App Store Implementation of the Digital Markets Act Exemplifies Law’s Uncertain Future

The EU will not fully implement the Digital Markets Act (DMA) before 2024, despite passing it in late 2022, because policymakers still need to clarify how the law will apply to a variety of products and services. The DMA fails to clearly explain how it will affect different types of mobile ecosystems in particular, which led the European Commission to host a workshop on March 6, 2023, to examine the DMA’s requirements for alternate app distribution and interoperability across various app stores. Unfortunately, the workshop neither provided regulatory clarity nor addressed economic concerns related to its unintended consequences.

The DMA takes a fairness-over-innovation approach to European digital markets by creating precautionary regulations for online platforms based on size rather than alleged anticompetitive conduct. The DMA will apply to a wide range of innovative products and services, and mobile ecosystems and app stores are just some of its many prime targets. In particular, the DMA forces designated gatekeepers, namely Apple, to allow “sideloading,” i.e., allowing users to install apps from third-party app stores. This obligation will harm digital innovation and competition between mobile ecosystems. Because consumers would be able to download potentially hazardous apps outside of app stores, sideloading also poses significant cybersecurity risks and privacy concerns.

But the European Commission brazenly ignored the risks of sideloading in its March 2023 workshop. Instead, participants and speakers focused on the increased consumer choice that sideloading represents, missing how this would inevitably remove a privacy-focused option for consumers to impose the European Commission’s peculiar view of “fair” competition. Supporters of the DMA claimed these obligations would provide more benefits by injecting alternatives into the European market. However, they overlooked that the DMA also removes a critical distinguishing feature of Apple’s mobile devices—their closed mobile ecosystem—from the market entirely. Promoting competition and consumer choice are noble goals. But unless done correctly and in a way that lets both closed and open mobile ecosystems thrive, the DMA’s treatment of mobile ecosystems will fail to do either.

Closed mobile ecosystems, like Apple’s, control both the hardware—the mobile device—and its software—the operating system, app store, and apps—to limit what is allowed on a device. These ecosystems standardize their user experience through default software settings, limited hardware configurations, and standard features. By limiting users from accessing other app stores or downloading apps directly, closed ecosystems restrict users to only installing pre-screened apps on their devices. These restrictions can protect consumers from privacy and security threats.

Alternatively, open mobile ecosystems, like those on many Android devices, offer users more freedom to customize their hardware and software. While this means users have more control over what is on their devices, these products may require more effort to set up and will vary in performance between different configurations and users. Users may only download pre-screened apps from a trusted app store, but they have the option of downloading apps from elsewhere if they want more choice. In an open mobile ecosystem, it is up to users to determine whether they trust the alternative app stores or other websites they can use to download apps.

Having both open and closed mobile ecosystems as options provides users with more choices and encourages each model to address and compete with the benefits of its alternative. But by mandating sideloading, the European Commission and the DMA’s proponents ignore inter-platform competition to focus only on intra-platform competition. The DMA forces intra-platform competition by requiring gatekeepers like Apple to allow users to install alternative app stores and apps on their devices, regardless of the consequences or their previously closed mobile ecosystem. By doing so, the DMA overlooks how offering users the ability to select between closed and open mobile ecosystems contributes to inter-platform competition.

Essentially, the DMA removes the inter-platform competition between open and closed mobile ecosystems from the equation. By making gatekeepers’ closed mobile ecosystems open up to third-party app stores or alternative app distribution, the DMA prevents users from choosing Apple's closed mobile ecosystems and forces Apple to allow users to load apps from third-party stores it has not reviewed. For all Apple users, this would expose them to new privacy and security threats, even though they may have chosen a closed ecosystem specifically to mitigate these risks. Other users could also be tricked into installing malware from third parties, and Apple would have limited ability to block bad actors that enter their customers’ devices through alternative channels and app stores. Effectively the DMA removes the closed mobile ecosystem business model from the mobile device market and deters any future innovation from competing models in the name of “fair competition.”

The European Commission can grant exemptions to designated gatekeepers for public health or public security reasons if it agrees with the gatekeeper’s request on these grounds and reviews the decision annually. But these exemptions act as temporary fixes that will lag as gatekeepers will still have to comply before the decision is made and after the exemption is wholly or partially lifted.

Thankfully, policymakers have time to address these issues by creating legally binding regulations and non-legally binding enforcement guidelines for the DMA before it becomes fully applicable at the beginning of 2024. Unfortunately, the legally binding implementing regulations currently proposed only focus on due process. EU policymakers should create additional binding regulations, as well as enforcement guidelines, that address concerns around privacy, security, and innovation to avoid unintended consequences and preserve the ability of users to choose closed mobile ecosystems. Particularly, the European Commission can inform the extent to which it would accept and consider countervailing arguments to highly controversial obligations such as sideloading requirements, third-party app stores, and so-called “non-discriminatory” access to app stores. These necessary arguments could invoke efficiency considerations, but also safety and cybersecurity considerations.

The most recent DMA workshop is just the latest warning that a significant amount of work needs to be done before the DMA’s numerous obligations and prohibitions are either clear legally or realistically benefit innovation and consumers.