Comparing EU and UK approaches to regulating big tech

Fiona:

Hello and welcome to Ashurst Legal Outlook. In this episode, we're talking about how the EU Digital Markets Act compares to the UK Digital Markets, Competition and Consumers Act. My name is Fiona Garside and I'm a Senior Expertise Lawyer in Ashurst's Antitrust, Regulation and Foreign Investment team in London. I'm delighted to be joined today by Rafa Baena from our Madrid team.

Raf:

Hi.

Fiona:

And Chris Eberhardt and Hayden Dunnett, who are based in our London office.

Chris:

Hi.

Hayden:

Hi, Fiona.

Fiona:

Today we're comparing the EU's approach to digital regulation with the UK's. We've talked about the EU DMA and the UK DMCC before; but to briefly recap for listeners, the DMA was formerly adopted by the European Parliament and Council in July 2022 and it contains forward-looking rules to regulate Big Tech. At a high level, it enables the European Commission to designate large platforms as gatekeepers and, once designated, these gatekeepers are subject to a set of stringent behavioural requirements. Similarly, the UK DMCC enables the CMA to designate companies as having strategic market significance (or SMS status for short). Designated companies will then be subject to a tailored code of conduct.

So while both the EU and UK are looking to achieve the same end goal, they have taken similar, but notably different approaches. If we kick off with the designation process. In the EU, seven companies have already been designated as gatekeepers. Unsurprisingly, this includes Apple, Alphabet (Google's parent company), Amazon, Meta and Microsoft, who had until March this year to comply with the gatekeeper obligations. ByteDance (who owns TikTok) and Booking.com have also been designated more recently. Rafa, what are the criteria for designation under the DMA?

Raf:

Well, thanks, Fiona. Under the DMA companies are designated as gatekeepers where they provide a core platform service, which is an important gateway for business users to reach end users. This will be presumed where the service has at least 45 million monthly active end users and at least 10,000 yearly active business users in the EU. The company must also have a significant impact on the EU market. Again, there is a presumption that this condition is met where the same core platform service is provided in at least three Member States and the company meets minimum turnover or value thresholds in the last financial year.

Finally, a company needs to enjoy an entrenched and durable position, which will be presumed if the two previous conditions have been met in each of the last three financial years. In this regard, while the majority of gatekeepers have been designated so far based on these presumptions and quantitative criteria, the Commission has made it very clear that the relevant criteria are the qualitative criteria. In fact, it has not designated as gatekeepers companies hitting the presumption thresholds because, after a market investigation, it concluded that they didn't hit one or more of the qualitative criteria. And likewise, it has designated Apple's iPad operating system as a gatekeeper despite the fact that it didn't meet the presumption criteria, relying on qualitative criteria. So it is possible that there will be further designations below the presumption thresholds, based on qualitative data.

Fiona:

Thanks, Rafa. And we recently had the General Court judgment on ByteDance's challenge to its designation as a gatekeeper. Has that given us any further insight?

Raf:

Yes, indeed. ByteDance unsuccessfully challenged its designation as a gatekeeper. It did not dispute that it met the quantitative thresholds I've just mentioned. But it argued that it does not have a significant impact on the internal market and does not enjoy an entrenched and durable position. Thus, it was arguing that it did not meet the qualitative criteria. The General Court recently ruled against ByteDance and dismissed its arguments that its impact on the internal market was not significant because its global market value is mainly attributable to its activities in China. Similarly, ByteDance arguments that it does not have a significant impact in the EU market because it does not have an ecosystem were not successful. ByteDance had argued that the scale of TikTok was smaller than some of the other online social networking activities and the fact that a significant proportion of users multi-home shows it's not an important gateway.

The Court rejected ByteDance's arguments that it does not enjoy an entrenched and durable market position because it was a challenger on the market. The Court emphasised that while TikTok had been a challenger in 2018, it had rapidly consolidated its position and continued to strengthen it despite Meta and Google launching competing services such as Reels and Shorts.

But ByteDance wasn't the only company to challenge the designation decision. Meta has also challenged the Commission's decision to designate Facebook Messenger and Facebook Marketplace as core platform services. Apple is also appealing the designation of its app store and iMessage service. And a competing browser has challenged the decision of the Commission not designating Microsoft Edge as a gatekeeper. We will see more action around designations.

Fiona:

Thanks, Rafa. In the UK, the CMA is still waiting for its new digital market powers to kick in. But, in the meantime, Chris, what do we know about the designation process under the DMCC?

Chris:

Thanks, Fiona. So I think what's interesting is that, as you said at the outset, the CMA's and DMU's approach and the criteria for the designation in particular are notably quite different under the UK rules. Unlike the position that Rafa has just explained, there are no presumptions for establishing a company has SMS status. Rather, in the UK the criteria require that the company must, first, engage in a digital activity, which essentially means providing services on the internet or digital content (including where this is free). And second, it must have a UK turnover of more than £1 billion or global turnover of more than £25 billion in the previous 12 months.

The activity must also be linked to the UK. Here, the CMA will consider factors such as whether there are significant number of users in the UK and if the activity or the way it's carried out is likely to have an immediate substantial and foreseeable effect on trade in the UK.

As with the DMA, the company must have substantial and entrenched market power. Now, when considering this, the draft guidance published by the CMA a few weeks ago (which we discussed in our last podcast) indicates that a CMA will undertake a forward-looking assessment over at least five years. And when doing so, it's essentially trying to see or looking to see whether the company is able to behave independently of competitive forces over that time period. When doing this, the familiar analytical tools that we've seen in dominance cases will also be relevant, things like share of supply or profitability levels, but the draft guidance also notes that the CMA will not typically seek to draw on dominance case law. So this is really going to be an interesting area to watch and see what happens in practice.

Finally, the company must be in a position of strategic significance. So for this, the CMA needs to establish the company meets one of four conditions set out in the Act, which relate to the size and scale of a company's position in the relevant activity for a number of users and the company's ability to leverage its position.

I think as a final point it's worth remembering that, in the UK, these decisions will only be challengeable by a way of JR, so there's no opportunity for a full merits appeal.

Fiona:

Thanks, Chris. And interestingly, the way that the process kicks off for designation under the DMA and DMCC can be quite different. So under the DMA, companies are required to notify the Commission if they meet the quantitative thresholds that Rafa mentioned earlier, but there's no equivalent notification requirement in the UK. Now, as Chris mentioned, that's because there's no presumption in the UK for the CMA to rely on. Once the Commission has received a complete notification, it will then have 45 working days to assess whether to designate that company as a gatekeeper.
But we mustn't forget that designations can also be made based on qualitative criteria as Rafa said. And in that situation, the Commission will endeavour to conclude its investigation within 12 months. That's a more similar timeframe to the UK where the CMA will have up to nine months to complete an SMS investigation. That investigation will be open based on either the CMA's own research, evidence it's gathered through its other work or information / recommendations from other regulators.

And then once a firm has been designated, again, the DMCC and the DMA have very similar aims (the ex ante regulation of digital services) but have taken different approaches for implementation. For the DMA, the gatekeeper obligations are set out in the Act itself but the CMA will be able to impose tailored codes of conduct under the DMCC.

Raf:

That's right. One of the key contrasts between the DMA and the DMCC is that the gatekeeper obligations are prescribed in the DMA itself. The obligations include a number of positive obligations to behave in certain ways as well as prohibitions on gatekeepers engaging in certain types of conduct. We don't have time to go through all of the gatekeepers' obligations on this podcast, but broadly speaking, the DMA obligations cover three key areas: (i) the use and access of data, including portability, banning, combination of data together and data access for business users; (ii) services and distribution, restrictions on the use of parity clauses, banding subscriptions and switching restrictions and allowing site loading of apps and other marketplaces; and finally (iii), interoperability and non-discrimination requirements.

Hayden:

Unlike the gatekeepers' obligations under the DMA, the DMCC act does not include a prescribed list or fixed list of obligations that an SMS firm is subject to. Rather, as Fiona mentioned, the CMA may impose bespoke conduct requirements (CRs) on each SMS firm. Although the CMA has some discretion in imposing conduct requirements, it's not unfettered as the DMCC Act does pose a framework through which CMA must craft a conduct requirement. Under the Act, CR must firstly be proportionate to the aims that the CMA is seeking to achieve, having regard to the consumer benefits that are likely to be obtained from imposing the conduct requirements. Second, the conduct requirement must satisfy one of the three objectives prescribed in the Act (the fair dealing objective, open choices objective or the trust and transparency objective). And the conduct requirement must also be of a permitted type; so it must be an obligation for the SMS firm to conduct its digital activity in a particular way, such as trading on fair and reasonable terms or a prohibition on pursuing the digital activity in a certain way, so for example, a prohibition on applying discriminatory terms and conditions.

Chris:

And I think it's fair to say, Hayden, that in general, all of the DMA gatekeeper obligations are really the same types of obligations that could fall within a conduct requirement framework under this UK regime.

Hayden:

Yes, I think that's right. And although the CMA's guidelines suggest that it can impose a combination of conduct requirements depending on the objective it's seeking to achieve, the CMA's three objectives under the Act for imposing CRs (the open access objective, trust and transparency objective and fair dealing objective), are all sufficiently broad and also the permitted types of obligations mean that in theory the gatekeeper obligations under the DMA could readily be transposed onto SMS firms in the forms of CR requirements in the UK.

Fiona:

And timing wise, once firm has been designated as a gatekeeper for DMA purposes or as an SMS firm under the DMCC, when will the obligations kick in?

Chris:

So in the UK, the CR notice itself will specify the date on which the requirements will come into force and we may well see different elements coming into force at different times. The CMA's draft guidance indicates that they may well allow an implementation period to allow SMS firms sufficient time to make the changes to their systems before the requirements kick in. And I suspect that's likely to be determined on a sort of case by case basis.

Rafa:

Well, under the DMA, a gatekeeper has six months from designation to comply with the gatekeeper requirements. Gatekeepers designated in September 2023 became subject to DMA obligations in March this year. In this regard, it's important to take into account that time really matters in DMA compliance as the Commission launched non-compliance investigations against designated gatekeepers just days after the expiration of those six months.

Fiona:

So I think that draws out quite well one of the purported benefits of the DMCC is the flexibility, but with flexibility comes uncertainty for companies. In contrast, the DMA has fixed obligations and a fixed timetable, but I imagine that might make it more challenging for a gatekeeper to interpret those obligations and understand how to actually implement them in practice. Rafa, what have we seen so far with how gatekeepers are seeking to comply with the DMA obligations?

Rafa:

Well, very interesting question. Gatekeepers are able to request guidance from the Commission in respect of any measures they should, or may wish to, take in order to comply with their gatekeeper obligations. However, the approach of the different companies in the designation process has been different, with some of them engaging in constructive dialogue with the authority and relevant stakeholders and others being more reserved and introverted. We have also seen a number of public workshops organised by the Commission itself, which involve the gatekeeper and other interested stakeholders, to discuss issues that may arise in relation to the specific implementing measures by gatekeepers.

The first compliance reports were published earlier this year and set out high level information about how each gatekeeper is complying with its obligations under the DMA. Is the CMA intending to use a similar consultation process?

Chris:

Yes, Rafa. So the CMA plans to issue what it's calling interpretative notes essentially which, as the name suggests, will provide further detail on the CMA's interpretation of a conduct requirement, explaining how it might apply in circumstances and they say also including illustrative examples. What's important is that these notes will not be binding on the SMS firm however. So the firms will be free to take a different approach if they can demonstrate that their approach still complies with the conduct requirement. And the CMA has also indicated that the notes will be flexible and may well change over time.

Fiona:

Obviously, the EU is further ahead with implementation. And Rafa, you've already mentioned that gatekeepers have provided the Commission with the first compliance reports under the DMA?

Rafa:

Yes. The DMA requires gatekeepers to submit annual compliance reports. The Commission will monitor compliance with the DMA and it has a range of investigatory power very similar to those it uses in competition investigations. The DMA also requires gatekeepers to introduce a compliance function, which is independent from operational functions. The compliance team must have authority to monitor the gatekeepers' compliance with the DMA, which includes an independent senior manager with the strict responsibility for the compliance function.

Hayden:

And under the UK regime, the CMA will mandate SMS compliance reports in conduct requirements and will also specify a reporting period, which could be more frequently than annually. There's also other compliance mechanisms that are baked into the DMCC, including the requirement for an SMS firm to appoint a nominated officer who is in charge of ensuring that SMS firm complies with its compliance reporting obligation. And the compliance officer, or nominated officer, is also required to cooperate with the CMA during the SMS firm designation period. In addition, given the flexible nature of the conduct requirement, the CMA also has the duty to keep conduct requirements under review.

Rafa:

Good. Well, before we move on to enforcement, there is one other element of the DMCC I'm curious about, which I understand is quite different to DMA. The DMA has set out obligations that gatekeepers must comply with and the only way that the obligations under DMA can be supplemented or changed is for the Act itself to be amended. Although each company must design its compliance approach, interpreting obligations that at least some of them are very general, this limits the perimeter of what the designated gatekeepers must or must not do. How will the CMA design conduct requirements? It sounds like they could be quite specific.

Hayden:

Yes, that's right, Rafa. So the UK approach is quite different to the DMA. And as we've mentioned already, the CMA does have a fair bit of discretion in the way in which it imposes and designs conduct requirements. So the CMA has released draft guidance, which includes a three step process for imposing conduct requirements. The first thing it will do is identify the outcome that a conduct requirement is intended to achieve based on the three objectives outlined previously (the fair dealing, open choices and trust and transparency objectives). Then the CMA will identify conduct requirements within the permitted types (the positive obligations, which are outcome focused conduct requirements, or restrictions, which are action focused requirements that I mentioned earlier) that might be effective in achieving CMA's aim. And then the CMA will consider whether imposing that conduct requirement is proportionate.

And in the draft guidance, the CMA has explained that the level of detail in the CR may vary. It may impose higher level conduct requirements where the outcome of a conduct requirement is measurable and compliance is easy to assess, which would give the SMS firm flexibility in deciding how to achieve that outcome. In contrast, if compliance is not measurable or easy to assess or an outcome focused CR won't achieve the CMA's aim and objective, the CMA may look to impose an action-focused conduct requirement, which again, might initially be a higher level requirement. However, it may also impose much more detailed conduct requirements which could be revised following the breach of a higher level outcome focused conduct requirement. So by way of example, the CMA could impose a conduct requirement that bans self-preferencing, which may initially take the form of a high level outcome focused objective. However, if the CMA decides that outcome is no longer being achieved, and there is a whole process that the CMA can review and amend conduct requirements that we won't cover on this podcast, but if that's the case, the CMA may impose a much more granular conduct requirement, which explains how the ban against self-preferencing is to be implemented in practise.

Fiona:

We'd expect similar firms to be designated in the UK to those that have already been designated in the EU. So in terms of overlapping obligations, do you think the CMA will take inspiration from the gatekeeper obligations that firms are already subject to?

Chris:

I think we'll need to wait and see, but that's probably a fair assumption to make. The CMA is required to act proportionately in imposing conduct requirements and I think if an SMS firm has already implemented a change related to the activity that actually meets the requirements under the UK Act and also achieves the outcome the CMA is looking for, then I think it would seem logical where the CMA may well look to impose similar obligations.

Hayden:

I think that's right Chris. And I think it will also depend on the obligation in question and whether it's deemed a success or not in the EU. So when the gatekeeper obligations came into force in March this year, there was a flurry of complaints raised by users and in fact the Commission opened a number of investigations into DMA compliance.

Fiona:

That's right, Hayden. And that leads us neatly on enforcement. Obviously, the EU is much further ahead with enforcement activity, but staying on a theoretical level, how do the powers of the Commission and the CMA compare?

Rafa:

Well, as regards to Commission, the authority has the power to impose fines of up to 10% of worldwide turnover or up to 20% of worldwide turnover for repeated infringements. And it can also the penalty payment of up to 5% of average daily turnover.

Chris:

And it's a similar position in the UK. So the CMA will be able to impose fines of up to 10% of a company's global turnover or daily penalties of up to 5% of daily turnover for breaching of conduct requirement. And also, there are powers to fine individuals up to £30,000 for failing to comply with investigative requirements.

Rafa:

Well, as well as fining powers, let's not forget that the Commission can impose additional remedies on gatekeepers, following a market investigation, if a gatekeeper is systematically failing to meet its obligations under the DMA. These remedies could be behavioural, meaning a requirement to do something such as make a service interoperable or to stop doing something like combining user data collected across different activities, or can be structural, meaning the Commission could require parts of the business to be sold off.

Chris:

Yeah, that's a good point, Rafa. And again, it's a similar position under the UK law. So if the CMA suspects that an SMS firm is breaching a conduct requirement, then essentially it will carry out a breach investigation. If that investigation finds a breach has occurred, then the CMA can impose an enforcement order requiring compliance.

I think it's also worth mentioning at this point, pro competition intervention investigations. We've discussed these in previous podcasts, but I think these will really be an important tool for the CMA when looking to regulate the designated companies. So a pro competition intervention can be imposed following an investigation into a designated firm's digital activities, remedy any harmful effects on competition identified during that investigation. For CMAs Digital Markets Unit (the DMU) will have broad powers to impose remedies including behavioural remedies, like the ones Rafa has mentioned, or requiring the company to divest or sell part of its business, so structural remedies, or requiring certain information to be supplied or published, for example, a requirements to supply user data to competitors.

Fiona:

Thanks, Chris and Rafa. And in the UK it'll be interesting to see when the CMA looks to impose conduct requirements versus when it might look at undertaking a PCI investigation. Unfortunately, as we mentioned in our last episode, the CMA's draft guidance hasn't provided much additional insight on this point yet. Before we wrap up, what enforcement activity have we seen in the EU so far?

Rafa:

Well, I hope we have a lot of time. No, I was just joking. It is true that lots of things are happening in the enforcement front in Europe, in the mainland Europe. The Commission is already making active use of its enforcement powers with five non-compliance investigations into Alphabet, Apple and Meta. The investigations were announced in March shortly after the first compliance reports. And the Commission is investigating whether Apple is compliant with its user choice obligations in respect of its Safari browser. Google is also subject to a non-compliance investigation into whether Google Search compliance, complies, sorry, with self-preferencing rules, which prohibit gatekeepers from treating their own products and services more favourably.

And the final company under investigation is Meta for its "consent or pay" model, which has been investigated for compliance with personal data usage rules. Meta now offers a subscription based ad free version of Instagram and Facebook in the EU and the Commission has expressed concerns this may not be offering consumers a real alternative if they do not consent. In July, the Commission informed Meta that this preliminary conclusion is that the consent or pay model thus breached the DMA rules because it does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the personalised ads based service and does not allow users to exercise the right to freely consent to the combination of their personal data.

The final two investigations opened in March related to app store services with Google and Apple's offerings being investigated to see whether they comply with the DMA's steering rules, which require gatekeepers to allow app developers to steer consumers to third party offers. In June, the Commission announced that it had informed Apple that its preliminary conclusion is that Apple's app store rules breached the DMA and the Commission found that none of the business terms allow developers to freely steer their customers and, under most of the business terms, Apple only allows steering through links out, which are subject to restrictions by Apple to stop developers from communicating, promoting offers and concluding contracts through their distribution channel of choice. In addition, the fees charged by Apple for the initial acquisition of a new customer by the developer go beyond what is necessary according to the Commission's view.

At the same time, the Commission announced a third non-compliance investigation into Apple: this time in relation to its new contractual requirements for third party app developers and app stores. There is also a fact finding investigation into Amazon store listings. And Apple, Alphabet, Meta, Amazon and Microsoft have also been ordered to retain documents which the Commission might use to assess the business' compliance with the DMA. And all this against the background with the European Commission and national competition authorities enforcing abuse of dominance rules against gatekeepers for behaviour covered by the DMA and with potential private enforcement starting shortly. So lots of things going on.

Fiona:

Thanks, Rafa. As you say, a lot to keep an eye on in the coming months. That's all we have time for today, but thank you so much for joining me to share your insights into the two regimes. Digital companies operate globally, so companies already need to be thinking about how to navigate these two regimes and also be mindful of ongoing work in other jurisdictions such as Australia.

In recent years, the CMA has investigated most of the companies which have been designated as gatekeepers in the EU so that's likely to be a good indication of the firms which will be designated under the DMCC. For now, the CMA's Digital Markets Unit has indicated that it expects to start three to four SMS investigations in the first year of the new regime. And it will be interesting to see the extent to which the UK's tailored codes of conduct add additional obligations to the ones which these companies have already been grappling with under the DMA. If you're interested in reading about this in more detail then we have a briefing available on our website.

As we mentioned at the end of the last episode on the DMCC, there's also going to be a lot to keep up with in the UK in the coming months. And since we last spoke, the CMA has released a raft of further guidance for consultation, including the guidance on its new consumer law enforcement powers, Competition Act 1998 investigations and six pieces of merger control guidance. We're still welcoming questions and topic suggestions from listeners as well, so do please get in touch. For now, to ensure you don't miss out on any future episodes, subscribe to Ashurst Legal Outlook now on Apple Podcasts, Spotify or your favourite podcast platform. And while you're there, please feel free to keep the conversation going and leave us a rating or a review. Until next time, thanks for listening and goodbye for now.