While the recently introduced Digital Markets Act rules might change prior to final approval, there is a lot to consider already. What are these rules based on? Cristina Caffarra and Fiona Scott Morton map the list of proposed obligations to the past and current antitrust cases.

The European Commission has finally issued the proposed Digital Markets Act (DMA), its bid to complement antitrust intervention in digital markets with ex-ante regulation—a set of obligations that large platforms identified as “gatekeepers” should abide by. Having severed its links with Europe, the UK simultaneously laid out its own distinct approach to regulating digital markets, now taking real shape after the statement of intentions in the 2019 Furman report

All of this is happening, extraordinarily, while five major complaints have been filed in the US against Google and Facebook by the federal agencies and the State Attorney General. China has opened a major investigation of e-commerce giant Alibaba as well.

While the final form of the EU’s DMA rules will change—possibly substantially—before final approval, there is a lot to consider already. First, let’s say what this isn’t: Americans in particular may expect it to be something akin to common carrier or public utility-style regulation. Not so: the regime is not so much designed to regulate infrastructure monopolies, but rather to create competition as well as to redistribute some rents. 

Second, the current definition of “gatekeeper” is not nuanced, and so we expect it will be updated and improved in the review process. 

Third, the list of obligations outlined in the DMA seems to be a catalog derived from past and current antitrust cases involving the usual set of Big Tech platforms, where the particular remedy has been generalized to apply to all gatekeepers, but without an explanation as to how and why that would work. Translating these dicta into actionable rules that people and companies can understand likely will require clearer organizing principles around business models.

Fourth, while “data” is mentioned multiple times in the Obligations section, it is unclear that the rules do enough to recognize the direct consumer harm that flows from the exploitation of data and the extraction and appropriation of consumer value, amplified by privacy concerns. 

Lastly, while we understand there are legal reasons why the DMA could not include merger reform, the effective regulation of digital platforms requires powering up this essential tool. As the UK is folding its merger control into their digital markets regime, and the US has made the undoing of bad mergers into a cornerstone of its antitrust cases against Facebook and Google, there appears to be a significant lacuna in the EC digital regime that needs to be addressed. 

For Americans: What This Isn’t 

The US’s “big awakening” on the use of antitrust to deal with digital markets (Google and Facebook in particular) is much welcome and overdue. To Europeans, the recent federal and state complaints have looked like an extraordinary giant iceberg breaking free and finally on the move—with a much broader scope and bolder agenda than anything Europe had set out to do. While Europe has pursued good cases, zooming in on a particular market and conduct (Google Shopping, Android), nothing has been quite as far-reaching in ambition. “You cannot buy your way out of competition” is the big underlying theme of the US complaints—a theme that has broad reach, encompassing exclusivity agreements, special deals with rivals to keep them out of a market, and multiple acquisitions to buy out threats. 

Because experimentation with different approaches will matter, industry participants and policymakers in the US will benefit from observing the European regulatory experiment unfold. It is important for Americans to appreciate that the DMA is not a step toward breakups (in classic European fashion, these are briefly mentioned only as a last resort for repeat offenders), nor a common carrier/public utility-style regulation. While some of the DMA rules might also feature in a common carrier approach (no discrimination, no self-preferencing, access rights), the main animating principle is not so much to control the power of a monopoly infrastructure—e.g., setting access terms, but much more to prohibit or discourage conduct that has either the intent or effect of preventing entry of a rival (or raising its cost) where entry would otherwise be possible. A second purpose is to enforce fairness, a strong pillar of the European ordoliberal tradition, by prohibiting conduct that exploits and weakens counterparties that depend on the platform. Removing obstacles to entry, and fairness in the relationship with dependents, are the two goals of the law. Its method is “pro-competitive regulations” that seek to tame market power by enabling new competitors, rather than choosing price or quality levels. (The Stigler Report recommended just this approach.)

“While we understand there are legal reasons why the DMA could not include merger reform, the effective regulation of digital platforms requires powering up this essential tool.”

The EC Approach: Needs a Translation Key, and Some Organizing Principles

The DMA envisages a two-step process in which the “provider of a core platform service” first self-designates as a “gatekeeper,” and then adheres to a list of obligations that apply to all gatekeepers. 

The criteria for the designation of a gatekeeper are quantitative: annual EEA turnover above EUR 6.5 billion in the last three years, average market capitalization or equivalent fair market value above EUR 65 billion in the last year, active in at least three Member States; over 45 million monthly active end users in the Union and over 10 000 yearly active business users in the last year. Back-of-envelope calculations suggest that these criteria will capture not only (obviously) the core businesses of the largest players (GAFAM), but perhaps also a few others: Oracle and SAP for instance would appear to meet the thresholds, as would AWS and Microsoft Azure. Conversely, Twitter, Airbnb, Bing, Linkedin, Xbox Netflix, Zoom, and Expedia do not appear to meet the thresholds at present, and Booking.com, Spotify, Uber, Bytedance/TikTok, Salesforce, Google Cloud, and IBM Cloud appear to meet some but not others at this point.

For those that do not meet the quantitative criteria, there is a long-winded alternative method of designation via a “market investigation,” a new tool which, however, will require time to get going and to run, and may not survive the review process in its current form. The designation of gatekeepers mainly through quantitative rules is clearly intended to leave no room for the imagination: it will curb shenanigans by companies trying to argue against all common sense, and speed up the process of designation. On the other hand, a more principled approach will be needed for platforms that fall below the hard thresholds but may still be capable of conduct the law wishes to proscribe.

There are then two sets of “obligations” laid out for gatekeepers: a shorter list of obligations that apply without qualification, and a longer list of obligations “susceptible of being further specified,” the latter more tentative and “for discussion” the former a definitive list of proscribed conducts—i.e., “thou shall not.”

Identifying conducts that are not acceptable in general is important and right, but these lists are a curious game of charades. With experience and familiarity with past, current, and pipeline EC antitrust cases, one can just about assign each entry to a particular company and its issue. We attempt to do this in the table below. But this mapping is not obvious, because the writers have generalized each case away from its specific setting in order to apply a rule across the board. And then, when the mapping is finished, it is clear that some rules really are specific to one—or perhaps two—platforms, but unclear how they might or should apply to others, both within and outside the traditional GAFAM list. So how can these lists be made operational? Some organizing principles around business models would have been more useful, even if one does not want to get too “close and personal” and name individual companies. A fixed set of rules—covering all kinds of business models—applying to any platform that is designated a gatekeeper is the contrary of “flexible.” What is more, the separation between the designation of a gatekeeper first, and the application of the obligation second, is artificial because it is through the evaluation of conduct and its impact that an agency would identify a gatekeeper and understand what particular rules would ameliorate the problems that have been identified. As discussed further below, the UK seems to be taking this combined approach. 

The Gatekeeper Role Cannot be Independent of Business Models

Intuitively, one thinks of a gatekeeper as an intermediary who essentially controls access to critical constituencies on either side of a platform that cannot be reached otherwise, and as a result can engage in conduct and impose rules that counterparties cannot avoid. Susan Athey proposes((Susan Athey, Platform Markets – Business Models & Gatekeepers, November 2020 presentation.)) a similar definition: “A platform acts as a gatekeeper when it aggregates a meaningfully large group of participants that are not reachable elsewhere.”

The need to recognize business models explicitly in designing rules for tech is now well established. The DMA makes only a fleeting reference to business models (four times in the whole document, and to no particular purpose), but in practice, there are big differences in economic properties and incentives across these business models. Compare three rough groups—e.g., ad-funded digital platforms (Google, Facebook, Bing, Pinterest, Twitter, Snapchat), transaction or matchmaking platforms that are marketplaces and exchanges (Uber, Airbnb, Amazon, DoubleClick), and OS ecosystem platforms like operating systems and app stores (iOS, Appstore, Android, Google Play Store, Microsoft Windows, AWS, Microsoft Azure, etc.). These business models differ in systematic ways in terms of (a) the type of economies of scale they rely on (data scale, R&D costs), (b) the type and direction of network effects (direct/indirect, one/both directions), (c) the potential for multihoming (on one or both sides), and (as emphasized by Athey) (d) the potential for disintermediation, either by someone else “introducing a different layer” intermediating two sides of the platform (e.g., end-users and business users), or finding a way for two sides to connect to each other directly.

What the “business models” approach makes clear is that it is difficult to formulate rules that are model-independent and work across the piece. Imagining that despite the different incentives created by the different functions of these platforms, uniform rules will work seems optimistic. One possibility is to condition the analysis more explicitly on business models to begin with, while also recognizing that firms’ business models evolve and shift over time. Indeed, competitors in the same space can operate under different models (and increasingly do) because business model innovation is a key form of competition. By interpreting such rules according to high-level principles (e.g., fairness, transparency, low barriers to entry) the regulation would lessen uniformity to some degree while increasing effectiveness. A slight pivot of this form would increase flexibility, improve clarity, and make rules more future-proof. 

Translating the Obligations

In the table below we reproduce the list and try to annotate it (not without some ambiguity) to map how we think the Obligations may have arisen (with a couple of exceptions) from particular platform issues based on publicly-known cases and complaints: some rules appear to have an “Apple” label on them, others a “Google” label, others an “Amazon” label. Only a few appear relevant to more than one platform.  

Obligations for gatekeepers, DMA Art. 5 Who
(a)  refrain from combining personal data sourced from these core platform services with personal data from any other services offered by the gatekeeper or with personal data from third-party services, and from signing in end users to other services of the gatekeeper in order to combine personal data Facebook, Google
(b) allow business users to offer the same products or services to end users through third party online intermediation services at prices or conditions that are different from those offered through the online intermediation services of the gatekeeper Amazon, OTAs
(c) allow business users to promote offers to end users acquired via the core platform service, and to conclude contracts with these end users regardless of whether for that purpose they use the core platform services of the gatekeeper or not, and allow end users to access and use, through the core platform services of the gatekeeper, content, subscriptions, features or other items by using the software application of a business user, where these items have been acquired by the end users from the relevant business user without using the core platform services of the gatekeeper; Apple
(d) refrain from preventing or restricting business users from raising issues with any relevant public authority relating to any practice of gatekeepers Standard
(e) refrain from requiring business users to use, offer or interoperate with an identification service of the gatekeeper in the context of services offered by the business users using the core platform services of that gatekeeper; Facebook,
(f) refrain from requiring business users or end users to subscribe to or register with any other core platform services identified pursuant to Article 3 or which meets the thresholds in Article 3(2)(b) as a condition to access, sign up or register to any of their core platform services identified pursuant to that Article; Facebook,
(g) provide advertisers and publishers to which it supplies advertising services, upon their request, with information concerning the price paid by the advertiser and publisher, as well as the amount or remuneration paid to the publisher, for the publishing of a given ad and for each of the relevant advertising services provided by the gatekeeper. Facebook,
Obligations for gatekeepers susceptible of being further specified, DMA Art 6 Who
(a) refrain from using, in competition with business users, any data not publicly available, which is generated through activities by those business users, including by the end users of these business users, of its core platform services or provided by those business users of its core platform services or by the end users of these business users; Amazon, Google?
(b) allow end users to un-install any pre-installed software applications on its core platform service without prejudice to the possibility for a gatekeeper to restrict such un-installation in relation to software applications that are essential for the functioning of the operating system or of the device and which cannot technically be offered on a standalone basis by third-parties Google, Apple, Microsoft?
(c) allow the installation and effective use of third party software applications or software application stores using, or interoperating with, operating systems of that gatekeeper and allow these software applications or software application stores to be accessed by means other than the core platform services of that gatekeeper. The gatekeeper shall not be prevented from taking proportionate measures to ensure that third party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper; Apple,  Google
(d) refrain from treating more favorably in ranking services and products offered by the gatekeeper itself or by any third party belonging to the same undertaking compared to similar services or products of third party and apply fair and nondiscriminatory conditions to such ranking; Google, Amazon, Apple
(e) refrain from technically restricting the ability of end users to switch between and subscribe to different software applications and services to be accessed using the operating system of the gatekeeper, Apple
(f) allow business users and providers of ancillary services access to and interoperability with the same operating system, hardware or software features that are available or used in the provision by the gatekeeper of any ancillary services; Google, Facebook, Apple
(g) provide advertisers and publishers, upon their request and free of charge, with access to the performance measuring tools of the gatekeeper and the information necessary for advertisers and publishers to carry out their own independent verification of the ad inventory; Google, Facebook
(h) provide effective portability of data generated through the activity of a business user or end user and shall, in particular, provide tools for end users to facilitate the exercise of data portability, in line with Regulation EU 2016/679, including by the provision of continuous and real-time access; General – data portability is by now a non-specific policy objective
(i) provide business users, or third parties authorized by a business user, free of charge, with effective, high-quality, continuous and real-time access and use of aggregated or non-aggregated data, that is provided for or generated in the context of the use of the relevant core platform services by those business users and the end users engaging with the products or services provided by those business users; General – data access / interoperability is a broad policy objective
(j) provide to any third party providers of online search engines, upon their request, with access on fair, reasonable and non-discriminatory terms to ranking, query, click and view data in relation to free and paid search generated by end users on online search engines of the gatekeeper, subject to anonymization for the query, click and view data that constitutes personal data; Google
(k) apply fair and non-discriminatory general conditions of access for business users to its software application store Apple, Google

So we can map these rules into cases, just about. But what are the generalizable principles? The narrative explanation in paragraphs 32-57 of the draft law devotes a paragraph to each obligation, but each is just a slightly expanded version of the same list we show above.

In our view, the list of “Obligations” set out in the DMA is too much of a reproduction of past issues rather than a clear statement of clear organizing principles. Much clarity would be gained by some organization around business models, which would also clarify which platforms/businesses are “in scope” for which behavior.

Some companies will be able to recognize themselves, but what about others who will need to second guess as to how the rule may possibly translate into their case? And how future-proof are rules enunciated in a way that seems to be very backward-looking? What will happen when technology and business models change?

The UK Approach: Business Models in Action

The UK regulation is expected to work somewhat differently. The Competition and Markets Authority (CMA) published its proposal to government a week before the DMA, with a recommendation to establish the long-awaited Digital Markets Unit (DMU) and for this to implement a new regulatory regime for “the most powerful digital firms”—the “Strategic Market Status (SMS) regime.”  

The entry point to the SMS regime is an assessment of whether a firm has strategic market status. Unlike the DMA, there are however no explicit quantitative thresholds and criteria to be met (although some((For example, when a firm “has achieved very significant size or scale”, “is an important access point to customers”, “can use the activity to extend market power from one activity into a range of other activities”, “can use the activity to determine the rules of the game| or “may have broader social or cultural importance” (para. 4.20).)) may come later). The essence is market power, but not any market power: in “certain circumstances, the effects of a firm’s market power in an activity can be particularly widespread or significant.” The process of designation is described as an “evidence-based economic assessment as to whether a firm has a substantial entrenched market power in at least one digital activity, providing the firm with a strategic position (meaning the effects of its market power are likely to be particularly widespread and/or significant).”

“The ability to leverage the ‘data firehose’ is a concern if it allows the gatekeeper to behave as a discriminating (data) monopolist: this can extract consumers’ surplus and leave consumers worse off.”

What About Direct Data Exploitation?

While data issues are mentioned multiple times in the Obligations, we worry about whether there is enough leeway here to really develop and pursue concerns that are well-founded economically, but not traditional, or if the law will embrace harms that are created by the exploitative use of data. Obligation (a) under Art. 5 does proscribe the mingling of user data from different services. And Obligation (a) under Art. 6 appears to have been formulated directly with the Amazon Marketplace investigation in mind, and concerns about use of seller data. But how do these generalize? And how do we account for privacy concerns, that are intimately connected with market power issues and amplify them?

We know that changes in the way data is shared, paired with other data, and used can become a quality-adjusted price increase to consumers for the use of “free” services. And unknown privacy characteristics (like not knowing how data given five years ago may be used today) are analogous to “hidden prices” in behavioral economics. Data based on a consumer’s browsing history and app use can be used to predict personal characteristics many users would strongly prefer to remain private, and yet can be monetized very attractively in applications like medical services, insurance services, financial services and employment decisions. And the ability to leverage the “data firehose” is a concern if it allows the gatekeeper to behave as a discriminating (data) monopolist: this can extract consumers’ surplus and leave consumers worse off.((See the discussion in Bourreau, M., et al., Google/Fitbit will monetize data and harm consumers”, CEPR Policy Insight September 2020.))

We hope more weight will be given to these concerns in the future, though it is not clear to us that the current draft of the DMA recognizes these important dimensions of direct consumer harm in a general enough way. 

Merger Control as Orphan

The third pillar of the UK regime is the establishment of specific “SMS merger rules” to tighten merger control for this group. The motivation is a great cry for action to address “historic underenforcement against digital mergers in the UK and around the world” and the fact that strategic acquisitions have been part of the business model and contributed to create market power that has then become entrenched (para 4.121-124). In making merger control an explicit part of its new digital regime, the CMA recognizes that all acquisitions by SMS firms need to be scrutinized with care; and not under the usual standard, which is applied to any merger, but with “a lower and more cautious standard of proof.” That is, the substantive test does not change (it is still a “substantial lessening of competition”), but the level of certainty the CMA will be required to have around that is lowered from a “balance of probabilities” test to a “realistic prospect” test. No agency can have all the facts at the time, and there is a big band of uncertainty. But “uncertainty should not be an excuse for inaction.”((As stated by Mike Walker, CMA Chief Economist, at the CRA Roundtable event of 17 December 2020 on The European Digital Regulation Experiment”.))

And in the US, the recent complaints at the federal and state level have essentially underscored that either enforcers must be much stricter in the mergers they block, or be clear with industry participants that they face a risk that a few years down the road there may be a need to review and undo those mergers that turned out to be harmful.

In contrast, there is nothing in the DMA on merger control. We understand this is because there is no legal basis for the DMA to alter the EC Merger Regulation. But this leaves a big lacuna in the rules. Art. 31 in the DMA draft just mentions an obligation of gatekeepers to “inform” the EC of any planned deals, but nothing flows from there. Without changes to the merger regime, the EC digital regulation package will remain incomplete (and risk the repeat of decisions like Google/Fitbit). While Member States (and the UK) will be able to enforce vigorously in this space, the EC will be hobbled in its ability to protect dynamic competition and innovation through this critical tool, and digital mergers will continue to be allowed based on a standard of proof, which is simply unfit for purpose. By comparison with other jurisdictions, legal caution about having to demonstrate loss of competition to the usual standard “in Luxembourg” is likely to cripple the initiative that should flow from the impetus behind the DMA. The EC may state publicly that potential competition concerns are nothing new, but the reality is it has not enforced against killer acquisitions or acquisition of nascent competitors at anything like the rate of the CMA. The adoption of the DMA (and the DSA) respond to a call for regulators to serve citizens and consumers better. Without explicit changes to merger rules, history is likely to repeat itself and hold back competition in this sector. 

Editor’s note: A longer version of this piece was previously published by VoxEu. 

Disclosure: Fiona Scott Morton engages in antitrust consulting for a variety of corporations and governments; current and recent corporate clients include Amazon, Apple, Sanofi, Pfizer.

Cristina Caffarra is a Senior Consultant to Charles River Associates in Europe and has been an advisor on antitrust matters to both companies and government agencies both for and against tech platforms. Current or recent clients include Apple, Amazon, Microsoft, Uber, and others.