The Digital Markets Act (DMA) was published in the Official Journal today. It becomes effective in 20 days and will start being enforced on May 2, 2023.
The DMA aims to ensure that no large online platform acts as a gatekeeper by controlling a “core platform service.” Core platform services include online intermediation services (marketplaces, app stores), search engines, social networking sites, video sharing platforms, operating systems, web browsers, virtual assistants, cloud services and advertising services.
Download our Digital Markets Act FAQ Sheet containing answers to key questions about the regulations.
Who Is Affected?
To be considered a “gatekeeper,” an online platform must:
- have either an annual turnover of at least 7.5 billion Euros within the EU in each of the past three years or a market valuation of at least 75 billion Euros in the past year, and
- have at least 45 million monthly end users (aka consumers or a business user’s customers) and at least 10,000 yearly business users in the EU, and
- provide the same core platform service in at least three member states.
Why Is This Important?
The European Commission will enforce the DMA and can impose fines of up to 10% of a company’s total worldwide revenue. For repeat offenses, the European Commission can impose fines of up to 20% of a company’s worldwide revenue. Gatekeepers will need to be able to demonstrate compliance with the DMA, including through an annual report describing how it is ensuring compliance.
How Is the DMA Different Than the GDPR?
While some of the definitions will sound familiar (e.g., consent must be given by a clear, affirmative action or statement establishing a freely given, specific, informed and unambiguous indication of agreement), the DMA adds significant requirements for gatekeepers.
If My Business Is Not a Gatekeeper, Do I Need to Worry About the DMA?
No, but you might miss out on some opportunities available to small and medium sized businesses. Gatekeepers must permit business users to offer their customers the same products or services at different prices through other channels (such as being able to offer a different price on the business’ website than if purchased through an app store). Businesses must also be permitted to communicate offers and complete purchases outside of the gatekeeper’s platform, even if the customer was obtained through the platform. If you have a small or medium sized business, you may want to explore new opportunities.
If My Business Is Considered to Be a Gatekeeper, What Can’t We Do Under the DMA?
Gatekeepers need to be very careful about how they collect and use personal information. For example, they cannot combine personal information from their different product lines. Additionally, they cannot require consumers to use other products or services they provide or stop consumers from using competitors’ products or services. Gatekeepers also cannot promote their products or services over competitors’ products or services or use dark patterns.
Are There Any Affirmative Requirements for Gatekeepers Under the DMA?
Yes. There are many new requirements, including providing varied information to the European Commission, business users, consumers, and third parties. Gatekeepers also need to make it easier for consumers to uninstall non-essential pre-loaded software, change default settings, and port data to another service.
What Can My Business Do?
The DMA covers a lot of ground, and each business that is considered a “gatekeeper” will need to carefully review its practices for compliance. A gatekeeper can request that the European Commission review its current compliance measures or measures that it plans to implement. The Commission then can choose whether to engage in the review. If it chooses to, within three months, it will publish a non-confidential summary of the submission previously provided by the gatekeeper, along with its preliminary findings. Any interested third parties can submit comments on the Commission’s preliminary findings.
How Can Foster Garvey Help Your Business?
Foster Garvey advises businesses and individuals across a broad range of industry sectors on legal issues relating to privacy, cybersecurity and data protection. Our interdisciplinary team works diligently to advise clients on current and emerging issues in this area, including cybersecurity preparedness, risk assessments and compliance, and related disputes and litigation.
A highlight of some of the DMA’s requirements, including links to the official press releases from the European Parliament and the Council (representing the 27 EU Member States), can be found on the European Commission website.
If you have any questions about complying with the DMA, please contact Eva Novick at email@example.com.