Generative AI has been a (if not the) major preoccupation of policymakers and competition authorities in 2024. With AI’s huge potential to unlock productivity growth and innovation across all sectors of the economy, it is clear that enforcers feel the weight of perceived past underenforcement and are determined not to repeat the mistakes of the past. But with AI technologies evolving so rapidly, consensus is yet to be reached on whether, and if so how, authorities should intervene to address perceived distortions in these markets to optimise the potential benefits.

The European Commission (EC), the UK Competition Markets Authority (CMA), Portuguese Autoridade da Concorrência and French Autorité de la Concurrence (amongst other regulators), as well as bodies such as the G7 Committee of Competition Authorities and policymakers, have all recently published reports on the risks to effective competition in the generative AI sector (the CMA’s report is considered in more detail in this blog). They identified similar potential concerns, focused on the existence of high barriers to entry in the form of access to large datasets, specialised chips and skilled labour, as well as economies of scale and scope, and the scope for incumbents to foreclose smaller developers by withholding access to these inputs (or to distribution channels).

Access to key AI inputs has also attracted scrutiny in China, albeit from a different perspective. The Chinese authority State Administration for Market Regulation (SAMR) is paying significant attention to whether, and how, domestic players are able to obtain similar inputs as their overseas competitors and whether that may be impacted by an anticipated concentration of undertakings.

Against this background, a number of competition authorities, including the EC, Federal Trade Commission (FTC), Department of Justice (DOJ) and CMA have looked very closely at agreements / partnerships between generative AI developers and established digital players controlling the upstream (or downstream) inputs (as discussed further in the mergers section below). They have extended existing investigations / remedies in other digital areas to address emerging AI concerns (for example, the DOJ has signalled it is considering implications of generative AI as part of remedies in the US v Google search monopoly case). They have also signalled their willingness to exercise their enforcement powers where warranted by the behaviour of market participants and investigations have been opened on both sides of the Atlantic, though these remain in their early stages.

Amid the flurry of activity by authorities around the world, we are also seeing increased international cooperation. In July, the FTC, DOJ, EC and CMA issued a joint statement on competition in generative AI (the Statement). As discussed in our recent blog, while the Statement itself is far from revelatory, the Transatlantic alignment between regulators in the US and Europe, alongside the CMA which holds arguably the broadest powers, is important symbolically. The need for a coordinated international effort in promoting responsible AI practices was also highlighted in the recent Digital Competition Communiqué issued by the G7's Authorities and Policymakers' Summit in October 2024. 

The perceptible undercurrent to all enforcement is agencies’ strong desire not to allow the history of perceived underenforcement in tech markets to repeat itself. While generative AI has some shared characteristics with markets that have previously “tipped” in favour of one or two players, it also has some very different economic characteristics – key among them that LLMs have material running costs, and that their development and deployment requires huge capital expenditure. How exactly these factors influence the direction of enforcement is a key area to watch in the year ahead.

2024 marked another year of evolution for digital market regulation. Existing platform regulation has been rigorously enforced in jurisdictions where it exists, while new laws are on the books (or in the process of being drafted) in others.

One of the key 2024 developments was that the EU's Digital Markets Act (DMA)’s obligations kicked in from March. The EC is already flexing its powers – indeed, it has opened investigations against three of the seven designated gatekeepers in respect of a number of behaviours, with more investigations understood to be in the pipeline. Similarly, in China, the industry regulator continued to take steps during 2024 to ensure digital players follow the guidance already given in 2021 on increasing inter-operability between key apps and platforms. This has led to a number of consumer-friendly changes, such as adding more payment channels in key apps or making more mini-apps available in super apps.

But the EU and China are only the beginning. The UK’s eagerly anticipated Digital Markets, Competition and Consumers Act (DMCC Act) received Royal Assent on 24 May 2024 (with commencement of the digital regime expected in January 2025). We can also expect significant activity from the CMA’s Digital Markets Unit (DMU) shortly as they have had over three years to prepare for their powers to take effect, albeit the UK regime will not start with a “big bang” but rather be a slow build as the CMA moves through the process of designating firms. New law is also on the books in Japan, where the Smartphone Act imposes DMA-style restrictions on owners of smartphone operating systems.

There are also proposals for new ex ante regulations in a number of other jurisdictions, including in Australia, Kenya, South Korea and two of the largest developing economies: India and Brazil. In India, a draft Digital Competition Bill contemplates a regime in which “Systematically Significant Digital Enterprises” would be required to comply with both broad service-agnostic obligations as well as separate conduct requirements for each ‘core digital service’, with scope for criminal penalties (however recent reports suggest this may not be current legislative priority). Breaches of the regulation could be criminal. The Brazilian Congress is also currently considering a Digital Markets Law Bill which provides that those platforms deemed to have “crucial access control power” must commit to transparency with the regulator, provide fair and equal service to both businesses and end users and ensure proper usage of data in commercial activities. The Bill also prohibits platforms from refusing to contract with business users.

As the number of regimes pursuing the same goals but through slightly different means multiplies, so does the compliance burden. A key question for affected companies is whether to “build to comply”, or simply remove functionality from particular jurisdictions (or not launch it in the first place), potentially depriving or delaying users’ access to the latest features and tools. This – along with government’s responses where their citizens are deprived access to the latest features and tools – will be an important dynamic to watch as the platform regulation regimes come through infancy into toddlerhood.

Perceived historical underenforcement of merger control in tech markets has loomed large for antitrust agencies over the last decade. While five years ago there was significant debate over whether jurisdictional thresholds needed to be revised to allow agencies to look at deals (especially those involving nascent innovative businesses without significant revenues), a series of reforms – key among them the EU’s decision to accept referrals from Member States even where the local jurisdictional thresholds were not met – saw debate in this area quieten. The possibility of below-threshold call ins meant no deal was safe from the EU’s jurisdiction.

In 2024 however, the debate has been revived, both because of a significant court ruling for the EU, coming at the same time as a desire to review the strategic partnerships between generative AI developers and tech incumbents, many of which do not look like traditional mergers or acquisitions. The dual issues of what kind of transactions can be caught by merger control, and what – if any – thresholds should apply is likely to remain a live issue into 2025.

The EU is constrained by rigid jurisdictional thresholds and had since 2021 relied on member states referring cases to it under the ‘Article 22 EUMR’ procedure. However, the availability of this procedure was dealt a significant blow by the European Court of Justice’s ruling in Illumina/Grail which provided that, in the interest of legal certainty, member states could only invoke Article 22 if the merger met their jurisdictional thresholds. In response, as discussed in a recent post, an increasing number of national competition authorities are being encouraged to use their call-in powers to review transactions that fall below their merger control filing thresholds (e.g. Italy calling in, and referring, Nvidia’s acquisition of Run:ai). Others are considering the introduction of similar rules.

Outside the EU, other agencies also continue to flex their jurisdictional rules:

• The UK's CMA has always had flexible jurisdictional rules, enabling it to look at many deals that were historically outside the EU’s reach. This year, the CMA has used its flexible jurisdictional rules to review several AI partnerships (albeit considering in some cases it did not, in fact, have jurisdiction), as discussed in a recent blog. The CMA’s jurisdiction will become even more flexible with the DMCC Act introducing a new ‘hybrid’ threshold which does not require any overlap between the parties (with the target merely needing to have a ‘nexus’ to the UK), as discussed in this blog. The DMCC Act also introduces an obligation on firms with SMS designation to notify the CMA of certain acquisitions in advance of completion (which will enable the CMA to decide whether to call in the merger, impose an interim order, and prevent completion if it deems it necessary).

• In the US, the FTC also launched an inquiry in January 2024 into generative AI investments and partnerships, issuing information gathering orders to Alphabet, Amazon, Anthropic, Microsoft and OpenAI. It currently remains unclear what next steps the FTC will take in relation to partnerships between these companies and generative AI developers. The FTC is also pursuing enforcement action through the US courts in relation to other historical deals.

• In China, SAMR has power to call in a transaction below the turnover thresholds but believed to raise competition issues and has already done so in two cases so far since SAMR was formally granted that power in 2022. SAMR is closely monitoring the AI space and the approach by overseas counterparts to identify cases that may need to be called in.

Competition authorities (and regulators) are adapting to the evolving digital M&A landscape. Digital companies can therefore expect close scrutiny of any acquisitions or partnerships.

Despite the focus on platform regulation in digital markets, both public and private enforcement remain aggressive.

EU officials have been at pains to make clear that the DMA does not replace competition law, which, by virtue of its case-by-case nature, is better suited to investigating and catching new ways that companies attempt to evade the law – the EC has issued a number of infringement decisions this year and has more on its docket. By contrast, the UK’s CMA has shut down the majority of its antitrust investigations in preparation for its new regulatory regime, but has moved forward with a Statement of Objections against Google in relation to adtech – the first time it has taken such a step in relation to one of the tech majors. Last but not least, 2024 has been a year in which there has been significant movement in the US agencies’ enforcement through the courts, most critically with the finding that Google abused a dominant position in search. The ongoing remedies process will unfold through 2025 and has potentially significant impacts not only for involved parties, but also in terms of read-across to other cases.

In addition to ongoing public enforcement, tech companies are increasingly being targeted by private litigants bringing collective redress actions. In the US, private enforcement has always been and remains a prominent driver of compliance with competition law, either via class actions or individual cases (see for example the recent case of Particle v Epic). The last few years, however, have seen the US approach “exported” around the world, spurred by the introduction and/or expansion of collective redress regimes in a number of jurisdictions, and a boom in the enthusiasm of litigation funders for these claims.

In the UK specifically, the number of opt-out collective proceedings brought in relation to alleged breaches of competition law has grown exponentially in recent years. Approximately one quarter of these are against large tech companies, many of whom are subject to more than one such claim. The procedural benefits offered by the collective proceedings regime for competition disputes compared to the regimes open to those bringing other types of claims in the UK has prompted a trend of litigants attempting to recast claims that might not normally be regarded as competition claims as actions for breaches of competition law. It remains to be seen whether those claims will ultimately be successful.

In the EU, different member states adopt different approaches to collective enforcement, with the EU’s Representative Actions Directive permitting member states a degree of flexibility. As a result, private actions – whether for breaches of competition law or for contraventions of duties owed under the DMA – may be brought by way of opt-out proceedings in certain member states, whereas in others they can only be brought by way of opt-in proceedings. The Netherlands and Portugal fall into the former category, with established opt-out regimes that have seen several high-profile competition damages claims brought on this basis in recent years. Spain is shortly expected to join the Netherlands and Portugal in implementing an opt-out regime. Belgium, France and Germany, by contrast, operate opt-in regimes. The DMA also provides for collective redress and is a potentially attractive new route for litigants wishing to bring action in EU member states thanks to the lack of need to establish dominance, as well as the special duties owed by gatekeepers in respect of such claims.

The introduction and growth of ex ante regulation is not reducing the importance, or extent, of traditional antitrust enforcement. Coupled with the growing use of private litigation, in particular collective proceedings, firms are increasingly needing to fight the same fight on multiple fronts.

Over recent years, businesses around the globe have been busily knitting together a patchwork of compliance protocols to mitigate risks under AI, platform, content, online safety and privacy regulations… as we look ahead, businesses would do well to add consumer protection to that list. A broader, more flexible tool than many existing regulations, there are two main reasons for businesses to focus on consumer law compliance: (i) regulators are increasingly looking to consumer protection to regulate behaviour in the digital markets, and (ii) the consequences of non-compliance are increasing.

One key area of focus for consumer enforcement agencies has been online choice architecture (OCA). Authorities are increasingly wanting to closely scrutinise a range of issues, including default settings, bundled consents, ranking, dark (or light) patterns, pricing and urgency claims and can impact data protection, privacy, online safety and pricing.

In the EU, dark patterns are explicitly called out in guidance on the Unfair Commercial Practices Directive and Digital Services Act (DSA). In the UK, the CMA has worked with the information commissioner’s office (ICO) to consider how OCA can be compliant with both consumer and data protection and will be able to utilise the broad stroke prohibition against unfair commercial practices to tackle dark patterns and other non-compliant OCA.

Consumer law is also poised to play a significant role in relation to AI. The FTC in the US has been actively focused on deceptive practices in AI as part of its dual enforcement authority. In Australia, consultations on a range of reforms to its consumer protection law to introduce specific AI-related protections for consumers are ongoing whilst the CMA in the UK has considered competition and consumer compliance jointly in its assessment of AI foundation models (FMs).

Increased interest by consumer law agencies in digital markets comes as the consequences of non-compliance are increasing. In the UK, the consumer provisions of the DMCC Act are set to come into force in Spring 2025, conferring new powers on the CMA to investigate and fine companies up to 10% of worldwide turnover for breaches of consumer protection law, without first going to court – significantly raising the stakes of non-compliance. In the US, both public and private consumer protection enforcement come at a significant cost, with Epic Games accepting a $520 million settlement in connection with the use of “dark patterns” to encourage users to make in-game purchases, and Amazon having been sued by the FTC for allegedly using dark patterns to retain Prime customers.

Critically, unlike regulations such as the DMA or the digital regulations under the DMCC Act, in many jurisdictions, consumer protection applies across the economy to businesses of all sizes. Consumer protection is no longer seen as something only for retailers and manufacturers to worry about. With increased digitalisation, regulators are alive to the important role tech companies play interfacing with consumers. In this landscape, consumer protection is being used in part to reach the gaps in other regulations and ensure fair, transparent conduct throughout the digital markets.