The EU’s experimental approach in overhauling competition rules | #itsecurity | #infosec | #hacking | #aihp

Late last month, European policymakers unveiled a provisional agreement on the text of the Digital Markets Act, marking the beginning of a new era of digital regulation. The DMA aims to make it easier for small and mid-sized tech companies to enter markets currently dominated by Big Tech and proposes a set of rules that so-called “gatekeepers”—those with a market value of 75 billion euro or annual turnover of 7.5 billion and more than 45 monthly active users—must abide by or risk staggering fines. Changes in the final rounds of negotiations turned the DMA from an innovative policy that was nonetheless firmly rooted in European case law into a far more novel regulatory approach. Even before coming into force, the DMA has paved the way for bolder digital regulation across the globe.

The DMA represents a landmark in the attempt by regulators globally to strengthen frameworks for ensuring competition in an ascendant technology industry. In doing so, the DMA adopts a number of untested approaches—most prominently, a proposal to require interoperability among messenger services. This entails significant risk but is in line with what appears to be a growing appetite among regulators to embrace more novel rulemaking to keep up with technological developments. Getting this approach right will require EU policymakers to adopt rigorous enforcement and oversight regimes to monitor how their regulatory structures are impacting technology ecosystems—and a willingness to quickly revise these regimes if they fail to deliver the desired effects.

Over the past decade or so, European antitrust enforcers have attempted to maintain competition in the digital economy by bringing a long list of antitrust cases against major tech companies. These laborious, time-consuming cases have secured some important legal victories, but on the whole, they have failed to counteract with the necessary speed and force the strong tendencies toward concentration in digital markets. The EU’s first antitrust case against Google, for example, kicked off in 2010, was decided in 2017, and confirmed by the courts in 2021. With the DMA, European policymakers are shifting to an ex-ante approach that builds on the previous cases brought by the European Commission. Instead of drawn out legal battles, European policymakers are attempting to write self-executing rules for gatekeepers.

The final negotiation between various EU bodies to hammer out the text of the DMA resulted in provisions that go beyond previous cases and investigations. One new rule mandates messenger services run by gatekeepers—WhatsApp and iMessage, for now—to provide interoperability. This means that, in principle, users of a gatekeeper messaging service should be able to communicate without friction with users of other services, both smaller and established ones. While interoperability is often hailed as a silver bullet to make markets more competitive, a recent report by the Centre on Regulation in Europe found that its impact is generally ambiguous and, despite the tempting precision of mathematical modelling, hard to forecast.

The uncertainty about outcomes is due to the interaction of multiple factors. Interoperability reduces network effects, which means that someone pondering which messenger to install is less likely to be driven to the biggest player (currently WhatsApp). However, interoperability also means that consumers who currently use multiple messengers have less reason to do so. This can reduce competition and even lead more people to use the most popular messenger on an exclusive basis. Therefore, it is important that European policymakers consider what they aim to achieve with their interoperability requirement: Is the goal to increase competition and reduce concentration by making it easier for smaller rivals to gain market share? Or is there a benefit in giving consumers the choice not to use the most popular messenger, regardless of whether they make use of that choice?

Many observers, including consumer associations, seem to put a high value on choice even if, in the worst case, it could be detrimental for competition. There are few historical examples of mandated interoperability, and this makes it difficult to assess how an interoperability requirement would affect competition dynamics in the technology industry. Telecommunication network interoperability, for example, does not provide much guidance because people usually use only one provider at a time. The United Kingdom’s Open Banking initiative, which aims to reduce hurdles to switching or using multiple financial services providers, is a more instructive example. Its initial results are promising: User adoption continues to rise, and current users of Open Banking-enabled personal finance management apps report shopping around more and being better able to minimize fees/costs. Nonetheless, the initiative requires substantial ongoing oversight to make sure it works as intended.

It is likely that the European Commission is aware that imposing interoperability has uncertain consequences; nonetheless, it is willing to take the risk of getting it wrong because it believes the odds of improving the market are sufficiently high. But this risk-taking approach means that it would be beneficial if the Commission articulated more clearly the objectives of the interoperability and other requirements. By translating those objectives into meaningful indicators, firms, regulators and the public would be able to assess whether the DMA is working as intended or if it needs adjusting. This is particularly important because the DMA stands outside of the established competition law framework and aims to achieve contestability and fairness—two terms still open to interpretation.

The effects of interoperability will also depend on what exactly it will cover, which is not fully defined yet. European policymakers have made clear that text, image, and voice messages between two users need to be included from the start, but group conversations have an implementation phase of two years and video calls even longer. Additional features will not be covered, such as stickers, gifs, and new features the messenger operators develop.

Another potential unintended side effect is that interoperable messengers are harder to encrypt end-to-end because they rely on different encryption protocols. Many cryptographers fear that interoperability will come at the expense of user privacy and security. Even advocates of interoperability such as Matrix, an open standard for decentralized communication, admit that a trade-off between user choice and security is inevitable. But ways to reach an acceptable balance may exist: Different protocols can be bridged, even if this can open the door to some attacks, and a concerted move to using one decentralized protocol may address these concerns. (Options include Matrix and MLS.) The computer security expert Steven Bellovin argues interoperable end-to-end encryption “is somewhere between extraordinarily difficult and impossible,” but it makes a huge difference if it is the former, implying that the DMA might provide the necessary push to throw the necessary time and resources at the problem, or the latter. If it is impossible, indeed, the Commission might want to reassess its stance and prioritize privacy and security over improved choice.

After the DMA comes into force later this year, key questions about its implementation will remain. Companies will have six months to assess whether they fall into the gatekeeper definition, and while they do so, the European Commission has to prepare for what will be a huge enforcement task. The Commission is still deciding whether those charged with overseeing those companies designated as gatekeepers will sit within the Directorate-General for Competition; the Directorate-General for Communications Networks, Content, and Technology; or somewhere in between. The role of national competition authorities is still to be defined.

Significant concern remains that gatekeepers will simply refuse to comply with the DMA and that the European Commission will lack sufficient enforcement tools to bring them into line. Multi-billion-euro fines have had little effect on gatekeepers’ willingness to take regulatory risks, and it is unclear whether the DMA’s proposed fines will change this dynamic. Indeed, earlier this year Apple refused to comply with an order to give dating app developers a choice of in-app payment systems and incurred a 50 million euro fine instead. In the DMA, policymakers have sharpened the penalty for repeated infringement: The maximum fine now amounts to 20% of worldwide revenue, and the Commission can block acquisitions by repeat infringers. The latter option is surprising because acquisitions are not obviously related to violations of the rules contained in the DMA, but its inclusion reflects regulators’ determination to bring cash-rich offenders to heel.

One open question is in which markets changes will first become visible. Will gatekeepers proactively adjust their products to be on the safe side or will they drag their feet to see where the Commission first decides to allocate its limited enforcement resources? This is likely to depend on the clarity of the 19 behavioral rules contained in the DMA. For example, a rule requiring explicit consent for merging data from different services by the same gatekeeper is very likely to translate into an additional box for users to tick. By contrast, a rule imposing fair and non-discriminatory access to app stores, search engines, and social networks may require further debate and discussion before it can be translated into a corporate policy capable of implementation. It is reasonable to expect legal proceedings about various rules to arrive at a shared understanding of what the rules mean in practice. Hence, enforcing the DMA might take a while in the beginning, but once the rules are clear, they can become self-executing as intended.

Nonetheless, the DMA is a game-changer for both the European Commission and Big Tech. Given the complexities of the act’s rules and the variety of the business models covered by them, errors and inconsistencies in enforcement almost seem inevitable. However, the European Commission seems much more willing to take the risk of being wrong regarding some details as long as they get the big picture sufficiently right. Whereas regulators in the past seemed more concerned about over-enforcement of competition law causing harmless behavior to be prohibited, today, they seem far more concerned that under-enforcement is the larger reason to worry.

The willingness to intervene more strongly in digital markets is global. Regulators across the world have followed the EU’s lead and some have even overtaken it, mostly with more specific rules for a subset of behaviors addressed in the DMA. South Korea, for example, passed a law last year requiring that app stores allow alternative payment options. (A similar provision was added to the DMA in the final phase of negotiations.) Some six months after the law came into effect, South Korean regulators are already raising concerns that Google parent company Alphabet has made insufficient changes to its app store to bring the company into compliance with the law—highlighting the need for clear interpretations and enforcement mechanisms for the competition measures contemplated in the DMA.

Given the global presence of large digital platforms, it would make sense that the rules governing them be coherent across countries, and while the DMA is a step in this direction, the global regulatory landscape is likely to remain fractured. Having learned from the challenges of relying on states to enforce the General Data Protection Regulation, the European Commission will take the lead in enforcing the DMA—a welcome move. If regulations were harmonized globally, this would both alleviate both the burden of corporate compliance and regulatory enforcement. But this seems unlikely. While momentum is building in the United States to write new regulatory regimes for technology companies, Congress seems no closer to passing legislation on the issue. In China, by contrast, the ruling Communist Party has taken strong measures against technology platforms.

Digital regulation will also collide with broader geopolitical interests. U.S. officials have criticized the DMA as an attempt to unfairly single out U.S. firms, setting up a point of friction between Washington and Brussels even as the Biden administration attempts to improve ties with its European allies. The DMA may also cause conflict between Europe and China. Chinese platforms are likely to eventually meet the gatekeeper criteria, and it will be interesting to see how China reacts to EU-imposed restrictions to make their digital platforms more contestable and fair. Chinese platforms often have separate versions for domestic and global markets—ByteDance-owned Chinese Douyin and global TikTok do not interoperate, for example. This may make compliance with EU rules easier than it is for U.S.-based Big Tech whose platforms usually offer usually offer the same products with local tweaks in the United States and Europe. U.S. gatekeepers will need to decide if, for example, only European WhatsApp will interoperate with European Signal or if the same functionality will be extended to other markets.

The EU has decided to venture into new territory with the DMA. Some of its rules will turn out to work better than others, and some may even harm competition or consumers. In the history of regulation, learning processes are normal because each market is different and markets evolve over time. This makes it even more important for the European Commission to monitor market outcomes and adjust the rules where appropriate. Such transparency and flexibility could serve as an inspiration for digital regulators around the world: Even if they pursue different objectives than the EU and opt for approaches different from the DMA, lessons-learned could be shared and built upon.

Aline Blankertz is a co-founder and co-chair of the SINE Foundation, a non-profit think-and-do tank.

Google provides financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.