The European Commission has issued its first decisions under the Digital Markets Act (DMA), imposing fines on Apple and Meta for non-compliance. You can read more about the decisions in our detailed analysis.
But what happens next? How can affected parties make use of these decisions for their own legal claims?
What Are the Two Cases About?
The Commission’s decisions concern different violations, and the potential for follow-on damages differs accordingly.
- The Apple case relates to the promotion of alternative apps both within and outside the App Store.
- The Meta case concerns the unlawful processing of personal data.
The Apple Case – Anti-Steering Obligations
Apple was fined for violating Article 5(4) DMA, which grants business users the right to promote and contract with end users outside the gatekeeper’s ecosystem. According to the Commission, this violation is ongoing and must be remedied.
Full text of Article 5(4) DMA:
“The gatekeeper shall allow business users, free of charge, to communicate and promote offers, including under different conditions, to end users acquired via its core platform service or through other channels, and to conclude contracts with those end users, regardless of whether, for that purpose, they use the core platform services of the gatekeeper.”
The Meta Case – Unlawful Data Combination
Meta was found to have violated Article 5(2) DMA between March and November 2024, in connection with its “Pay or Consent” ad model. The Commission’s decision does not yet address Meta’s updated advertising model introduced in November 2024.
This case revives issues previously debated in competition law: the abusive processing of personal data. The case illustrates how competition law and data protection law increasingly intersect.
Full text of Article 5(2) DMA:
“The gatekeeper shall not do any of the following:
(a) process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;
(b) combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;
© cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and
(d) sign in end users to other services of the gatekeeper in order to combine personal data,
unless the end user has been presented with the specific choice and has given consent within the meaning of Article 4, point (11), and Article 7 of Regulation (EU) 2016/679.
Where the consent given for the purposes of the first subparagraph has been refused or withdrawn by the end user, the gatekeeper shall not repeat its request for consent for the same purpose more than once within a period of one year.
This paragraph is without prejudice to the possibility for the gatekeeper to rely on Article 6(1), points ©, (d) and (e) of Regulation (EU) 2016/679, where applicable.”
Does the DMA Provide for Private Enforcement?
The DMA contains no explicit provisions for private enforcement, but it repeatedly refers to the principle of effectiveness. Under general EU law, Member States must ensure effective enforcement of EU rules, including the DMA.
As I argued years ago — prior to the DMA’s adoption — private enforcement should be supported by the Courage case law of Court of Justice of the EU. The CJEU held:
“The full effectiveness of Article 85 of the EC Treaty would be impaired if it were not open to any individual to claim damages for loss caused to him by a contract or conduct liable to restrict or distort competition.”
(CJEU, Case C‑453/99 – Courage, para. 26)
Failure to ensure access to damages would therefore undermine the effective enforcement of the DMA itself.
Legal Basis for Private Claims
The DMA does not create its own causes of action. Instead, it imposes directly applicable obligations (as a Regulation). These can be enforced under national civil law and procedural rules, depending on where a claimant is entitled to sue.
Where Can Claims Be Brought?
The DMA does not contain jurisdictional rules. Therefore, the Brussels Ia Regulation applies. According to Article 7(2) of the Regulation, claims in tort may be brought:
“in the courts for the place where the harmful event occurred or may occur.”
For violations of prohibitions (such as Article 5(2) DMA), the harm generally occurs at the domicile of the affected person.
For positive obligations (such as Article 5(4) DMA), the legal situation is more complex. These may still be treated as equivalent to tortious conduct, but gatekeepers — like Apple — may dispute this. The question may ultimately require a preliminary ruling from the CJEU.
Legal Basis in German Law
Germany has aligned DMA private enforcement with antitrust law. The relevant provisions are:
- § 33 GWB (German Competition Act): Entitles claimants to injunctive relief for violations of competition law, including Articles 5 – 7 DMA.
- § 33a GWB: Establishes a right to damages for intentional or negligent breaches.
This alignment allows for the transfer of experience from antitrust damages litigation to DMA cases.
Who Can Bring a Claim?
- In the Meta case, any natural person whose personal data was unlawfully processed may be entitled to damages.
– Since the Commission confirmed a violation from March to November 2024, all affected persons in the EU may have a claim.
– Collective actions are conceivable. - In the Apple case, business users affected by steering restrictions may claim damages.
– This could also include indirectly affected parties (e.g. payment providers) under the principle of passing-on (see § 33c GWB).
– Even companies not offering apps themselves might claim if their business was harmed.
Evidence Requirements
- § 33b GWB codifies binding effect for DMA infringements established by the Commission (or other authorities), provided they are final.
- If no appeal has been lodged, courts must accept the infringement as established.
- If an appeal is pending, the decision may still serve as prima facie evidence.
- The binding effect does not cover causation or damage, which must be proven by the claimant. However, courts have become more open to probabilistic inferences, particularly regarding non-zero harm.
Proving Damages – Helpful Tools
- Forensic data analysis
- Access to user logs and analytics
- Pre-action disclosure, based on § 33g GWB, allows claimants to request access to evidence held by the defendant
- Additional data access rights may arise under the DMA and the GDPR
- Article 5 DMA can itself serve as a basis for improving transparency and data availability
Preparing for DMA Damages Litigation – A Checklist
✅ Early documentation of relevant facts
✅ Identify legal contacts and representation
✅ Secure access to data (e.g. via discovery)
✅ Review and ensure internal compliance
✅ Strategic risk assessment
✅ Consider litigation funding options
How We Can Support You
🔹 Initial legal assessment and strategy review
🔹 Comprehensive legal representation
🔹 Coordination with data forensics experts
🔹 Enforcement of DMA-based damages claims
🔹 Internal guidance and checklists
🔹 Training and workshops on DMA compliance and litigation
Stay informed: Subscribe to our newsletter for regular updates on digital markets enforcement, competition law, and regulatory trends.
