Online platforms transcend borders, as do regulations and fines. If your US company has EU operations or users, you may be impacted by trends in the European regulatory landscape.

Companies should remember that the penalty for non-compliance with certain EU regulations is calculated as a percentage of global revenue.

The European Commission issued an update as it relates to Europe’s Digital Decade effort on July 4, 2023. Driven by the desire to establish a level ecosystem in the EU that creates innovation, growth, and competitiveness, the EU’s Digital Markets Act (DMA) sets out obligations for those designated as ‘gatekeepers’ with the aim of creating fairer competition for digital businesses, generating increased innovation, and providing consumer protection within the EU. 

The European Commission announced that seven organizations notified the Commission that they meet the gatekeeper thresholds¹ defined in the DMA. The next step in the DMA journey is for the Commission to confirm the submissions and designate the gatekeepers, which they expect to do by September 6, 2023. From there, gatekeepers will have six months to comply with DMA obligations or they could face fines for non-compliance of up to 10% of the company’s total worldwide annual turnover, or up to 20% in the event of repeated infringements². 

Some of the DMA obligations for gatekeepers include, but are not limited to, the following:

• Data Use: Don’t use personal data generated by business users (or their end users) on your platform without appropriate justification, including end-user consent.
• Business Practices: Allow business users to promote their goods/services and finalize contracts with their customers outside the gatekeeper’s platform.
• Information Access: Grant advertisers and publishers access to information free of charge to allow for objective verification of their advertisements hosted by the gatekeeper.
• Terms and Conditions: Provide fair, reasonable, and non-discriminatory terms for business users, avoiding self-preferencing. 
• Self-preferencing: Refrain from self-preferencing and taking advantage of the information gatekeepers have; use objective and unbiased guidelines when ranking, crawling (i.e., a process through which new and updated content is found); and indexing internet content.
• Consumer Choice: Allow end users to un-install pre-installed software (except where these are essential, such as for running of an operating system) and to use third-party app stores.
• Interoperability: Create interoperability between gatekeepers and smaller messaging platforms, allowing users to exchange messages, send files, or make video calls across apps.

We have some thoughts on what this may mean for those that are gatekeepers:

• Understand your Current State: Determine the impact to the business and your strategy, assess the state of your program, understand your readiness for the new obligations, and define what it will take to meet the requirements. Evaluate and address. 
• Redesign your Ecosystem Effectively: Interoperability is a big change. Significant system, functionality, and process redesign is required across companies’ ecosystems. Work cross-functionally to understand the changes that are needed across your ecosystem, reconfigure, and work with teams—including security—to stress test and determine whether you can create an environment that is interoperable and doesn’t create undue risk. Restructure and stress test.
• Leverage Existing Knowledge and Look for Efficiency Gains: Organizations have privacy practices in place to respond to privacy regulations with information on data usage. Understand these processes and determine how data is currently used and combined and the changes that may be needed to comply with the DMA data usage and access requirements. Work with privacy, security, and engineering to adjust data pipelines and structures. Update and redesign.
• Establish Compliance Processes and Responsibilities: There are several compliance-related requirements in the DMA, including providing compliance reports to the EU Commission on a regular basis, building a compliance function, and conducting an objective audit that provides a description of techniques used for profiling consumers that the gatekeeper will apply across its platform services. It is important to determine what is needed to address risks and compliance to implement a broad program. Additionally, understand existing compliance practices within your organization, leverage what is applicable, and build integrated processes to meet these requirements while reducing business impact. Integrate and build.