Litigating the DMA & DSA: Current Landscape and Comparative Analysis to GDPR-Related Litigation
Since their recent entry in 2022 and 2023, respectively, the Digital Services Act (DSA) and the Digital Markets Act (DMA) have significantly added to the caseload of the EU Courts. The plethora of challenges lodged in such a short period of time is reflective of the controversy surrounding the applicability and implementation of the acts as well as of the breadth and depth of the changes affecting the business models of the regulated companies. The DMA imposes ex ante obligations on large online platforms offering certain “core platform services” see https://www.quinnemanuel.com/the-firm/publications/client-alert-shaping-the-future-of-tech-latest-updates-on-the-digital-markets-act/ (the so-called “gatekeepers”), ranging from data access and usage to distribution and bundling of services and interoperability for messaging services. The DSA on its part, imposes a set of obligations on a large category of online services, ranging from simple websites to internet infrastructure services and marketplaces and an enhanced set of stricter due diligence obligations to platforms that have more than 45 million users per month in the EU. These obligations are generally aimed to increase transparency (including with regard to profiling and targeting of users through advertising) and assist with public supervision (including through publication of detailed information about advertisers and targeting parameters).
To date, the European Commission has designated under the DMA seven gatekeepers (Alphabet, Microsoft, Apple, Amazon, Booking, Meta, and ByteDance) for two dozen core platform services they have offered. It also investigated the potential designation of X but concluded that the platform is not an important gateway for businesses to reach consumers.
ByteDance, Meta, and Apple have all challenged the European Commission’s designation decisions before the General Court of the European Union. The applicants rely on broadly similar grounds that: 1) the relevant core platform services are not standalone services (e.g., Meta’s Messager challenge (Case T-1078/23)); 2) their services face intense competition /do not benefit from network effects (e.g., ByteDance’s TikTok challenge (Case T-1077/23)); or, 3) the designated core platform service does not meet the quantitative thresholds set out in the DMA (e.g., Apple’s iMessage challenge (Cases T-1079/23 and T-1080/23)). On the other side of the “V,” rivals transformed to gatekeepers are also challenging the Commission’s alleged failure to designate additional services as core platform ones (see, e.g., Case T- 357/23 Opera Norway v. Commission, in which Opera is complaining that the Commission failed to designate Microsoft as a gatekeeper in relation to its web browser core platform service, Edge).
With regard to challenges of specific provisions, Articles 5 and 6 in the DMA contain the most important legal obligations: Article 5 prohibits practices related to the processing of end-users’ personal data, parity clauses, anti-steering, etc., whereas Article 6 prohibits, in general, preferential treatment of a gatekeeper’s own services, obligations on end-users to use certain default settings and apps, and denying business users access to data generated by those businesses. ByteDance has for instance challenged the immediate implementation of the obligation to disclose certain strategic information concerning its profiling practices under Articles 5, 6, and 15 of the DMA (Case T-1077/23 R).
Under the DSA, the EC has designated 23 Very Large Online Platforms (VLOPs)—including Amazon Store, Apple AppStore, Facebook, TikTok, Twitter, Wikipedia, Pornhub, Stripchat, Temu, and Shein—and two Very Large Online Search Engines (VLOSEs), Bing and Google Search. A large number of providers of VLOPs, including Zalando, Amazon, Meta, TikTok, Technius, Aylo Freesities, and WebGroup contested the designations of the platforms they operate as VLOPs and also the applicability of specific provisions to them. With regard to the designations themselves, the controversy is centered around the appropriate methodologies for calculating the number of monthly users. With regard to the substantive challenges, the most contested provision is, by far, Article 39 of the DSA which obliges the providers of VLOPs to make publicly available and in a consolidated manner a set of detailed, commercially sensitive information on the advertisements presented on their interface, the advertising strategies employed (e.g., targeting parameters) and the number of users reached per advertisement in each Member State. These challenges are centered around violations of fundamental rights and freedoms, such as the right to the protection of confidential information, the right to conduct business and the right to privacy.
Although many of the challenges before the EU Court are still pending, the regulated companies have, to date, been largely unsuccessful: The General Court has already dismissed ByteDance’s challenge of TikTok’s designation, making particular mention of the exponential increase of TikTok users in recent years (Case T‑1077/23). The Court has also dismissed ByteDance’s request that the obligation to disclose certain strategic information concerning its profiling practices under the DMA be suspended (see Case T-1077/23R). On the DSA front, whereas Amazon was initially successful in securing an interim order from the President of the General Court suspending its obligation to make publicly available the Repository mandated under Articles 39(1) and (2) of the DSA (Case T‑367/23 R), on appeal (by the European Commission), the Vice President of the Court of Justice overturned the order. Despite prevailing on the first two criteria for the grant of interim relief (“existence of prima facie case” and “urgency”), Amazon lost on the third (“balancing of interests”) as the highest EU Court found that, on balance, the immediate application of Article 39 must take precedence over Amazon’s confidentiality concerns, especially given that advertising revenue represents a small fraction of its overall business (Case C‑639/23 P(R)). Following the lead of the highest Court, the President of the General Court rejected other similar pending applications for interim measures (see, e.g., Case T‑138/24 R, and on appeal Case C-511/24 P(R), Aylo Freesites v. Commission). It is noteworthy that the European Parliament, the European Council, individual Member States associations, organizations, and other interested parties have sought leave to intervene in the abovementioned cases, a fact that highlights the wider implications of the outcome of the proceedings before the EU Courts.
Against this background, GDPR-related actions appear to be limited both in terms of absolute numbers, as well as in terms of scope, despite the fact that the GDPR has been in force for much longer—six years already. To the best of our knowledge, there have been only four challenges (the most recent ones were brought by TikTok and Meta) that pertain to specific enforcement measures. It therefore appears that (i) challenges under the DMA and DSA are pre-emptive (i.e., are lodged long before the imposition of fines for noncompliance), whereas GDPR-related actions are reactive to the imposition of financial penalties; (ii) regulated companies forcefully resist the application of the far-reaching DSA and the DMA provisions, which go to the heart of their business models, but the GDPR, by contrast, is not perceived as affecting companies fundamentally; and (iii) DMA and DSA-related litigation has inspired more GDPR challenges recently than in previous years. These GDPR challenges are also based on arguments centered around violations of fundamental rights, just like those deployed in DMA/DSA challenges.
It remains to be seen whether any of the applicants will be successful in their pending challenges as well as whether private actions will also play a role in the implementation of the DMA and the DSA. We recall that both acts have direct horizontal effect, meaning that affected parties have the right to initiate private actions before national courts to demand compliance from the regulated companies or damages incurred as a result of infringements. One can therefore expect more litigation to come.