As EU tech regulators embark on a new policy cycle, their minds—and the lobby agenda—seem to be entirely focused on enforcing the raft of laws implemented in the previous mandate. First and foremost among these is the Digital Markets Act, hailed as the EU’s biggest attempt to rein in Big Tech’s power. While the Act’s narrative is more grandiose than its actual content, so far the EU has shown willingness to make the fullest use of its new tool.
How Did We Get Here?
Agreed in record time in 2022, the Digital Markets Act (DMA) is the EU’s attempt at limiting Big Tech’s ability to use their power to abuse smaller competitors, dependent business users and, in some cases, end users.
The DMA laid out a set of do’s and don’ts that apply immediately to all companies that are designated as ‘gatekeepers.’ In this context, a gatekeeper is a company that is economically dominant and holds an intermediation role between business user and end user. Think for instance of Apple’s control over its App Store, which connects app developers with iPhone users. This control has allowed Apple to impose a 30% fee on app developers for every purchase made within the App Store or through in-app payments.
The new rules sought to open up Big Tech’s grip by mandating that gatekeepers open up some of their services such as app stores and messaging, introduce transparency over advertising, stop favoring their own products, and not use business users’ data to compete against them.
In an important win for users, the new rules also demanded that Big Tech firms seek user consent before using data collected from one service (e.g., Google Search) for another (e.g., YouTube) for advertising.
Perhaps most importantly, the DMA created the mechanisms for the EU Commission to investigate companies’ practices and oversee implementation, including by getting access to data and algorithms. Systematic non-compliance carries hefty punishments and, in extreme situations, structural solutions.
Big Tech Prepared for the Fight
Big Tech firms have lobbied hard against the DMA. See, for instance, Google’s strategy to push back against Commissioner Breton for his alleged support of break-ups and Apple’s lobbying to introduce safety exceptions to the rules demanding it open up its App Store. Both were partially successful in these specific cases but couldn’t stop the bill from going ahead.
So, they prepared for conflict: by hiring huge legal teams and increasing their lobbying presence in the EU. By contrast, the DMA unit responsible for policing them has limited resources with about 80 people on staff.
One Year On, What Has Happened?
The DMA rules came into effect in May 2023. Since then, there have been a series of milestones with respect to its enforcement.
By September, the EU Commission announced it had found that Alphabet, Amazon, Apple, ByteDance (TikTok), Meta, and Microsoft acted as gatekeepers with respect to a total of 22 services, including search, advertising, marketplaces, app stores, and messaging.
Within six months, all designated gatekeepers had to respond to the Commission on how they intended to comply with the new measures and provide a detailed report on their user profiling techniques. A redacted version of these reports was made public.
Two weeks later, the gatekeepers were asked to defend their compliance measures in a series of public workshops attended by competitors, user associations, and civil society organizations. At the same time, the Commission opened non-compliance investigations into Alphabet, Meta, and Apple, and started new investigatory steps on Amazon. In May 2024, the Commission further designated the European hotel platform, Booking, as a gatekeeper and opened an investigation into X.
Regular observers of EU policy will notice that, for the usually slow and bureaucratic EU, this has been breakneck speed. Compare it, for instance, to the decade spent investigating Google’s dominance or that, six years on, Meta still doesn’t comply with data protection rules.
In part that is explained by the DMA setup itself, which by virtue of being a targeted ex-ante system that lays out what companies can and cannot do, removes many of the strategies used by the firms to skirt compliance with regulation. But there is also a clear political will in the EU Commission to show that the DMA is not a paper tiger and that the EU is a leader in regulating Big Tech firms.
Yet, the going has been far from smooth. Many have pointed out glaring omissions, including those of cloud services (a market dominated by Microsoft, Amazon, and Alphabet); email providers such as Gmail and Outlook; and virtual assistants from the list of core platform services.
Big Tech Takes Up the Fight
Not all companies have taken the gatekeeper designation lying down. ByteDance, owner of the incredibly popular TikTok, took to the courts to challenge its designation, and especially oppose having to disclose the profiling techniques it uses on its users. Meta and Apple, in turn, challenged the inclusion of specific services. All of these cases are ongoing. However, an interesting characteristic of the DMA is that legal challenges do not postpone the implementation of the rules.
Another challenge came as the compliance deadlines approached. As Cory Doctorow succinctly puts it, Big Tech’s message to the EU then was: “drop dead.” Apple has been notorious here, seemingly taunting DMA enforcers with its plans to open up the app store, thus allowing app developers to escape its 30% fee by imposing a new tax of 50 cents per installation for any app that gets more than 1 million downloads. Not only would third-party app stores have to pay Apple 50 cents per user per year, but on top of it, Apple has introduced technical barriers that would make it hard for users to start using alternative app stores.
To justify all of this, Apple built on its successful lobbying agenda which equated openness with lack of safety. Apple’s public DMA compliance report, for instance, starts with two paragraphs framing the opening up of its closed system as carrying “greater risks to users and developers” which now Apple wouldn’t be able to detect and prevent. From its logic, the new fees and technical barriers are simply new protections.
Despite Apple’s paternalist discourse, developers don’t seem to be buying it and have called the company’s plans “abusive.” Apple’s new fees can quickly add up; in fact, even Meta CEO and founder Mark Zuckerberg said that they were so “onerous” that he doubted any app developer would make use of the new options.
While the company argued that it technically opened up its systems, it has made it so difficult for users to ever choose other options and so expensive for developers to use competitors, that the system is still effectively closed.
Speaking of Meta, the parent company of Facebook, Instagram, Messenger, Marketplace, and WhatsApp, it announced that in order to comply with the DMA it would offer a Pay or Consent model. This way, the company argued, EU-based users who did not want their personal data to be used for surveillance advertising across Meta’s services would be able to opt out. But they would have to pay a subscription fee instead. On the other hand, users who consent to the surveillance advertising would still access the services for “free.”
Unsurprisingly, digital rights groups were quick to file complaints and the European Data Protection body quickly announced that such a binary approach violates EU rules. Perhaps even more interestingly, consumer rights bodies, including BEUC, found that regardless of whether users consented or paid, Meta still did not respect their data rights.
While some have pointed out the lawsuits and Big Tech’s poor compliance as proof that the DMA does not work, most agree that this was to be expected. Big Tech companies were always going to put up a fight.
So far, the regulator has been up to the challenge. Quickly after the compliance plans were made public, the Commission announced it was opening non-compliance investigations against Apple, Meta, and Alphabet. At the same time, it announced it was taking investigatory steps to gather information on Amazon’s compliance.
Just this week, Apple became the first company to be charged by the European Commission for non-compliance with the DMA. These are still just preliminary findings but if the Commission confirms its findings, by March 2025 Apple could be charged up to 10% of its worldwide revenue, about EUR 35.7 billion.
This starts a new step in DMA enforcement. The EU has shown it wants to make the best use of its new tool and it is not afraid to show its teeth. But there is no way around it—the DMA will require immense resources to deal with the ongoing engagement with gatekeepers and users, monitoring compliance and accessing information, developing technical expertise, and facing court cases.
Civil society organizations, academics, businesses, and end users can and must contribute to the implementation by—as much as possible—gathering evidence and making the case publicly of non-compliance. Public legitimacy of enforcement will be crucial to keep up the pressure on the firms.
Reining in Big Tech Will Require More than the DMA
The DMA is an important step forward, but it will not rein in Big Tech.
Consider how the EU’s approach to Amazon’s power compares to that of the US Federal Trade Commission (FTC). After years of investigating and preliminary findings that the company was abusing its power towards the sellers on its platform, the EU DG Competition accepted Amazon’s settlement to end the investigation under the promise that the company would tweak its practices. In March 2024, just 13 months after, the Commission’s DMA unit announced it was again investigating Amazon’s abuses towards sellers.
By comparison, the FTC lodged a wide-ranging lawsuit that captures much of the same practices. But, instead of focusing on behavior, it targets Amazon’s monopoly power directly. The FTC’s approach correctly identifies Amazon’s strategy and dominant position as the root cause behind the abuses and identifies how each abusive practice interacted to entrench Amazon’s power at the expense of sellers, smaller competitors, consumers, and the wider economy.
As we are also witnessing Big Tech’s ongoing takeover of artificial intelligence (AI), we can see some of the gaps in the DMA’s gatekeeper logic. The Act does have the built-in ability to evolve, by adding new products and practices. Yet, we shouldn’t expect that this will be a priority now. Perhaps more importantly, considering Cecilia Rikap’s work, we can see that some of the dynamics deployed by Big Tech to appropriate AI innovation—leveraging access to its cloud, using venture capital to direct innovation and access knowledge, capturing AI talent, and steering academia—will not fit within the DMA’s gatekeeper framework.
Big Tech’s power is an immense challenge to societies across the world. It will take more than one piece of legislation to fix it. There are positive signs from the EU, which has repeatedly used its core competition tools to do this, by seeking to block Amazon’s takeover of iRobot and its preliminary finding that a break-up of Google’s advertising services was required.
Breaking open Big Tech will require the use of a mix of antitrust tools, including the DMA, but also older tools such as merger reviews, competition investigations, and public utilities laws. At the same time, we will need to invest and support real alternatives to develop a plural and decentralized digital sphere.
As the new EU policy cycle begins, Big Tech and its lobby network will once again cry out that the EU has gone too far. We will have to be the loud voice reminding everyone that there is still a long road ahead.