Digital Markets Act Roundup: March 2024

Overview. March was a very active month for the European Commission and competition policy in digital markets generally. The Digital Markets Act (DMA) entered compliance on March 7, 2024, establishing new rules and obligations for designated gatekeepers. To meet compliance, the gatekeepers submitted compliance reports and consumer profiling technique reports, which were then scrutinized by the Commission.

Gatekeepers also made a series of changes to their designated core platform services, which are the specific product offerings governed by the DMA. Such changes were intended to ensure compliance with the legislation, however, for some gatekeepers, the changes may not be sufficient to comply with the law. Below, the roundup highlights the most important developments related to the Digital Market Act from the last month.

Gatekeeper Status for Booking, ByteDance and X?

On March 1st, the Commission released a press statement stating that it had received notifications from Booking, ByteDance, and X that their services potentially meet the DMA threshold to be designated as a gatekeeper. Despite efforts to challenge its designation, ByteDance’s TikTok app is obligated to comply with the DMA’s rules, and now the company’s advertising services may also fall under the rules. The Commission now has 45 working days from March 1st to decide whether to designate those companies’ services as gatekeepers, including assessing arguments by the companies to challenge the designation. If designated as gatekeepers, the companies would have six months to ensure their services comply with the requirements in the DMA.

Commission’s Annual Report

On March 7, 2024, the Commission also published its first DMA Annual Report. Under Article 35, the DMA mandates that the Commission must publish an annual report “on the implementation of the DMA and the progress made towards achieving its objectives.” The report summarises which gatekeepers submitted notification that their services meet the threshold, any rebuttal cases, and whether those cases are ongoing or have been concluded. Highlights from the report include:

Email services are excluded from gatekeeper designation. The report explains the absence of email as a core platform service under the DMA despite that many email providers meet the thresholds to trigger gatekeeper status. For example, because Alphabet’s Gmail uses open standards in a standardized format, meaning it is fully interoperable with other email providers, “and because Alphabet currently does not exert any control over the operations of Gmail that would allow it to impose any significant degree of dependency between business users and end users” it was not deemed a core platform service.

So while Gmail may have an entrenched position in the market, it does not constrain users to its platform as it is interoperable with other email providers, and Gmail does not force dependencies on the platform by end users in a way that makes it an important “gateway.” This is within the meaning of Article 3 (1)(b) of the DMA, defining a core platform service as a “gateway for business users to reach end users.” It also illustrates one of the goals of the DMA is to break down dependencies on such gateways.

Cloud computing and other services. The Commission writes that they “ha[ve] been in constructive discussions with undertakings other than those that have notified” about whether their services meet the threshold, bearing in mind that the DMA relies on self-assessment. The Commission then states “that none of these other undertakings which have been in discussion with the Commission considered that they would meet the thresholds for notification in 2023.”

Though they do not say which companies or services, it is possible that this, in part, explains the lack of cloud computing providers or virtual assistants from the list of core platform services, despite the DMA listing both those services in the text of the law. Natasha Lomas for TechCrunch clarifies that “the cloud computing designation gap” is purely the result of no cloud service providers notifying the Commission. Quoting the Commission, Lomas writes, “‘[a]t this stage we do not have elements to question this self-assessment,’ [...] adding they will ‘continue to monitor market developments’ in cloud.”

Cooperation between the Commission and the Member States. The report states that cooperation between the Commission and national competition authorities is usually conducted through the European Competition Network. The Commission has given updates to national competition authorities about DMA designation decisions and market investigations whilst national authorities equally exchanged updates with the Commission regarding enforcement actions under their national competition laws.

As of the March 7th deadline, no national competition authority indicated an intention to investigate a gatekeeper under national competition law, however, “one NCA communicated to the Commission under Article 38(3) DMA draft measures it intends to impose on a designated gatekeeper based on national competition law.” Again, the report does not specify which Member State, but looking at Germany’s anticompetition regulator, the Bundeskartellamt, there have been a number of investigations against Meta, Alphabet, Amazon, Apple, and Microsoft under its Competition Act (Gesetz gegen Wettbewerbsbeschränkungen – GWB). This law entered into force in 2021 and, under Section 19a, gives the Bundeskartellamt powers to investigate large tech companies for competition abuses.

More specifically, the authority can ban companies “which are of paramount significance for competition across markets from engaging in certain anti-competitive practices.” The Bundeskartellamt has found Meta, Alphabet, Amazon, and Apple to be companies of paramount significance, and has already imposed changes on Alphabet and Meta, with Amazon appealing the decision. Proceedings against Apple have been initiated regarding potential self-preferencing, and Microsoft is being evaluated to see if it is also a company of paramount significance. Section 19a is seen as complementary to the DMA and provides the opportunity to impose extra obligations on gatekeepers. The law can impose obligations on services by gatekeepers not designated as a core platform service and can be used to investigate new and emerging services.

Expert working group. In the report, the Commission also confirms the establishment of the High-Level Group for the Digital Markets Act, based on Article 40 of the DMA. This is an expert group comprised of the Body of the European Regulators for Electronic Communications, the European Data Protection Supervisor (’EDPS’) and European Data Protection Board (’EDPB’), the European Competition Network, the Consumer Protection Cooperation Network, and European Regulatory Group of Audiovisual Media Regulators. The group will convene yearly to offer advice and expertise on the digital market, new product offerings, and changes in the market. They also offer expertise in implementing consistent regulatory approaches across the different regulatory instruments that each institution represents, including potential interactions with the Digital Services Act.

Apple vs. Epic Games

On March 6th, Epic Games Inc, maker of the popular game Fortnite, announced that they had received correspondence from Apple stating that Epic’s developer account had been terminated effective immediately. Apple rejected Epic’s account “citing court determinations that the game maker had committed an ‘egregious breach of its contractual obligations.’” Epic has had its developer account revoked since 2020 after the company attempted to create a separate payment system from Apple’s in-house payment system which was collecting a 30% commission on in-app purchases.

Epic’s actions breached Apple's anti-steering rules, which at that time banned apps from offering alternative payments to Apple's in-app payment method. In retaliation, Apple removed Fortnite from its App Store in 2020. Epic responded by filing antitrust complaints against Apple in the US, the EU, the UK, and Australia.

Epic, in a blog post complete with email screenshots of correspondence with Apple, maintained that its criticism of Apple’s product changes to meet DMA compliance is another reason why their developer account was blocked. Samuel Stolten for Bloomberg reports that an “EU Commission spokesperson confirmed it had requested further explanations from Apple concerning its conduct with Epic’s game developer account under the bloc’s DMA” and that the Commission would investigate “whether Apple’s behavior may have fallen foul of other digital rules over transparency with business users.”

But, two days later, on March 8th, Apple reversed this decision and reinstated Epic’s developer account. This is likely due to pressure from the Commission as well as the €1.8 billion fine Apple was hit with in an antitrust case by Spotify Technology SA, just days before. Thierry Breton, European Commissioner for Internal Market, publicly stated that this turnaround was proof that only two days in, the DMA is “already showing very concrete results.” Mark Gurman writes for Bloomberg that the decision to reinstate Epic’s European account does not clarify whether this will be mirrored in other jurisdictions outside of the EU, where Epic is still blocked from the App Store.

More Apple Product Changes

On March 12th, Apple announced new changes for third-party app distribution in the EU. Apple is now allowing third-party marketplaces to offer their own developed apps, whereas before, developers could only offer iOS apps for download from alternative app marketplaces. Apple is also now allowing developers to “choose how to design promotions, discounts, and other deals” when linking out to web purchases from apps, rather than requiring them to use Apple’s templates.

Finally, vetted app developers who have agreed to the Alternative Terms Addendum for Apps in the EU are now able to sell apps straight from their own websites. Vetted developers must, among other requirements, be enrolled in the Apple Developer Program and be “a member of good standing in the Apple Developer Program for two continuous years or more, and have an app that had more than one million first annual installs on iOS in the EU in the prior calendar year.” The apps themselves “must meet Notarization requirements [...] and can only be installed from a website domain that the developer has registered in App Store Connect.” Users who wish to install apps directly from websites have to approve the developer in Settings on their iPhone.

As discussed below, though these new changes may meet the letter of the law and technically open Apple’s ecosystem, they require that a multitude of conditions be met. It is also questionable how much less dependent developers are on the gatekeeper if their apps must jump over multiple hurdles for app approval, not to mention continuously paying fees such as the Core Technology Fee.

Compliance Workshops

Beginning on March 18th, gatekeepers engaged in DMA workshops to illustrate how they are complying with the legislation's obligations and allow for open dialogue with participating stakeholders. Apple went first, followed by Meta, Amazon, Alphabet, Bytedance, and finally, Microsoft, which was held on March 26th. These workshops were all-day events, and the recordings of the sessions are available on the workshop’s webpage.

Looking at the agendas for the meetings, they were organized to focus on the core platform services and the corresponding DMA articles. For example, Apple’s workshop first looked at Apple iOS, choice screens, and default settings (Articles 6.3 DMA); App Store and app distribution on iOS (Articles 5.4, 6.4, and 6.12 DMA); iOS interoperability (Article 6.7 DMA) and tying (Article 5.7 DMA); ending the day with data-related provisions (Articles 5.2, 6.9 and 6.10). Each segment allowed the Commission to present the “principles” underlying the Articles, followed by the gatekeeper’s proposed compliance solution with an opportunity for questions to finish the segment.

Overall, there were some moments of useful insight. For example, as Alba Ribera Martínez for the Kluwer Competition Law Blog helpfully summarizes, Amazon illustrated that users would now be given the option to either accept, decline or the “customize and learn more” about which data would be used to personalize different services. End-user data is classified and labeled corresponding to the Amazon service it relates to. This is saved in a central data store and linked to the customer’s ID or a session ID if the user is not logged into an Amazon account. If an end-user declines to link their personal data to an Amazon service, the data access layer is able to check consent preferences at the central database and, on confirming that consent was not given, gives the user access to the de-personalized version of the service. The explanation illustrates how Amazon intends to use more complex consent screens to comply with Article 5(2) provisions regarding data combination and cross-use.

Commission Investigates Alphabet, Apple, and Meta

The final piece of DMA news for March is perhaps the most significant development. On the 25th of March, the Commission opened non-compliance investigations against Alphabet, Apple and Meta. Specifically, the Commission is investigating “Alphabet's rules on steering in Google Play and self-preferencing on Google Search, Apple's rules on steering in the App Store and the choice screen for Safari, and Meta's ‘pay or consent model.’”

The Commission is not satisfied with Alphabet or Apple’s changes to ensure that developers can offer consumers deals or discounts and specifically mentions the link-out charges imposed by gatekeepers as potentially preventing them from complying with the anti-steering rules of the DMA. The Commission also does not find that Alphabet has supplied sufficient evidence that Google Search does not give preference to Google’s own services when displaying results. The investigations against Apple are also examining its “measures to comply with obligations to (i) enable end users to easily uninstall any software applications on iOS, (ii) easily change default settings on iOS, and (iii) prompt users with choice screens which must effectively and easily allow them to select an alternative default service, such as a browser or search engine on their iPhones.”

In its investigation of Meta, the Commission argues that “the binary choice imposed by Meta's ‘pay or consent’ model may not provide a real alternative in case users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers.” Related, the UK’s Information Commissioners Office currently has a call for views on “consent or pay” models for cookie banners. Patrick Rennie for Wiggin LLP also notes that “on 1 March 2024, the European Commission sent Meta a formal request for information under the Digital Services Act (“DSA”) relating to the pay-or-consent model seeking information on the measures it has taken to comply with its obligations concerning Facebook and Instagram’s advertising practices, recommender systems and risk assessments related to the introduction of the new subscription option.”

The Commission also stated in this press release that they are taking “other investigatory steps to gather facts and information to clarify whether Amazon may be preferencing its own brand products on the Amazon Store in contravention of Article 6(5) of the DMA.” It is further investigating whether “Apple's new fee structure and other terms and conditions for alternative app stores and distribution of apps from the web (sideloading) may be defeating the purpose of its obligations under Article 6(4) of the DMA.”

The Commission intends to complete its investigation of Alphabet, Apple, and Meta within 12 months. Within that time, the gatekeepers “will be told what they have to do to fix the Commission’s concerns[...]. If they fail to make those changes, they risk EU fines of up to 10% of global annual revenue.” Samuel Stolten for Bloomberg explains that if the companies are found to be non-complying, they can appeal to the EU’s General Court in Luxembourg and the Court of Justice. If the companies win, “the fines and the decisions targeting them would be struck down. Lose, and the EU will have forced enduring changes on how some of the richest companies make money.”

Stolten also makes the point that this one-year investigation avoids the traditional years-long and litigious nature of regular antitrust cases. The Commission’s compliance-related investigations may the be most significant development of the DMA thus far because not only has the Commission acted quickly, but the outcome of this investigation will set the tone for the impact of the law. If the Commission can prove non-compliance, it will require the companies to make meaningful changes. In that case, it will signal the DMA’s success and could give confidence to other countries considering similar legislation (e.g. the UK's Digital Markets, Competition and Consumers Bill; Brazil's Digital Markets Law Bill PL 2768/2022; or India's Digital India Act). If Big Tech can argue that their compliance thus far is enough, the DMA could end up a mere tick-box exercise, and, worse, further cement the power of the gatekeepers.