One year ago, in November 2022, the final version of the Digital Markets Act (“DMA”)1 entered into force but only became applicable on 2 May 2023. The DMA aims to regulate via a number of conduct obligations the behavior of large digital companies which offer Core Platform Services (“CPS”) and meet the criteria to be designated as “gatekeepers” by the European Commission (“Commission”).
The DMA came as a response to the challenges raised by the special characteristics of the digital economy and mainly by digital platforms. The merger case Facebook/WhatsApp that was waved through without ado is only one proof that the ability of the EU’s antitrust law to tackle the digital challenges was limited. The introduction of Section 19a into the German Competition Act (GWB) as a new “gatekeeper provision” increased the pressure for the EU legislator to harmonize the rules designated to set stronger limits on big tech companies.
Not all undertakings active in the digital economy need to be concerned that they have to adjust their business behavior to the requirements of the DMA. Addressees of the DMA are only those undertakings that (i) have a significant impact on the internal market, (ii) offer an important gateway for business users to reach end users by providing one of the following ten CPSs listed in Art. 2 DMA: online search engines, online social networks, online intermediation services, video-sharing platform services, operating systems, web browsers, virtual assistants, cloud computing services, number-independent interpersonal communication services, and online advertising services, and (iii) enjoy an entrenched and durable position in their operations (or it is foreseeable that they will enjoy such a position in the near future).2 It is assumed that these three criteria are met when specific thresholds (quantitative criteria, especially regarding turnover/market value and number of users3) set forth in Art. 3(2) DMA are fulfilled.
Once the quantitative criteria are met, the company has to notify the Commission thereof without delay – in any event within two months after those thresholds are met – and provide it with the relevant threshold information. The Commission, having the exclusive competence for the designation of gatekeepers, has to assess the information to proceed with the designation within 45 working days.
In addition, the Commission may designate a CPS provider as a gatekeeper even if the quantitative criteria are not met. In that case, the Commission takes into account certain other factors (such as number of users, network effects and data driven advantages, scale and scope effects, user lock-in, conglomerate structure) and may conduct a market investigation. In this case, it is possible for the Commission to turn to the national competition authorities (NCAs) for their assistance.4
Following the designation decision, the gatekeeper has six months not only to comply with several behavioral obligations laid down in the DMA, but also to implement measures to ensure and demonstrate compliance with such obligations.5 The gatekeeper has to provide the Commission with a corresponding report as well as an independently audited description of any techniques applied for profiling of consumers.6 These obligations are only relevant for the CPSs listed in the designation decision and not for the entire services of the gatekeeper.
The European legislator has tried to ensure that the obligations are easy to understand and implement by describing them as precisely as possible. Many of the obligations reflect the outcome of the Commission’s proceedings against dominant digital companies, such as the Google Shopping case.7 The focus of the obligations lies on the one hand on the protection of the rights and interests of end users and on the other hand on those of business users.
As part of the obligations in favor of the end users’ interests, the gatekeepers have to ensure that they get the consent of the end users before processing, for the purpose of online advertising services, the personal data acquired when end users use third-party services that make use of a CPS of the gatekeeper. The consent is also needed before combining or cross-using personal data from the CPS with personal data obtained from any other service provided by the gatekeeper.8 The DMA also ensures that end users have the option of multi-homing: gatekeepers are not allowed to restrict end users, technically or otherwise, to switch between, and subscribe to different software applications and services that are being accessed by the use of the gatekeeper’s CPS.9 Gatekeepers should also facilitate a free of charge portability of the data provided or generated through their activity in the context of the CPS upon the end users’ request, and grant real-time access to such data.10 Moreover, gatekeepers should ensure that end users can easily change default settings on their operating system, virtual assistant and web browser that direct or steer them to products or services provided by the gatekeeper (e.g. by being prompted on their first use to choose from a list of available service providers).11
The DMA obliges gatekeepers not to prevent business users from offering the same products or services to end users via third-party online intermediation services or via their own direct online sales channel at prices that are different from the ones offered by the gatekeeper via its online intermediation services.12 In terms of ranking, related indexing and crawling, gatekeepers cannot treat their own services and products in a more favorable manner than similar services offered by a third-party and should apply transparent, fair and non-discriminatory conditions to such ranking.13 Moreover, when competing with business users, gatekeepers must not use any data that is not publicly available and that a business user has provided them within the context of its use of the relevant CPS.14
A new and far-reaching interoperability obligation for gatekeepers is also introduced with regard to number-independent interpersonal communications services, including basic functionalities such as end-to-end text messaging, sharing of images, voice messages, videos and other attached files, as well as voice and video calls.15
Last but not least, gatekeepers have the obligation to inform the Commission about concentrations prior to closing, where the merging parties or the target provide CPS or any other services in the digital sector or enable the collection of data, regardless of whether the concentration would actually be notifiable to the Commission or to NCAs under merger control rules.16 This obligation enables the Commission to review so-called “killer acquisitions” and is designed to facilitate the possibility of referrals under Art. 22 of the EU Merger Regulation.
The Commission is vested with a broad range of investigative, enforcement and monitoring powers, including opening of proceedings, sending requests for information, carrying out interviews and taking statements, conducting inspections (“dawn raids”), obliging gatekeepers to retain all documents deemed to be relevant to assess the implementation of and compliance with those obligations, and appointing an independent external expert and auditor.17 In case of systematic infringement of one or more of the obligations provided by the DMA, the Commission may impose on the gatekeeper behavioral or structural remedies which are proportionate and necessary to ensure effective compliance with the DMA.18
In case the Commission finds that a gatekeeper did not comply with one or more of its obligations, with remedies or interim measures imposed on them, or the legally binding commitments, it can adopt a non-compliance decision and impose fines of up to 10% of the gatekeeper’s worldwide annual group turnover.19 Additionally, the Commission may also impose fines of up to 1% of the worldwide annual turnover in case of, among others, failure to provide, within the set deadline, information required for assessing their designation as gatekeepers, the supply of incorrect, incomplete or misleading information, or failure to comply with the obligation to notify the Commission upon meeting the relevant thresholds.20
Although the Commission is the sole enforcement authority of the DMA, it is intended that NCAs work closely together to ensure a coherent, effective and complementary enforcement of the available legal instruments applied to gatekeepers.21 The Commission can seek assistance of the NCAs in case of market investigations, while the latter can themselves initiate investigations for possible violations of the DMA but must inform the Commission beforehand.22
Nevertheless, the enforcement of the DMA is not only the responsibility of the authorities. The courts of the member states can be entrusted with the private enforcement of the DMA. It is hence expected that the national provisions will be adapted so that actions for injunctions and damage claims can be easily brought before court. The German legislator has already ensured via the latest amendment of the Competition Act that the provisions facilitating private enforcement in antitrust cases extend to DMA-related actions, e.g., the binding effect of a final Commission decision finding a breach of obligations laid down in the DMA in follow-on damages proceedings before the German courts.23
After some intense discussions, the Commission designated the first six gatekeepers in September 2023. Specifically, 22 services operated by Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft were designated as CPS and are thus subject to the DMA’s prohibitions and obligations. At the same time, the Commission underlined the difficulty when trying to qualify a platform on the basis of its characteristics as one of the CPSs listed in Art. 2 Nr. 2 DMA, i.e., the Commission found after careful analysis that the TikTok platform has rather the characteristics of a social network than of a video-sharing platform. Among the first interesting findings is also the fact that some undertakings such as Alphabet, Microsoft and Samsung managed to successfully rebut the gatekeeper designation for their email and browser services, respectively by arguing that the designation did not “reflect the reality of the service”.
The DMA is the first of its kind in many respects, mainly because of its ex ante approach regarding the behavior of large online platforms that differs from the usual methods and approaches of European competition law. The designation mechanism of gatekeepers based on the fulfillment of quantitative criteria demonstrates the European legislator’s intention to introduce a regulatory instrument rather than an ex post enforcement instrument against dominant companies engaging in abusive conduct. The latter would require a time-consuming case-by-case analysis of the dominant position (including market definition) of the undertaking providing CPS.
Even if the period of six months for the designated gatekeepers to comply with the obligations stipulated in the DMA is not over, it can already be concluded from the statements of the Commission’s representatives, such as “No online platform can behave as if it was ‘too big to care’. We will be very, very strong on enforcement”24, that the Commission is determined to tackle the risks posed by big tech companies at any cost.
This publication is intended to highlight issues. It is not intended to be comprehensive nor to provide legal advice. Any liability which might arise from the reliance on the information is excluded.
Connect with us and stay informed. 
