Will the EU Digital Markets Act Rein In the Internet’s ‘Gatekeepers’?
A handful of US tech companies dominate the internet. These “gatekeepers” control platforms that millions of people use—and thousands of businesses depend on to reach their customers.
The EU’s Digital Markets Act (DMA) aims to create fairer market conditions and increased consumer choice. The law imposes strict rules on large companies and should benefit smaller players in the digital ecosystem.
This article explains who the DMA covers, how the law works, and whether it could achieve its objectives of a fairer online market.
The Gatekeepers
The DMA provides new rules for “gatekeepers”.
Gatekeepers are companies running large platforms across several EU countries—platforms that many businesses depend on to reach potential customers.
The DMA provides three main criteria for determining which companies are gatekeepers:
They have a significant market impact. They provide an important core platform service. They have an entrenched market position.
Companies meeting these criteria must notify the European Commission by early July 2023. Gatekeepers will likely include Meta, Amazon, Apple, Google, Meta and Microsoft.
Here’s a closer look at what sorts of companies are “gatekeepers”.
Significant Impact
A gatekeeper has a significant impact on the EU’s internal market.
A company is presumed to satisfy this condition if:
It had either:
- An annual turnover in the EU of at least €7.5 billion in each of the last three financial years, or
- An average market capitalisation of at least €75 billion in the previous financial year.
- It provides the same “core platform service” in at least three EU member states.
Core Platform Service
A gatekeeper provides a core platform service which is an important gateway for businesses to reach end-users.
A company is presumed to satisfy this condition if it meets both of the following conditions:
- It provides one or more of the following “core platform services”:
- Online intermediation service
- Online search engine
- Online social networking service
- Video-sharing platform service
- Number-independent interpersonal communications service
- Operating system
- Web browser
- Virtual assistant
- Cloud computing service
- Online advertising services, if the company also provides one of the above core platforms services
- It has at least:
- 45 million monthly active users in the EU, and
- 100,000 yearly active business users in the EU.
Entrenched and Durable Position
A gatekeeper has, or will likely soon have, an “entrenched and durable position”.
A company will be presumed to meet this condition if it has provided an “important gateway” core platform service (per the terms above) for at least the previous three years.
Requirements for Gatekeepers
The DMA should have a substantial impact on how gatekeepers operate in the EU.
The law provides both positive and negative requirements = "do"s and "don’t"s.
What Gatekeepers Must Do Under the DMA
Here are some of the DMA’s positive requirements for gatekeepers:
Interoperability
A key DMA requirement for gatekeepers is to enable “interoperability”.
Interoperability essentially means making a piece of software and hardware work with third-party software and hardware. This requirement is designed to stop gatekeepers from sealing off their products as a way to retain users.
For example, users of a gatekeeper’s messaging app will be able to use that app to communicate with people who are using different apps.
In the context of a phone or other device, interoperability means that users must be able to download third-party apps. Gatekeepers also cannot prevent third-party apps from asking the user if they would like to use the app by default.
This requirement could be particularly disruptive to a company like Apple, which has defended its closed ecosystem for many years.
Gatekeepers will also have to open up operating systems to other businesses, enabling them to access and control the operating system’s features—for free.
Gatekeepers can take necessary and proportionate measures to prevent any security incidents that might arise from interoperability.
Access to Data
A gatekeeper must allow free access to data in several different contexts.
For example, Meta will need to provide a way for advertisers and publishers to independently check the performance of their Facebook or Instagram ads - they won’t have to simply trust Meta’s own reports.
Other types of business users must also get free access to the data they generate on a gatekeeper’s platform, including personal data under certain conditions.
Gatekeepers must provide non-business users (“end-users”) with real-time access to their data, and make data available in a portable format so that users can easily switch platforms.
Off-Platform Sales
A gatekeeper must allow business users to make offers and sales outside of the gatekeeper’s platform.
For example, a third-party seller on an online marketplace can conclude a sale on the platform (where the gatekeeper will normally charge the seller a fee), or the seller can provide a link to its own website and conclude the sale there.
If a seller on a gatekeeper’s platform offers a cheaper price on its own website, the gatekeeper can’t stop the seller from promoting this cheaper price on the gatekeeper’s platform.
What Gatekeepers Must NOT Do Under the DMA
Here are some of the DMA’s negative requirements for gatekeepers.
Self-Preferencing
A gatekeeper cannot treat its own products or services more favourably than products and services offered by its business users.
So, for example, if a user searches for a photo app on Google Play, Google’s own Photos app won’t automatically appear above other apps in the search results. Restricting Off-Platform Communications
Similarly to the “off-platform sales” requirement explained above, gatekeepers cannot prevent end-users from communicating with business users outside of the gatekeeper’s platform.
Preventing Uninstalls
Gatekeepers must not prevent users from uninstalling pre-loaded apps.
This means users should be able to get rid of pre-installed “bloatware” on their phones, such as default marketplace, gallery, and search apps.
Privacy-Invasive Practices
Some of the most important DMA provisions relate to the data protection and privacy of end-users.
Gatekeepers will be largely prohibited from tracking users’ behaviour across different services without consent.
Such rules already arguably exist under the EU’s General Data Protection Regulation (GDPR) and ePrivacy Directive, but the DMA would bring clarity around where consent is required, and how platforms may use data collected from across their own services.
We’ll explore these provisions in more detail toward the end of this article.
Enforcement and Penalties
Fines against gatekeepers under the DMA can be very high:
- Up to 10% of annual global turnover.
- Up to 20% of annual global turnover for repeated violations.
- Periodic penalties of up to 5% of average daily global turnover.
Certain “last resort” remedies are also possible, such as forcing a gatekeeper to sell part of its business.
Will the Digital Markets Act Be Effective?
The main goals of the DMA include:
- Creating fairer market conditions for smaller businesses.
- Ensuring new companies can compete and innovate within the platform ecosystem.
- Providing users with more choice and flexibility when using online platforms.
Will the DMA achieve these goals?
Fairer Market Conditions
The search engine market is currently dominated by Google and, to a lesser extent, Microsoft. The DMA would treat these providers as gatekeepers, forcing search giants to offer clearer search engine choices to users and share data with smaller competitors.
Colin Hayhurst, CEO of the privacy-focused search engine Mojeek, says the provisions around default search engines in browsers and operating systems could be the “most significant part of the DMA”.
“The imposed choice architectures in gatekeeper browsers (such as search engine lists) are already a huge barrier to effective competition,” Hayhurst said.
The problem is made worse for competitors due to coordination between gatekeepers. Google, for example, reportedly pays billions to Apple each year to keep Google Search as the default search engine on Apple products.
This would be a positive move from the perspective of a company like Mojeek—which competes with some of the world’s largest tech firms despite needing to operate on their platforms.
But Hayhurst argued that the DMA falls short in one important area.
The regulation would require gatekeepers to share data about search queries in a way that Hayhurst fears could lead to smaller companies “cloning” large search engines and ultimately increasing revenue for tech giants.
Because some search providers provide results gleaned from Google and Microsoft, Hayhurst said that the “‘cloning’ of gatekeeper search results is already happening”.
“If you do not crawl the web, then you will not discover destinations which the gatekeepers have not covered. You will end up cloning their search results and rankings.”
Tracking and Privacy
Another important part of the DMA relates to the tracking of users’ activity on gatekeepers’ platforms.
Gatekeepers will only be allowed to rely on one of four of the GDPR’s “legal bases” for certain activities, namely:
- Combining data about users from across platforms (whether these platforms are owned by the gatekeeper or by third parties).
- Using data about users across different services owned by the gatekeeper.
So, for example, this would apply when Meta uses data about a person’s Instagram activity to target the person with ads on Facebook.
Gatekeepers can only do these things with the user’s consent—or under one of three other legal bases that are unlikely to apply in most circumstances (“legal obligation”, “vital interests”, and “public task”).
Notably, relying on the legal basis of “legitimate interests” for such activity is no longer permissible under the DMA.
There are some other important strings attached. For example, gatekeepers must not mislead users into providing consent, prompt users for consent more than once per year, and must allow business users to access certain information about users’ consent.
By restricting the ability of larger companies to combine and re-use personal data collected from across different platforms and websites, the DMA could achieve its goal of creating fairer competition in digital advertising and services.
But clearer and more targeted rules in this area might also achieve one of the EU’s longer-standing goals: Improving data protection and privacy for hundreds of millions of people across Europe.
Try Wide Angle Analytics!