Booking.com DMA Compliance Workshop – The Power of No – Win, Lose or Lose
The Digital Markets Act‘s provisions began to apply on May 2, 2023. Since then, enterprises have been required to check if they meet the quantitative thresholds. The DMA then compelled the undertakings to notify the European Commission of their potential gatekeeper status if they met the quantitative thresholds. The first wave of designation decisions relating to six gatekeepers and twenty-two core platform services (CPSs) took place in September 2023.However, a few undertakings met the thresholds in 2024
(i.e., considering years 2021, 2022 and 2023), namely Booking.com’s intermediation service and X’s social networking service. Booking.com was designated as the seventh gatekeeper in May 2024. The deadline for its compliance was set at 14th November. In keeping with its tradition of reaching stakeholders, the European Commission hosted its seventh compliance workshop in order to give the gatekeeper the opportunity to explain their technical solutions for compliance. I’ve already covered previous workshops (e.g. Apple, Meta, and ByteDance), under The Power of No Series. Today’s the turn of Booking.com.At face value, Booking.com’s compliance strategy did not seem especially targeted at providing more information to stakeholders at the compliance workshop. Instead, the discussion revolved around its legal representatives constantly defending the same solutions it had already put forward in its non-confidential summary of the compliance report.
Parity clauses, again (weren’t those inapplicable?) Booking.com has stated that it has removed or waived all parity obligations applicable to EEA travel offerings. Booking.com’s business users are no longer required to provide the same rates and conditions for their EEA inventory as they do to any other OTA, or their own offline channels. Also, all narrow- and wide-parity clauses were (finally!) removed from all standard and negotiated agreements affecting European business users (i.e. hotels). In accordance with Article 5(3) DMA, all standard and negotiated contracts affecting European business users (i.e. hotels) have been removed. The elimination of these clauses now applies to all 27 Member States, including EEA countries, aside from the Member States that had been exempted due to national regulations, namely Belgium, France, Italy and Portugal. The gatekeeper explained that in practice, this meant amending five standard agreements with its partners and issuing over 70 waivers regarding their negotiated agreements. The platform notified all partners of these changes as early as 2024. On 2 December 2024, the parity clauses were eliminated for both new users and existing partners. Booking.com still does not comply with the obligation to this day.
Stakeholders repeatedly questioned the gatekeeper on whether the removal of those parity clauses would also impact the hotel’s ranking on the platform. The platform holder confirmed that the ranking does not take prices outside of the Booking.com platform into account.
Furthermore, Booking.com offers three Premium Programmes (Genius, Preferred and Preferred Plus) to its business users to enhance their visibility on the platform. Although the gatekeeper did not consider it was required to do so, Booking.com removed parity as an eligibility requirement to take part in its Premium Programmes, out of precaution.
Finally, the point that brought the most controversy vis-a-vis stakeholders was that of determining what ‘measures with equivalent effect’ to these parity clauses meant in the context of the DMA. Recital 39 acknowledges that gatekeepers should also eliminate such measures, as they limit the ability of business users to differentiate their commercial conditions. The DMA gives a few examples such as the imposition of a higher commission rate or de-listing business users’ offers. According to Booking, none other of its business practices meet the requirement of such measures bearing an equivalent effect, given that the platform does not impose any other type of conduct upon the business users.
Stakeholders strongly disagreed with such a characterisation, insofar as they questioned whether such measures with equivalent effect could be told apart from the fact that Booking.com imposed them on the business users. Booking.com’s price-quality score, or the Booking Sponsored benefit (BSB), for example, which entails the platform reducing the end user’s price unilaterally without reducing business users’ margins. Booking responded by stating that none of these measures had an equivalent effect to parity because they weren’t required to participate in the platform or because they unilaterally imposed them. The interpretation of the regulation by the platform is not so clear, since some national competition authorities (NCAs), before the DMA’s application had taken issue with these measures. Recently, the Spanish competition authority
considered BSB features in the context Article 102 TFEU. The NCA discovered that the platform applied BSB at their discretion, but only in relation to prices outside the platform. Booking will be more inclined to cut the price if it finds that the hotel’s price is not competitive with other OTAs. It is, therefore, difficult to square the circle of how the application of BSB does not impinge on an equivalent effect to parity.
Moreover, as some stakeholders pointed out, BSB is not widely applied to all hotels and properties available on the platform. It is only available to business users who have chosen Payments by Booking. Booking could decide to increase its prices if the business users consent to having their payments processed by the platform. According to these stakeholders, this interpretation of the DMA in these terms does not only question whether the gatekeeper is complying with Article 5(3), but also Article 5(7). The gatekeeper argued later that it already complied with Article 5(7) in the sense that the provision did not compel the gatekeeper to offer alternative and/or additional payment services through its own CPS. The provision is particularly aimed at those scenarios of app stores tying their own billing systems for in-app transactions and, thus, fall outside of the scope of the gatekeeper’s activities, its legal representatives set forth.
Despite the back-and-forth between the gatekeeper and the concerned stakeholders (including hotel associations from different Member States), Booking.com did not cave at any given point and maintained that its interpretation of the DMA was correct and in line with the standard of effective enforcement enshrined in Article 8(1). As always, the European Commission will be the judge of that.
Anti-steering clauses: get ahold of the end user’s email address
A similar story can be told about Booking.com’s interpretation of its compliance with Article 5(4) DMA. The provision requires gatekeepers to allow business users to communicate directly with end users in order to direct promotional offers or to conclude contracts with them. This can be done via their own CPS, or through other channels. The gatekeeper in this case did not present its technical implementation of the provision. Rather, it explained how and why it already complies with the provision and how the terms presented under the obligation meet its current business conduct.
According to Booking.com, Recital 40 provides for the possibility of the gatekeeper’s remuneration even if it must allow such communications to take place with the business users. The gatekeeper believes that this remuneration is essential to the commercial relationship between the hotel and the traveller. It is not obliged to share information with the user that is not directly related. Hotels receive the name, address and phone number of the end user, but not his or her email. This is because the gatekeeper interprets the Article 5(4) as meaning that the traveller cannot be ‘acquired,’ in the sense of the article, until Booking has been directly compensated by the business user to facilitate this relationship. The hotel is not able to use the Article 5(4) options until the end-user arrives at the accommodation for check-in. The business user can still ask the guest for any information, but cannot use the platform’s service (as specified by the mandate) in this regard. The exchange of information and communication of promotional offers can only take place face-to-face (in the real world, so to speak).
Bottom line: an end user’s email address will not be available to the business user until the end user arrives at the accommodation’s check-in. Booking.com’s compliance strategy was criticized by stakeholders because it is not justified to collect the email address of an end user. Some stakeholders went even further, arguing that even if Booking.com refuses to provide the email address of the end-user, it should take proactive steps to do so once it believes the end-user has been ‘acquired,’ as defined by Article 5(4) DMA. It would be more efficient and beneficial to the traveller to only ask for their email one time, rather than twice, due to the gatekeepers’ restrictions. Booking.com denied it was required to meet stakeholder demands under the regulation.
As a contributor pointed out, it doesn’t make sense for Booking.com to act as an intermediary in regards to the business relationships between hotels and their travellers while simultaneously limiting alternative channels of communication. The discussion went on throughout the third session of the compliance workshop, which revolved around Booking.com’s implementation of the data-related obligations under Articles 5(2), 6(9) and 6(10).
Articles 5(2) and 6(9) did not draw much of the attention at the workshop. The platform explained that Article 5(2) has little impact on its data infrastructures because all of its brands process and combine their data at their back-ends. As a result, data flows between the brands are minimal and irrelevant. Booking.com has ensured it does not use personal data for advertising purposes across the CPS and its services, despite BEUC’s representative questioning this assertion repeatedly, given that its privacy policies indicate the opposite. Booking.com, along with Apple, is one of the only gatekeepers that does not ask their users for consent to exempt their CPS from the prohibitions in Article 5(2). Booking.com, when questioned by a representative from the Coalition for Online Data Empowerment (CODE), defended its API as a way to ensure security and prevent access by bad actors. It introduced two-factor authentication in different stages of end users’ experience to give access to third parties to its data. The gatekeeper’s defence of its API design, however, may contribute more to discouraging third-party developer innovation in accessing that data than to triggering new business opportunities, as argued by CODE.
Finally, Booking.com put on the show it had prepared all along the workshop. It had already stated that it would never share the email address of the end-user with its business users. This was at the Article 5(4) stage. Its presentation of the tools that are available to business users in Article 6(10) is not particularly shocking either. Booking.com claimed that it already met the DMA compliance deadline by providing access to a wide range of analytics via its Extranet. This included aggregated and nonaggregated data about the customer’s origins, bookings, promotions, or the business user’s performance in the Premium programmes. The DMA has only introduced two new features: the Insights dashboard in the Attractions or Cars data portal. Participants in the workshops on compliance asked vehemently: What about the filters end users use to find the hotel’s offers? What about more data on the proportion of guests who choose different payment methods? Booking.com has consistently refused to grant access, claiming that the data did not correspond to the information covered by Article 6(10). This includes the email address. What role do you play, after all? It is a ‘third party’ in respect of the services (and advertising) it provides via its platform but a ‘first party” for everything else. Participants of the workshop asked why Booking had not included any implementation measures relating to Article 6(5) within its compliance report. Booking’s answer was clear: it doesn’t compete with third-party inventories (i.e. properties and hotel rooms) because it does no cater for first-party inventories on its platform. It does not engage in self-preferencing because it has no inventory to self-prefer. Booking Holdings Inc. owns several brands in addition to Booking.com. These include Agoda and KAYAK. In its designation decisions, the European Commission explicitly stated that these brands did not fall under the CPS they designated (para. 47 of the designation decision). The fact that these BHI sister brands of Booking.com are excluded from CPS does, however, not change the fact that the BHI sister brand caters for first-party inventories on the platform. Intuition just points out the fact that self-preferencing may be taking place after all if the platform does include first-party inventory on its ranking besides third-party inventory coming from its business partners.
Against this background, the compliance workshop set out in so many words what the gatekeeper’s compliance strategy is. It’s similar to ByteDance’s: to defend, it must not comply some of the DMA provisions because its values align with the regulation. It is up to the European Commission now to decide how it will respond to this challenge, keeping in mind that the European Commission must determine the credibility of Booking.com’s words as derived from its confidential version.
