Digital Markets Act (DMA): what actually is it?

Apple needs to give iPhone access to other app stores, Meta has to allow WhatsApp to communicate with other messenger apps. These changes are enforced by new requirements for large tech companies in Europe, based on the Digital Markets Act (DMA) of the European Union. It was adopted by the European Parliament on 5 July 2022 and came into force in November 2022. It contains a series of rules for particularly large and influential tech companies, so-called gatekeepers.

The EU gave these companies a deadline by which they must implement the new regulations in relation to some of their products and services – so-called core platform services. This deadline expires on 6 March 2024. If the requirements aren’t met by then, companies will be penalised.

The idea behind the Digital Markets Act

In the digital world, some companies are so huge and have such large market shares that they can exert a great deal of influence on the industry through their size and importance alone. On market development, on innovation, but also on legislation – for example with regard to data protection or competition.

This massive influence in turn ensures that companies grow without having to do anything, hurting smaller competitors. These companies can no longer keep up, and big companies have even less competition. This in turn affects you as a consumer – you have less choice when it comes to appliances or services and therefore have to pay the price and accept the conditions set by these corporations.

The Digital Markets Act aims to change this. It’s intended to ensure that the market operates fairly. Companies shouldn’t abuse their market position and should handle their customers’ user data responsibly – in other words, protect their privacy. The Digital Markets Act – a type of antitrust law for digital companies – was developed to give this desire a legal framework.

Where exactly is the Digital Markets Act regulated?

The ordinance, commonly known as the DMA, has a full name:

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)

It’s based on the Treaty on the Functioning of the European Union, in particular «Title VII: Common rules on competition, taxation and approximation of laws» (from page 42 in the PDF linked above) and extends this in certain scenarios.

The most important terms explained

I’ve summarised the most important points about the DMA here. Namely, which companies are affected by the law, which of their services they have to change and to what extent these changes affect you. If you’re interested in exact details, you can read them in all official languages in the so-called EUR-Lex, the legal overview of the EU. Here’s the English version.

What are gatekeepers?

Gatekeepers are particularly large tech companies. But not every big tech company is automatically a gatekeeper. According to Chapter II, Art. 3 of the DMA, a company is a gatekeeper if it:

• Has a strong economic position with a significant impact on the internal market and is active in several EU countries.
• Has a strong gateway position, i.e. connects a large user base with a large number of companies.
• Has or will have in the foreseeable future an entrenched and durable position on the market. Companies are considered durable if they have met the two previous criteria in each of the last three financial years.

So far, the EU list of gatekeepers includes six companies – but there may be more. Currently it’s:

• Alphabet (the parent company of Google)
• Amazon
• Apple
• ByteDance (the parent company of TikTok)
• Meta (the parent company of Facebook, Instagram, WhatsApp and Threads)
• Microsoft

These companies are currently affected by the legislation and must fulfil certain requirements with regard to their products and services.

What is a core platform service?

Some of these obligations concern the company as a whole, while others concern only parts of the company or individual services or products. In connection with the last point, one mentions so-called core platform services.

The Act defines the term core platform services as «(…) those integral to the operation of a digital business.» These include search engines, browsers, social networks and much more. To date, the EU has defined 22 services of the six gatekeepers mentioned as such core platform services.

Google

• Search engine and advertising service: Google
• Video-sharing platform: YouTube
• Browser: Chrome
• Operating system: Android
• Intermediation platforms: Google Maps, Google Play, Google Shopping

Meta

• Messenger services: Facebook Messenger, WhatsApp
• Advertising service: Meta
• Social networks: Facebook, Instagram
• Intermediation platform: Meta Marketplace

Apple

• Browser: Safari
• Operating system: iOS
• Intermediation platform: iOS App Store

Microsoft

• Operating systems: Windows
• Social networks: LinkedIn

ByteDance

• Social networks: TikTok

Amazon

• Advertising service: Amazon
• Intermediation platform: Amazon Marketplace

Further services may be added to this list if a review by the EU leads to the conclusion that a service qualifies for the term core platform service. The DMA specifies when such an investigation may and must be carried out in Chapter IV, Article 19. Exceptions to this rule can be found in Chapter III arts. 9 and 10.

What duties do gatekeepers have?

The duties of a gatekeeper are dynamically regulated in Chapter III of the DMA, from Article 5 onwards. This means that certain obligations may be added or even eliminated.

The most important duties are:

Interoperability and non-discrimination

According to Chapter III, Art. 7 of the DMA, gatekeepers must ensure their own services and platforms are interoperable with those of third-party providers. According to dictionary.com, interoperability describes things «capable of being used or operated reciprocally». In this context, it means that services from different providers can be connected and communicate with each other without users having to do anything. This often relates to data access or transfer. Here, the EU wants to promote competition and prevent gatekeepers from gaining excessive advantages.

A concrete example. Gatekeeper Meta must ensure that you can send messages to a Signal user using its core platform service WhatsApp – if Signal wants this. Signal doesn’t belong to any gatekeeper company and therefore doesn’t have to be interoperable. As Signal has repeatedly publicly criticised WhatsApp’s data protection, it is by no means certain that this scenario will occur.

Meanwhile, «non-discriminatory conditions» are intended to ensure that gatekeepers treat all companies and users fairly. They can’t give preference to their own products or those of direct partners.

A concrete example. If you google for an e-mail service, Google is no longer allowed to prioritise Gmail in the search rankings by default.

Data portability and access

According to Chapter III, Article 6, paragraph 9 of the DMA, a gatekeeper must grant an end user or their authorised representative permanent real-time access to data generated by the end user’s activity in connection with the use of the core platform service. In addition, effective data portability must be ensured. This means that a gatekeeper must not make it unnecessarily difficult for you to «move» your data from one service to another in order to replace the gatekeeper’s service with another, if necessary.

A concrete example. You’ve used Chrome as your default browser, now you want to switch to Opera. Google must now enable you to download the complete content – search history, cookie settings, browser history, etc. – in a usable format and upload it to Opera again, granting you a seamless user experience.

Transparency and profiling

Article 5, paragraph 2 of the DMA regulates how a gatekeeper may collect data, what it can do with it and, above all, what it can’t, so-called profiling rules. The main points:

• The gatekeeper can’t use any personal data from third-party services, which in turn are customers of the gatekeeper.
• It also can’t merge or use personal data from several of its core platform services.
• It can’t register you in other services of its portfolio in which you have not registered yourself.

Unless you’ve consented to these practices in accordance with Regulation 2016/679 Article 4, point 11 and Article 7. But there are rules on transparency, which I’ll explain in the next paragraph.

Concrete examples:

• If Zalando places an advertisement on Instagram and you click on it, Instagram (i.e. Meta) may not use the data you provide to Zalando for advertising services.
• Meta may not merge data collected via WhatsApp and Instagram (e.g. to learn more about you) or use it, e.g. for advertising.
• Meta isn’t allowed to create a Facebook account for you if you’ve only registered with Insta.

Transparency ensures a gatekeeper always asks your permission to collect and process your data. In addition, they must always provide you with information about how they collect data, why and for how long. You can also refuse or subsequently revoke this permission. The law also forces gatekeepers to obtain your consent in a generally understandable way. This way Facebook can’t present you with a thirty-page mess in legalese where you can only click Yes or No. As they’ve done until now. So-called dark patterns are also no longer permitted. Think those forms in which the button for approval is huge and coloured in, and the button for rejection is grey and hidden at the bottom in tiny letters.

What if companies don’t meet these requirements?

In Chapter V, Article 30, the European Union sets out several ways in which offending companies can be prosecuted. Fines are one option. And they can be quite severe. A fine can amount to up to 10 per cent of the company’s total global turnover. This even jumps to 20 per cent if the company repeatedly violates these regulations.

If a company is found guilty of systematic non-compliance (Chapter V, Article 29), a fine of up to 5 per cent of average daily turnover can be demanded (Chapter V, Article 31 DMA). Alternatively, the EU may decide to take remedial measures. This refers to certain precautions or sanctions intended to ensure that the company concerned (again) complies with the regulations. However, this requires a market investigation (Chapter IV, Article 16) as to whether there is systematic non-compliance.

What impact does the DMA have on Switzerland?

The DMA was adopted by the European Commission and the European Parliament. From a legal point of view, this has no effect on you or companies in Switzerland. This means that companies don’t have to comply with the rules of the DMA in Switzerland. National Council member Min Li Marti (SP/ZH) submitted a motion (page in German) on 8 March 2023, calling for Switzerland to make legislative amendments that are substantially similar to those of the DMA.

However, the National Council hasn’t yet decided whether it’ll accept the motion and discuss it. The Federal Council, on the other hand, has already issued a statement and recommends rejecting the motion (page in German). It justifies this recommendation by stating that the main objectives of the DMA are already implemented in principle with existing legislation – especially in antitrust law, for example with the instrument of «relative market power» (Cartel Act, SR 252, Art. 7). In addition, precautionary measures may also be ordered in individual cases.

It’s now up to the National Council to decide whether to accept this motion. If so, it’ll have two years to deliberate. If the motion is accepted, it’ll be passed on to the Council of States for discussion.

However, you’ll have to wait and see what it’ll look like in practice. We’ll probably also see certain changes in Switzerland. It’s likely, for example, that Swiss citizens will also be given the option of downloading all their stored data from a service. In some cases, this is already possible anyway. We’re unlikely to see other changes, such as Apple’s alternative app stores. Apple only does the absolute minimum to comply with this law anyway. It’ll probably only comply with it where it has to. Only time will tell what the details will look like.