Following the publication of the first two non-compliance decisions under the Digital Markets Act (DMA), we take a closer look at the reasoning underlying those decisions, and consider what they tell us about the Commission’s approach to enforcement of the regulation.

The Commission’s imposition of significant fines on both Apple and Meta – of €500m and €200m respectively – was a landmark moment for the EU’s (relatively) new digital markets regulatory regime. 

In the face of accusations that US tech companies were being unfairly targeted – prompting speculation that the Commission might opt not to fine either company, the Commission chose to issue fines of comparable severity to those for antitrust violations. This sent out a clear signal that the Commission would not hesitate to use its new fining powers to tackle conduct which it considers breaches the DMA.

Our earlier article examined the Commission press releases summarising the findings against Apple and Meta, with a particular focus on the level of the fines imposed. With the non-confidential versions of the decisions now having been made available, there is merit in taking another, more detailed, look at the nature of the infringing conduct and the Commission’s legal assessment in these two cases.

Apple: limitations on steering 

Article 5(4) DMA requires gatekeepers to allow business users, free of charge, to communicate offers to end users acquired via the gatekeeper’s core platform service (CPS) and to conclude contracts with them – including outside the gatekeeper’s ecosystem. This means that “anti-steering” provisions, which prevent app developers from promoting cheaper subscriptions/digital content to app users and directing such users to external channels to purchase such content, are prohibited.

In its decision, the Commission examined three sets of business terms governing app developers’ use of Apple’s App Store online intermediation service: i) the original business terms pre-dating the DMA’s application (OBTs); ii) new business terms introduced by Apple in March 2024 in response to the DMA (NBTs); and iii) a specific set of business terms introduced in April 2024 for music streaming services (MSTs).

Each of these sets of terms, the Commission found, failed to satisfy Article 5(4) DMA. 

The OBTs prohibited steering

The OBTs expressly prevented developers from encouraging users to make content purchases outside the App Store and were therefore clearly non-compliant.

The NBTs and MSTs restricted developers’ ability to communicate/promote offers

Under the NBTs and MSTs steering was permitted, subject to certain material restrictions, namely:

• “link-outs” from apps could only direct users to the app developer’s own website – not a third-party app store or other intermediary;
• links had to open in the device’s default browser rather than an in-app browser window, making the steering process less seamless;
• under the NBTs, developers were only allowed one link-out per “storefront” (i.e. the part of an app that sells digital content). This meant developers were required to link to a single page containing all the various offers for app users, making navigation more difficult;
• links could not include additional data in the URL, preventing the pre-completion of any forms linked to; and
• a prominent warning had to be displayed in respect of every link-out, referring to privacy and security risks allegedly inherent in leaving Apple’s ecosystem. 

Each of these restrictions unduly limited app developers’ freedom to use any channel or form of communication/promotion to engage with end users, or made the process of benefiting from promoted offers and concluding contracts following steering unduly difficult, contrary to Article 5(4) DMA. According to the Commission, Article 5(4) does not allow for any restriction on business/end users’ choice of distribution channels, including as regards the means of contracting.

The Commission rejected Apple’s attempt to justify a number of these restrictions on security and privacy grounds. It noted that there is no security exemption in Article 5(4), and that Apple had in any event failed to substantiate those security/privacy concerns or explain why it should be responsible for policing app developers’ compliance with data privacy or consumer protection legislation.

The NBTs and MSTs did not allow developers to conclude contracts free of charge 

Under the NBTs and MSTs, a commission fee applied to all purchases made from link-outs within seven days of users having clicked the relevant links. The Commission found that this breached the requirement under Article 5(4) DMA that developers be allowed to conclude contracts with end users “free of charge” following steering. 

The Commission rejected arguments from Apple that the “free of charge” requirement under Article 5(4) applied only to the communication of offers, and that the Commission’s interpretation failed to recognise the value provided by the App Store in acquiring customers.

Apple also argued that the commission fee constituted remuneration for having facilitated the initial acquisition of end users, which – as the Commission accepted – is permitted under Article 5(4) DMA. The Commission, however, noted that the fee applied irrespective of the date a user was first acquired and/or installed the relevant app (which could be some years previously). Moreover, the fee continued to apply indefinitely to any renewed subscriptions or subsequent steered transactions. Therefore, it clearly went beyond simply remunerating Apple for the initial acquisition.

Meta: consent or pay 

The Meta decision concerned the "consent or pay" model it introduced in response to the DMA’s entry into force. Under this model, EU users of Facebook and Instagram were given a choice: continue using the service for free with personalised advertising (which requires the combining of data from the service with other personal data), or pay a monthly subscription fee to use it ad-free.

Meta argued that this satisfied Article 5(2)(b) DMA, which prohibits gatekeepers from combining personal data from one CPS (in this case, data relating to users’ interactions with Meta Ads) with that from any other CPS or service (in this case, user data from Meta’s non-ads CPS, including Facebook/Instagram, Messenger and Marketplace), unless users have been provided a “specific choice” and have given their consent within the meaning of the General Data Protection Regulation (GDPR).¹

The Commission disagreed, finding that the consent or pay model failed on two counts.

Meta had failed to present users with a “specific choice” as to whether or not to combine their personal data

The Commission considered that presenting users with a “specific choice” constitutes a separate and distinct condition to the obtaining of consent. It also presupposes that there is a choice between two or more specific options. Moreover, as explained in DMA recitals 36 and 37, at least one of these options must be a “less personalised” alternative that does not involve the combining of personal data but is otherwise not different or of degraded quality compared to the service provided to users who do consent – unless the degradation of quality is a direct consequence of the inability to process such personal data.

Meta's consent or pay model did not meet this requirement. According to the Commission, the means by which a service is remunerated constitutes an essential feature of the conditions under which it is accessed. Since Facebook and Instagram have traditionally been free for users, making their use conditional on the payment of a fee amounted to a fundamental change in their conditions of access (irrespective of the amount of that fee). Paying a monthly fee and consenting to the processing of personal data to support personalised ads were regarded by the Commission as two forms of consideration with very different characteristics: one requiring end users simply to click on a button, and the other requiring access to an online payment service. This meant the ad-free versions were not a genuine, equivalent alternative. 

The fact that end users of social networks have over many years grown accustomed to using such services for free was also considered relevant, with the Commission pointing to the fact that fewer than 1% of users had chosen to subscribe to the ad-free versions as further evidence that they were not an equivalent alternative to the ad-funded versions. 

Meta argued that the position adopted by the Commission was incompatible with the 2023 Court of Justice (CJEU) judgment in Meta Platforms and Others. In that judgment, the CJEU held that the fact that the operator of a social network holds a dominant position does not preclude its users from validly consenting to the processing of their personal data (though it is a relevant factor in determining whether such consent is freely given). The CJEU also noted that users that do not consent should be “offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations”. 

The Commission, however, noted that Meta Platforms dealt only with the condition of consent under the GDPR – not the wholly separate requirement under Article 5(2) DMA (which is not found in the GDPR) that users be offered a “specific choice” between equivalent alternatives. It was also wrong, according to the Commission, to infer from the use of the words “if necessary for an appropriate fee” that there is an entitlement to charge a fee to end users who refuse to consent to personal data combining/processing. It was likewise wrong to exclude other appropriate forms of consideration. This led the Commission to observe that, even if Meta was entitled to receive some consideration for the “less personalised, but equivalent alternative” it provides (which had not been demonstrated), it did not necessarily follow that it could charge a monetary fee directly to the end user, if it could have been remunerated in a different manner.

Meta had failed to obtain valid consent for the combining of users’ personal data 

Whilst the failure to provide a specific choice was sufficient to conclude that Meta had not complied with Article 5(2) DMA, the Commission also held that the configuration of the consent or pay model did not enable users to provide their valid consent as defined in the GDPR.

The Commission highlighted that valid consent under the GDPR must be “freely given, specific, informed, and unambiguous”. However, given the ubiquity and long-established nature of its social networks, there was an imbalance of power between Meta and its users. Added to that, users would suffer detriment if they refused to consent to the combining of their personal data – in the form of having to pay a monthly fee or being excluded from an ecosystem they had previously used free of charge. According to the Commission, this binary option meant that any consent under the consent or pay model could not be considered as “freely given”.

Meta again sought to rely on the Meta Platforms and Others judgment, as authority for its position that consent given under the consent or pay model was valid for GDPR purposes. The Commission, however, pointed to the European Data Protection Board’s later Opinion 08/2024² – which took Meta Platforms into account – in concluding that the imbalance of power between Meta and its users (many of whom cannot conceive of a life without social media use), when combined with the existence of detriment for non-consenting users, meant that, in this particular instance, Meta’s users were not able to freely consent to the combining of their data for advertising purposes.

Determining the penalties

In both decisions, the Commission followed a structured approach in arriving at the fines, assessing: i) the gravity of the non-compliance; ii) the duration and recurrence of the infringements; and iii) any aggravating or mitigating circumstances, before considering the overall cap of 10% of global turnover. Contrary to the approach in antitrust enforcement, however, the Commission did not apply any sort of mathematical formula. Instead, it considered the relevant factors in the round, before identifying an appropriate amount for each penalty.

In both cases, the Commission found the non-compliance to be: i) at the very least negligent (if not intentional); ii) serious in its impact – affecting a very significant number of users across the EU; and iii) of medium duration – approximately thirteen months for Apple eight months for Meta.³

The Commission also considered certain mitigating factors, noting in particular the novelty of the DMA, and the fact that these were the first non-compliance decisions under the new regulatory framework. However, the Commission rejected arguments from Apple that this meant that no fine at all should be imposed. Regarding Meta, the Commission also took into account the fact that the overlap between Article 5(2) DMA and the GDPR made it more complex for it to design a compliant advertising model.

Ultimately, however, the precise manner in which the final penalty figures were arrived at is unclear. For example, despite the shorter duration of Meta’s infringement, and the presence of more mitigating factors (at least as identified by the Commission), its fine as a proportion of turnover was almost as high as Apple’s (0.13% vs 0.14%).

For analysis of the severity of the fines in comparison to recent antitrust penalties imposed on Apple and Meta, see our previous article.

Key takeaways

These are just the first steps for the Commission when it comes to enforcement of the DMA’s conduct obligations. Nevertheless, even at this stage one can draw some tentative conclusions from the decisions as to the Commission’s approach in this regard.

A focus on textual interpretation… 

Inherent to the DMA is the downplaying (or outright exclusion) of economic argument and analysis, in comparison to traditional antitrust enforcement.⁴ The legal arguments in the two decisions therefore focused almost exclusively on interpretation of the text of Article 5, as explained by the corresponding recitals. Sometimes that analysis was purely literal (e.g. looking at the position of punctuation marks, and comparing different language versions). In other instances, the Commission examined the legislative history and preparatory works in order to confirm the intention behind the relevant provisions. 

… but purposive in its approach

Where the above approaches failed to provide an answer, the Commission was also prepared to adopt a purposive interpretation of the text – which in some places is relatively sparse. 

For example, no mention is made in Article 5(2), or the corresponding recitals, of the conditions of access attaching to the less personalised alternative service a gatekeeper must offer. Only the alternative’s “functionalities” and “quality” are expressly mentioned. 

The Commission also inferred that allowing business users of the App Store to opt between two sets of terms, only one of which permitted steering, defeated the purpose of the DMA and therefore fell foul of Article 5(4). Similarly, the Commission reached the view that Article 5(4) not only precludes gatekeepers from placing any sort of limitation on steering by business users (despite merely stipulating that business users must be allowed to steer customers) – it also requires gatekeepers to facilitate whatever form of communication those business users wish to use for that purpose.

This is despite the fact that – as both Apple and Meta unsuccessfully argued – only Article 6 and 7 obligations are capable of being further specified by the Commission, whereas Article 5 obligations are meant to be self-contained.

The DMA need not respect gatekeepers’ choice of business models 

Meta and Apple argued that the Commission’s interpretation of DMA Article 5(2) and 5(4) respectively unduly interferes with their fundamental freedom to choose their own business models. 

In Apple’s case, it would need to rebalance the way in which it monetises its App Store, away from the facilitation of digital content transactions with end-users. For its part, Meta claimed that requiring it to provide a free, less personalised alternative was economically unfeasible, ignored the realities of ad-supported business models, and ran contrary to the prevalence of paid-for premium versions as an alternative to ad-supported models among numerous online platforms (such as news and streaming services).

The Commission was unmoved by these arguments. It emphasised that the DMA reflects a deliberate legislative choice and is designed to ensure contestable and fair digital markets. Achieving that objective was bound to have an impact on the business models of gatekeepers, who could not simply choose not to comply with their obligations under the DMA in order to preserve previous profit levels. 

Where necessary, the Commission expects gatekeepers to make significant changes to their commercial practices. These changes may involve gatekeepers being held to a higher standard than what is required of other online platforms or by other legislation (such as the GDPR) – even if it impacts gatekeepers’ traditional business models.

Next Steps

Both Apple and Meta have filed appeals with the General Court. While the appeals are pending, the Commission has ordered both companies to cease the infringing practices and bring themselves into full compliance. 

The stakes are high: penalties could reach up to 20% of annual turnover for repeated infringements. But perhaps more significantly, the Commission’s conclusions threaten to fundamentally undermine the core business model of Apple and Facebook in the EU (Meta generates around 99% of its revenue from targeted advertising), or a material part of it. An eventual appeal to the CJEU in both cases therefore looks likely.

¹ See Article 4, point (11), and Article 7 of Regulation (EU) 2016/679

² Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms

³ Meta introduced a new, less personalised model in November 2024, the compliance of which is still being assessed by the Commission, so the non-compliance did not cover the full period up to April 2025

⁴ Meta sought to introduce economic arguments by the back door – submitting economic studies showing that end users had ample alternatives to its social networks and therefore would not suffer detriment if unable to use them – but these were given little to no weight by the Commission.