The workshops: informative, transformative (and performative?)
What a week and what a kickstart for the DMA! We listened to six DMA Compliance workshops, where the designated gatekeepers discussed the changes that they have made to their core platform services, answered questions, and received comments from a wide range of stakeholders. After 5 of them, quasi in a break, the Commission disclosed that it opened proceedings for non-compliance against Apple, Alphabet and Meta. Here are our observations from a week – that was not for the weak. One thing that became clear, fulfilling the condition of effective compliance is complicated. As there is much to cover, this blog will be a long one. So feel free to take a seat as we review this week’s highlights.
- For those on the road: Jasper van den Boom was a guest in the competition podcast “Bei Anruf Wettbewerb”, hosted by professors Justus Haucap & Rupprecht Podszun. (The podcast is available on your favourite podcast platforms, e.g. on non-gatekeeper Spotify.) Jasper answered their questions (in English) on the DMA compliance reports and the first DMA workshop. You can listen to this part of the podcast here:
By Jasper van den Boom
The workshops, ranging from a full day to half day depending on the number of designated core platform services and relevant provisions, allowed the spokespersons of the gatekeepers to expand on their compliance reports. Interested stakeholders – whether online or in person – had the opportunity to ask questions or share their viewpoints. The Commission acted as the moderator for these sessions – the enforcers did not take a stance and did not (as some may have wished for) hand out instant non-compliance decisions. The sphinxlike faces of Commission staff like Alberto Bacchiega or Rita Wezenbeek did not reveal content or discontent.
For many, the workshops were informative, as it allowed insights into the concerns of business users of the platforms, representative organizations, and academics. Critics voiced that the workshops came across as performative. The structure of the workshops and the Q&As did indeed leave room for improvement. Questions asked by the audience were often grouped together, allowing the gatekeeper’s spokespersons ample room to decide where to be extensive in their answers and where better be vague. In its role as moderator, the European Commission now found itself in a difficult information gatekeeper position and, in the words of Alphabet, had to strike a balance between time limits, allowing for as many questions as possible, and in-depth engagement on controversial topics. However, these workshops are transformative. Such an open debate via a public engagement platform on how gatekeepers intend to comply and such direct feedback is a novel development within the EU.
If you do desire more information, or if you have missed one of the workshops, please take a look at our high level summaries of each of the individual workshops. These can be found here.
So, what are some takeaways from the workshops? In our previous blog, we have set out 6 categories of compliance risks that we have identified on the basis of the compliance reports. Now, we had the opportunity to hear the gatekeepers’ side of things. Here are the highlights of each workshop:
Apple – Safety & security
The tone during Apple’s compliance workshop mirrored it’s compliance report. Apple’s representatives spent as much time on explaining how their changes comply with the DMA, as on how they protect their users from the unintended safety risks created by the DMA. Apple has made changes to its designated core platform services App Store, Safari web browser, iOS, as well as to its business terms. For Apple’s famous walled garden, the DMA came in like a wrecking ball, forcing them to tear some of those walls down. Apple has made clear that they will only do so reluctantly. Users will be heavily warned of the perilous path they are embarking when they start to side-load apps from the web, have direct links and third-party payment systems in-app, or horrible dictu from an Apple perspective, switch to third-party app stores.
Apple has however made many changes, allowing for the installation of third-party marketplaces (if approved), non-App Store apps (if notarized), and the use of third party payment mechanisms (if the risks are accepted by users and not alongside its own in-app payment service). Apple reiterated that it will maintain its mission of having an active developer ecosystem, where anyone from a big undertaking to a teenager with a dream can participate. One caveat, if that teenager with a dream wants to build a third-party app store it will have to demonstrate a €1.000.000 line of credit, and under Apple’s CTF policy, they will have to pay €0.50 per download after the first million downloads, even if they do not distribute their apps through Apple’s App Store at all.
It thus seems that Apple favors the innovative efforts of larger undertakings first, at least in first instance. However, Apple does allow developers to choose between its new business terms (subjected to the payment of the CTF fee) or its standard business terms (where everything has to be arranged through Apple’s intermediation services). Of course, if developers choose the new business terms their users will have to click through a range of warning screens that explain to them how they are opening themselves up to defrauding by leaving Apple’s walled garden of Eden.
There are several risks for ineffective (or non-)compliance here, including prohibitive fees, the use of nudges, attempts to justify behaviour by introducing (unnecessary) safeguards. Besides this, many of the changes by Apple will not be effective until late 2024 or 2025, demonstrating the risk of avoiding compliance through delays as well. It should, however, not be understated that there are important trade-offs between openness and safety. Much like Alphabet, Apple has operated from its own vision on how to strike a balance. It is now up to the Commission to assess whether Apple’s safeguards are within the limited security and integrity exception the DMA allows.
Apple got a first answer from the Commission a couple of days after the workshop: Apple got an investigation and questions. According to the Commission’s press release, the Commission is taking a closer look into three areas of Apple’s compliance plan: 1. Apple’s steering rules for the Apple App store, 2. Apple’s compliance with user choice obligations and 3. Apple’s fee structure.
Alphabet – Striking a balance
Alphabet arguably had the most choices to make. In their report, they reference the amount of financial and technical resources required to make the changes to eight core platforms on the basis of a large number of provisions. For just the changes to Google Search, Alphabet noted that 300 engineers, product designers and product managers were involved in a two-year process. For all changes together, this number was estimated as high as 3000 employees from all departments of the company. There was not enough time in the workshop to discuss all relevant provisions, showing the complexity of this exercise.
On multiple instances, Alphabet argued that it had to carefully strike a balance between openness and security or the interests of consumers, vertical search services (VSS) and direct suppliers (where it often conveniently forgot to explain its own interests). In discussing their changes surrounding Article 6(5) DMA, the audience made it clear that striking a balance is, well, highly complex. It seems that Alphabet managed to create a textbook example of an unhappy compromise, where everyone perceived themselves to be worse off, with the exception of Alphabet, actually. In the round of comments, several direct suppliers made it clear that the choice by Alphabet to provide more space for vertical search engines over direct links was unacceptable, VSS providers on the other hand argued that it was unacceptable that direct suppliers now had the ability to show as much information related to pricing and images on the horizontal search page as users can find by accessing the VSS function. This would diminish the added value of VSS and turn Google’s search results page into a quasi-VSS service itself.
In the changes to its search engine, Alphabet has provided more opportunities for VSS and direct suppliers to display their results in a rich format. (Of course, this is subjected to paying a mark-up as Alphabet must be compensated for making these intensive compliance changes!) It has removed a number of functionalities that preferenced its own services, and replaced them in many instances with linking to results subjected to authorization or auction. As rightfully noted by one commentator in the audience, it seems that Alphabet’s changes to its search engine promote competition between third-party VSS operators amongst themselves and with direct suppliers. However, rather than promoting competition with Alphabet, it turns them increasingly into customers. While tensions between VSS and direct suppliers rise, and both sides have to make sacrifices, Alphabet only seems to gain from the changes as it improves its horizontal search page compared to VSS and increasingly intermediates VSS providers. Moreover, between all the choice carousels and sponsored results, one started to wonder if there will be any organic search results left on the horizontal search page.
Much like Apple, Alphabet also made changes to its app marketplace by continuing to make sure that Alphabet continues to charge a number of fees to make sure it gets its fair (?) share. Alphabet’s new fee model includes a number of acquisition and maintenance fees for users that want to promote their apps through link-throughs, rather than having them downloaded in the Play Store. It raises many questions on how attractive direct linking will be, as it seems that with all the fees that apply there is limited upside, and a lot of downside, to introducing direct links. For Alphabet’s compliance, real risks exist in the area of prohibitive costs and ineffective compliance mechanisms. If Alphabet cannot reconcile the interests of its users on its search engine, despite its numerous efforts, feedback moments, and stakeholder workshops, one may have to wonder if divestment will come on the table as an option. Perhaps, the best way to strike a balance as a mediator, is to remove oneself from the equation. But let’s see first what the Commission decides after its non-compliance investigation against Alphabet. According to its press release, the Commission is taking a closer look at Alphabet’s anti-steering rules in relation to the Google Play Store and potential self-preferencing in Google search results.
ByteDance – The new kid
ByteDance – owner of TikTok – could be considered the new kid on the block, both in terms of market entry and as their self-described status as a challenger, rather than a gatekeeper. ByteDance really is a different case from the other gatekeepers:
- It is the only gatekeeper with only one core platform service (for now);
- It is the only gatekeeper where the parent company is incorporated on the sympathetic Cayman Islands, and is the only one to originate from China instead of the United States;
- It is the only gatekeeper that successfully challenges another gatekeeper, namely Meta in social media;
- And it is the only gatekeeper where most enforcers are not active content creators themselves.
To which extent these characteristics influence the decision to designate ByteDance, and future enforcement decisions, remains unclear. However, it seems that most stakeholders are not very concerned with ByteDance’s gatekeeper activities when compared to the likes of Alphabet and Amazon, as demonstrated by a lack of attendance from business users and competitors. Luckily, this left some space in the room for academic participation.
Most of the changes implemented by ByteDance relate to the data provisions, including data portability, new consent flows under Article 5(2) DMA and the changes to their consumer profiling reports. ByteDance argues that, partly as a result of its operation of a single CPS, it is already compliant in most areas. In light of its half day program and the limited questions from the audience, it may be true that most stakeholders are not very worried about ByteDance’s contestability, an observation with which we are inclined to agree.
However, being the challenger does not excuse one from their designation as a gatekeeper, and it is not always clear if ByteDance actually lives up to their obligations. During the workshop, ByteDance was asked multiple questions on the technical safeguards it had introduced in the back-end of data processing, about whether and how it labels its collected data for its obligations under 5(2), what it means for data collection if users choose non-personalized ads, and what happens if consent statuses change. For most of these questions, ByteDance representatives had to excuse themselves due to lack of technical knowledge, noting that they will be open for questions at a later stage.
This raises questions about whether ByteDance is actually compliant where it thinks it is. If their representatives at the DMA workshops cannot answer these questions, one must wonder how well information and training on compliance were actually circulated throughout the company. This is also exemplified by ByteDance’s methods to identify business users as compared to consumers: consumers can turn themselves into business users with the toggle of a switch, one must wonder if that truly reflects the difference between business user and consumer.
ByteDance will likely be back in the spotlight soon enough, as the process to designate its advertising service as a CPS is under way. At the same time, it will challenge the designation of TikTok itself before the European court. Here, it should be monitored how their gatekeeper/challenger status evolves, and what evolutions of their compliance strategies will be required. The established players are able to provide much more detail on their changes. However, one must wonder if having such a running start also ensures compliance, as evidenced by Meta’s choices surrounding their use of data.
Meta – Best in class (or so they thought)
With Meta being designated for five core platform services (the social networks Facebook and Instagram, the WhatsApp Messenger, Meta Marketplace, Meta’s ad services), the workshop covered a wide range of DMA provisions. The focus of attention was, however, clearly on data and ad services provisions as well as WhatsApp’s upcoming interoperability with other N-IICS messenger services. If one had to think about a recurring theme for the Meta compliance workshop it would probably be the repeating reminder of Meta’s regulatory overdose: Representatives kept pointing out that Meta had to juggle compliance with several EU policy initiatives, including GDPR and the Digital Service Act. The DMA compliance solutions are, tadaaa, the result of complying with all of them! With regard to Meta’s WhatsApp interoperability as required under Article 7 DMA, Meta went as far as ensuring the audience that they are “best in class” when it comes to balancing the technological requirements and ensuring users’ security.
Most strikingly was the overall puzzlement in response to Meta’s compliance solution for Article 5(2) DMA. In short, Article 5(2) DMA prevents Meta from processing data for ad services, combining or cross-using personal data without proper user consent. Put differently, Article 5(2) DMA means that Meta can only process or combine data a user generates on Instagram and Facebook for personalized advertisement if the user consents – it is the German Bundeskartellamt’s Facebook case in a regulatory fashion. Meta’s solutions as explained during the workshops unveiled the following two options:
- Choice 1: Users can agree to processing of their personal data in return for personalized advertising.
- Choice 2: User can agree to paying a monthly subscription fee of 5.99€/month for the first service – and €4.00/month for any subsequent service – in return for not being subject to personalized ads or data processing.
In any instance where users decide to withhold consent for the cross-use of data between services, they will lose access to the functionalities that rely on data combinations. However, as long as the subscription is not paid, all data generated with the use of a specific service is still combined for the purpose of advertising. This means the user gets the stick, but Meta takes the carrot.
How can this be reconciled with Article 5(2) DMA? Meta’s response: users engage with the service, i. e. Facebook or Instagram, not with the advertisement directly and if they opt for the less personalized option they get the less personalized service not the less personalized advertisement. Aaaah! That is probably exactly what the legislators had in mind… Article 5(2) DMA clearly targets Meta’s core business model of personalized advertising which Meta has decided to answer by making it very unattractive for users to make use of their additional choices (besides granting full consent for data-use by Meta across services): a lower quality service with personalized ads, versus an ad-free experience by paying the monthly subscription fee. Not surprisingly, the Commission opened proceedings regarding this aspect on March 25, 2024.
Amazon – Customer Obsessed
Amazon is a retailer at its core and truly, “customer obsessed”, placing customer experience prime first when it comes to DMA compliance. This was the narrative you could not escape during Amazon’s workshop. It covered data and ad services related DMA provisions as well as self-preferencing.
The self-portrait was promptly challenged when Amazon presented its compliance measures in relation to Article 5(2) DMA (use of personal data). Representatives from consumer protection organizations as well as other stakeholders questioned Amazon’s design choices for its choice screens prompting consumers to either opt-in or opt-out from sharing personal data across Amazon services. Questions concerned the presentation of choice screens as cookie banners and the color choices for buttons on the prompts – highlighting again that the devil seems to be in the details when it comes to nudging consumers through specific design choices for choice screens.
For the final session, Amazon decided to group together Article 6(2) DMA (use of non-public data in competition with business users) and Article 6(5) DMA (self-preferencing). For Article 6(2) DMA compliance, Amazon acknowledged that they would continue to use data generated by the business users where Amazon is responsible as the operator of the Amazon Store (i. e. not a competitor). This would include data used for improving the experience on the store as such as well as customer support and fraud protection. To avoid mix-ups with competitively relevant data, Amazon is relying on system separation and employee training. With regard to self-preferencing, Amazon provided a high level explanation that changes required by the Commission’s commitment decision were already made with the DMA in mind and rankings on Amazon Store are based on objective, consumer preference-based criteria. However, no details on the actual changes were given which coincides with the Commission’s announcement that it is taking investigatory steps to further clarify whether Amazon is self-preferencing on the Amazon Store. Perhaps the Commission will describe itself as ‘enforcement obsessed’ at some point during these proceedings.
Microsoft – Old reliable
Microsoft’s workshop started off the bat with a non-compliance issue. This time, it was Commission representative Alberto Bacchiega who had infringed on the venue’s coffee policies. Much like for the DMA itself, enforcement was swift and remedies were imposed strictly. Despite this exciting start, the rest of the workshop went by quite calmly. It seems that since the non-compliance investigations were already announced on Monday, the tensions had been released.
Microsoft’s representatives had to explain their changes to the Windows OS and LinkedIn. As expected, the Microsoft team emphasized that they are eager to comply with the new law, and that the open nature of their ecosystem meant that they were already compliant with a bulk of the DMA’s new obligations. There are few things that have changed for Windows; users will be allowed to uninstall more applications (including Edge, Cortana, and the Camera apps, but as users we cannot be trusted with the ability to uninstall Microsoft’s antivirus software); users would gain more control in setting defaults, and interoperability will be extended to the Microsoft feed and Search bar. These changes, despite taking significant technical interventions, seem quite limited when looking at the number of relevant provisions.
The changes to data policies were similarly underwhelming and are limited to a new consent prompt and additional features in the API used for access to diagnostics data. As mentioned by Microsoft at the start, there was little new or surprising in the changes they have made. This is, however, surprising in light of Microsoft’s size and societal importance.
One must wonder whether the lack of attention to anything in the Microsoft Office bundle, and the ongoing tying and linking of services there, and their Cloud activities are gaps in the scope of the DMA’s core platform services. While the changes seem to have limited impact on the user experience, there was significant attention from the audience about how they could take over the search bar and Microsoft’s feeds, which indicates some importance of these changes. However, an equal number of questions related to Microsoft’s ‘S-mode’, even to the bedazzlement of Microsoft’s representatives, as even they considered this feature wholly unimportant. So maybe no surprise that the Commission’s final remarks reminded the audience that the game is not over yet as the announcement of non-compliance investigation on Monday “is just the beginning”. Microsoft, however, might be off the hook for now … Let’s wait and see if next Monday holds more surprises in store!
Going forward
On the substantive side of DMA enforcement, the Commission has already shared its thoughts on where it sees the biggest compliance gaps between the gatekeepers’ proposals and the DMA requirements by announcing non-compliance investigations against Alphabet, Apple and Meta. From a procedural perspective, it will be interesting to watch whether public compliance workshops between gatekeepers and stakeholders will continue to take place in the DMA context and elsewhere. Will we be able to see any evolvement of the format and moderation of these workshops? Will this form of public engagement to prove effective compliance in the digital realm have any spill-over effects to other jurisdictions? We will continue to track developments in the SCiDA blog to keep you updated!