Digital markets regulation in the EU and UK: DMA v DMCC 

In recent years, the EU and UK have both introduced new regimes regulating Big Tech companies with the EU Digital Markets Act (DMA) and the UK Digital Markets, Competition and Consumers Act (DMCC Act). This update focuses on the key similarities and differences between the two regimes. 

Key takeaways

• The EU and UK have introduced new regimes to regulate Big Tech. While the regimes pursue the same objective, the EU and UK have taken notably different approaches.
• Under both regimes, companies will be subject to enhanced regulation if they are designated as a gatekeeper in the EU or as having strategic market status in the UK.
• Significant penalties may be imposed on companies who breach their obligations under the DMA and DMCC, including fines of up to 10% of global turnover for both Acts (and up to 20% for repeated breaches of the DMA).

Background

In December 2020, the European Commission published drafts of the DMA and the Digital Services Act (DSA) (see our December 2023 update): the DMA focuses on competition in digital markets and the DSA focuses on transparency and consumer protection. The DMA was formally adopted by the European Parliament and Council on 14 September 2022. It contains forward-looking rules to regulate Big Tech and, at a high level, enables the European Commission to designate large platforms as "gatekeepers" where such large platforms provide a "core platform service". Once designated, gatekeepers are subject to a set of stringent behavioural requirements (see our January 2024 update). 

The DMCC Act received Royal Assent on 24 May 2024. The key reforms introduced by the DMCC Act, including the new digital regime, are expected to enter into force later this year (see our May 2024 update). As with the DMA, the DMCC Act enables the UK Competition and Markets Authority (CMA) to designate companies as having strategic market status (SMS). Designated companies will then be subject to a tailored code of conduct.

While both the EU and UK are looking to achieve the same end goal (i.e., to make the digital sector fairer and more competitive), they have taken notably different approaches. In this update, we'll highlight the key similarities and differences between the two regimes. 

Designation process

When key provisions in the DMA entered into force in May 2023, potential gatekeepers had until 3 July 2023 to notify the European Commission that they met the criteria for designation under the DMA. In September 2023, the European Commission made its first designations: Alphabet (Google's parent company), Amazon, Apple, ByteDance (which owns TikTok), Meta and Microsoft. Booking was designated in May 2024 and the European Commission also announced that it had opened a market investigation to assess the rebuttal submission from online social networking service X (formerly Twitter) in more detail. 

As the DMCC Act is not yet in force, no companies have been designated as having SMS status in the UK, although the CMA has indicated that it expects to start three to four SMS investigations in the first year of the new regime. 

Process under the DMA

Under the DMA, companies may be designated as gatekeepers where they meet the three qualitative conditions set out below. The DMA also sets out rebuttable presumptions based on quantitative criteria which the European Commission may rely on when considering whether to designate a company as a gatekeeper. 

The company must provide a core platform service which is an important gateway for business users to reach end users. This will be presumed where, in the last financial year, the service has:

• at least 45 million monthly active end users; and
• at least 10,000 yearly active business users in the EU.

The company must also have a significant impact on the EU market. This will be presumed where the company has: 

• a minimum of EUR 7.5 billion turnover in the EU in each of the last three financial years; or
• a valuation of at least EUR 75 billion in the last financial year; and
• in each case, provides the same core platform service in at least three Member States.

The third condition requires that the company enjoys an entrenched and durable position in its operations (or it is foreseeable that the company will enjoy such a position in the near future). This condition will be presumed to have been met if the two previous conditions have been met in each of the last three financial years. 

While the majority of gatekeeper core platform services to date have been designated on the basis of the presumptions set out above, the qualitative criteria are the key criteria for determining whether a service should be designated. The European Commission:

• has not designated companies (for example, Apple's iMessage and Microsoft's Bing, Edge and Microsoft Advertising services) which met the quantitative thresholds where it concluded that the company did not meet one or more of the qualitive criteria; and
• relied on the qualitative criteria to designate Apple's iPad operating system as a gatekeeper despite the fact that it did not meet the quantitative criteria.

Process under the DMCC Act 

To be designated under the DMCC Act, a company must have:

• a position of strategic significance in respect of a digital activity;
• substantial and entrenched market power; and
• UK turnover of more than GBP 1 billion or global turnover of more than GBP 25 billion in the previous 12 months.

Unlike the DMA, the DMCC Act does not include any quantitative thresholds which the CMA would be able to rely on to designate a company as having SMS.

Under the DMCC Act, engaging in a digital activity essentially means providing services on the internet or digital content, including free services and content. The digital activity must also be linked to the UK: the CMA will consider factors such as whether there are a significant number of users in the UK and if the digital activity (or the way the company carries on the digital activity) is likely to have an immediate, substantial and foreseeable effect on trade in the UK.

To establish that a company has strategic significance in respect of a digital activity, the CMA needs to conclude that the company meets one of four conditions set out in the DMCC Act which relate to the size and scale of the company's position in the digital activity, the number of users and the company's ability to leverage its position. 

As with the DMA, the company must have substantial and entrenched market power. When considering this, the CMA will undertake a forward-looking assessment over at least five years (see our July 2024 podcast episode). In this assessment, the CMA is essentially looking to see whether the company is able to behave independently of competitive forces. The draft guidance notes that familiar analytical tools used in dominance cases will also be relevant (e.g., the company's share of supply or profitability levels), but that the CMA will not typically seek to draw on existing dominance case law. It will therefore be interesting to see what happens in practice when the CMA begins to undertake SMS investigations. 

Timing

Under the DMA, companies are required to notify the European Commission if they meet the quantitative thresholds set out in the Act. Once the European Commission has received a complete notification, it has 45 working days to assess whether to designate the company as a gatekeeper. Where the European Commission is making a designation based on qualitative criteria (for example, because the quantitative thresholds are not met), it has indicated that it will endeavour to conclude investigations within 12 months. 

In the UK, there are no notification requirements. The CMA will be able to begin an SMS investigation based on its own research, evidence gathered through its other work or based on information or recommendations from other regulators. Once it has begun an SMS investigation, the CMA will have up to nine months to complete it.

Challenges to designations under the DMA

A number of gatekeepers have sought to challenge their designation by the Commission. Only one appeal has been determined to date: ByteDance's unsuccessful appeal before the General Court. While ByteDance did not dispute that it met the quantitative thresholds, it argued that it does not have a significant impact on the internal market and does not enjoy an entrenched and durable market position. ByteDance argued that:

• its impact on the internal market was not significant because its global market value is mainly attributable to its activities in China;
• it does not have an ecosystem;
• the scale of TikTok was smaller than some other online social networking services and the fact that a significant proportion of users multi-home shows it's not an important gateway; and
• it does not enjoy an entrenched and durable market position because it was a challenger on the market.

On 17 July 2024, the General Court dismissed ByteDance's arguments. The Court emphasised that while TikTok had been a challenger in 2018, it had rapidly consolidated its position and continued to strengthen this position despite Meta and Google launching competing services such as Reels and Shorts. 

Other gatekeepers have also challenged designation decisions: 

• Meta has challenged the European Commission's decision to designate Facebook Messenger and Facebook Marketplace as core platform services.
• Apple is appealing the designation of its App Store and iMessage service.

Third parties can also challenge European Commission decisions: a competing browser has challenged the European Commission's decision not to designate Microsoft's Edge as a gatekeeper. 
In the UK, there have not yet been any designation decisions to challenge. However, it is worth highlighting that designation decisions will only be challengeable by way of judicial review, and therefore there will be no opportunity for a full merits appeal.

Comparison of designation processes

Gatekeeper obligations v conduct requirements

Once a firm has been designated, the aims of the DMCC and DMA are very similar – the ex-ante regulation of digital services – but the EU and UK have taken different approaches to implementation. One of the key differences is that the gatekeeper obligations are prescribed in the DMA itself. In contrast, in the UK, the CMA will be able to impose tailored codes of conduct under the DMCC Act.

The DMA obligations include a number of positive obligations to behave in certain ways, as well as prohibitions on gatekeepers engaging in certain types of conduct. The DMA obligations cover three key areas:

• the use and access of data - including portability, banning combining data together, and data access for business users;
• services and distribution - restrictions on the use of parity clauses, bundling subscriptions and switching restrictions, and allowing side-loading of apps and other marketplaces; and
• inter-operability and non-discrimination requirements.

For further details of the gatekeeper obligations under the DMA, see our January 2024 update.

The DMCC Act enables the CMA to impose bespoke conduct requirements on each SMS firm. The CMA's discretion is not unfettered as the Act provides a framework for the CMA to follow when crafting a conduct requirement (CR). The CR must:

• be proportionate to the aims it is seeking to achieve, having regard to the consumer benefits likely to result from a CR;
• satisfy one of the three objectives prescribed in the Act (fair dealing, open choices and/or trust and transparency); and
• be of a permitted type, i.e., it must be an obligation for the SMS firm to conduct its digital activity in a particular way (such as a requirement to trade on fair and reasonable terms) or a prohibition on pursuing the digital activity in a certain way (for example, a prohibition on applying discriminatory terms and conditions).

In its draft guidance, the CMA indicates that the level of detail in a CR may vary, depending on whether the outcome is measurable and whether compliance is easy to assess. Where an outcome-focused CR would not achieve the CMA's aim or where compliance is not measurable or easy to assess, the CMA may impose an action-focused CR. It is possible that a high-level CR may be revised following a breach to provide additional detail. 

The DMA obligations are the types of obligations which could fall under the CR framework in the UK so we may see the CMA take inspiration from the gatekeeper obligations which apply to companies which have already been designated in the EU as gatekeepers, particularly given the requirement that the CMA act proportionately in imposing CRs. 

Timing

Under the DMA, gatekeepers have six months to comply with the gatekeeper requirements once they have been designated. In the UK, the CR will enter into force on the date specified in the CR notice issued by the CMA. This allows greater flexibility, and the CMA may specify that different elements of the CR enter into force at different times. The CMA's draft guidance also indicates that there may be an implementation period to allow SMS firms sufficient time to make changes to technical systems before the requirements come into effect. This is likely to be determined on a case-by-case basis. 

Possibility of guidance

Gatekeepers are able to request guidance from the European Commission in respect of proposed measures to comply with their gatekeeper obligations. The European Commission has also organised a number of public workshops involving individual gatekeepers and other interested stakeholders to discuss potential issues relating to specific implementing measures. 

The CMA plans to issue so-called "interpretative notes", which will provide further detail on the CMA's interpretation of a CR, how it might apply in particular circumstances and include illustrative examples. The notes will not be binding on the SMS firm, which will be free to take a different approach if they can demonstrate that their approach complies with a CR. The CMA has also indicated that the notes may be flexible and change over time. 

Compliance reports

Under the DMA, gatekeepers are required to submit annual compliance reports. The first compliance reports were published in March 2024 and these set out high level information about how each gatekeeper is complying with its obligations under the DMA. The European Commission will monitor compliance with the DMA using the compliance reports, as well as its investigatory powers. 

Compliance reports are also required under the DMCC Act and the CMA will specify a reporting period which could require more frequent compliance reports than under the DMA. 

Comparison of compliance requirements

Merger control

Under the DMA and DMCC Act, designated companies are required to inform the European Commission and/or the CMA (as appropriate) of proposed mergers and acquisitions:

• In the EU, transactions must be notified where the target provides a core platform service or any other digital or data collection services.
• In the UK, SMS firms will be required to report certain transactions where the consideration exceeds GBP 25 million.

Enforcement powers

The enforcement powers under the DMA and DMCC Act are broadly similar. Both the European Commission and the CMA have the power to impose penalties. The European Commission also has the power to impose additional remedies on gatekeepers following a market investigation if a gatekeeper is systematically failing to meet its obligations under the DMA. These remedies could be behavioural (meaning a requirement to do something such as make a service interoperable or to stop doing something like combining user data collected across different activities) or structural, meaning the European Commission could require parts of the business to be sold off.

In the UK, the CMA can impose an enforcement order requiring the SMS firm to comply with a conduct requirement following a breach investigation. The CMA also has the power to conduct a pro-competition intervention (PCI) investigation which will be an important tool for the CMA to regulate designated companies. Following a PCI investigation, a PCI order can be imposed to remedy any harmful effects on competition identified during the investigation. At this stage, the CMA's Digital Markets Unit (DMU) will have broad powers to impose remedies, including behavioural remedies, requiring the company to divest part of its business or requiring certain information to be supplied or published (for example, a requirement to supply user data to competitors). It will be interesting to see when the CMA looks to impose conduct requirements versus when it undertakes a PCI investigation. Unfortunately, the CMA's draft guidance does not provide much additional insight on this point.

Comparison of enforcement powers