1. Arrival of the EU Digital Markets Act – a global blueprint for regulation, or the beginning of fragmentation?
The EU's landmark Digital Markets Act (“DMA”) entered into force on 1 November 2022, heralding a new era of regulation for the largest tech companies.
Under the DMA, tech companies that provide a “core platform service” and meet certain financial and user thresholds will be designated as “gatekeepers”. Gatekeepers will be subject to special obligations relating to interoperability, data access, advertising and customer contracts. Gatekeepers will also be prohibited from self-preferencing, preventing consumers accessing businesses outside their ecosystem, preventing users from uninstalling software or apps and tracking end users’ activities without effective consent. A concrete example is that gatekeepers will almost certainly need to allow users to choose different app stores.
The EC expects to designate the gatekeepers by 6 September 2023 and those companies will have until 6 March 2024 to comply with the new rules. The EC is already gearing up for enforcement, creating a new DMA Directorate within its competition department and even opening an office in San Francisco. It has invited (probable) gatekeepers to talk to it about how best to implement the DMA. Some of the larger tech firms have already expressed concern about the DMA's potential impact on security and innovation.
The DMA was adopted at record speed. While there seems to be growing consensus across continents on the potential benefits of ex ante regulation and proposals for reform around the world, Germany is the only other major economy to have an operational competition-based regime specifically targeting big tech, with its special competition rules for businesses with “paramount significance” (under which Amazon, Google and Meta have been designated so far). In the days before 5 Themes went to press, the UK Government announced that it will bring forward much delayed legislation to establish the UK’s answer to the DMA: the “Strategic Market Status” regime, by Summer 2023, finally giving legislative powers to the UK’s Digital Markets Unit (which has been operating in shadow form since April 2021). But even when it finally becomes operational, the proposed UK regime is not a direct parallel to the DMA, and rather than subjecting all “gatekeepers” to a single set of rules, will have a bespoke Code of Conduct for each “Strategic Market Status” firm.
In principle, gatekeepers are free to adjust their services in the EU to comply with the DMA but maintain their existing business models elsewhere, leading to what some have dubbed the ‘splinternet’. Gatekeepers may prefer to adjust their business models globally to avoid the additional costs and complexity of maintaining different business models and to try to use the DMA as a regulatory baseline to avoid iterative changes as similar rules are rolled out worldwide. If so, the DMA would be an example of the ‘Brussels effect’, where EU market regulation sets de facto global standards. The posterchild for the Brussels Effects is the GDPR, which is now followed in countries as diverse as Brazil, India and Japan (and even the US state of California).
On the substance though, the DMA leaves a lot of room for interpretation which could undermine its utility as a global benchmark. While there are significant elements of commonality in legislative proposals (such as prohibiting self-preferencing) we can already see areas of (subtle) divergence in proposals outside the EU (for example in relation to the designation of gatekeepers, where the EU seems to take a more interventionist approach than others). And the risk of being the forerunner is that other jurisdictions decide to pick-and-choose between different aspects of the DMA.
A ‘splinternet’ on the regulatory side may raise concerns around the loss of economies of scale and scope, interoperability standards and incentives for innovation, to name a few. This will be an area to watch closely.
2. Web 3.0 – utopian competitive future, or a new challenge for regulators?
While the DMA sets the landscape for regulation of Big Tech companies in the Web 2.0 world (the “participatory social” web), some would argue that technological developments and market forces are already shaping the next generation of antitrust tech challenges (and solutions).
In 2022, 57% of global Internet traffic was accounted for by web 2.0 giants, such as Google, Amazon, Facebook, Apple, Microsoft and Netflix . The concentration of internet traffic on a small number of Tech firms each owning digital platforms has given rise to the concerns that the DMA is intended to address i.e., use of data, self-preferencing and network effects.
It has been suggested that Web 3.0 could address some of these concerns, whilst at the same time creating new challenges for regulation and enforcement. Web 3.0 is intimately linked to blockchain technology, an immense digital register shared by a multitude of users, which does not have any central authority, which is reputedly unfalsifiable, and which provides more freedom to users and robust access to and control over their own data. Instead of a web accessed through large technology companies, Web 3.0 is built, operated, and owned by its users.
As Web 3.0 develops, it could result in two major changes to the digital economy as we know it.
First, Web 3.0 will by its nature be a decentralised model. Any user will have access to its preferred decentralised platform. This disintermediates the digital platforms currently relied on by users and will threaten disruption to existing tech companies. As an example, in 2022, Audius, a music streaming and sharing platform built on the blockchain, is already serving millions of users each month with the aim of avoiding digital platforms relied on for streaming (such as Apple Music, Spotify and Amazon Music) to allow artists to directly reach their fans.
Second, Web 2.0 users give away data every day for free, which is monetised by the gatekeepers through their digital advertising models. This has led to concerns from many sides, causing antitrust (and other) authorities to worry about the dominance of these platforms and potential consumer exploitation (as customers don’t always make informed choices about the sharing of their data). Given it is based on blockchain technology (which ensures users’ privacy through pseudonymity, participants are often anonymous and well protected), it is hoped that users of Web 3.0 will have greater control over the use of their data, addressing the risk of data exploitation by large firms.
Whilst Web 3.0 looks to be a solution to certain antitrust problems inherent in Web 2.0, this is not to say that it does not raise fresh challenges.
Firstly, the very idea of controlling the development of blockchain technology is already a challenge, given that decentralisation and anonymity are at its core. Ensuring that appropriate enforcement mechanisms are in place, despite anonymity, and supervising the new era of the digital economy, despite the absence of central authority and reliance on smart contracts, machine learning and decreased human oversight, are highly complex.
Policy makers and subsequent regulations will also have to ensure that existing and future digital regulation does not hinder the evolution of Web 3.0. The need to balance the risks of stifling innovation and chilling competition against orderly developments of markets is not new, but the challenges inherent in tech markets certainly are.
3. Global merger control scrutiny of tech deals continues to intensify – are we reaching peak intervention?
We continue to see more interventionist merger control for tech deals – a global trend that shows no sign of abating. Regulators are using new or revived approaches to expand their jurisdiction, meaning the chances of any tech deal escaping some form of scrutiny are remote. Once within the grasp of merger control authorities, the level of intervention continues to rise with more deals gaining approval only with (stringent) remedies and more falling victim to outright prohibition. With regulators taking diverging approaches, a lack of predictability impacts deal certainty and execution risk.
Historically, the UK’s expansive jurisdictional tests have given the CMA the power to review deals that other regulators could not (e.g. Facebook/Giphy). But now the European Commission (EC) is catching up. In July 2022, the EU General Court ruled in Illumina/Grail that national competition authorities can rely on Article 22 of the EU Merger Regulation to refer a transaction for merger control review where the transaction does not meet either the EU or Member State thresholds. The judgment (currently under appeal) was a boost for the EC’s revised approach to Article 22, which was intended to address a perceived enforcement-gap in EU merger control and will also give it the ability to review killer acquisitions (acquisitions of nascent, potential competitors). A recent EU Advocate General opinion has also indicated that acquisitions which escape merger control could be tackled by abuse of dominance enforcement, although it remains to be seen whether the approach will be endorsed by the court and what impact this will have.
In the US, the burden of proof to challenge killer acquisitions in court is seen as a significant barrier to enforcement relative to European jurisdictions. Antitrust enforcement chiefs have emphasised the need for increased merger enforcement that addresses potential anti-competitive effects before they occur. The agencies have set out to “modernize” the US merger guidelines to address the modern digital economy by expanding theories of harm in the digital sector, and have brought new enforcement that tests the bounds of potential competition theories such as their ongoing challenge to the Meta/Within transaction. The FTC has also announced a new policy statement for the enforcement of unfair methods of competition under the FTC Act that would allow them broader discretion to challenge deals involving potential competition theories that do not meet existing judicial effect standards. However, they likely face an uphill push to have those views endorsed by the courts.
Regulators globally tend to identify similar (novel) competition concerns in tech deals, namely killer acquisitions, exploitation of data and ecosystem concerns (i.e. that a Big Tech player can leverage its range of products to strengthen network effects and raise barriers to entry). Despite the concerns being similar, this has not (yet) resulted in consensus or alignment between regulators.
In Google/Fitbit, the EC relied on theories of harm related to the exploitation of data but not ecosystem concerns, but ultimately cleared the deal subject to behavioural remedies that were rejected by the Australian ACCC and criticised by the then Chief Executive of the CMA. In Facebook/Kustomer, the EC did rely on an ecosystems theory of harm and cleared the deal with behavioural remedies at Phase 2, whereas the same deal was unconditionally cleared at Phase 1 by the CMA. The outcome of other deals currently subject to parallel review by the CMA and EC such as Microsoft/Activision Blizzard will provide further learnings on intervention in global tech deals and scope for (mis)alignment.
On the other side of the world, we see a different approach to intervention in a different set of tech cases. In China, the authority considers tech mergers from both a competition angle and an industrial policy angle. Therefore, opinions from stakeholders and other government agencies based on supply security, impacts on Chinese industry etc. are given weight in the merger review process. This has led to cases such as AMD/Xilinx and SK hynix/Intel that were unconditionally cleared elsewhere being subject to remedies in China.
In an uncertain world, one thing remains certain – parties need to pay careful attention at the outset to risk allocation and ensure merger control strategy is flexible.
4. Rubber hits the road on foreign investment review of tech acquisitions – are the prohibitions just beginning?
The continuing global crises (the COVID-19 pandemic, war in Ukraine and climate change) have resulted in huge investments in future-oriented technologies in many sectors. As governments seek to protect national industries to avoid the outflow of know-how and sensitive information, prevent the formation of dependencies and gain tech sovereignty, we see stricter foreign investment regimes in more countries and with lower thresholds. The challenge will be to find a balance between national security considerations and enabling necessary tech investments.
The EU’s Foreign Direct Investment Screening Mechanism significantly strengthened cooperation and coordination between Member States in dealing with FDI filings. National regimes retain authority but must give due consideration to comments from other Member States and any opinion of the EC (given rarely – seen in less than 3% of transactions).
In the UK, the National Security and Investment Act (“NSIA”) has been in place since January 2022, marking a step change to the Government’s enforcement powers by introducing a standalone CFIUS-style foreign investment regime for the first time in the UK. With over half of the 17 sectors subject to the mandatory notification requirements having a clear link to tech, the focus on tech is only expected to grow. The first prohibitions under the NSIA have related to technology transfers of commercial applications which may have a dual military use. These have also involved investors / licensees based in China or Hong Kong.
In the US, recent changes resulted in tighter rules and sharpened CFIUS’s focus on new technologies. The US enforcer will now be required to consider five new sets of national security concerns in its FDI review, including cybersecurity, sensitive personal data, and certain areas of technological leadership (such as microelectronics, AI, biotechnology, quantum computing, climate technologies). Tech investments in the US will thus be subject to even further scrutiny.
In China, after the overhaul of the national security regime in 2020, the foreign investment regime is playing an increasingly important role. Important information technologies, internet products and services, as well as key technologies and “other important areas” are listed as areas triggering a review. The scope of these is undefined and may change to include new areas, for example the acquisition of certain personal or sensitive data as part of the investment. In addition, China maintains a strict position against foreign investment in certain areas under the general foreign investment regimes (for example, investment into media related tech sectors, or the operation of internet infrastructures).
From around the world, the message is clear: deal makers should keep national security and other foreign investment concerns firmly in mind when considering tech investments.
5. Private enforcement against tech companies – will claimants leapfrog regulators with novel claims?
Private enforcement is on the rise. Companies are facing new frontiers in abuse of dominance / monopolisation claims. While enforcement was traditionally driven by regulatory intervention, we are now seeing private litigants – tired of waiting for infringement decisions on which to found their claims – pushing the legal bounds with new theories of harm in the tech sector.
Private firms have been active in driving major class action litigation against tech firms in the US, undeterred by a lack of success to date (e.g. Epic v Apple in the US). Private plaintiffs have brought monopolisation cases on behalf of classes of consumers, developers, and advertisers on novel theories of harm. Private litigation is, for example, taking the lead in claims against Google over adtech, against Google and Apple over their app stores, and against Amazon and Apple over their distribution agreements. These cases will likely set substantive precedent for many cases to come, including cases involving parallel government enforcement. Indeed, private plaintiff firms work closely with (or sometimes represent) state attorney generals who have been active in the space. There is also a risk of having the theories of harm from investigations applied elsewhere – e.g. the new ApplePay class action litigation that seeks to incorporate statements by the EC on a parallel investigation.
While the US has always been an area of focus for class action litigation, the last few years have heralded a new era of “US style claims” on the other side of the Atlantic as well, meaning that global companies are fighting giant actions on multiple fronts. For example, the UK’s class action regime, introduced in 2015, really kicked off in August 2021 after the first certification in Merricks v Mastercard. Since then, the pace with which opt-out class actions have been launched against big tech in the UK is striking. Since May 2021, opt-out class proceedings have been launched against the entire GAFA quartet.
The Meta case is perhaps particularly instructive in showing how private litigants are stretching the realms of competition law by recasting claims that more traditionally would have been based on data protection or consumer protection legislation. In that case, Meta is accused of abusing its dominant position by making users' access to Facebook contingent on them sharing their personal data, with the class representative arguing that Meta exploits its users by using their personal data without proper compensation.
Most of the above cases reflect live allegations in EC and CMA investigations, while the Meta action bears similarities to the Bundeskartellamt data case (awaiting ECJ judgment following the positive opinion of Advocate General Rantos). Claimant firms and litigation funders are actively looking through the EC / CMA dominance docket and seeking class representatives willing to bring claims on an opt-out basis – and they are not willing to wait for an infringement decision before pressing ahead.
With the European Collective Redress Directive due to be implemented by Member States in the coming months, global companies are likely to face an increased number of collective claims across multiple jurisdictions.
The DMA will also doubtless have significant impact on the private enforcement landscape. On the one hand, the universe of potential claims against future “gatekeepers” is likely to grow significantly for claims brought within the EU. At the same time however, the European Commission will no longer need to bring actions against big tech for much of the conduct which it has focused on over the past ten years using traditional competition tools, making the read-across of adverse findings under the DMA to non-EU jurisdictions potentially more challenging.
Strikingly, the sky is the limit for the quantum of damages sought in such claims. While claimants will always allege the maximum possible damages pay-out, figures on a UK basis alone dwarf any fine ever imposed by the CMA, and some claims even exceed the total global fines ever imposed in a single antitrust investigation: £2.2bn against Meta; £21.6bn for Google advertising, £920m for Google Play Store and £900m against Amazon.