PCC.land, here.
Thursday, July 03, 2025
Why Cloudflare wants AI companies to pay for content
TechCrunch, here.
Great, but shouldn't it be a democratic decision taken by a legislator and not by an infrastructure ("gatekeeper")? Not just "tech is law" - get over it?
Targeted advertising by Meta democratised advertising and made people love ads (so we heard): discuss
Meta DMA enforcement/compliance workshop, video here.
Wednesday, July 02, 2025
How Monopolies Secretly Steal Your Freedom
Brought to you by the inimitable Lina Khan, here (may I please live long enough to see a Khan US Presidency, or two?).
Brazil, on the way to the ("DMA") goal!
We spoke candidly: about what seems to be working, about what remains difficult, and about what, in hindsight, might have been done differently. These are not easy conversations, but they are necessary ones.
What stood out, above all, was the seriousness and clarity of purpose shown by our Brazilian counterparts. There’s no doubt: they are approaching the challenge of platform regulation with a level of determination that is both impressive and encouraging. It’s not just about legal design or enforcement mechanics: it’s about political will. And in Brazil, that will is clearly there.
This isn’t Brazil against Europe (or Italy ;-)): it’s one match, one team.
And the stakes couldn’t be higher.
Sunday, June 29, 2025
Interoperability in Digital Platforms and its Regulation: Transatlantic Dialogue alive and kicking!
[Image: Not a dead parrot.]
It offers a timely comparison: Brazil, a jurisdiction that has demonstrated its ability to build effective digital public infrastructure (Pix), thereby getting rid of the extractive Visa-Mastercard duopoly, and the European Union, which has so far struggled to do the same. At the same time, Europe has taken the lead in legislating to curb Big Tech’s power, and other regions, including Brazil, are now watching the Commission's enforcement of this legislation closely.
All this, just as transatlantic tensions over digital regulation resurface, and as the EC DMA Team does its utmost to stay below Trump’s radar. And then there's the DMCCA (and UK politics).
As for my contribution, I’m still finalising the details. Not long ago, I wouldn’t have had much to say about EU interoperability, at least not anything terribly useful for promoting open, fair and competitive digital markets. But the past few months have been surprisingly lively. Four developments stand out, and I hope they can add a little spice to our conversation. I will most likely begin with the antitrust commitments by Apple concerning NFC (Apple Pay), and reflect on their aftermath. Next, I’ll briefly touch on the recent judgment of the Court of Justice of the European Union regarding interoperability of the Android Auto OS. I’ll then say a few words about the Commission’s specification decisions on Apple’s interoperability obligations under Article 6(7) of the DMA. And finally, I’ll offer some thoughts on prospects for stronger DMA enforcement, on the case for refining the regulatory framework, and even on the EuroStack (10 minutes in total :-)).
The first reflection I would like to offer concerns access to Near-Field Communication (NFC) functionality, a technology which, until mid-2024, Apple had reserved exclusively for its own Apple Pay service within the EEA. An important point to note is that, across Europe, NFC, a technology not developed by Apple, has become the standard for mobile payment. It enables fast, contactless transactions, secured through tokenisation and encryption. Virtually all payment terminals in the EEA now support it.
It is now almost exactly one year since the European Commission made Apple’s commitments in the Apple Pay case legally binding. These commitments are centred squarely on interoperability: Apple is required to allow third parties access to the NFC functionality for payment purposes on iOS devices. As a result, a wide range of developers can, in principle, begin to use this technology to offer alternative NFC payment services. Even though relatively little time has passed, it is important, I believe, to ask whether anyone has actually seized this opportunity, whether any new entrants have made their way into the NFC in-store mobile wallet market on iOS. There have, in fact, been some entries, though so far limited to a few countries rather than on an EU-wide scale. As illustrated at the most recent OECD Competition Committee meeting in June, the first to enter was Vipps MobilePay, though its launch remains limited to Norway, and it faces huge hindrances to becoming a pan-European interoperable wallet (Single Market, anyone?). Next came a US tech firm, hardly a small player, namely PayPal, which is currently rolling out its wallet in Germany. German cooperative banks have also signalled their intention to enter this space soon, likewise focusing on the German market. In the announcement, it is explicitly stated that Apple Pay will no longer be needed to make payments with the new service, a move framed as part of a broader effort to raise awareness of how heavily payment systems in Europe rely on US corporations such as Visa, Mastercard, PayPal, and, of course, Apple. The ongoing trade tensions with the US are cited as an additional reason for concern. This raises a broader question: can interoperability serve not only as a tool to promote competition, but also as a means of advancing digital sovereignty?
The answer, perhaps, is that interoperability is certainly a first step, but a far more effective approach, had it been pursued from the outset, would have been to establish a digital public infrastructure for electronic payments, along the lines of Brazil’s Pix. Crucially, this would have required a broad adoption mandate for banks operating across the EEA. If done properly, such a system could have delivered both competition and sovereignty in a more structural and sustainable way. A related and important question is what went wrong with SEPA, the Single Euro Payments Area. Conceived as a cornerstone of European financial integration, SEPA has largely failed to deliver the kind of common digital payment infrastructure that could support genuine sovereignty and competition at scale. Even though scepticism remains high, it remains to be seen whether the Instant Payments Regulation, now in force, with serious enforcement beginning this year, will offer an effective fix to SEPA’s shortcomings. The other, and perhaps enduring, question is whether the commitments offered by Apple were ever sufficient. More fundamentally, even if the commitments had been ideal, one must ask how much they could realistically achieve in isolation. If anticompetitive conditions persist in adjacent markets, addressing interoperability at just one layer may do little to resolve distortions that are structural and multi-layered in nature (e.g., terminals?). Moreover, to fully benefit, at the EEA-scale, from access to previously gated functionalities, new entrants would need to rely on other components of essential digital public infrastructure, most notably, the European Digital Identity, meant to be enabled by the eIDAS 2.0 framework.
Even from the few observations above, it becomes clear that getting interoperability right, as a driver of innovation, competition, and even digital sovereignty, is no small feat. It requires multiple elements to come together in a coherent and sustained manner. It is far from simply unleashing latent energies held back by a textbook refusal to provide interoperability. In the Brazilian context, the national scope of the market, combined with the groundwork already laid in this area by the regulator, may well place the competition authority in a favourable position to act effectively. That said, it is beyond doubt that the refusal to enable interoperability has often been used strategically by Big Tech players as an anticompetitive tool. In some cases, it served to block potentially disruptive innovators at a critical moment; in others, it was used to secure and preserve market positions in areas where new business opportunities were emerging, as Apple did with NFC functionality until recently, and as Google did in relation to Android Auto, for which it was sanctioned by the Italian competition authority.
This latter case also triggered a preliminary reference to the EU Court of Justice, which did not miss the opportunity to say once again something helpful, a development I would like to briefly address as the second point in my remarks. That the effectiveness of the branch of competition law tasked with preventing and prohibiting abuses of market power has been profoundly challenged by the rise of Big Tech is, of course, no secret. One aspect long recognised as particularly ill-suited to the digital context is the so-called Essential Facilities Doctrine, particularly in its Bronner formulation. The Court’s ruling in Android Auto provides a further fix, in the form of a "clarification" of the doctrine, perhaps a limited one, but a welcome one nonetheless. The case concerned Google’s refusal to allow Enel X’s electric vehicle charging app to interoperate with the OS Android Auto, citing security concerns and the burdens of developing a new template. The Italian competition authority (ICA) found this refusal to be in breach of Article 102 TFEU and ordered Google to enable interoperability.
[Image: Last slide of my 2021 presentation]
The second question I raised during the ASCOLA presentation, bearing in mind that this was back in 2021, after the DMA had been tabled but before it became law, was how to frame the relationship between ex post and ex ante approaches to interoperability mandates going forward. The ex ante approach to interoperability introduced by the DMA will form the third point of my remarks. But before that, a few words are in order on the relationship between ex ante and ex post interventions and, more broadly, between traditional antitrust law and emerging forms of digital regulation with regard to interoperability, which can be of some interest specifically in the context of our transatlantic dialogue. The first thing to note is that the Commission’s experience in the Apple Pay commitments proceedings, discussed earlier, appears to have fed directly into the current phase of DMA enforcement. This is evident in the confidence with which the Commission has now moved to specify Apple’s interoperability obligations under Article 6(7), a point I will return to shortly. The second aspect I wish to highlight, though much more could be said, is that courts are reading the DMA and drawing inspiration from it, even when interpreting traditional antitrust law. This is clearly visible in the Android Auto case, where a regulatory approach inspired by the DMA can be seen in how the Court assessed what may constitute an objective justification for refusing to grant interoperability. In my view, all things considered, this too is a positive development.
[Image: The prince app developer (see blog post)]
To be discussed!
First-sale doctrine in the AI age: incentivising book bonfires! No externalities there?
Friday, June 27, 2025
EuroStack: a concrete pathway to European digital sovereignty and strategic autonomy
Apple "changes" App Store rules in EU to [fake compliance] with [DMA] order
Wednesday, June 25, 2025
Interoperability in Digital Platforms and its Regulation: Transatlantic Dialogue alive and kicking! [Spoiler alert: not with the US]
Webinar, 1 July, 15-17 CET. Register here if you want to pose questions, otherwise live on YouTube here.
Tuesday, June 24, 2025
Excessive Wealth Concentration and Power
CEU, here.
I've been dealing with this topic for 7 lustra and it looks increasingly bleak - not my fault😉
CMA takes first steps to improve competition in search services in the UK
Here.
Proposed decision here.
Roadmap here.
Exploring consumers’ search behaviours here.
Read also Sarah's blog post here ("Based on how it is currently offered and used, we have provisionally decided that Gemini AI assistant should not be included as a product within this scope").
"We have identified a further set of possible actions (for example, restricting use of default agreements and providing access to underlying search data) which are currently the subject of live litigation between the US Department of Justice and Google. We will consider our approach in these areas in light of developments over the coming months. This is in line with the CMA’s prioritisation principles and the government’s recent strategic steer, which encourages the CMA to consider where we are best placed to act"
Monday, June 23, 2025
Did Thomas Regnier (EC) today say that DMA enforcement is indeed part of the US/EU trade negotiations?
Video here.
A WSJ journalist asked but the answer is either a masterpiece or a bit too casual.
Sunday, June 22, 2025
EU Near Deal on Nontariff Trade Irritants [read DMA & Co.]
WSJ, here.
The quiet dismantling of the only meaningful tool Brussels has ever deployed to rein in Big Tech, or merely a tactical leak to shape the narrative and apply pressure? Either way, there is cause for concern.
Thursday, June 19, 2025
DMA (Team) Sudans, when will Meta's compliance with Article 5(2) finally flow?
[Image: Don't look for it in Rome...]
Why, then, did it take an 80-page decision, and why is Meta, in all likelihood, still not compliant more than a year after it was first required to be? The most obvious answer, of course, is that the obligation in question strikes at the very heart of Meta’s business model, not only as it stands today, but also with implications for future developments, given the EU legislator's insistence on DMA compliance by design, a theme that has been a recurring one here on Wavesblog. Moreover, in this case, the Commission is not simply tasked with interpreting and enforcing a 'standard' DMA obligation in relative isolation; to do so, it must also apply the General Data Protection Regulation in conjunction with the DMA. That these two legislative instruments converge in more than one respect is also confirmed by the German ruling mentioned earlier and to which we shall return in due course. On that note, we are still awaiting the joint EDPB/Commission guidance on the interplay between the DMA and the GDPR, which, according to the Commission’s remarks this week in Gdańsk, is expected imminently. Interestingly, the Commission takes this into account as a mitigating factor in determining the fine for non-compliance ("the Commission acknowledges that the interplay between Regulation (EU) 2022/1925 and Regulation (EU) 2016/679 created a multifaceted regulatory environment and added complexity for Meta to design its advertising model in a manner compliant with both regulations"). That might be perfectly understandable, were it not for the fact that we are, after all, dealing with Meta, which has elevated non-compliance with the GDPR to something of an art form worthy of Bernini. This raises both a puzzle and a question: will Meta be left to do much the same under the DMA? And might other gatekeepers be allowed to match, or even surpass, it?
Is there, perhaps, a structural flaw in the DMA’s enforcement apparatus, just as there are, quite plainly, in the GDPR, that gatekeepers can be expected to exploit at every opportunity? Or is it simply a matter of DMA enforcement resources falling well short of what would actually be required? What, then, can be inferred from this particular decision in response to that question? Serious reflection is clearly needed here. For now, I can offer you, Wavesblog Readers, only a few very first impressions, but I’d be all the more keen to hear yours.
Even before Compliance Day (7 March 2024), it is clear from the decision that the Commission already had serious reservations about the "Consent or Pay" advertising model that Meta was in the process of grinding out, which had been presented to the Commission as early as 7 September 2023. The decision makes clear not only that the Commission was in close dialogue with Meta, but also that it engaged with several consumer associations and other interested third parties, on both the DMA and privacy sides of the matter. On that note, a further question, though perhaps it’s only me. Should there not be, if not a formal transparency requirement then at least a Kantian one, for the Commission to list, even in a footnote, all the interested parties with whom it bilaterally discussed the matter? On this point, one almost hears the Commission suggesting that such a transparency obligation might discourage others from speaking up, for fear of retaliation by the gatekeeper. The point is well taken, but one wonders whether some form of protected channel might be devised, a kind of "privileged observer’s window with shielding" available where reasonably requested, providing clear assurances that the identities of those coming forward will be safeguarded (short of being a whistleblower). Moreover, as is well known, this point tangentially touches on a broader issue. The EU legislator, likely with a view to streamlining enforcement, left limited formal room for well-meaning third-party involvement. The Commission-initiated compliance workshops, the 2025 edition of which has just begun, are a welcome addition, but they are, of course, far from sufficient. In particular, without access to fresh data provided by the gatekeepers, available only to the Commission, how are third parties expected to contribute anything genuinely useful at this point of the "compliance journey"? 
As we shall see, this concrete data was also an important point in the very process that led to the adoption of the non-compliance decision in this case (Meta knew that its 'compliance model' was producing exactly the result they wanted). The lawyers, economists and technologists on the DMA team have clearly had their hands full in the matching ring with Meta (hence, of course, the Sudans in the title). Even a quick reading of the decision reveals, between the lines and squarely on them, the array of tactics deployed by Meta to throw a spanner in the works of effective DMA compliance, all carefully orchestrated and calculated with precision, and surprising no one. But one does wonder whether the DMA’s hat might not still conceal other tools, better suited to crowdsourcing and channelling constructive efforts, particularly from those third parties who stand to benefit from the DMA (as we also heard in Gdańsk), from conflict-free academics, and from what might be called real civil society, genuinely committed to effective and resolute DMA enforcement, rather than the usual crop of gatekeeper-supported associations.
[Image: Data cocktails beyond the decision]
Perhaps the best place to restart is with what was clearly explained during the Compliance Workshop, and you, dear Wavesblog readers, who’ve perhaps already pored over the decision, will have caught all the nuances of it. The non-compliance decision at issue concerns a single type of data combination covered by Article 5(2). Many other cocktails Meta shakes up with your data fall outside the decision’s direct scope, but are still covered by the same article and have been extensively discussed in the ongoing regulatory dialogue between the DMA Team and Meta. Data cocktails can be mixed within CPSs themselves (e.g., Facebook and Messenger), but also between CPSs and the gatekeeper’s other services (e.g., Instagram and Threads). During the workshop, we heard from the Commission that these other 5(2)-related compliance discussions largely centred on what qualifies as an equivalent service for users opting out of data combination, without slipping into degradation beyond what’s strictly necessary due to reduced data use. These, as we understood, are discussions about the kind of service a user who declines data combination is entitled to expect, and whether it is genuinely equivalent, as required by Article 5(2). In this context, it emerged that the Commission and Meta have been discussing what such a service looks like: for example, Messenger or Threads when data combination with Facebook and Instagram, respectively, is not allowed by the end user. On this front, the Commission noted, with some satisfaction, that improvements have been made.
[Image: Source: Proton Drive on X]
[Image: End user's journey: 1.0]
[Image: Penelope waiting, Chiusi Etruscan Museum]
Based on the Commission's reading of Article 5(2) DMA, the legal reasoning underpinning the non-compliance decision is twofold. First of all, the less personalised but paying (Scylla) and the fully personalised (Charybdis) options cannot be considered equivalent alternatives, as they exhibit different conditions of access. Second, the binary configuration of Meta’s consent-or-pay model (Scylla or Charybdis) doesn’t ensure that end users freely give consent to the personalised ads option, falling short of the GDPR requirements for the combination of personal data for that purpose. But what about ('data combination in Meta's advertising services') 2.0? In November 2024, Meta charted an additional ads option. This is a free of charge, advertising-based version of Instagram and Facebook. Further tweaks to this option followed just as the 60-day compliance period set out in the non-compliance decision was about to expire — enter 3.0. Is it finally the Ithaca Option, that ensures compliance with the DMA by giving the end user a real chance to exercise the data right enshrined in Article 5(2)? In its non-compliance decision, specifically on Meta’s data combination 1.0, the Commission, without delving into detail, also indicates what a DMA-compliant solution would, in its view, require, making explicit reference to elements introduced in 2.0:
1) the end user should be presented with a neutral choice with regard to the combination of personal data for ads so that he/she can make a free decision in this respect;
Before diving into the more legal aspects of the non-compliance decision, while taking on board, too, at least some of the arguments aired by Meta during the workshop (soon to be set out in more precise legal terms in the upcoming appeal against the decision), I’d like to surf briefly above the currents of DMA enforcement. Allow me, dear Wavesblog Reader, a quick self-quotation (then I’ll stop, promise). Reflecting on Article 5(2) and other DMA data-related provisions in something I wrote early in 2021, I reached a conclusion I still stand by, namely that this provision, at its core, and with regard to online advertising specifically, should provide end users with a real choice over the level of ‘creepiness’ they’re comfortable with. That may sound rather underwhelming — and it is. In fact, in the same piece, I wondered whether it wasn’t finally time to regulate personalised advertising more broadly, and for real, without losing sight of the broader picture: that private digital infrastructures, especially informational ones, ought, depending on the case, to be regulated decisively, dismantled, made interoperable, and so on. At the same time, I do believe this end user's right to choose as carved clearly into Article 5(2) of the DMA, without tying it to one’s capacity to pay in order to escape a level of surveillance one finds uncomfortable (for oneself and/or the society she/he lives in), is immensely important.
[Image: Bravissima, whatever.]
It’s a glimpse of something different: a very narrow but real incentive in favour of an "economic engine of tech" that starts rewarding services built around data minimisation and not surveillance and data collection (and its combination). From this perspective, offering the mass of Facebook and Instagram users a genuinely neutral choice, and thus the concrete possibility of making a free decision in favour of a less, but equivalent, personalised alternative (e.g., about the preferred level of creepiness), could also have a welcome educational effect. However, we can’t pretend that the current AI age hasn’t, for now at least, further accelerated the shift towards surveillance and data accumulation — and what’s being done to counter it still feels far too limited (see also the above-mentioned ruling by the Cologne court).
[Image: Hannibal in Italy, Palazzo dei Conservatori - Rome]
[Image: Distinct legal notions]
As just noted, the enforcement of the DMA is not necessarily bound by the contours of the GDPR where the DMA goes beyond it, or simply moves in a different direction. However, for those parts where the EU legislator has drawn on legal concepts from the GDPR, such as the requirement that end users give valid consent to the combination of their personal data for the purpose of serving personalised advertisements, reference must be made to Article 4(11) and Article 7 of the GDPR. This, in turn, triggers a duty of sincere cooperation with the supervisory authorities responsible for monitoring the application of that Regulation. Here, however, a possible complication arises, which in the ideal world of EU law enforcement perhaps shouldn’t exist. And yet, it does. We won’t dwell on it for long, but it’s worth highlighting (and it may at least partly explain Mario Draghi’s well-documented allergy to the GDPR, reaffirmed only a few days ago). The cast of characters on the GDPR enforcement stage has often found it difficult to offer a consistent reading of this Regulation. Unsurprisingly, this has weakened enforcement and worked to the advantage of those less inclined to embrace it. This risk has been avoided under the DMA, notably by assigning quasi-exclusive enforcement power to a single entity: the Commission (though arguably creating others in the process, which we won’t go into here). 
Echoes of the considerable effort supervisory authorities expend to ensure even a modicum of consistent GDPR application also surface in the text of the DMA non-compliance decision, where the Commission finds itself almost compelled to justify having taken into account the EDPB’s opinion on the matter when applying the GDPR (e.g., explaining that "the fact that some members of the Board voted differently or expressed reservations about the Opinion 08/2024 does not diminish the value of that Opinion, in the same way that the Court’s judgments produce their effects irrespective of whether they were decided by majority or unanimously"). What matters is that DMA enforcement not be delayed or undermined by such tensions, which, one imagines, some gatekeepers could hope to exploit, should a tempting opportunity arise.
[Image: Series 1]
TBC