After lengthy consultations and many rumors and leaks, the European Commission has released its public draft of the Digital Markets Act (DMA), which, along with the Digital Services Act (DSA), represents the first major overhaul of EU Internet legislation in the 21st Century. Like the DSA, the DMA takes aim at the monopolisation of the tech sector and proposes sweeping pro-competition regulations with serious penalties for noncompliance.
It is one world. So #DigitalServiceAct & #DigitalMarketsAct will create safe & trustworthy services while protecting freedom of expression. Give new do’s & don’t to gatekeepers of the digital part of our world – to ensure fair use of data, interoperability & no self-preferences.
— Margrethe Vestager (@vestager) December 15, 2020
The DMA addresses itself to “gatekeeper platforms”: very large tech companies that sit between other businesses and their customers and control “core services”, such as search engines, social networking services, certain messaging services, operating systems, and online intermediation services. Think of how Amazon controls access to customers for merchants that sell on its platform and the manufacturers who make their products, or how the Android and iPhone app stores serve as chokepoints in delivering mobile software. These companies are gatekeepers both because of their business models and their scale: It’s hard to imagine making a successful mobile app without going through the app stores. The DMA identifies core platform services as gatekeepers when they have a significant impact on the EU internal market (e.g. through earnings), have a strong intermediation position (e.g. through their number of users), and show an entrenched and durable position (number of years in business).
The DMA’s premise is that gatekeepers are international in nature, and EU member states on their own can’t hope to regulate them; it takes an international body like the EU itself to bring them to heel by forcing them to comply with a list of do’s and don’ts. Hence, gatekeepers will need to proactively implement certain practices and refrain from engaging in certain types of unfair behavior. Certain obligations should be complied with by design, while others may be subject to further specification following a dialogue between the Commission and the gatekeepers concerned.
DMA regulations divide gatekeepers’ businesses into “core services,” for example, selling goods on Amazon or apps in an app store, and “ancillary services,” which are the other ways gatekeepers make money, like payment processing and advertising. In general, the DMA hits hardest at ancillary services, for example, by banning platforms from requiring their business customers to use their payment processors.
The Commission’s draft is just a starting point: it will go through many iterations and amendments before it is put to votes at the European Parliament and the Council of the EU (which represents the governments of EU member states). As starting points go, there’s a lot to like in this document, as well as room for improvement.
Things We Like
Future proofing: The DMA is designed to be updated from time to time, first to address new anticompetitive practices that haven’t been invented yet, and second to create less stringent rules for companies that aren’t big enough to be gatekeepers yet, but are headed in that direction (from the “Explanatory Memorandum”). The rules for initiating investigations are set out in Chapter IV and the enforcement rules are in Chapter V.
Real penalties and structural remedies: The DMA provides for up to 10 percent of a gatekeeper’s global annual revenue in fines for violating its rules. So, theoretically, a company like Facebook, which had annual revenue of nearly $71 billion (USD) in 2019, could face a $7.1 billion fine. Ongoing infractions can be punished with “periodic penalty payments” of up to 5% of average global daily revenues. Even more importantly: companies that can’t or won’t stop engaging in monopolistic behavior will face “structural remedies,” like being ordered to sell off whole divisions.
A ban on mixing data: The DMA bans gatekeepers from mixing data from data brokers or their business customers with the data they collect on their customers (this is a widespread practice today, with companies like Facebook and Google linking commercially available data with the data they extract from their own users). This rule also bans gatekeepers from automatically signing users into additional services: that would mean that, for example, logging into Gmail wouldn’t automatically log you into YouTube (Article 5(a)).
Protecting multiple prices and terms: Today, platforms set far-reaching requirements on their business users; for example, a company can’t sell discounted subscriptions to customers who buy them directly rather than through the app store. Under the DMA, gatekeepers would be banned from making rules about selling prices and terms set by their business customers (Article 5(b)).
No more forced single sign-on: The DMA bans gatekeepers from requiring their business customers to use their own login or identity system (Article 5(e)).
No cross-tying: Under the DMA, gatekeepers are banned from forcing business customers and end-users to sign up for “ancillary services,” meaning you can use Android without having to get a Gmail account, or sell in Apple’s App Store without using Apple’s high-priced payment processor (Article 5(f)).
No spying on business customers: Today, platforms gather data on their business customers’ activities to figure out how to compete with them, like whether and how to clone their products, for example. Under the DMA, gatekeepers will be banned from using this data to compete with business customers (Article 6(a)).
Let a thousand app stores bloom: The DMA requires gatekeepers to permit third party app stores that compete with their own, but it allows gatekeepers to limit these apps’ ability to interfere with “the integrity of the hardware or operating system” (Article 6(c)).
No lock-in: The DMA bans gatekeepers from “technically restricting” users from switching away from default apps. It also bans gatekeepers from locking users into an ISP (Article 6(e)).
Interoperable add-ons: The DMA requires gatekeepers to allow other “ancillary service providers” (like payment processors, cloud hosts, digital identity providers, and ad-tech sellers) to plug into their core services on the same terms that gatekeepers’ own ancillary services enjoy (Article 6(f)).
Data portability and continuous real-time access: Under the DMA, gatekeepers’ business customers and end-users will have the right both to “data portability” (where the gatekeeper gives you all your data in a giant blob you can take to a rival and upload) and “realtime access” (so you can join a rival’s system that can grab all your news messages and data from the gatekeeper every few minutes) (Article 6(h)).
Businesses can access their own data: The DMA requires gatekeepers to allow their business customers to access the data about their sales, customers, and other commercial activity. The access must be “free of charge,” “high quality, continuous and realtime” (from Article 6(i)).
Fair and nondiscriminatory access to app stores: The DMA requires gatekeepers with app stores to accept businesses’ apps on a “fair and nondiscriminatory” basis (Article 6(k)).
Things We’re Worried About
A ban on national regulation: The DMA prohibits EU member states from passing their own laws or regulations on gatekeeper platforms that go beyond the DMA. This rule endangers laws already under debate in EU member states that go farther than the DMA, such as Germany’s excellent proposal for expanded interoperability requirements for gatekeepers (Article 1(5)).
No interoperable “core services”: While the DMA provides for interoperability in ancillary services (payment processing, ad-serving, etc.), there is no mention of interop for core services. This means that, for example, Facebook might have to let a competitor offer its own payment processing for Oculus apps, but not offer a competing social media network that interoperates with Facebook. The technical term for this is “weaksauce” (Article 6(f)).
Real-time, but not independent, data-portability: The DMA’s requirement for “realtime data portability” looks good, but users can’t take advantage of it unless they have an account on the gatekeeper service. So if you left Facebook for Diaspora and wanted to stay in touch with your Facebook friends using “realtime data-portability,” you’d have to keep your Facebook account and connect it to Diaspora, which means you’d still be subject to the sprawling garbage-novella of abusive legalese Facebook laughably calls its “terms of service” (Article 6(h)).