European Commission Also Fires Up The Digital Markets Act

Having just opened multiple investigations under the new Digital Services Act, the European Commission has also announced investigations under its new Digital Markets Act (DMA). These investigations would also benefit UK businesses providing services to EU/EEA residents. This post is for information purposes. If you need advice, please let me know.

As previously explained in more detail, the DMA aims to control unfair practices of very large digital platform operators (“gatekeepers”) when providing services that other businesses use to reach their customers online. These gatekeepers effectively act as private rule-makers, and are able to create ‘bottlenecks’ and ‘choke points’ that limit access, unfairly exploit data for their own purposes and/or impose unfair conditions on participants. The DMA operates outside the scope of existing EU competition controls. Member state’s regulators cannot go further than the DMA restrictions, which must be applied consistently throughout the EU. Gatekeepers can be fined up to 20% of worldwide revenue for breaches. The DMA applied from May 2023 and any firm designated as a gatekeeper then has six months to comply with the various requirements. 

Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft were designated as gatekeepers in September 2023, giving them until 7 March 2024 to comply. The European Commission believes they do not. Specifically, the Commission alleges that: 

• the 'steering rules' in Google Play violate Article 5(4) (gatekeepers must allow business users, free of charge, to make offers to and contract with end users acquired either via its core platform service or through other channels, regardless of whether they use the core platform services of the gatekeeper for either purpose);

• the self-preferencing on Google Search violates Article 6(5) (gatekeepers must not treat more favourably (in ranking and related indexing and crawling), services and products offered by the gatekeeper itself in preference to similar services or products of a third party, and must apply transparent, fair and non-discriminatory conditions to such rankings);

• the steering rules in the Apple App Store violate Article 5(4);

• the choice screen for Safari violates Article 6(3) (gatekeepers must allow and technically enable end users to easily un-install any apps on the gatekeeper's operating system (except apps essential for the functioning of that operating system or the device which cannot technically be offered on a standalone basis by third parties). Gatekeepers must also allow and technically enable end users to easily change default settings on the operating system, virtual assistant and web browser of the gatekeeper that direct or steer end users to products or services provided by the gatekeeper); and

• Meta's "pay or consent model" violates Article 5(2) (using personal data gathered by third party businesses from their customer's using the browser, without valid consent under GDPR, in addition to other direct GDPR complaints about that type of model). 

Within the next 12 months, the Commission will inform these gatekeepers of its preliminary findings and proposed orders to fix any issues.

In addition, the Commission:

• is seeking information on Apple's fees for alternative app stores and Amazon's marketplace ranking practices;
• issued document retention orders to Alphabet, Amazon, Apple, Microsoft and Meta to help it monitor their compliance with the DMA; and 
• granted Meta an extension of six months to ensure Facebook Messenger complies with the interoperability requirement in Article 7 (there's a long list of those!).

These investigations would also benefit UK businesses providing services to EU/EEA residents. 

This post is for information purposes. If you need advice, please let me know.

Legal Adventures in the Fediverse

Joining the fediverse has jolted my legal brain into gear over some esoteric questions (listed below). These largely turn on the fact that, unlike in Web 2.0 offerings, such as Blogger or Twitter, there is no central service provider hosting/operating the service on its own servers. In the fediverse, separate sites (or 'instances') can interoperate because they are running the same standardised, open software (e.g. Mastodon) which itself relies on the same standardised, open protocol (Activity Pub, in the case of Mastodon):

Mastodon websites are operated by different people or organizations completely independently. Mastodon does not implement any monetization strategies in the software. 

Some server operators choose to offer paid accounts, some server operators are companies who can utilize their existing infrastructure, some server operators rely on crowdfunding from their users via Patreon and similar services, and some server operators are just paying out-of-pocket for a personal server for themselves and maybe some friends. So if you want to support the server hosting your account, check if it offers a way to donate. 

Mastodon development is likewise crowdfunded via Patreon and via OpenCollective. No venture capital is involved.

Perhaps this is no different to independent website owners building their own websites using a standardised website template provider (e.g. Wix), but the interoperability does seem a significant additional factor to consider. That's like email, which again could be provided by a centralised email service provider (e.g. Microsoft's hotmail) or your employer. Equally, the fact that each site or 'instance' could be self-hosted is similar to websites and email, yet most users choose their site to be hosted with the operator of a server or instance that hosts many sites (e.g. mastodon.world or mastodon.social). Some instances are open to anyone, while others are targeted at, say, residents of Glasgow. 

I think this just involves a sense-check against the regulatory regime of where the relevant fediverse instance and any users that it actively solicits are based. Here's a flavour of some of the issues:

• How does a user proceed if the developer of the relevant communication software somehow fails to ensure the software runs as promised in the documentation?

• Who is responsible for the integrity of the protocol on which the software is based?

• Do fediverse instances based in the EU with UK resident users but no offices, branches or other establishments in the UK need to appoint a UK representative under UK GDPR (and vice versa!)?

• Is each 'instance' in the fediverse ready for the EU's Digital Services Act (exemptions for micro/small enterprises will help)?

• If each 'instance' in the fediverse can be an Intermediary service, online platform or e-commerce platform under the Digital Services Act (see prior post), then they could grow to be 'gatekeepers' under the EU Digital Markets Act.

• How are fediverse instances treated for the purposes of  'reverse solicitation' analysis - i.e. whether you are treated as doing business in another jurisdiction where users are based, as opposed to where the instance is based?

If you need assistance with any of these issues, please let me know.