16 November 2023 was the last day to challenge the ‘gatekeeper’ designation decisions that the European Commission made under the Digital Markets Act (‘DMA’) on 6 September 2023. Among six Big Tech giants (Amazon, Apple, ByteDance (TikTok), Meta, Alphabet Inc. and Microsoft) with twenty-two core platform services falling under their ‘gatekeeper’ banner, three decided to appeal: Meta in relation to its Meta Marketplace and Messenger services, TikTok and Apple. Besides that, the European Commission is currently investigating additional services like Microsoft’s Bing, Edge, and Apple’s iMessage to determine their ultimate DMA classification. Following their final designation, gatekeepers have until 6 March 2024 to comply with the full list of do’s and don’ts under the DMA.
At the same time, smaller digital businesses have been given time until February 2024 to comply with new requirements stemming from the Digital Services Act (‘DSA’), the second cornerstone of the EU Digital Services Package (‘DSP’).
The DMA supports digital businesses by enabling them to compete equally with gatekeepers. At the same time, they face the need to comply themselves with obligations under the DSA, which focus on ensuring online security, transparency and protection of fundamental rights.
Below, we highlight the main obligations from the DMA (for gatekeepers) and DSA (for startups and SMEs) and the consequences of non-compliance. We also explore how companies can benefit from these new legal developments.
Digital Markets Act
‘Gatekeepers’
The DMA aims to ensure a fair and competitive digital economy, and to this end, it is designed by its very nature to control the largest participants on the Internet by imposing stricter rules on them. Therefore, the DMA concerns only platforms that are identified as ‘gatekeepers’ in relation to one or more ‘core platform services’ (CPS).
CPS are listed as online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communications services, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services. Importantly, the DMA rules apply where CPS are offered or provided to businesses or end-users in the EU. This is regardless of the place of establishment or residence of the gatekeepers.
Consequently, the designation of gatekeepers is a nodal point of the DMA. Without getting into too much detail, both quantitative and qualitative criteria are taken into account when assessing who is a gatekeeper. The final decision in that scope rests with the European Commission. In its designation decision, it indicates which CPS serve as an important gateway for business users to reach end-users. With respect to each of these CPS, the gatekeepers have to comply with all of the do’s and don’ts laid down in the DMA. Adherence to those obligations must persist until the European Commission withdraws the gatekeeper status, and the Commission is obliged to reevaluate these designations at a minimum of once every three years.
Dos and don’ts
Primarily, the gatekeepers are required to:
- enable end users to uninstall pre-installed apps or change default settings that link to the gatekeeper’s services and offer selection screens for key services;
- enable end users to install apps from other developers or app stores that work with the gatekeeper’s operating system;
- allow end users to opt out of the gatekeeper’s CPS as easily as they signed up for it;
- allow third parties to interact with the gatekeeper’s services;
- provide companies advertising on the platform with access to the gatekeeper’s performance measurement tools and information necessary for them to conduct their independent operations;
and are prohibited from:
- using businesses’ user data when the gatekeeper competes with them on its platform;
- classifying their own products or services more favourably;
- requiring app developers to use the gatekeeper’s services (such as payment systems or identity verification) to appear in its app stores;
- tracking end users outside of the main platform for profiled advertising, without having acquired effective consent.
Additionally, gatekeepers offering messenger services must follow specific rules to ensure that basic features can work with other providers’ services. This requirement comes into play when other providers ask for access to a service and follows a step-by-step plan. For instance, simple features like text messages between two users must be ready to work as soon as the DMA is in effect. More complex features like group text messages need to be ready within two years, while advanced functionalities like audio and video calls between individual users or groups must be ready within four years from the designation decision.
Harsh sanctions for non-compliance
The European Commission will be the sole enforcer of the DMA. Gatekeepers who do not comply with the above-listed obligations can be fined up to 10% of their annual worldwide turnover, and for repeat offences up to 20% of worldwide turnover. Where gatekeepers consistently do not follow the DMA (meaning they break the rules at least three times in eight years), the European Commission can enforce behavioural or structural remedies or even temporarily ban a gatekeeper from entering into future transactions.
Strengthening the position of competitors
All of the above obligations apply only to gatekeepers, so their smaller competitors can expect a significant strengthening of their market position. It is believed that the new rules will (i) allow them more access to performance information on how their products or services are performing on the platforms; (ii) combat unfair rankings; (iii) support businesses in attracting consumers as they will no longer be locked in by gatekeeper platforms; and (iv) reduce barriers to entry on digital markets by promoting interoperability and data portability.
Although the European Commission has exclusive authority for enforcing the DMA, smaller competitors of gatekeepers can actively participate in creating a level playing field through two instruments. Firstly, the DMA establishes clear complaint mechanisms, enabling them to address unfair practices or anti-competitive conduct by gatekeepers. This provides them with a platform to voice their concerns directly to the European Commission or via national competition authorities. Secondly, given that the DMA is directly applicable in the EU Member States, it is possible to enforce the DMA obligations in national courts, including through private damages actions.
Digital Services Act
Regulatory approach
Unlike the DMA, the DSA has a much wider scope of application, which depends on a multipolar classification rather than a bipolar one (gatekeeper/non-gatekeeper). Distinct responsibilities have been placed on various businesses based on their intermediary service type, scale, and influence. These duties aim to ensure that digital business services are provided in a responsible manner and are not misused for unlawful activities. Specific obligations apply primarily to very large online platforms and very large online search engines, commonly known as VLOPs and VLOSEs, whereas very small platforms are largely exempt from the majority of their obligations. By adjusting the allocation of responsibilities within the online ecosystem according to platform size, the DSA guarantees proportionality of the regulatory burdens.
Four layers of digital businesses and their obligations
With those proportioned legal obligations, the DSA consists of four layers:
- Intermediary services offering network infrastructure, internet access providers, and domain name registrars must (i) establish two single points of contact, one for the recipients of the services and another to facilitate direct communication with the supervisory authorities, while providers not established in the EU but offering services in the EU will be required to designate a legal representative in the EU; (ii) explicitly and unambiguously describe in their terms and conditions any restrictions that they may impose on the use of their services, such as the content moderation policies, and act responsibly in applying and enforcing those restrictions; (iii) for services aimed at minors, provide an explanation of the conditions and restrictions of use in a way that is understandable for them; and (iv) publish an annual report on content moderation.
- Hosting services such as cloud and web hosting services must (i) comply with all layer one obligations; (ii) implement a mechanism that allows third parties to notify the presence of allegedly illegal content; (iii) inform the person who filed a notification of the decision taken and the available redress mechanisms; (iv) provide a statement of reasons to the relevant user if a provider decides to remove information or suspend or terminate the provision of the services; and (v) inform the national authorities of any information giving rise to suspicions of serious criminal offences.
- Online platforms such as online marketplaces, app stores, collaborative economy platforms, and social media platforms must: (i) comply with all layer one and two obligations; (ii) publish the average monthly active recipients in the last six months on their online interface; (iii) treat notices filed by trusted flaggers (independent entities that have particular expertise in detecting illegal content) with priority; (iv) design their online interfaces in a way that enables users to make free and informed decisions (ban on dark patterns); (v) provide a high level of privacy, safety, and security for minors, including a prohibition on profiled advertising; (vi) set out in the terms and conditions the main parameters used in their recommender systems to suggest or rank the information presented to users; and (vii) arrange a certified out-of-court mediation mechanism for decisions concerning content moderation.
- Very large online platforms and very large online search engines, ie online platforms reaching at least 45 million active users in the EU, on top of all the above-listed requirements must adopt the most stringent measures such as undergoing an annual independent audit into the DSA compliance, establishing a public repository on the online advertisements displayed in the past year, or providing to the competent authorities access to the data necessary to monitor the fulfilment of the DSA obligations. Last but not least, VLOPs and VLOSEs have to address any systemic risk stemming from the use of their platforms by effective and tailor-made mitigation measures (the definition of systemic risk includes almost any collective threat, eg illegal content, hate speech, privacy breaches and election interference).
Additionally, with the exception of those employing fewer than 50 individuals or generating annual revenues below 10 million euros, all platforms are also obliged to: (i) set up complaint and redress mechanisms; (ii) cooperate with so-called trusted flaggers; (iii) take measures against abusive notices; (iv) deal with complaints; (v) include the credentials of third-party suppliers; (vi) provide user-friendly and transparent online advertising.
Positive implications for smaller business
It is reasonable to assume that enforcing obligations stemming from the DSA will improve digital platforms’ transparency in content moderation, traceability and verifiability of traders, as well as reduce the manipulative design of online space and sensitive ad tracking. It brings twofold implications for smaller businesses.
On the one hand, smaller businesses must take action to adopt a well-designed platform interface, easy-to-use mechanisms for abusive notice, complaint and redress, and a streamlined set of processes regarding (transparent reporting of) content moderation. Moreover, they need to reconsider personal data collection policies and the use of cookies. Ultimately, the DSA will have a profound impact on the effectiveness of online campaigns.
On the other hand, smaller businesses will also benefit from this new set of rules. They will be provided with user-friendly and efficient tools to report unlawful activities that harm their trade, eg intellectual property rights infringements. Additionally, they will have access to both internal and external redress mechanisms, which will enhance their safeguards against unjust content removal by VLOPs and VLOSEs.
Conclusion
The DMA gives a clear advantage to smaller competitors. By leveling the playing field in digital markets, it allows them to compete with gatekeepers on equal terms. Moreover, they can contribute to the DMA enforcement by voicing their concerns regarding the practices of gatekeepers to the European Commission or national competition authorities, or by taking private damages actions in courts in various EU Member States. The former tool seems to be of particular importance. In the middle of January 2024, a coalition of firms including Spotify and Schibsted sent a letter to the European Commission, expressing their concern that the designated gatekeepers might not meet the deadline to adhere to the DMA provisions. Simultaneously, the head of the ACM, Martijn Snoep, confirmed that his agency has appointed seven staffers to handle the DMA enforcement since a large number of complaints from smaller competitors of gatekeepers is anticipated.
At the same time, while searching for DSA-compliant solutions, it is important to acknowledge that there is not just one single way for proper adherence. Specific factors like the type and model of an online business, the size of its operations, and the targeted users should be taken into account when determining compliance steps to be implemented. Therefore, to enhance legal certainty and facilitate business compliance processes, the ACM has drawn up its dedicated guidelines concerning DSA enforcement for each type of digital service provider. Those guidelines are now published for consultation.
Should you require any assistance with getting your business prepared for the Digital Services Package, or should you wish to file a complaint against a gatekeeper, we would be happy to help. Do not hesitate to contact us either by e-mail or phone.