This year, the UK’s Competition and Markets Authority (“CMA”) is set to gain a range of new enforcement powers under the Digital Markets, Competition and Consumers (“DMCC”) Act (the final text is now available here). The DMCC Act received Royal Assent on 24 May 2024. However, with certain exceptions, the Act’s provisions will not come into force until secondary legislation is passed. The CMA initially expected its new responsibilities to become operational in the Autumn, but this timeline may be delayed due to the UK’s election on 4 July. On the same day as the DMCC Act became law, the CMA published for consultation its new Digital Markets Competition Regime Guidance.
An outline of the key provisions of the DMCC Act can be found here. As the CMA sets the groundwork for exercising its powers under this new regime, this blog post considers five practical considerations for firms active in the UK.
Key takeaways:
- The CMA will administer the new regime through a specialist Digital Markets Unit, which was established over three years ago.
- The DMCC Act may diverge from the EU’s Digital Markets Act, both in the companies being designated, and the obligations imposed on designated companies.
- The interplay between the DMCC regime and existing regulatory obligations – particularly the GDPR – is likely to raise practical challenges.
- We expect the CMA to exercise its powers under the digital markets regime alongside existing antitrust tools (which the DMCC Act amends).
- The CMA’s jurisdictional thresholds to review mergers under the UK’s merger control regime will change as a result of the DMCC Act.
The CMA will administer the new regime through a specialist Digital Markets Unit
The DMCC Act confers powers on the CMA to: (i) designate companies which meet certain quantitative and qualitative thresholds in one or more digital activity as holding ‘Strategic Market Status’ (“SMS”); (ii) introduce specific conduct requirements on those SMS firms; and (iii) consider and where appropriate, introduce so-called “pro-competition interventions” where the CMA identifies particular competition concerns in relation to a digital activity.
The CMA established the Digital Markets Unit (“DMU”), which will lead day-to-day enforcement of the DMCC Act, in shadow form in April 2021 and since then has invested heavily in the resources needed to exercise its new powers (and recently noted its commitment to ensuring its readiness to make full use of its new powers, once granted). In particular, the CMA’s Annual Plan for 2024-25 describes the authority’s preparations for enforcing the DMCC regime to be “well advanced”. In a paper published in January 2024, the CMA noted that the DMU currently has around 60 staff, and that it plans “to build up to a total of around 200 people working across the CMA to implement the Digital Markets competition regime from the point of commencement”. Beyond the DMU itself, the CMA has also appointed nine leading independent digital experts (see here), and its Data, Technology and Analytics unit “now has over 60 people including data scientists and data engineers, technologists, behavioural scientists, and digital forensics specialists”.
The percentage of time spent by CMA staff on DMU work more than doubled year on year from 2022 to 2023, according to the CMA’s 2024-25 Annual Plan. Moreover, given the length of time for which the DMU has been established, the CMA is expected to begin its formal activities under the DMCC Act relatively quickly. The CMA will initially focus its resources on a relatively small number of reviews before casting a wider net, having stated that it expects to initiate approximately 3-4 SMS investigations within the first year. These will likely be run in parallel with public consultations on any potential conduct requirements which the CMA may consider applying should a firm be designated as having SMS.
Before the DMCC Act became law, as well as building teams of people to oversee its enforcement, the CMA had been developing its technical and sectoral knowledge of digital markets. For example, in December 2023, the CMA published a ‘Trends in Digital Markets’ Horizon-Scanning Report (“Report”). The CMA stated that its goal was to “draw on available evidence to discuss and present possible future developments and potential implications for competition and consumers” across ten trends the CMA believes will impact digital markets over a time horizon of five years and beyond. In addition, the CMA has undertaken work in relation to specific areas of focus, such as AI Foundation Models, and public cloud infrastructure (see more on this below).
Accordingly, the CMA’s prior work will likely inform its approach to administering the new DMCC regime.
The DMCC Act may diverge from the EU’s Digital Markets Act, both in the companies being designated, and the obligations imposed on designated companies
Enforcement under the DMCC Act could diverge from that under the EU’s Digital Markets Act (“DMA”) for two main reasons.
First, the companies designated under each regime could be different. There are differing designation thresholds for SMS firms and the DMA’s gatekeepers, meaning some companies face designation under one regime but not the other. Not only is the substantive designation test different, but the DMCC Act provides that no company can be SMS designated unless it meets minimum turnover requirements. By contrast, the financial thresholds under the DMA are only presumptive and do not necessarily need to be met for a company to be designated as a gatekeeper, arguably giving the Commission a greater degree of jurisdictional flexibility than the CMA.
Second, if SMS firms are also gatekeepers under the DMA, the CMA’s considerable flexibility to design tailored conduct requirements may mean the obligations on firms under the UK and EU regimes are not fully aligned. The CMA has much greater flexibility to pick and choose the services it will regulate and the requirements it will impose in relation to those services. This could result in companies being required to design their services differently in the UK and the EU, where the two regimes choose to regulate different services (or different aspects of the same services). To the extent the DMA and DMCC regimes overlap, individual firms may face regulatory friction between the regimes (if, for example, engineering solutions adopted to comply with one regime would be difficult to adapt to comply with requirements in another jurisdiction). Whilst multinationals are used to modifying their operations to meet varying regulatory standards across jurisdictions (such as multinationals altering how they process personal data when operating in EU markets compared with their home (non-EU) jurisdiction, in order to comply with the GDPR), further inter-jurisdictional regulatory fragmentation could increase the costs and complexity of compliance for large technology companies. In principle, this could ultimately lead to different services being offered across jurisdictions.
Interplay between the DMCC regime and data protection may raise practical challenges
The DMCC Act enables the DMU to impose tailored conduct requirements on SMS firms, including to prevent any data being used “unfairly”.[1] Given the complexity of data flows – both from a practical and often a legal perspective – it seems probable that any data-focused conduct requirements will require detailed consideration in order for the CMA to alight on workable solutions to any perceived problems it identifies in the course of a conduct requirement investigation.
Accordingly, the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), could have an important role to play in providing subject-matter expertise on data issues.
Under the terms of a 2021 Memorandum of Understanding (“MoU”) between the two authorities, the ICO and the CMA acknowledged that the nature of their cooperation would evolve with the creation of the DMU. The MoU provides that the ICO and CMA will share relevant information “which enhances their ability to exercise their respective functions”. As part of this cooperation, the MoU expressly provides that the ICO may provide data protection advice to the CMA. The MoU also provides that the CMA will, where possible, alert the ICO to any breaches of data protection law that it uncovers in the course of exercising its functions.
When considering imposing conduct requirements centred on data processing, it therefore seems likely that the CMA will cooperate closely with the ICO. In turn, the ICO may receive information in the context of the DMCC that could inform its enforcement priorities under the GDPR, thereby creating closer alignment between the activities of the CMA and ICO than have historically been the case.
Nonetheless, the CMA is well-versed in the role data plays in digital markets. Indeed, the role of data in a wide range of markets has been an area of interest for competition authorities for a number of years (see, for example, the IMS Health competition law case relating to a refusal to grant access to certain data[2]).
We expect the CMA to exercise its powers under the digital markets regime alongside existing antitrust tools (which the DMCC Act amends)
Aside from the new ex ante digital markets regime, the DMCC Act also introduces a number of generally applicable consequential reforms to the UK’s existing competition regime, including allowing the CMA to accept undertakings at any stage during a market study or investigation, and introducing a new statutory fast-track route for merger reviews (see further here).
The CMA – like many of its peer agencies – has focused significant resources on reviewing and often intervening in a range of digital markets, including using its merger control, antitrust enforcement, and market investigation powers. Areas of focus have included measures such as an ongoing market investigation into public cloud infrastructure, and an investigation into Google’s ‘Privacy Sandbox’ browser changes, where the CMA accepted commitments relating to Google’s proposal to replace third-party cookies in its Chrome browser, in order to address potential abuse of a dominant position concerns that the CMA’s investigation had identified.
Looking forward, we expect the CMA to exercise its powers under the new digital markets regime alongside its existing antitrust tools. Indeed, the CMA noted in a response to the Government’s initial proposal for a new ex ante digital markets enforcement regime that it views the DMCC regime as complementary, rather than replacing, its broader antitrust toolkit: “where issues arise in digital markets as a result of behaviour by non-SMS firms, we will continue to use our existing competition, markets, consumer, and mergers powers in the best interests of people, businesses and the economy”.
The CMA’s focus on digital markets has also been replicated by certain concurrent competition regulators in the UK, indicating that the existing competition regime will continue to be relevant for digital sector players as their activities expand into other areas of the economy. For example, in November 2023, the Financial Conduct Authority issued a call for input to help it consider the potential competition impacts from the data asymmetry between some technology firms and existing financial services businesses. Following this call, the FCA ultimately identified in its April 2024 Feedback Paper three key issues that could affect how competition evolves in retail financial markets, and which the FCA will continue to monitor.
Across different regulatory pathways, therefore, the focus on digital markets appears to set to continue.
The CMA will have the power to review a broader range of transactions
The DMCC Act will impact the UK’s merger control regime in two main ways:
- Beyond the ex ante digital markets regime, the DMCC Act introduces a new generally applicable jurisdictional threshold for the CMA to review mergers and acquisitions even where the parties do not overlap. This is not limited to digital markets and is intended to capture vertical and conglomerate mergers where in the past the CMA was unable to assert jurisdiction, or applied the ‘share of supply’ test expansively in order to establish jurisdiction on horizontal overlap grounds. Broadly speaking, this new threshold will apply where: (i) one of the parties supplies or purchases 33% of goods or services of a particular description in the UK (or a substantial part of the UK); (ii) that same party has UK turnover exceeding £350 million; and (iii) another party to the transaction has a sufficient nexus to the UK (including through supplying goods or services into the UK). In recent years, the CMA has gained a reputation for expansive merger control enforcement, in particular in digital markets (e.g., Meta/Giphy). However, this new jurisdictional threshold will in many instances obviate the need for expansive interpretations of the increment to the share of supply test, which was a feature of some prior merger reviews.
- Additionally, as part of the new digital markets regime, SMS firms (and members of their groups) will have to comply with a suspensory reporting requirement, under which they must inform the CMA in advance of any acquisitions that cross the threshold of as little as 15% (cumulatively) of the shares or voting rights in a company with links to the UK (where such “links” can be established solely through sales), where the total consideration cumulatively paid for the shares or voting rights in that entity is at least £25 million. Similar requirements apply to the creation of joint ventures.
The CMA could therefore use these new powers to intervene in acquisitions proactively in order to address concerns about industry consolidation and concentration, or where it perceives a risk of smaller competitors being disadvantaged. For example, the Report posits that a number of recent transactions concerning acquisitions of smaller players by incumbents in the chip design sector have highlighted the potential for consolidation in markets for CPUs, GPUs and AI accelerators.
Next Steps
The UK’s new digital markets regulatory regime will mark a major departure from the existing competition law enforcement landscape. Although a number of the components of the new DMCC regime reflect existing competition law frameworks (for example, the process for investigating and potentially implementing any pro-competition intervention borrows heavily from the UK’s existing market investigation regime), the DMCC Act will provide the CMA with a significant range of additional powers.
The CMA’s Digital Markets Competition Regime Guidance remains open for consultation until 12 July 2024, following which the CMA will finalise the Guidance and introduce a formal document shortly before the DMCC regime goes ‘live’, which is currently expected to occur in the third or fourth quarter of the year.
[1] The DMCC Act’s more open framing of potential data-related interventions appears to be out of step with the DMA’s more prescriptive requirements on the use of personal data (which include limits on combining and cross-using personal data across services without consent).
[2] Case-418/01, IMS Health GmbH & Co OHG v NDC Health GmbH & Co KG [2004] ECR I-5039.