N. Pirilides & Associates LLC




Digital Markets Act: Gatekeepers Under Scrutiny

A groundbreaking development has recently been announced by the European Commission, which has for the first time applied the strict rules introduced under Regulation 2022/1925 - otherwise known as the Digital Markets Act (DMA) - to bring non-compliance investigations against three heavyweights in the world of “big tech”, namely Alphabet (the parent company of Google), Apple, and Meta (formerly Facebook Inc.).

The DMA, which came into force in early March, has introduced onerous requirements for companies classified as “gatekeepers” under its objective criteria. These include a duty to allow third parties to inter-operate with the gatekeeper’s own services in certain specific situations, a duty to refrain from treating services and products offered by the gatekeeper itself more favourably in ranking than similar services or products offered by third parties on the gatekeeper’s platform, and a duty to refrain from tracking end-users outside of the gatekeeper’s core platform service for the purpose of targeted advertising without prior effective consent.

It is these three requirements, among others, that the three tech giants are believed to have breached. For instance, the Commission alleges that Alphabet and Apple are treating their third-party service providers less favourably in the Google search engine (in the case of Alphabet) and in their respective software stores (i.e. the Play Store and App Store). Likewise, it is alleged that Apple is curtailing competition in its “walled garden” ecosystem by prohibiting the removal of its native apps and their replacement by third-party products. While both the Apple and Meta investigations have progressed quickly, with the Commission making preliminary findings as to the breach of their obligations under the DMA, the investigation with the biggest effect on the market will certainly be the one against Meta’s so-called “pay or consent” model.

The model was implemented by Meta after a cascade of GDPR-related rulings from, among others, Germany, Ireland, Norway, and the Court of Justice of the European Union, which found that the company failed to obtain the explicit consent of users for the collection and use of their data. However, the Commission has found that the model compels data subjects to consent to processing (especially when it comes to cross-platform tracking) or face hefty costs for access to a monopolistic product, in breach of Recitals 36 and 37 and Article 5(2)(a) of the DMA.

Specifically, the Commission has made reference to the fact that Meta does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent, and that it does not allow users to exercise their right to freely consent to the combination of their personal data. The instigation of a non-compliance investigation is only the first arrow in the Commission’s arsenal of enforcement. Meta now has the right to defend its actions by examining the documents in the Commission’s investigation file and replying in writing to the Commission’s preliminary findings.

Nonetheless, should a decision of non-compliance be made, the technology heavyweights could face hefty penalties which include, as per Articles 29 to 33 of the DMA, a fine of up to 10% of the company’s total worldwide annual turnover (which increases to 20% for repeated offenders), periodic penalty payments of up to 5% of the company’s average daily turnover, and even unprecedented non-financial remedies such as the divestiture of (parts of) a business. For reference, imposing the maximum fine allowed under the DMA for a first-instance offence would result in an eye-watering USD 13.49 billion hit for Meta Inc. (given its 2023 financial reports)!

All in all, this first application of the compliance mechanism of the DMA seems promising in its ability to rein in big tech, a task which the GDPR has failed to fully achieve, by enlisting the full resources of the European Commission instead of depending on a largely decentralized network of Data Protection Authorities. It also appears that the DMA may offer an alternative to the difficulty in bringing competition-related proceedings against such technology companies. Indeed, the mere threat of an investigation appears to have had an effect on the market, with Apple creaking open the doors of its walled garden within the EU for third-party providers. Nonetheless, this does pose the question of how technology companies, whose business model relies on personalized advertising, can continue to be profitable while offering their products in the European market. One thing is for sure: this is a rapidly developing legal area that must be closely monitored by all EU practitioners.