accessed by means other than via that gatekeeper (subject to proportionate measures to ensure those applications or stores don’t endanger the integrity of the gatekeeper’s systems).
- not treat the gatekeepers’ own group products more favourably in ranking and related indexing and crawling, than similar third party products; and apply fair and non-discriminatory conditions to such ranking.
- allow third party service and hardware providers, free of charge, effective interoperability with (and access for the purposes of interoperability) the same hardware and software features accessed or controlled via the gatekeeper’s designated operating system or virtual assistant as are available to the gatekeepers own services or hardware.
- provide, on request, to any third party online search engine providers access on fair, reasonable and non-discriminatory terms to the gatekeeper’s data on ranking, query, click and view relating to free and paid search results generated by the gatekeeper’s end users (subject to anonymisation of personal data).
A relevant gatekeeper must make the basic functionalities of its NIICS interoperable with the NIICS of another provider offering or intending to offer such services in the EU, by providing the necessary technical means that facilitate interoperability, upon request and free of charge. The gatekeeper must publish a ‘reference offer’ specifying the technical details and conditions of interoperability, including necessary details on security and end-to-end encryption which must be preserved across the interoperable services. Any NIICS provider may then request interoperability for some or all of the basic functionalities, and the gatekeeper has three months to render those functionalities operational. Only the personal data of end users that is strictly necessary to provide effective interoperability may be collected and exchanged.
Over time, a relevant gatekeeper must at least make the following functionalities interoperable where it provides those functionalities to its own end users:
- Basic functionalities: within three months of request:
- end-to-end text messaging between two end users;
- sharing of images, voice messages, videos and other attached files in end-to-end communication between two end users;
- Group functionalities: Within 2 years from designation:
- end-to-end text messaging within groups of individual end users;
- sharing of images, voice messages, videos and other attached files in end-to-end communication between a group chat and an individual end user;
- End-to-end voice and video calls: Within 4 years from the designation:
- end-to-end voice calls between two individual end users;
- end-to-end video calls between two individual end users;
- end-to-end voice calls between a group chat and an individual end user;
- end-to-end video calls between a group chat and an individual end user.
The Commission has vast powers to ensure compliance with the DMA, including monitoring, imposing conditions and fines, obtaining reports, granting exemptions on public interest grounds (health and security) and undertaking market investigations.
The types of services and restrictions covered by the DMA reflect many of the complaints and concerns generated in the course of the explosive growth of various ‘tech giants’ over the past fifteen years or so. The Commission has been very assertive on the wider competition front, so it seems likely to use these powers actively. This should go a considerable way toward addressing various ‘externalities’ that were simply left for the market or regulators to address. Perhaps some business models that were choked off might now regenerate, albeit in digital form.
At the same time, gatekeepers may feel aggrieved that the enormous benefits that have accrued to them from a relentless commitment to solving users’ problems and creating genuinely useful services from launch not so long ago are already being unfairly curtailed or shared with businesses that have not had to make that journey or commitment.
At any rate, it remains to be seen whether the gatekeepers will comply quietly or continue what seems to have been an endless game of cat-and-mouse…
Please get in touch if you have queries or concerns about compliance or your rights.