Digital Decade: Digital Markets Act and Digital Markets, Competition and Consumer Bill

Digital Decade: Digital Markets Act and Digital Markets, Competition and Consumer Bill

Bolstering competition in digital markets – the EU and UK introduce sweeping reforms


Regulators have grown increasingly hostile to the market dominance displayed by the largest digital platforms, believing this state of affairs to be at risk of (if not already) fostering endemic market failures that need to be addressed. Generally, regulators have identified a number of problematic aspects in digital markets, including network effects and economies of scale, unequal access to data, a distinct lack of transparency and restrictions on the exercise of consumer choices.

Part of the problem lies in the nature of digital markets – because they are dynamic, fast evolving, and often esoteric, regulators have been "behind the curve" both in understanding the nuances as to how they function and, in turn, appreciating the potential theories of harm that may arise within them.  Some stakeholders argue that this factor has resulted in authorities like the European Commission ("Commission") and the Competition & Markets Authority ("CMA") adopting erroneous merger control clearance decisions like Google / Doubleclick and Facebook (Meta) / WhatsApp and otherwise failing to take any other sufficient enforcement actions to curb the power of the largest digital firms.

The EU's solution is the Digital Markets Act ("DMA"), first proposed on 15 December 2020 as part of sweeping legislative reforms to bolster regulatory scrutiny and obligations owed by certain digital firms. The DMA came into force on 1 November 2022, though its substantive elements will not begin to take effect until 2 May 2023. The intention behind the DMA is to classify large online platforms as "Gatekeepers" and, in doing so, introduce (inter alia) behavioural obligations on these firms to better monitor and regulate their activities in their relevant digital markets.

In the UK, the Digital Markets, Competition and Consumer Bill ("DMCCB") was finally brought before Parliament on 25 April 2023.  Among a raft of new proposals spanning the whole spectrum of competition and consumer rights laws, the DMCCB also looks to emulate the DMA by introducing a bespoke regulatory regime for digital firms operating in the UK (or whose activities affect the UK).  This has been a long time coming – indeed, proposals for a standalone regulatory regime for digital markets date back to the 'Furman Review', which was published in March 2019.  Simply put, this new digital markets regime will introduce behavioural and other regulatory obligations on firms which are deemed to have Strategic Market Status ("SMS").  The new regime will be overseen by a new unit within the Competition & Markets Authority ("CMA"), called the Digital Markets Unit ("DMU").

What obligations do the DMA and DMCCB create, who do these apply to and what could happen if you don’t comply?




Who do the obligations apply to?

The DMA will apply to companies designated as Gatekeepers by the Commission.

Gatekeepers are defined as providers of Core Platform Services ("CPSs") which meet both quantitative and qualitative criteria (see below).

CPSs range from online search engines and social networking services to video-sharing platforms and cloud-computing services.

Firms/entities which could be classified as Gatekeepers must carry out a self-assessment in the first instance to determine if they meet the applicable criteria. From 2 May 2023, any potential Gatekeepers will have until 2 July 2023 to submit a written application if they consider themselves to be a Gatekeeper. Within 45 working days following the receipt of a written notification, the Commission will decide whether to designate the CPS provider as a Gatekeeper.

Gatekeeper criteria:

1. Quantitative criteria

To meet the thresholds, the Gatekeeper does not need to be established (or resident) within the EU. As such, the DMA is capable of having a wide extra-territorial scope.

The quantitative criteria (which apply cumulatively) are as follows:

  1. the undertaking has generated annual turnover of €7.5 billion or more in the EU in the last three financial years or has had a market capitalisation (or equivalent) of €75 billion or more in the last financial year and the undertaking provides the same CPS in at least three Member States; AND
  2. in each of the last three financial years, the CPS has had at least 45 million active monthly users (consumers) and at least 10,000 active business users located or established in the EU.

2. Qualitative criteria

If a CPS provider meets the quantitative criteria, it will be presumed that the following qualitative criteria apply:

  1. the undertaking has a significant impact on the EU's internal market;
  2. the undertaking provides a form of CPS which is an important gateway for its business customers to reach end users (i.e., consumers); and
  3. the undertaking enjoys an entrenched and durable market position in the EU.

If an undertaking that meets the quantitative criteria wishes to rebut this presumption, it will need to submit a written notification to the Commission before 2 July 2023 explaining why the qualitative criteria do not apply. The Commission may conduct a market investigation (see below) to determine whether or not it should issue a Gatekeeper designation in such instances (i.e., it will confirm whether the undertaking's submissions as to why the qualitative criteria do not apply can be substantiated). Otherwise, the Commission will issue a Gatekeeper designation within the 45 working day period.

Finally, the Commission will not need to define any particular market in which a Gatekeeper is deemed to meet the qualitative criteria, thereby giving significant flexibility to the Commission to ensure CPS providers receive a Gatekeeper designation.

The Commission will review whether a Gatekeeper continues to satisfy the quantitative thresholds every three years.

The DMCCB will apply to any undertaking (involved in digital activities) operating in the UK which is deemed to have SMS.

Unlike the DMA (which requires potential Gatekeepers to self-notify), the DMU will, under the DMCCB, be solely responsible for assessing if a firm meets the SMS criteria and issuing SMS designations. There is no need for (potential) SMS firms to self-assess.

The DMCCB will apply extra-territorially to undertakings if they have the requisite market presence in the UK.

In order for a firm to be eligible for SMS, it must meet the following cumulative criteria:

  1. The firm must conduct a "digital activity", which is broadly defined in the DMCCB. It captures, in essence, any service provided by means of the internet (whether for consideration or not) and the provision of any digital content;
  2. The digital activity must be linked to the UK (i.e., have a sufficient UK nexus). This is met if: (i) the relevant entity has a significant number of UK users; (ii) the relevant entity carries on business in the UK; and/or (iii) the digital activity in question has an immediate, substantial and foreseeable effect on trade in the UK. This test is expected to be easily met;
  3. The firm must have "substantial and entrenched market power". This concept does not have any definition in the DMCCB, though it is noted that the DMU will conduct a forward-looking assessment covering a five-year period in order to make this determination. It is likely that guidance documents relating to the DMCCB will put more flesh on the bones of this concept in due course;
  4. The firm must have a "position of strategic significance". The DMCCB provides an exhaustive list of factors which can (individually or collectively) indicate that a firm has such a market position; and
  5. The firm must meet specified turnover thresholds, namely that it must have global turnover of £25 billion and/or UK turnover of £1 billion.

Saliently, the turnover threshold was not included within any of the proposals which preceded (and led up to) the DMCCB. It is likely that its inclusion has been made in response to criticisms that the SMS criteria were otherwise too broad and lacked certainty as to the firms that could be issued with an SMS designation. The turnover threshold also brings the SMS criteria into more alignment with the scope of the EU's DMA, which has applicable quantitative thresholds which must be met for a firm to be eligible for the so-called Gatekeeper status.

Like the Commission, the DMU will not be required to identify formal market definitions when issuing SMS designations or in any other aspect of its enforcement role under the new digital regime.

What are the obligations?

1. Behavioural obligations

Articles 5, 6 and 7 of the DMA require Gatekeepers to abide by obligations and restrictions in their conduct vis-à-vis any CPS they operate. These obligations are numerous, broad, stringent and in some cases relatively complex. Helpfully, the Commission has provided a summary of overriding "do's" and "don’ts" that will apply to Gatekeepers.

Examples of do's include

  • Allow third parties to inter-operate with the Gatekeeper's own services in certain specific situations.
  • Allow business users to access data that they generate in their use of the Gatekeeper's platform.
  • Allow business users to promote offers and conclude contracts with customers outside the Gatekeeper's platform.

Examples of don't include

  • Treat services and products offered by the Gatekeeper more favourably in ranking than similar services or products offered by third parties on the Gatekeeper's platform.
  • Prevent users from uninstalling any pre-installed software or app if they so wish.
  • Track end users outside the Gatekeeper's CPS for targeted advertising purposes without receiving effective consent.

Once a Gatekeeper is designated as such by the Commission, it will have six months to comply with the behavioural obligations. By current timelines the earliest time that a Gatekeeper will be obliged to comply will behavioural obligations is 1 March 2024.

Gatekeepers will be obliged to appoint an internal compliance officer who must submit an annual compliance report to the Commission.

2. Merger control

Article 14 of the DMA will require Gatekeepers to inform the Commission of any contemplated M&A which do not meet the mandatory notification thresholds under the EC Merger Regulation No 139/2004. and which involve a target which either provides a CPS or, alternatively, provides any other services in the digital sector or enables the collection of data. The information required is quite detailed.

SMS firms will be subject to the following obligations:

  1. Conduct requirements: Each SMS firm will be subject to strict behavioural obligations, the provisions of which will revolve around three key concepts – namely, fair trading, open choices, and trust and transparency – but the specific nature of which will be specifically designed by the DMU and issued bespoke to each SMS firm in question allowing the DMU significant discretion. Such conduct requirements may include for instance, to trade on fair and reasonable terms, have effective processes for handling complaints and disputes by users and to not use data unfairly; and
  2. Mandatory merger reporting: SMS firms will be required to pre-emptively report contemplated acquisitions (which meet certain thresholds) to the DMU. The parties will need to wait for a period of 5 working days before completion and that period only starts once the DMU has accepted the form as "sufficient". Therefore, this will not amount to a requirement to obtain prior merger control clearance, but this reporting requirement will have a suspensory effect given that the CMA may opt within this 5 working day period to open a Phase 1 investigation in line with usual merger control investigation procedures. Should the CMA decide to do this, the CMA will likely impose hold separate orders to prevent closing until its merger control review is complete. Otherwise, if the CMA decides not to open any investigation, SMS firms can proceed to closing these deals without prior merger control approval.

In terms of the applicable thresholds, SMS firms will be required to notify mergers which involve:

  1. A consideration of £25 million or more in a UK-connected body corporate (in effect a target which carries on activities in the UK or supplies goods or services to persons in the UK (whether for consideration or otherwise); and
  2. An acquisition of shares/voting rights from less than 15% to more than 15%, less than 25% to more than 25%, or less than 50% to more than 50%.

Market investigations

Under the DMA, the Commission will be able to conduct market investigations in several circumstances, including:

1. Unilateral investigations into suspected Gatekeepers

The Commission may conduct a market investigation on its own initiative into an undertaking it suspects should be designated as a Gatekeeper. These investigations will last a maximum of 12 months. This is even if an undertaking does not meet the quantitative criteria.

2. Challenges to Gatekeeper designation

As mentioned, undertakings that meet the quantitative thresholds may make a submission to the Commission as to why the qualitative thresholds do not apply. The Commission may decide to conduct a market investigation to finally determine this. These market investigations are intended to last no longer than five months.

3. Systematic non-compliance

The Commission may conduct a market investigation if it suspects a Gatekeeper has engaged in "systematic non-compliance" with its obligations under Articles 5, 6 and 7 of the DMA. A Gatekeeper will be deemed to engage in systematic non-compliance where it has received at least three non-compliance decisions from the Commission within an 8-year period. Such a market investigation will be concluded within 12 months.

4. Requests by Member States

The Commission may open a market investigation at the request of three or more Member States which believe (e.g.,) that a particular firm/entity should be classified as a Gatekeeper or that a Gatekeeper has been guilty of systematic non-compliance.

Under the DMCCB, the DMU will not engage in market investigations per se. Rather, the DMU will be empowered to make pro-competitive interventions ("PCIs") which will enable it to take targeted remedial actions to specifically combat aspects of an SMS firm's market power.

specifically identified market failures arising from SMS firms' conduct. PCIs will go further than the Code of Conduct, as PCIs will look to combat the root causes behind a SMS firm's substantial and entrenched market power, instead of only seeking to manage conduct.

For the DMU to issue a PCI, it must be able to prove that, as a result of an SMS firm's conduct, there has arisen an adverse effect on competition in relation to a specified digital activity. As such, a PCI can only be made after the DMU has conducted a tailored investigation, akin to a traditional CMA market investigation. PCIs are intended to supplement the applicable Code of Conduct to a relevant SMS firm by enabling the DMU to tackle the root causes of a particular SMS firm's market power. A PCI may, for example, take the form of either an order imposing requirements as to how an SMS firm must conduct itself in respect of a designated activity or a recommendation as to steps to be taken by anyone exercising public functions.

Further points to note:

  • The DMU will have nine months to conduct a PCI investigation (and opened up to a public consultation before the PCI investigation concludes).This may be extended by three months in exceptional circumstances.
  • In lieu of imposing binding remedies in the form of a PCI, SMS firms subject to a PCI investigation will be able to offer voluntary undertakings.If the DMU accepts any such undertakings, this may mean that a PCI investigation can be concluded more swiftly.

Enforcement and penalties

The Commission will be able to open proceedings against a Gatekeeper it suspects of non-compliance and will be the sole enforcer of the DMA's rules, though it will cooperate with national courts and national competition authorities.

Article 30 of the DMA empowers the Commission to impose fines on Gatekeepers of up to 10% of their annual worldwide turnover in cases of breaches of any behavioural obligations, interim measures, or remedies or legally binding commitments arising from a market investigation.

The Commission may impose fines of 20% of a Gatekeeper's annual worldwide turnover in cases of recidivism.

The Commission may impose a 1% fine of a Gatekeeper's annual worldwide turnover for non-compliance with requests for information or for providing false information.

The Commission may also have recourse to other enforcement mechanisms as exists under its other antitrust powers. For instance, it will have the power to request information, documents and data, impose interim measures and impose binding commitments / remedies (structural and behavioural) following the outcome of its market investigations.

The DMU will be able to impose penalties against infringing SMS firms, including:

  • fines of up to 10% of the SMS firm's annual worldwide turnover for any failure to comply with substantive aspects of the regime (e.g., the Code of Conduct, a code order, or PCIs);
  • daily penalties of up to 5% of an SMS firm's annual worldwide turnover for continued breaches;
  • fines of up to 1% of an SMS firm's annual worldwide turnover for any failure to comply with a request for document / information production; and
  • individual sanctions such as director disqualification orders and even criminal convictions.

As with the Commission under the DMA, the DMU will be empowered with commensurate enforcement powers as afforded to the wider CMA. Noteworthy to the DMCCB, however, is the putative ability for the DMU to apply to the court for an order (e.g., specific performance) requiring SMS firms to comply with any particular aspect of the digital regime.

SMS may appeal aspects of the DMU's decision-making (e.g., SMS designations, PCIs) to the Competition Appeal Tribunal ("CAT"). Such appeals will only be permitted on judicial review grounds. As such, there will be no ability to appeal a DMU decision on its particular merits, but rather only if there has been some breach of procedure, error of law or other material impropriety.


Other regulatory developments to be aware of

The most significant additional development is the EU's Digital Services Act ("DSA") which has been developed in parallel to the DMA (together they form the EU's so-called Digital Services Package).  In short, whereas the DMA is intended to address underlying market failures in the digital space, the DSA has been constructed to combat inherent failings in the nature of the digital products and services provided to EU businesses and consumers. The DSA will also be far broader in scope than the DMA.  The latter will apply only to the largest, most power digital platforms, whereas the DSA will apply ubiquitously to entities providing digital products and/or services.  It can, therefore, be described as a substantial "top down" reform to the nature of the EU's digital markets.

The DSA will introduce many new obligations on digital companies, including:

  • requirements to counter the hosting of illegal content online (including illegal products and/or services);
  • introducing effective safeguards for digital users;
  • heightening the transparency measures by which online platforms must abide; and
  • bans on targeted advertising on online platforms.

Conclusion: why do you need to be aware of all this?

The short answer is that you need to be aware because you could be on the receiving end of considerable penalties if you are not aware of these changes and/or if you fail to comply. The penalties range from substantial fines to director disqualification, or potentially even criminal conviction. Businesses which could be classified as a Gatekeeper under the DMA, or an SMS firm under the DMCCB, should therefore begin taking measures now to prepare for these regimes that will soon come into full effect.

In the EU, any CPS providers which meet the quantitative criteria will, after 2 May 2023, need to submit a written notification to the Commission before 2 July 2023.  To that end, digital companies should be gathering all relevant information required for this written submission and, indeed, thinking now about the measures they may need to introduce to comply with the DMA's general behavioural obligations.  It may also be sensible for such companies to conduct an internal audit to identify, and quantify, the risks of non-compliance in this area and identify remedial actions to introduce.

In the UK, digital platforms should continue to track the legislative developments in this area.  Even though the DMCCB is a long way from receiving Royal Assent (where, with the best will in the world, this is not expected until early 2024 at the earliest), businesses and individuals would be well advised to plan ahead. Particularly, by making any necessary adjustments to their relevant business practices that might otherwise fall foul of the new rules.