PCC.land, here.
Tuesday, July 08, 2025
Monday, July 07, 2025
Sunday, July 06, 2025
Saturday, July 05, 2025
Friday, July 04, 2025
Thursday, July 03, 2025
Why Cloudflare wants AI companies to pay for content
TechCrunch, here.
Great, but shouldn't it be a democratic decision taken by a legislator and not by an infrastructure ("gatekeeper")? Not just "tech is law" - get over it?
Targeted advertising by Meta democratised advertising and made people love ads (so we heard): discuss
Meta DMA enforcement/compliance workshop, video here.
Wednesday, July 02, 2025
How Monopolies Secretly Steal Your Freedom
Brought to you by the inimitable Lina Khan, here (may I please live long enough to see a Khan US Presidency, or two?).
Brasil, rumo ao ("DMA") gol!
We spoke candidly: about what seems to be working, about what remains difficult, and about what, in hindsight, might have been done differently. These are not easy conversations, but they are necessary ones.
What stood out, above all, was the seriousness and clarity of purpose shown by our Brazilian counterparts. There’s no doubt: they are approaching the challenge of platform regulation with a level of determination that is both impressive and encouraging. It’s not just about legal design or enforcement mechanics: it’s about political will. And in Brazil, that will is clearly there.
This isn’t Brazil against Europe (or Italy ;-)): it’s one match, one team.
And the stakes couldn’t be higher.
Tuesday, July 01, 2025
Monday, June 30, 2025
Sunday, June 29, 2025
Interoperability in Digital Platforms and its Regulation: Transatlantic Dialogue alive and kicking!
 |
| Not a dead parrot. |
This webinar is a transatlantic conversation bringing together researchers, regulators and civil society. The focus is on interoperability, not as a silver bullet, but as a critical lever to support more open, competitive and innovative digital environments.
It offers a timely comparison: Brazil, a jurisdiction that has demonstrated its ability to build effective digital public infrastructure (Pix), thereby getting rid of the extractive Visa-Mastercard duopoly, and the European Union, which has so far struggled to do the same. At the same time, Europe has taken the lead in legislating to curb Big Tech’s power, and other regions, including Brazil, are now watching the Commission's enforcement of this legislation closely.
All this, just as transatlantic tensions over digital regulation resurface, and as the EC DMA Team does its utmost to stay below Trump’s radar. And then there's the DMCCA (and UK politics).
It offers a timely comparison: Brazil, a jurisdiction that has demonstrated its ability to build effective digital public infrastructure (Pix), thereby getting rid of the extractive Visa-Mastercard duopoly, and the European Union, which has so far struggled to do the same. At the same time, Europe has taken the lead in legislating to curb Big Tech’s power, and other regions, including Brazil, are now watching the Commission's enforcement of this legislation closely.
All this, just as transatlantic tensions over digital regulation resurface, and as the EC DMA Team does its utmost to stay below Trump’s radar. And then there's the DMCCA (and UK politics).
Together with Isa Stasi and Ian Brown, our task on Tuesday is to share a few lessons from the European experience. So what is it, really, that we have to offer from this side of the Atlantic?
As for my contribution, I’m still finalising the details. Not long ago, I wouldn’t have had much to say about EU interoperability, at least not anything terribly useful for promoting open, fair and competitive digital markets. But the past few months have been surprisingly lively. Four developments stand out, and I hope they can add a little spice to our conversation. I will most likely begin with the antitrust commitments by Apple concerning NFC (Apple Pay), and reflect on their aftermath. Next, I’ll briefly touch on the recent judgment of the Court of Justice of the European Union regarding interoperability of the Android Auto OS. I’ll then say a few words about the Commission’s specification decisions on Apple’s interoperability obligations under Article 6(7) of the DMA. And finally, I’ll offer some thoughts on prospects for stronger DMA enforcement, on the case for refining the regulatory framework, and even on the EuroStack (10 minutes in total :-)).
The first reflection I would like to offer concerns access to Near-Field Communication (NFC) functionality, a technology which, until mid-2024, Apple had reserved exclusively for its own Apple Pay service within the EEA. An important point to note is that, across Europe, NFC, a technology not developed by Apple, has become the standard for mobile payment. It enables fast, contactless transactions, secured through tokenisation and encryption. Virtually all payment terminals in the EEA now support it.
It is now almost exactly one year since the European Commission made Apple’s commitments in the Apple Pay case legally binding. These commitments are centred squarely on interoperability: Apple is required to allow third parties access to the NFC functionality for payment purposes on iOS devices. As a result, a wide range of developers can, in principle, begin to use this technology to offer alternative NFC payment services. Even though relatively little time has passed, it is important, I believe, to ask whether anyone has actually seized this opportunity, whether any new entrants have made their way into the NFC in-store mobile wallet market on iOS. There have, in fact, been some entries, though so far limited to a few countries rather than on an EU-wide scale. As illustrated at the most recent OECD Competition Committee meeting in June, the first to enter was Vipps MobilePay, though its launch remains limited to Norway, and facing huge hindrances to becoming a pan-European interoperable wallet (Single Market, anyone?). Next came a US tech firm, hardly a small player, namely PayPal, which is currently rolling out its wallet in Germany. German cooperative banks have also signalled their intention to enter this space soon, likewise focusing on the German market. In the announcement, it is explicitly stated that Apple Pay will no longer be needed to make payments with the new service, a move framed as part of a broader effort to raise awareness of how heavily payment systems in Europe rely on US corporations such as Visa, Mastercard, PayPal, and, of course, Apple. The ongoing trade tensions with the US are cited as an additional reason for concern. This raises a broader question: can interoperability serve not only as a tool to promote competition, but also as a means of advancing digital sovereignty? The answer, perhaps, is that interoperability is certainly a first step, but a far more effective approach, had it been pursued from the outset, would have been to establish a digital public infrastructure for electronic payments, along the lines of Brazil’s Pix. Crucially, this would have required a broad adoption mandate for banks operating across the EEA. If done properly, such a system could have delivered both competition and sovereignty in a more structural and sustainable way. A related and important question is what went wrong with SEPA, the Single Euro Payments Area. Conceived as a cornerstone of European financial integration, SEPA has largely failed to deliver the kind of common digital payment infrastructure that could support genuine sovereignty and competition at scale. Even though scepticism remains high, it remains to be seen whether the Instant Payments Regulation, now in force, with serious enforcement beginning this year, will offer an effective fix to SEPA’s shortcomings. The other, and perhaps enduring, question is whether the commitments offered by Apple were ever sufficient. More fundamentally, even if the commitments had been ideal, one must ask how much they could realistically achieve in isolation. If anticompetitive conditions persist in adjacent markets, and addressing interoperability at just one layer may do little to resolve distortions that are structural and multi-layered in nature (e.g., terminals?). Moreover, to fully benefit, at the EEA-scale, from access to previously gated functionalities, new entrants would need to rely on other components of essential digital public infrastructure, most notably, the European Digital Identity, meant to be enabled by the eIDAS 2.0 framework.
Even from the few observations above, it becomes clear that getting interoperability right, as a driver of innovation, competition, and even digital sovereignty, is no small feat. It requires multiple elements to come together in a coherent and sustained manner. It is far from simply unleashing latent energies held back by a textbook refusal to provide interoperability. In the Brazilian context, the national scope of the market, combined with the groundwork already laid in this area by the regulator, may well place the competition authority in a favourable position to act effectively. That said, it is beyond doubt that the refusal to enable interoperability has often been used strategically by Big Tech players as an anticompetitive tool. In some cases, it served to block potentially disruptive innovators at a critical moment; in others, it was used to secure and preserve market positions in areas where new business opportunities were emerging, as Apple did with NFC functionality until recently, and as Google did in relation to Android Auto, for which it was sanctioned by the Italian competition authority.
This latter case also triggered a preliminary reference to the EU Court of Justice, which did not miss the opportunity to say once again something helpful, a development I would like to briefly address as the second point in my remarks. That the effectiveness of the branch of competition law tasked with preventing and prohibiting abuses of market power has been profoundly challenged by the rise of Big Tech is, of course, no secret. One aspect long recognised as particularly ill-suited to the digital context is the so-called Essential Facilities Doctrine, particularly in its Bronner formulation.The Court’s ruling in Android Auto provides a further fix, in the form of a "clarification" of the doctrine, perhaps a limited one, but a welcome one nonetheless. The case concerned Google’s refusal to allow Enel X’s electric vehicle charging app to interoperate with the OS Android Auto, citing security concerns and the burdens of developing a new template. The Italian competition authority (ICA) found this refusal to be in breach of Article 102 TFEU and ordered Google to enable interoperability.
 |
| Last slide of my 2021 presentation |
The second question I raised during the ASCOLA presentation, bearing in mind that this was back in 2021, after the DMA had been tabled but before it became law, was how to frame the relationship between ex post and ex ante approaches to interoperability mandates going forward. The ex ante approach to interoperability introduced by the DMA will form the third point of my remarks. But before that, a few words are in order on the relationship between ex ante and ex post interventions and, more broadly, between traditional antitrust law and emerging forms of digital regulation with regard to interoperability, which can be of some interest specifically in the context of our transatlantic dialogue. The first thing to note is that the Commission’s experience in the Apple Pay commitments proceedings, discussed earlier, appears to have fed directly into the current phase of DMA enforcement. This is evident in the confidence with which the Commission has now moved to specify Apple’s interoperability obligations under Article 6(7), a point I will return to shortly. The second aspect I wish to highlight, though much more could be said, is that courts are reading the DMA and drawing inspiration from it, even when interpreting traditional antitrust law. This is clearly visible in the Android Auto case, where a regulatory approach inspired by the DMA can be seen in how the Court assessed what may constitute an objective justification for refusing to grant interoperability. In my view, all things considered, this too is a positive development.
 |
| The prince app developer (see blog post) |
The fourth and final aspect I would like to briefly touch on relates to a pronounced sense of urgency. For instance, I find it worrying that it is considered normal for a study on the impact of emerging technologies on the DMA to take up to a year to produce. In the same vein, if we come to realise that the DMA is insufficient, whether in terms of its scope of core platform services or the need for additional obligations, then the time to act is now, and this relates also to the possible need for additional interoperability obligations. We cannot afford to lose time. However, even for the most determined
regulator (and well equipped, also financially) in the world, it is very difficult, though not impossible, as
we have just seen, to impose interoperability obligations on powerful
and recalcitrant gatekeepers. But that is precisely what lies ahead if we allow them to build the digital infrastructure on which we all then come to depend. Equally difficult, and arguably wishful thinking, is relying on the industry to deliver effective interoperability solutions. This has been attempted in the EU for years, with very limited results. So how do we move forward? Well, perhaps by starting with a good look back. We need retrospective analyses to understand how we ended up letting a handful of players control the digital infrastructures we all rely on, not to point fingers at antitrust enforcement alone, but to get a clearer picture of the broader dynamics, which likely vary across different digital services. On this, as on many other things, I fully agree with Robin Berjon, who notes that everything in digital happened so quickly we didn’t even realise we were dealing with infrastructures, let alone how to properly regulate them. Secondly, the kind of public effort required, in terms of both capacity-building for smart regulation and "project" funding, must be laser-focused on identifying the type of infrastructures we need and how to get there. This type of mobilisation cannot be decoupled from public choices. This is particularly clear in the case of Pix, where inclusiveness was a key consideration (but almost accidentally ended up by solving an extractive duopoly problem). Moreover, infrastructural choices inevitably shape the kinds of technological innovation they enable. These are societal decisions, not technical footnotes (and, of course, we cannot afford for them to be significantly steered by even well-meaning think tanks nor other - European! - industry giants, from telecoms to aerospace). The upcoming plenary debate in the European Parliament on the Report on European Technological Sovereignty and Digital Infrastructure, produced by the Committee on Industry, Research and Energy (ITRE), offers an excellent starting point for these much-needed democratic conversations.
To be discussed!
After Notice and Choice: Reinvigorating “Unfairness” to Rein In Data Abuses
L. Khan, S. Levine, S. Nguyen, here.
Friday, June 27, 2025
Thursday, June 26, 2025
Wednesday, June 25, 2025
Interoperability in Digital Platforms and its Regulation: Transatlantic Dialogue alive and kicking! [Spoiler alert: not with the US]
Webinar, 1 July, 15-17 CET. Register here if you want to pose questions, otherwise live on YouTube here.
Together with Isa Stasi and Ian Brown, our task today is to share a few lessons from the European experience. I still vividly remember when Luca Belli came to the European Parliament to explain how digital sovereignty and digital public infrastructure can be built in practice, and how, in just three years, they managed to get rid of the Visa–MasterCard duopoly, which had long become more of a bottleneck than a service. So what is it, really, that we have to offer from this side of the Atlantic?
Tuesday, June 24, 2025
Excessive Wealth Concentration and Power
CEU, here.
I've been dealing with this topic for 7 lustra and it looks increasingly bleak - not my fault😉
CMA takes first steps to improve competition in search services in the UK
Here.
Proposed decision here.
Roadmap here.
Exploring consumers’ search behaviours here.
Read also Sarah's blog post here ("Based on how it is currently offered and used, we have provisionally decided that Gemini AI assistant should not be included as a product within this scope").
"We have identified a further set of possible actions (for example, restricting use of default agreements and providing access to underlying search data) which are currently the subject of live litigation between the US Department of Justice and Google. We will consider our approach in these areas in light of developments over the coming months. This is in line with the CMA’s prioritisation principles and the government’s recent strategic steer, which encourages the CMA to consider where we are best placed to act"
Monday, June 23, 2025
Did Thomas Regnier (EC) today say that DMA enforcement is indeed part of the US/EU trade negotiations?
Video here.
A WSJ journalist asked but the answer is either a masterpiece or a bit too casual.
Sunday, June 22, 2025
EU Near Deal on Nontariff Trade Irritants [read DMA & Co.]
WSJ, here.
The quiet dismantling of the only meaningful tool Brussels has ever deployed to rein in Big Tech, or merely a tactical leak to shape the narrative and apply pressure? Either way, there is cause for concern.
Friday, June 20, 2025
Thursday, June 19, 2025
DMA (Team) Sudans, when will Meta's compliance with Article 5(2) finally flow?
 |
| Don't look for it in Rome... |
Nearly two months on, the Commission’s DMA non-compliance decision against Meta was finally published yesterday [18 June]. Coincidentally or not, a German court also published a ruling yesterday, offering its own reading of the same DMA obligation with which, according to the Commission, Meta is not (yet?) compliant. As Wavesblog Readers will appreciate, both are of considerable interest. What follows are a few preliminary observations. Let me begin, however, with a brief disclosure. During the eight months in which I had the pleasure of consulting for Article 19, I had occasion to focus on Meta twice: first, in writing about an intriguing German judgment applying Article 102 TFEU (not the one you're thinking of, another one entirely); and second, precisely in relation to the application of Article 5(2) of the DMA. As for the latter, in the course of that work I had reached the conclusion, now confirmed by the Commission in its recently published decision, that there was simply no way Meta could be considered compliant, a conclusion I had the pleasure of presenting in the Commission’s presence in beautiful Fiesole.
Why, then, did it take an 80-page decision, and why is Meta, in all likelihood, still not compliant more than a year after it was first required to be? The most obvious answer, of course, is that the obligation in question strikes at the very heart of Meta’s business model, not only as it stands today, but also with implications for future developments, given the EU legislator's insistence on DMA compliance by design, a theme that has been a recurring one here on Wavesblog. Moreover, in this case, the Commission is not simply tasked with interpreting and enforcing a 'standard' DMA obligation in relative isolation; to do so, it must also apply the General Data Protection Regulation in conjunction with the DMA. That these two legislative instruments converge in more than one respect is also confirmed by the German ruling mentioned earlier and to which we shall return in due course. On that note, we are still awaiting the joint EDPB/Commission guidance on the interplay between the DMA and the GDPR, which, according to Commission’s remarks this week in Gdańsk, is expected imminently. Interestingly, the Commission takes this into account as a mitigating factor in determining the fine for non-compliance ("the Commission acknowledges that the interplay between Regulation (EU) 2022/1925 and Regulation (EU) 2016/679 created a multifaceted regulatory environment and added complexity for Meta to design its advertising model in a manner compliant with both regulations"). That might be perfectly understandable, were it not for the fact that we are, after all, dealing with Meta, which has elevated non-compliance with the GDPR to something of an art form worthy of Bernini. This raises both a puzzle and a question: will Meta be left to do much the same under the DMA? And might other gatekeepers be allowed to match, or even surpass, it? Is there, perhaps, a structural flaw in the DMA’s enforcement apparatus, just as there are, quite plainly, in the GDPR, that gatekeepers can be expected to exploit at every opportunity? Or is it simply a matter of DMA enforcement resources falling well short of what would actually be required? What, then, can be inferred from this particular decision in response to that question? Serious reflection is clearly needed here. For now, I can offer you, Wavesblog Readers, only a few very first impressions, but I’d be all the more keen to hear yours.
Even before Compliance Day (7 March 2024), it is clear from the decision that the Commission already had serious reservations about the "Consent or Pay" advertising model that Meta was in the process of grinding out, which had been presented to the Commission as early as 7 September 2023. The decision makes clear not only that the Commission was in close dialogue with Meta, but also that it engaged with several consumer associations and other interested third parties, on both the DMA and privacy sides of the matter. On that note, a further question, though perhaps it’s only me. Should there not be, if not a formal transparency requirement then at least a Kantian one, for the Commission to list, even in a footnote, all the interested parties with whom it bilaterally discussed the matter? On this point, one almost hears the Commission suggesting that such a transparency obligation might discourage others from speaking up, for fear of retaliation by the gatekeeper. The point is well taken, but one wonders whether some form of protected channel might be devised, a kind of "privileged observer’s window with shielding" available where reasonably requested, providing clear assurances that the identities of those coming forward will be safeguarded (short of being a whistleblower). Moreover, as is well known, this point tangentially touches on a broader issue. The EU legislator, likely with a view to streamlining enforcement, left limited formal room for well-meaning third-party involvement. The Commission-initiated compliance workshops, the 2025 edition of which has just begun, are a welcome addition, but they are, of course, far from sufficient. In particular, without access to fresh data provided by the gatekeepers, available only to the Commission, how are third parties expected to contribute anything genuinely useful at this point of the "compliance journey"? As we shall see, this concrete data was also an important point in the very process that led to the adoption of the non-compliance decision in this case (Meta knew that its 'compliance model' was producing exactly the result they wanted). The lawyers, economists and technologists on the DMA team have clearly had their hands full in the matching ring with Meta (hence, of course, the Sudans in the title). Even a quick reading of the decision reveals, between the lines and squarely on them, the array of tactics deployed by Meta to throw a spanner in the works of effective DMA compliance, all carefully orchestrated and calculated with precision, and surprising no one. But one does wonder whether the DMA’s hat might not still conceal other tools, better suited to crowdsourcing and channelling constructive efforts, particularly from those third parties who stand to benefit from the DMA (as we also heard in Gdańsk), from conflict-free academics, and from what might be called real civil society, genuinely committed to effective and resolute DMA enforcement, rather than the usual crop of gatekeeper-supported associations.
To loosely paraphrase Microsoft at the 2025 Enforcement Workshop, Meta’s “compliance model from day one” was a marble (code)-carved binary choice, one that could scarcely have been further from what the EU legislator had in mind. Unlike the strategies adopted by certain other gatekeepers, Meta didn’t even bother to kick the compliance can just far enough down the road to create an illusion of movement. The opening of non-compliance proceedings came swiftly and had, by all appearances, been fully anticipated. The decision that brings them to a close contains no epiphanic surprises, and is lengthy only because Meta's counsel deployed the full repertoire of legal ingenuity, focusing in particular on arguments forged in the intersection between the DMA and data protection law. Time, then, for a modest walkthrough, dear Wavesblog Readers.
As one assumes it must by now form part of general digital literacy (until one realises it doesn’t, even when speaking to students born to parents who were themselves, perhaps, already digital natives), Meta "generates
almost the entirety of its revenues from its advertising service." On Facebook and Instagram, both designated under the DMA, end users "post and consume personalised content." Upon registering, each user receives "a dedicated, unique user identifier... and all data tied to that user identifier is part of a unified user account for that environment, i.e., the Facebook environment or the Instagram environment." Meta combines the personal data it collects from that user within the same social network environment and further merges it with data gathered through another designated core platform service, Meta Ads, to display personalised advertising. It is solely this latter data combination that is at the heart of the non-compliance decision.
[I pick it up again now, not without noting that while I'm still writing this post, the 60-day deadline to comply with the cease-and-desist order, according to my calculations - which are apparently wrong but I don't understand why - has lapsed, and that DMA enforcement may well have found its way into the cauldron of Trump-era trade negotiations].
Let us suppose that you, dear Wavesblog Reader, use Facebook in the EU. Meta, as designated gatekeeper, according to the DMA (and commencing for real no later than today - 24 June - or on the 26th at the latest) must present you with the specific choice of a less personalised but equivalent alternative to the advertising-based service Facebook that you would use if you had given your consent to the combination of your personal data from Facebook with data from the Meta Ads.
[Let's have another go at this, shall we? A few rather significant developments have intervened since last time I wrote here. First off, it appears DMA enforcement hasn't quite ended up in the cauldron of Trump trade negotiations. Second, we've had the last DMA Compliance Workshop, with Meta taking centre stage. During the workshop, we heard that from 27th June, Meta has rolled out yet another iteration of their "compliance journey." The third development is that the Commission has launched a public consultation on the first review of the Digital Markets Act, which will keep many of us rather pleasantly occupied this summer. The fourth, and of less general interest (but mentally preparing for it - we'll record the episode rather soon), is that I'll draw on thoughts from this piece to discuss this decision "Chez Oles" with two more Invitees. Finally, I should mention that it's not merely Meta and the DMA Team feeling the heat at the moment: the entire European continent is currently enduring what can only be described as a perfectly ghastly heatwave. Rather puts everything into perspective, doesn't it?].
 |
| Data cocktails beyond the decision |
Perhaps the best place to restart is with what was clearly explained during the Compliance Workshop, and you, dear Wavesblog readers, who’ve perhaps already pored over the decision, will have caught all the nuances of it. The non-compliance decision at issue concerns a single type of data combination covered by Article 5(2). Many other cocktails Meta shakes up with your data fall outside the decision’s direct scope, but are still covered by the same article and have been extensively discussed in the ongoing regulatory dialogue between the DMA Team and Meta. Data cocktails can be mixed within CPSs themselves (e.g., Facebook and Messanger), but also between CPSs and the gatekeeper’s other services (e.g., Instagram and Threads). During the workshop, we heard from the Commission that these other 5(2)-related compliance discussions largely centred on what qualifies as an equivalent service for users opting out of data combination, without slipping into degradation beyond what’s strictly necessary due to reduced data use. These, as we understood, are discussions about the kind of service a user who declines data combination is entitled to expect, and whether it is genuinely equivalent, as required by Article 5(2). In this context, it emerged that the Commission and Meta have been discussing what such a service looks like. For example, Messenger or Threads when data combination with Facebook and Instagram, respectively, is not allowed by the end user. On this front, the Commission noted, with some satisfaction, that improvements have been made.
Equally outside the scope of the non-compliance decision, but still very much part of the ongoing regulatory dialogue with Meta on Article 5(2) was, unsurprisingly, AI. The Commission has been actively following the rollout of Meta’s shiny new AI services, as well as the more familiar ones, like WhatsApp, where AI has been quietly slipped in, while considering what all this might mean for compliance with Article 5(2).
We heard that the Commission is looking specifically at "data flows across services, how the data is sourced and used [to train, ground of fine-tune the models] and if that involves the combination of personal data." Moreover, the Commission is "looking at data for personalising or grounding AI both within designated services and other services offered by Meta." As we've witnessed throughout the rest of the Compliance Workshops, Series 2, a robust regulatory dialogue on AI is already well underway with all designated gatekeepers, a fact that appears to have been somewhat downplayed by Meta before the Cologne court mentioned earlier, to whose recent ruling we now (very briefly) turn.
 |
| Source: Proton Drive on X |
 |
| End user's journey: 1.0 |
 |
| Penelope waiting, Chiusi Etruscan Museum |
Based on the Commission's reading of Article 5(2) DMA, the legal reasoning underpinning the non-compliance decision is twofold. First of all, the less personalised but paying (Scylla) and the fully personalised (Charybdis) options cannot be considered equivalent alternatives, as they exhibit different conditions of access. Second, the binary configuration of Meta’s consent-or-pay model (Scylla or Charybdis) doesn’t ensure that end users freely give consent to the personalised ads option, falling short of the GDPR requirements for the combination of personal data for that purpose. But what about ('data combination in Meta's advertising services') 2.0? In November 2024, Meta charted an additional ads option. This is a free of charge, advertising-based version of Instagram and Facebook. Further tweaks to this option followed just as the 60-day compliance period set out in the non-compliance decision was about to expire — enter 3.0. Is it finally the Ithaca Option, that ensures compliance with the DMA by giving the end user a real chance to exercise the data right enshrined in Article 5(2)? In its non-compliance decision, specifically on Meta’s data combination 1.0, the Commission, without delving into detail, also indicates what a DMA-compliant solution would, in its view, require, making explicit reference to elements introduced in 2.0:
1) the end user should be presented with a neutral choice with regard to the combination of personal data for ads so that he/she can make a free decision in this respect;
2) for all the relevant personal data combined valid consent has been obtained;
3) the less personalised alternative should be equivalent in terms of user experience, performance and conditions of access - except for the amount of personal data used.
In any case, the Commission has already informed Meta that it is still assessing whether 3.0 is sufficient to meet those main parameters of compliance, while also hinting that one still outstanding issue might be whether the end user is truly being presented with a neutral choice (1).
Before diving into the more legal aspects of the non-compliance decision, while taking on board, too, at least some of the arguments aired by Meta during the workshop (soon to be set out in more precise legal terms in the upcoming appeal against the decision), I’d like to surf briefly above the currents of DMA enforcement. Allow me, dear Wavesblog Reader, a quick self-quotation (then I’ll stop, promise). Reflecting on Article 5(2) and other DMA data-related provisions in something I wrote in early in 2021, I reached a conclusion I still stand by, namely that this provision, at its core, and with regard to online advertising specifically, should provide end users with a real choice over the level of ‘creepiness’ they’re comfortable with. That may sound rather underwhelming — and it is. In fact, in the same piece, I wondered whether it wasn’t finally time to regulate personalised advertising more broadly, and for real, without losing sight of the broader picture: that private digital infrastructures, especially informational ones, ought, depending on the case, to be regulated decisively, dismantled, made interoperable, and so. At the same time, I do believe this end user's right to choose as carved clearly into Article 5(2) of the DMA, without tying it to one’s capacity to pay in order to escape a level of surveillance one finds uncomfortable (for oneself and/or the society she/he lives in), is immensely important.
 |
| Bravissima, whatever. |
It’s a glimpse of something different: a very narrow but real incentive in favour of an "economic engine of tech" that starts rewarding services built around data minimisation and not surveillance and data collection (and its combination). From this perspective, offering the mass of Facebook and Instagram users a genuinely neutral choice, and thus the concrete possibility of making a free decision in favour of a less, but equivalent, personalised alternative (e.g., about the preferred level of creepiness), could also have a welcome educational effect. However, we can’t pretend that the current AI age hasn’t, for now at least, further accelerated the shift towards surveillance and data accumulation — and what’s being done to counter it still feels far too limited (see also the above-mentioned ruling by the Cologne court).
 |
| Hannibal in Italy, Palazzo dei Conservatori - Rome |
 |
| Distinct legal notions |
As just noted, the enforcement of the DMA is not necessarily bound by the contours of the GDPR where the DMA goes beyond it, or simply moves in a different direction. However, for those parts where the EU legislator has drawn on legal concepts from the GDPR, such as the requirement that end users give valid consent to the combination of their personal data for the purpose of serving personalised advertisements, reference must be made to Article 4(11) and Article 7 of the GDPR. This, in turn, triggers a duty of sincere cooperation with the supervisory authorities responsible for monitoring the application of that Regulation. Here, however, a possible complication arises, which in the ideal world of EU law enforcement perhaps shouldn’t exist. And yet, it does. We won’t dwell on it for long, but it’s worth highlighting (and it may at least partly explain Mario Draghi’s well-documented allergy to the GDPR, reaffirmed only a few days ago). The cast of characters on the GDPR enforcement stage has often found it difficult to offer a consistent reading of this Regulation. Unsurprisingly, this has weakened enforcement and worked to the advantage of those less inclined to embrace it. This risk has been avoided under the DMA, notably by assigning quasi-exclusive enforcement power to a single entity: the Commission (though arguably creating others in the process, which we won’t go into here). Echoes of the considerable effort supervisory authorities expend to ensure even a modicum of consistent GDPR application also surface in the text of the DMA non-compliance decision, where the Commission finds itself almost compelled to justify having taken into account the EDPB’s opinion on the matter when applying the GDPR (e.g., explaining that "the fact that some members of the Board voted differently or expressed reservations about the Opinion 08/2024 does not diminish the value of that Opinion, in the same way that the Court’s judgments produce their effects irrespective of whether they were decided by majority or unanimously"). What matters is that DMA enforcement not be delayed or undermined by such tensions, which, one imagines, some gatekeepers could hope to exploit, should a tempting opportunity arise.
 |
| Series 1 |
TBC
Subscribe to:
Posts (Atom)
-
Don't look for it in Rome... Nearly two months on, the Commission’s DMA non-compliance decision against Meta was finally published... -
It was a real pleasure yesterday to share some reflections on the European experience with the Digital Markets Act across the Atlantic. You ... -
What do EU citizens expect? Digitalrechte, here. -
L. Lowe, here and here . And the EC has once again confirmed that it won't, here and here.
-
Open Future, here.
-
SOMO, here .