Monday, December 23, 2024
Uncategorized

Europe’s DMA rules for Big Tech explained

The Digital Markets Act (DMA), an ex ante European Union reform of digital competition rules, will be in force today, by midnight Brussels’ time, on six tech giants — applying a new set of legal requirements on more than 20 of their “core platform services” (CPS).

Online empires that scaled in an era of minimal interventions from regulators, shaping the commercial web as we know it, are now facing a prescriptive set of rules on how they can operate and do business in the EU, including hard limits on their use of data; interoperability mandates; and bans on self-preferencing.

The six companies designated under the DMA so far — as so-called Internet “gatekeepers” — are: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft.

Read on for an overview of the new law, its early impacts on platforms and Big Tech, and how it might change digital business as we know it, starting in Europe…

Rules of the road for gateways

The aim of the pan-EU regulation is — essentially — to crack open Big Tech’s market power. The DMA shoots to make digital markets fairer and more contestable by applying a set of up-front obligations and restrictions on the kingpin players entrenched atop digital markets. Such as — for example — a ban on Google’s self-preferencing in search results; or on Amazon using rivals’ data to feed its own retail product development; or on Meta processing user data for ad targeting without people’s consent; or a ban on Apple banning third party app stores from its mobile platform, iOS.

Data portability and interoperability are key planks of the regime — which also, for example, requires Meta to open up its WhatsApp and Messenger platforms to rival services to allow cross-platform access. Idea being smaller messaging apps can offer their users the ability to reach people using those dominant messaging networks without having to sign up for an account with their gatekeeper.

EU lawmakers generally want the DMA to foster service switching and “multihoming” to reduce Big Tech’s grip on web users’ eyeballs and wallets, unlocking the chance for competitors to get a look in. Put another way, the phenomenon of online services evolving into self-reinforcing ecosystems and empires, through network effects and gatekeeper lock-in tactics, is the centrifugal force the DMA is attacking with a range of pro-competition countermeasures targeted at strategic gateways, like app stores, operating systems and web browsers.

Whether the regulation will actually succeed in loosening dominant platform operators’ grip on digital markets is uncertain. But the EU is going to try.

The main DMA criteria for a platform being deemed an “important gateway” for business users to reach end users, and whose entrenched owner/operator has a “significant impact” on the EU’s internal market, is annual revenue of at least €7.5 billion in each of the last three financial years or a market cap of at least €75 billion in the last financial year. A gatekeeper must also provide the same CPS in at least three EU Member States; and these platforms must have at least 45 million monthly active users regionally and at least 10,000 business users.

The bloc has given itself some wiggle room to designate “emerging” gatekeepers, too — if the Commission believes a platform will gain an entrenched and durable market position in the near future it can also impose some rules, with the aim of preventing that outcome.

The DMA’s sizeable ambition is backed up with serious teeth, too: The regulation allows for penalties of up to 10% of global annual turnover for breaches — or even 20% for repeat offences. So we’re talking fines that could run to tens of billions of dollars apiece.

Oversight and enforcement responsibility is centralized with the European Commission. This is an attempt to streamline enforcement and avoid the patchy outcomes we’ve seen with other EU digital regulations, thanks to variable resourcing and forum shopping. However this approach piles complex and high stakes work on the EU’s executive — so one question is whether the bloc might have bitten off more than it can chew?

The DMA does allow for private enforcement, too, in the form of litigation targeting non-compliance — so gatekeepers could face being sued in European courts over unfair practices if they fail to get with the program.

Which platforms are regulated?

Currently, the six gatekeepers’ regulated CPS span a number of techno playing fields — namely: Social networks (TikTok, Facebook, Instagram, LinkedIn); “intermediation” services (Google Maps, Google Play, Google Shopping, Amazon Marketplace, iOS App Store, Meta Marketplace); ads delivery systems (Google, Amazon and Meta); browsers (Chrome, Safari); operating systems (Google Android, iOS, Windows PC OS); N-IICS or Number-Independent Interpersonal Communication Services (WhatsApp, Facebook Messenger); search engines (Google); and video sharing platforms (YouTube).

The regulation allows for CPS to be designated in other tech arenas too, such as cloud computing services and virtual assistants. But so far none have been named in those domains — and cloud computing is one notable early gap (especially given the role hyperscalers like Microsoft are playing in the fast developing generative AI market).

Asked about the cloud computing designation gap, the Commission told us the DMA is built on a system of self-assessment which requires platforms to notify it when they consider they meet the regulation’s thresholds — which no cloud operator has so far done.

“At this stage we do not have elements to question this self-assessment,” the Commission spokesperson said, adding they will “continue to monitor market developments” in cloud — and also emphasizing the current tally of six gatekeepers (and 22 CPS) is “only the start, not the end”. 

More gatekeepers and/or CPS may well be added to the list soon. Reports earlier this month said social media firm X, TikTok’s parent ByteDance’s ads business and European online travel agency Booking.com have notified the Commission of reaching the regulation’s usage thresholds — suggesting they could progress to being designated in the coming months. (The Commission told us it has 45 working days to take a decision on this trio of potential designations.)

It’s worth noting a number of gatekeepers are also challenging their designations in the bloc’s courts. (Three so far: Apple, Meta and TikTok.) So it’s at least possible some platforms could convince judges they don’t qualify as entrenched gatekeepers and be struck off the list. (ByteDance, for instance, is arguing it should be seen as a Big Tech challenger, given its relative newness on the scene vs longer in the tooth tech giants. But it remains to be seen what EU courts will make of the argument.)

Some tech giants have also deployed counterarguments that have been successful at avoiding designations. For example, the Commission recently decided against adding Apple’s iMessage, Microsoft Advertising, its search engine Bing and web browser Edge to the list — after accepting arguments their respective services are not popular enough to qualify.

Last year the Commission also decided against designating Samsung’s internet browser, despite the company notifying the EU it hit DMA usage thresholds — with the bloc assessing it did not hold the necessary gateway position in the browser category. The EU also chose not to designate webmail providers, Gmail and Outlook, at that time, accepting counterarguments against their intermediating market power too.

The bloc’s intention has always been for the DMA to be tightly focused — on only the most powerful gatekeeping giants. However one early (political) charge levelled at the EU’s approach is it puts restrictions and obligations on (only) foreign (and mostly U.S.) tech giants.

This attack tactic is one that seems particularly weak and unlikely to trouble Brussels. If digital market power is concentrated offshore then a regulation that aims to rebalance tipped digital markets must, necessarily, shoot at offshore targets. And it’s fair to say U.S. lawmakers have themselves raised plenty of concerns about homegrown platforms’ market power in recent years.

In any case, European platforms that build enough momentum to fall into scope face becoming regulated, too — as Booking.com may soon be.

How are platforms changing?

In recent weeks we’ve seen a range of moves by gatekeepers in claimed preparation for compliance with the DMA. Apple’s new “core tech fee” on iOS and opening up to non-WebKit-based browsers in the EU, for instance, or Google tweaking how it displays some search results and quietly switching off default cross-service tracking of its own users.

Meta has also given a glimpse of work to roll out messaging interoperability to WhatsApp and Messenger. That particular strand of the regulation will take time to bear fruit as in-scope messaging platforms get three months to respond to interoperability requests. So how effective and user-friendly these implementations will be remains to be seen.

The regulation also allows for a phased rollout of messaging interoperability, with only basic functionalities (texting, image/video and file sharing and asynchronous voice messages between two individual users) required initially. Group messaging interoperability isn’t required until two years after a gatekeeper designation; while a full four years has been allowed for platforms to put in place interoperability for video and voice calling, between individual users and groups.

At the same time, Meta looks to be attempting a direct swerve of other DMA requirements, aimed at reforming privacy-hostile business models, by concocting a version of consent that requires users to pay literal money if they want to avoid being tracked and profiled.

So, in short, the early picture is mixed, with so many pieces in flux and uncertainty over how exactly the law will be enforced. It’ll likely take time before we see how much market transformation the DMA is actually driving.

While some early moves by tech giants look significant and could create interesting new opportunities for competition and innovation, others are obviously cynical and self-serving — showing entrenched platform giants doing their level best to avoid having to end exploitative practices and/or reform entire business models.

Days out from the DMA compliance deadline we’re also seeing some editing of compliance proposals in response to early criticism. Such as Apple removing certain requirements it had said it would impose on developers wanting to take up entitlements, after they complained it was making it too arduous for them to tap into the new opportunities.

Bear in mind, whatever gatekeepers’ blog posts and briefings claim on DMA compliance, it’ll be up to Commission to assess whether or not they’re meeting the legal bar. So we’re not going to get a clear picture of how digital markets will actually change until we start to see how and where the EU will take enforcement action to rein in gatekeeper flexes and tackle competitive pinch-points.

This also means there’s likely to be ongoing PR war, involving both the gatekeepers themselves and their fiercest critics, as each side seeks to shape the narrative about what’s real or fake compliance. (See, for instance, Spotify’s immediate decrying of Apple’s reworked iOS fee structure and Apple’s aggressive pushback by putting a spotlight on the scale of Spotify’s app business success. Or Epic Games claiming yesterday that Apple terminated its iOS developer account after it criticized its DMA proposal as “malicious compliance”. So get the popcorn in.)

The Commission is actively calling for stakeholders to send feedback on DMA compliance moves to support its assessment of gatekeepers. Effective oversight will clearly require an industry-wide effort. To this end, it’s organized a series of workshops in Brussels later this month when it wants tech giants to sit around a table and discuss compliance, face to face, with business users.

How — or even whether — gatekeepers engage in good faith with this EU process will be fascinating to watch. Although they must make their compliance reports public. But if platforms refuse to turn up in person to defend their compliance approaches they’ll be leaving their loudest critics to bend EU enforcers’ ears unchallenged. This means gatekeepers are facing a bit of a Hobson’s choice that, for once, is not of their own dark pattern design.

The workshop set-up looks cleverly conceived by the Commission as a tactic to compel gatekeepers into dialogue (and potentially concessions) about compliance shortcomings. Whoever best engages with the EU may have the strongest chance of cementing compliance narratives that sway DMA enforcers.

At the same time, tech giants remain exceptionally well resourced, employing armies of lawyers who will have been tasked with poring over the detail of the DMA to find weak spots and loopholes they can exploit to minimize damage to commercial self-interest. Legal challenges to enforcement decisions look highly likely. Which means the Commission will have to divert resources into defensive action, too, and there’s a risk of the regime getting bogged down in litigation as time goes on.

Judging by early compliance proposals, some gatekeepers appear to have calculated they’d rather take their chances in the courts — and risk hefty DMA non-compliance fines — than willingly dismantle lucrative business-as-usual on Day 1 of this New Online World Order. 

So far, for example, both Apple and Google have indicated they plan to keep charging fees even if app developers selling digital goods on their mobile platforms make use of DMA-enabled opportunities to point their users to cheaper offers outside the gatekeepers’ stores to complete transactions. Bottom line: Rent demands won’t stop tomorrow. So expect the likes of Spotify and Epic Games to keep crying foul.

Since the DMA does not ban gatekeepers from charging fees for their services, nor stipulate a set formula for rates — beyond requirements to have T&Cs that are FRAND (fair, reasonable and non-discriminatory) — platform giants may feel confident they have a strong case that the fees they charge are fair and reasonable given how much technology and market access their platforms provide.

However, in recent days, the Commission has signalled it may be preparing to take action over complaints about unfair fees. Speaking earlier this week, as she hit Apple with an almost $2 billion fine over anti-steering on the music streaming market, the EU’s competition chief and EVP for digital matters, Margrethe Vestager, said “novel fee structures” should not be used as a tactic to undermine incentives for developers to do something else.

In another example of early DMA friction, look to Meta’s bid to force consent from EU users via imposing a ‘pay or be tracked’ choice on users of Facebook and Instagram, both now designated CPS. The adtech giant’s apparent refusal to reform its business model, even with the DMA coming into view, follows years of complaints over its unlawful processing of user data under the bloc’s General Data Protection Regulation (GDPR).

Two other legal bases Meta had claimed for the ads processing were overturned last year — forcing a switch to consent. But instead of giving users a free choice to deny tracking, Meta concocted a controversial ad-free subscription choice that puts Facebook and Instagram users in a privacy bind.

It will therefore be very interesting to see what the Commission does about this — now DMA gatekeeper’s — attempt to redefine EU law around consent to fit its commercial self interest. “Gatekeepers should not design, organise or operate their online interfaces in a way that deceives, manipulates or otherwise materially distorts or impairs the ability of end users to freely give consent,” runs the regulation’s recitals vis-a-vis “personalized advertising”. The law also stipulates: “Not giving consent should not be more difficult than giving consent.”

Earlier this month, the bloc sent Meta a request for information about its ad-free subscription under the DMA’s sister regulation, the Digital Services Act (DSA) — which also puts limits on the use of people’s data for ads (and came into force on Meta’s business last August). So the EU is already scrutinizing Meta’s consent model. How they act on such an obvious privacy abuse with the DMA also in force will be one to watch.

Elsewhere, gatekeepers appear to be accepting some of the operational writing on the wall. In recent days, for example, a number of the tech giants have been announcing data portability APIs. We’ve also had notice of incoming choice screens — from Apple and Google — which EU lawmakers hope will open up competition in web browser and search markets.

While the devil will be in the detail of how these screens are designed, and when and where they pop up, some early responses are sounding positive.

Eco search engine, Ecosia, has described Google as a “collaborative partner” during the design process for the incoming search choice screen, for example. “There is now a unique opportunity for  alternative search engines such as Ecosia — with less than 0.1% of the global market share (compared to Google’s 92%) — to take full advantage of these improved market conditions and openness,” Sophie Dembinski, its head of public policy and climate action, noted in a statement this week.

On the flip side, privacy search engine and browser, DuckDuckGo, got in touch to tell us it’s radically unimpressed by Google’s initial offer.

“By deciding to only show a choice screen when people are setting up an Android device for the first time, Google is artificially limiting how many people are even exposed to a choice screen — for Android, that is a 3% to 5% of the total user base per quarter, bringing in frustratingly slow change to the market,” it wrote in a briefing note circulated to press this week. “The process is broken. Gatekeepers shouldn’t be in a position to propose solutions to problems they created. Third party experts should be involved in the compliance process from the get-go, with rapid iterations on implementation to reach mutually agreed KPIs.”

DuckDuckGo argues the DMA demands far more meaningful reform on default choices — saying Google must make it persistently easy for consumers to switch default choices, rather than just popping up occasional choice screens. So this is another fight where the Commission will have to not so much pick a side as choose where the compliance line lies.

Also on the negative side, mobile developers are decrying what they dub Apple’s “scare screens” — aka, notifications the iOS maker intends to pop up to warn users of the risks of transacting outside its App Store. But the DMA does allow gatekeepers to take “necessary and proportionate” measures to safeguard user security. So the Commission may even be dragged into refereeing the substance and tone of these sort of user-facing comms.

How the Commission handles its new role as gatekeeper enforcer remains to be seen. But one wider effect the DMA looks to be having is inspiring lawmakers elsewhere to pass similar laws so users in other countries can tap into opportunities that can be seen unfolding in the EU as the bloc has a go at taming Big Tech.

The so-called “Brussels’ effect” leading to DMA copycats is already being discussed. “We’re seeing copycats around the world already,” said Bill Echikson, senior fellow at the Washington-based thinktank the Center for European Policy Analysis (CEPA), which counts a number of gatekeepers among its members, speaking during a press briefing this week. “We’re seeing copies of this Digital Markets Act or variations of it appear in places like Japan, the U.K., Brazil, Mexico, even India… So, I think, in the democratic world, it will become the de facto standard.”

“A decade ago, you would have said the tech companies were sort of like teenagers and they really didn’t face much regulation. And now they’re grown ups and they are going to be regulated — a little bit like banks, telecoms and other industries that have a tremendous impact on our lives and on the economy,” he added.

Will the DMA really make a difference?

The short answer is it depends. Even if gatekeepers do everything that’s demanded by their fiercest critics and crack open the gates of their ecosystems to unleash new and exciting opportunities for competitors, it will still require end users to take a sustained interest in alternative apps and services.

If there’s no uptake, and users prefer to stick with branded wares from familiar tech giants, the DMA’s high profile goal of unlocking competition and innovation will fall flat. The Commission itself is well aware of this risk.

“What the DMA is really about is to ensure fairness and contestability — provide for choice and opportunities — but it’s also important that those choices and opportunities are taken up and exercised. Otherwise we may not see changes in every area where we would want to see them because very often it will depend on take up,” warned Denis Sparas, deputy head of unit at DG CNECT, in the European Commission, during a DMA-focused panel discussion earlier this week organized by the European Digital SME Alliance.

“I think there is a ground to be optimistic,” he added. “What we see are quite significant improvements, compared to what we have initially seen as the proposed compliance solutions — and these improvements will result in tangible changes. Having said that, many of these changes also depend on the fact that choices and opportunities which will be provided are also taken up.”

Take Google: The tech giant routinely defends itself against charges that it’s unfairly self-preferencing its own products at the expense of rivals by claiming its apps are popular simply because they provide users with the best utility. Unsurprisingly, then, it has sought to frame the DMA as anti-user — suggesting the law will reduce convenience for web users who, it implies, are most likely to find changes it enforces annoying.

Apple also maintains that its mobile ecosystem offers users the strongest privacy and security — similarly arguing, therefore, that the EU regulation is anti-user as it’s essentially forcing it to degrade the quality of products it can provide to Europeans.

Expect these sorts of arguments to persist. And there is a clear risk of gatekeepers deploying changes in a way that’s designed to generate more unwelcome friction for users in a bid to — both — undermine support for the regulation and work against the intended competition-boosting effect by making it difficult for people to use alternatives.

Add to that, there will be more pop-ups arriving on the back of this EU law — whether giving users a choice to obtain more privacy by denying platforms’ ability to link their data across accounts; letting them pick from a choice of browsers or search engines to set as their default; or warning they’re headed ‘off world’ and transacting elsewhere means they’re no longer under the platform’s own customer support and refund rules. These notifications will be an obvious target for the law’s critics. And may well annoy a bunch of users.

It’s also quite possible that a lot of web users are happy with what Big Tech provides them. And simply aren’t interested in alternatives. But the DMA does at least offer a way to test platform controllers’ arguments that they’re only popular because they’re the best — and see whether, on a more level playing field, there is appetite for more variety in digital services.

A few extra pop-ups seem like a worthwhile trade-off for the chance to reconfigure some of the self-serving incentives that have shaped the commercial web for decades. And even, potentially, reform entirely exploitative business models.

One cautionary note here: Years of EU antitrust enforcement on Google has failed to dent its regional market dominance and fire up rival tech like search engines, despite the imposition of interventions like choice screens. However that earlier competition action was undertaken under classic antitrust laws, where enforcement is slow and reactive. Whereas the aim for the DMA is to flip the odds by setting rules up front that outlaw a bunch of unfair lock-in tactics.

The bloc hopes this ex ante approach will finally be able to deliver a genuine competition reboot. One aspect hasn’t change though: It’s still up to gatekeepers to design their own compliance — so attempts to game the rules or just implement the narrowest possible solutions are a given.

That said, given it’s already so late to reset Big Tech’s market power, the EU is facing huge pressure to act quickly to tackle the most egregious DMA abuses. The Commission is starting on the back foot, facing — per its own assessment — a set of entrenched gatekeepers. This should concentrate minds in Brussels on the need to move fast and make DMA enforcement count. But with so much the EU could arbitrate here it’s also likely Commission enforcers will pick their battles. So where DMA enforcement falls first will be really interesting to watch — as it will set the tone for the bloc’s approach.

Gatekeepers that have opted for a defiant and even aggressive stance (hi Apple!) could just be putting themselves first in the firing line. Gatekeepers whose business models are already subject to charges of systematic non-compliance with EU law (hey Meta!) should also be worried. And while Google may generally play a slicker PR game, it has a very high level of exposure to the DMA on account of how many of its platforms are designated. The EU has also signalled a willingness to contemplate structural remedies in Google’s case, warning last year, when it issued a statement of objections for suspected anti-competitive conduct of its adtech business, that the only viable remedy, if a breach of the law ends up being confirmed, is to split Google up.

While we’ll have to wait and see how exactly DMA enforcement will play out, one thing is clear: There is plenty of appetite in Europe for a crackdown on Big Tech, both among small businesses and web users.

“There are some gatekeepers that put certain proposals that are really designed purely in bad faith,” said Jurgita Misevičiutė, public policy lead at the privacy-focused app maker Proton, during the same panel discussion on the DMA this week. “We really call on the European Commission… to be really bold and to take swift and strong action against such gatekeepers, because developers, the industry, they don’t have another 5 to 10 years to wait until compliance happens.”

Asked where it thinks DMA enforcement should fall first, the European Consumer Organisation (BEUC) told us it wants the Commission to apply “urgent scrutiny” on Meta and Apple. “We have real concerns that on D-Day of the Digital Markets Act, some gatekeepers will not comply with the rules they have known about for years now,” said Agustin Reyna, its director for legal and economic affairs. “It is really important that the Commission sends a clear signal that this is serious and unacceptable.

“Some cases require urgent scrutiny. For example, Meta’s data practices, from what we have seen so far, might violate the DMA, while Apple’s announcements about how they plan to comply with the DMA are clearly insufficient. The Commission has to open infringement proceedings if non-compliant gatekeepers do not adapt their practices immediately.”

How soon could we see enforcement?

As noted above, the Commission is under considerable pressure to ensure a flagship digital reform delivers results. So there is absolutely a sense of urgency in Brussels.

During Tuesday’s SME Alliance panel discussion, DG CNECT’s Sparas responded to concerns the Commission may not move quick enough to tackle Big Tech by emphasizing that its thinking on enforcement does not involves timeframes that run to years — rather he suggested it’s going to be a matter of “days, weeks and months”.

The letter of the law states market investigations to consider system non-compliance can take up to 12 months, with up to six months allowed for the Commission to deliver preliminary conclusions. But interim measures may allow for swifter action — where the Commission determines there is “urgency due to the risk of serious and irreparable damage for business users or end users of gatekeepers”, as the regulation puts it.

Also speaking during the SME Alliance panel discussion, Johnny Ryan, the Irish Council for Civil Liberties’ senior fellow and director of its Enforce division which focuses on enforcing humans rights on technology, urged the Commission to unbox these interim measures powers stat to tackle long-standing Big Tech abuses.

“There is a clear line to how you impose interim measures if you go through the GDPR — which of course the Commission can under the DMA,” he suggested. “I would urge the Commission to be moving as fast as possible… to mark an investigation of systematic non compliance under Article 18(1).”

If the EU hits the ground running — applying interim measures and opening investigations of systematic non-compliance — it would “signal with action, not words, that it is fully prepared to take serious measures, including structural remedies”, Ryan added.

During the panel, Sparas said the Commission won’t always use “the most far reaching measures” — suggesting the EU is hoping the regulation, as a whole, works to reform gatekeepers’ behavior simply on merit of having heavily cranked up their regulatory risk.

The DMA does allow gatekeepers to offer — and the Commission to accept — commitments to address concerns on an ongoing basis, i.e. rather than waiting for formal enforcement. So the EU will want to keep up pressure on platforms to proactively address complaints, such as via the forthcoming public workshops.

EU enforcers also have powers to request information and conduction on-site inspections. The bloc can also always raise the temperature by getting commissioners to issue public warnings about issues of concern, as we’ve seen happening in recent weeks, too, as compliance proposals have emerged.

It may be hoping gatekeepers opt to tweak ops in contested areas to avoid the risk of formal DMA proceedings, given the potential for hefty sanctions at the end. And, again in recent days — so still ahead of the DMA actually applying — we’ve seen some instances of editing to compliance proposals in the face of pushback, such as Apple tweaking some of the requirements on developers to take up entitlements. The Commission has also emphasized that proposals have improved vs the first iterations gatekeepers came with last year. So some platform reforms may happen quickly.

However, as DMA Compliance Day has loomed, gatekeepers have largely been entrenching on their most heavily criticized positions — such as Apple and Google’s app store fees or Meta’s ‘consent or pay’ model. This suggests the biggest — potentially most transformative — reforms of Big Tech business models aren’t likely to happen unless the Commission takes formal enforcement. So the baton passes back to the bloc to drive real change.

Where non-compliance is “very blatant” Sparas emphasized the EU “will need to act very quickly”.

“One thing that we have learned, for good or bad, is that if we want to really make a change here it is very important that we act quickly,” he said, adding: “Of course still in a legally sound way. But [we need] to act quickly and effectively. Because otherwise, as we said at the time of the [DMA] proposal, many of these markets are prone to very quick tipping. So… if we take too much time, things may change to a point where it’s very difficult to change things back.”

source

Leave a Reply

Your email address will not be published. Required fields are marked *