A Compliance Guide for the EU's Digital Markets Act
About two and a half centuries ago, Adam Smith wrote, "People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public, or in some contrivance to raise prices." In recent years, big tech companies seem to have strived to live up to that prediction.
While some say competition is better than regulation, so far there's been little competition either against these entrenched businesses with deep pockets. In this context, by enacting the Digital Markets Act, the European Union (EU) has taken a decisive step in preventing anti-competitive behaviors in the digital space.
What is this act? To whom does it apply? What are its compliance obligations? How can you use technology to become compliant? Find out all the details in this article.
What Is the EU Digital Markets Act?
In the online world, a small number of technology companies have accumulated enormous market power, enjoy entrenched positions, and serve as crucial hosting platforms that can dictate over other businesses.
The EU in Brussels terms such powerful and large online platforms as gatekeeper platforms. The Digital Markets Act (DMA) is a competition law, enacted in 2022 by the European Parliament, that prescribes structural remedies to prevent gatekeepers from enjoying unfair business advantages and imposing restrictions on other online businesses.
The DMA applies to all businesses in the digital sector operating in any of the member states of the European Economic Area (also called the internal market) and is regulated solely by the European Commission (EC). Along with the Digital Services Act (DSA), the DMA ensures that online digital ecosystems are safe and fair for users and businesses in the EU.
In the next section, we explore the companies that may be impacted by this antitrust law.
Which Businesses Are Impacted by the DMA?
The Digital Markets Act currently regulates 10 online services at risk of unfair business practices by large existing gatekeepers. These services, called core platform services, are:
- Online intermediation services and online marketplaces, like Apple's App Store and Shopify
- Online search engines, like Google and Bing
- Online social networking and social media services, like Facebook
- Advertising services, like those by Google and Meta
- Video-sharing platform services, like YouTube
- Interpersonal communication services, like WhatsApp and iMessage
- Cloud computing services, like Amazon Web Services and Azure
- Virtual assistants, like Apple's Siri
- Operating systems, like Microsoft Windows and Google Android
- Web browsers, like Google Chrome and Microsoft Edge
But not every business that offers any of these services is considered to be a gatekeeper. To qualify as one, a business must exceed these quantitative thresholds:
- Market power: The business must have a significant impact in the online world and enjoy an entrenched durable position in the digital economy. To quantify these, the act prescribes an annual turnover of at least 7.5 billion euros in the EU over the previous three financial years or a market capitalization of 75 billion euros in the previous year.
- Service availability: The business must provide the service in at least three EU member states.
- Active end users: This is the average monthly number of natural or legal persons in the EU who use the service directly. The business must average 45 million monthly active end users every year for the previous three financial years.
- Active business users: This is the average monthly number of natural or legal persons conducting commercial activities who consume the service for providing goods or services to their end users. To be considered a gatekeeper, a business must average 10,000 monthly active business users every year for the previous three financial years.
To keep up with technological advancements, the act also empowers the EC to annually review the list of core platform services and their threshold criteria. Any online business that becomes popular in the EU must keep an eye on these criteria to avoid becoming inadvertently non-compliant.
Once a business is designated as a gatekeeper, what must it do to comply? Find out in the next section.
11 Key Obligations on Gatekeepers Under the Digital Markets Act
We explore some of the key DMA obligations and new rules that gatekeepers must follow to ensure fair business practices.
1. No Unfair Advantages From Personal Data
The concentration of personal data of end users in the hands of a digital platform can give it unfair business advantages over smaller competitors. To prevent this, the act prescribes these prohibitions unless a user has given specific consent:
- Gathering end-user data from third-party websites for online advertising and profiling
- Providing end-user data to third parties in exchange for additional data from the latter
- Combining and processing personal data from multiple core platform services and third parties
- Automatically signing in end users across multiple core platform services to gather more data
The DMA complements the DSA and the General Data Protection Regulation (GDPR) in regulating the use of personal data.
2. Allow Users to Access and Migrate Personal Data
Gatekeepers must strive for easy portability of personal data to alternative services. They must provide end users with real-time access to their personal data and provide tools to help them migrate their data to alternative services.
3. No Gatekeeping by the Gatekeeper
A gatekeeper can't prevent its business users from offering alternatives to the same products or services at different prices and conditions. Competing businesses must be allowed to communicate and promote their offers, free of charge, to a gatekeeper's end users.
Also, a gatekeeper can't prevent its end users from accessing the services and features offered to them by its business users.
4. No Mandatory Use of Gatekeeper Services
A gatekeeper can't force businesses or end users to use its authentication, payments, browsers, in-app purchasing solutions, or other core platform services. This is particularly relevant to Google and Apple whose business models force their services on third-party apps awaiting permission to publish to their app stores.
5. Transparency in Advertising Services
A gatekeeper must be transparent about its advertising business. It must provide each advertiser with information like the price and fee it charged for each ad, the revenue received by a publisher, and the metrics used for calculating them. It must be similarly transparent toward the publishers who display its ads.
It must also publish data that enable advertisers and publishers to conduct independent verifications of the gatekeeper's ad services.
6. Facilitate Third-Party Search and Communications
A gatekeeper must allow third-party search engines to access the ranking, queries, views, and clicks data related to its core platform service.
Similarly, a gatekeeper that offers interpersonal communication services (like messaging services) must provide technical interfaces that promote interoperability with the systems of other providers.
7. No Misuse of Proprietary Data of Business Users
The non-public, proprietary data that are generated from the use of its core platform services by business users can provide enormous advantages to a gatekeeper. The Digital Markets Act prohibits a gatekeeper from collecting or using such data.
8. Allow Device Users to Choose Services
A gatekeeper that provides operating systems for devices must allow users to choose any search engine, virtual assistant, or web browser. Users may be allowed to delete apps easily from their devices.
Additionally, users must be allowed to install third-party app stores on their devices. At the same time, gatekeepers can take steps to maintain device security and integrity in the presence of third-party app stores. Thanks to the DMA, Apple recently pledged to allow third-party app stores on its devices, giving Apple users more choices.
9. No Undue Favoring of Own Services
Gatekeepers like search engines that rank, index, or recommend other businesses must avoid self-preferencing their own services and products over those of other providers. The gatekeeper must use fair and transparent criteria in such ranking and recommendations.
10. Allow Access to Private Interfaces
Gatekeepers can't derive undue advantages by using private interfaces to provide unique hardware and software features. Such private interfaces must be made available to all platform services and hardware providers, free of charge.
11. No Legal Restrictions on Complaints
A gatekeeper can't restrict the right of businesses or end users to complain about any non-compliance to government authorities and courts.
Enforcement and Penalties
Gatekeepers must appoint compliance officers to ensure day-to-day compliance with the Digital Markets Act. They must have sufficient authority and management oversight. The act requires companies to file annual reports on the steps taken to meet their obligations.
When it detects or is informed of non-compliance, the EC can launch a market investigation and ask for information from a gatekeeper.
If non-compliance is confirmed, a gatekeeper is fined up to 10% of its previous year's worldwide turnover (not just EU turnover). If it's a repeat offender in the last eight years, the fine can go up to 20% of its worldwide turnover. For minor infringements like incorrect information or reporting delays, the fine can go up to 1% of the annual worldwide turnover.
Compliance Timeline
Potential gatekeepers that meet the criteria must monitor these important dates in the DMA compliance schedule:
- July 3, 2023: This is the deadline for potential gatekeepers to submit details of their qualifying offerings in the 10 core platform services.
- September 6, 2023: The EC will examine their submissions and designate some of them as gatekeeper businesses by this date.
- March 6, 2024: The designated gatekeepers have six months — from September 6, 2023 until March 6, 2024 — to become fully compliant with the DMA.
Once designated, a gatekeeper must file annual reports about its compliance. Remember that the EC is empowered to review, examine, and designate gatekeepers based on available public data even without voluntary submissions from businesses.
Find out next how technology can help businesses comply with the DMA.
A Compliance Guide for the EU's Digital Markets Act
About two and a half centuries ago, Adam Smith wrote, "People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public, or in some contrivance to raise prices." In recent years, big tech companies seem to have strived to live up to that prediction.
While some say competition is better than regulation, so far there's been little competition either against these entrenched businesses with deep pockets. In this context, by enacting the Digital Markets Act, the European Union (EU) has taken a decisive step in preventing anti-competitive behaviors in the digital space.
What is this act? To whom does it apply? What are its compliance obligations? How can you use technology to become compliant? Find out all the details in this article.
What Is the EU Digital Markets Act?
In the online world, a small number of technology companies have accumulated enormous market power, enjoy entrenched positions, and serve as crucial hosting platforms that can dictate over other businesses.
The EU in Brussels terms such powerful and large online platforms as gatekeeper platforms. The Digital Markets Act (DMA) is a competition law, enacted in 2022 by the European Parliament, that prescribes structural remedies to prevent gatekeepers from enjoying unfair business advantages and imposing restrictions on other online businesses.
The DMA applies to all businesses in the digital sector operating in any of the member states of the European Economic Area (also called the internal market) and is regulated solely by the European Commission (EC). Along with the Digital Services Act (DSA), the DMA ensures that online digital ecosystems are safe and fair for users and businesses in the EU.
In the next section, we explore the companies that may be impacted by this antitrust law.
Which Businesses Are Impacted by the DMA?
The Digital Markets Act currently regulates 10 online services at risk of unfair business practices by large existing gatekeepers. These services, called core platform services, are:
- Online intermediation services and online marketplaces, like Apple's App Store and Shopify
- Online search engines, like Google and Bing
- Online social networking and social media services, like Facebook
- Advertising services, like those by Google and Meta
- Video-sharing platform services, like YouTube
- Interpersonal communication services, like WhatsApp and iMessage
- Cloud computing services, like Amazon Web Services and Azure
- Virtual assistants, like Apple's Siri
- Operating systems, like Microsoft Windows and Google Android
- Web browsers, like Google Chrome and Microsoft Edge
But not every business that offers any of these services is considered to be a gatekeeper. To qualify as one, a business must exceed these quantitative thresholds:
- Market power: The business must have a significant impact in the online world and enjoy an entrenched durable position in the digital economy. To quantify these, the act prescribes an annual turnover of at least 7.5 billion euros in the EU over the previous three financial years or a market capitalization of 75 billion euros in the previous year.
- Service availability: The business must provide the service in at least three EU member states.
- Active end users: This is the average monthly number of natural or legal persons in the EU who use the service directly. The business must average 45 million monthly active end users every year for the previous three financial years.
- Active business users: This is the average monthly number of natural or legal persons conducting commercial activities who consume the service for providing goods or services to their end users. To be considered a gatekeeper, a business must average 10,000 monthly active business users every year for the previous three financial years.
To keep up with technological advancements, the act also empowers the EC to annually review the list of core platform services and their threshold criteria. Any online business that becomes popular in the EU must keep an eye on these criteria to avoid becoming inadvertently non-compliant.
Once a business is designated as a gatekeeper, what must it do to comply? Find out in the next section.
11 Key Obligations on Gatekeepers Under the Digital Markets Act
We explore some of the key DMA obligations and new rules that gatekeepers must follow to ensure fair business practices.
1. No Unfair Advantages From Personal Data
The concentration of personal data of end users in the hands of a digital platform can give it unfair business advantages over smaller competitors. To prevent this, the act prescribes these prohibitions unless a user has given specific consent:
- Gathering end-user data from third-party websites for online advertising and profiling
- Providing end-user data to third parties in exchange for additional data from the latter
- Combining and processing personal data from multiple core platform services and third parties
- Automatically signing in end users across multiple core platform services to gather more data
The DMA complements the DSA and the General Data Protection Regulation (GDPR) in regulating the use of personal data.
2. Allow Users to Access and Migrate Personal Data
Gatekeepers must strive for easy portability of personal data to alternative services. They must provide end users with real-time access to their personal data and provide tools to help them migrate their data to alternative services.
3. No Gatekeeping by the Gatekeeper
A gatekeeper can't prevent its business users from offering alternatives to the same products or services at different prices and conditions. Competing businesses must be allowed to communicate and promote their offers, free of charge, to a gatekeeper's end users.
Also, a gatekeeper can't prevent its end users from accessing the services and features offered to them by its business users.
4. No Mandatory Use of Gatekeeper Services
A gatekeeper can't force businesses or end users to use its authentication, payments, browsers, in-app purchasing solutions, or other core platform services. This is particularly relevant to Google and Apple whose business models force their services on third-party apps awaiting permission to publish to their app stores.
5. Transparency in Advertising Services
A gatekeeper must be transparent about its advertising business. It must provide each advertiser with information like the price and fee it charged for each ad, the revenue received by a publisher, and the metrics used for calculating them. It must be similarly transparent toward the publishers who display its ads.
It must also publish data that enable advertisers and publishers to conduct independent verifications of the gatekeeper's ad services.
6. Facilitate Third-Party Search and Communications
A gatekeeper must allow third-party search engines to access the ranking, queries, views, and clicks data related to its core platform service.
Similarly, a gatekeeper that offers interpersonal communication services (like messaging services) must provide technical interfaces that promote interoperability with the systems of other providers.
7. No Misuse of Proprietary Data of Business Users
The non-public, proprietary data that are generated from the use of its core platform services by business users can provide enormous advantages to a gatekeeper. The Digital Markets Act prohibits a gatekeeper from collecting or using such data.
8. Allow Device Users to Choose Services
A gatekeeper that provides operating systems for devices must allow users to choose any search engine, virtual assistant, or web browser. Users may be allowed to delete apps easily from their devices.
Additionally, users must be allowed to install third-party app stores on their devices. At the same time, gatekeepers can take steps to maintain device security and integrity in the presence of third-party app stores. Thanks to the DMA, Apple recently pledged to allow third-party app stores on its devices, giving Apple users more choices.
9. No Undue Favoring of Own Services
Gatekeepers like search engines that rank, index, or recommend other businesses must avoid self-preferencing their own services and products over those of other providers. The gatekeeper must use fair and transparent criteria in such ranking and recommendations.
10. Allow Access to Private Interfaces
Gatekeepers can't derive undue advantages by using private interfaces to provide unique hardware and software features. Such private interfaces must be made available to all platform services and hardware providers, free of charge.
11. No Legal Restrictions on Complaints
A gatekeeper can't restrict the right of businesses or end users to complain about any non-compliance to government authorities and courts.
Enforcement and Penalties
Gatekeepers must appoint compliance officers to ensure day-to-day compliance with the Digital Markets Act. They must have sufficient authority and management oversight. The act requires companies to file annual reports on the steps taken to meet their obligations.
When it detects or is informed of non-compliance, the EC can launch a market investigation and ask for information from a gatekeeper.
If non-compliance is confirmed, a gatekeeper is fined up to 10% of its previous year's worldwide turnover (not just EU turnover). If it's a repeat offender in the last eight years, the fine can go up to 20% of its worldwide turnover. For minor infringements like incorrect information or reporting delays, the fine can go up to 1% of the annual worldwide turnover.
Compliance Timeline
Potential gatekeepers that meet the criteria must monitor these important dates in the DMA compliance schedule:
- July 3, 2023: This is the deadline for potential gatekeepers to submit details of their qualifying offerings in the 10 core platform services.
- September 6, 2023: The EC will examine their submissions and designate some of them as gatekeeper businesses by this date.
- March 6, 2024: The designated gatekeepers have six months — from September 6, 2023 until March 6, 2024 — to become fully compliant with the DMA.
Once designated, a gatekeeper must file annual reports about its compliance. Remember that the EC is empowered to review, examine, and designate gatekeepers based on available public data even without voluntary submissions from businesses.
Find out next how technology can help businesses comply with the DMA.
Let Certa Help You Comply With the Digital Markets Act
So far, you've understood the key obligations of companies under the DMA. But the complexity of operations in tech companies means that the risk of inadvertent non-compliance is never far away.
To mitigate that risk and remain compliant, companies opt for an enterprise-grade compliance management system like Certa. With Certa, you get the following features:
- Compliance workflows: Implement all compliance obligations as automated workflows built with Certa's no-code Studio. Certa even provides libraries of ready-made, reusable, regulation-specific workflows.
- Financial information integration: Workflows help you integrate Certa with your enterprise resource planning to obtain the turnover and service availability thresholds required for compliance.
- User management integration: Use workflows to integrate with your user management systems and automatically pull monthly active end users and monthly active business users required for DMA reporting.
- Easy reporting: Easily generate your DMA annual compliance reports with predefined report templates and data-fetching workflows.
- Advertising system integration: Easily design Certa workflows to integrate with operational systems like your ad serving system and publish the transparency data expected by the DMA.
- SCORM support: The key to DMA compliance is making your software and product teams aware of its do's and don'ts. Certa's built-in support for SCORM training modules enables you to constantly train them and your compliance officers on its obligations without switching to another user interface.
- Build a defensible position against a market investigation: Certa supports audit trails that you can use to build a defensible position in case the EC opens a market investigation.
To learn more about how you can use Certa for DMA compliance, talk to our experts today.