M. Stoller, here.
Monday, July 21, 2025
Figma looks to raise nearly $1 billion as it kicks off its IPO roadshow
The abandoned Adobe/Figma merger? Hats off to the CMA. It deserves a pat on the back, not a muzzle.
Sunday, July 20, 2025
Senate Hearing Debates AI Training on Copyrighted Works
Publishersweekly, here.
TBH, I've been appalled seeing how publishers fought against copyright exceptions for blind people at the WIPO and mistrusted their lobbying since (disclosure: I was representing the Italian Library Association in the negotiations), but this time they are right :-).
Saturday, July 19, 2025
Friday, July 18, 2025
Is EU consumer law getting ready for the agentic "revolution"?
Public consultation on the Digital Fairness Act, here.
Escape Forward: are we finally making progress? Cristina asks
 |
| And two seconds later she did block me 😇- nothing personal, ofc. Just belonging myself to one of those DMA groupies as annoying as mosquitos at sunset |
Thursday, July 17, 2025
Wednesday, July 16, 2025
Tuesday, July 15, 2025
Is the DMA Ready for Agentic AI?
CERRE, here.
[The DMA was never supposed to work in perfect isolation...And should constantly evolve _ whatever it takes]
America First Antitrust w/ Assistant Attorney General for Antitrust Gail Slater
Video here.
[The name AFA makes me nostalgic even of the Chicago School: same with you?]
What is digital sovereignty and how can Europe achieve it? Ask Robin
Here.
Listened to it at least twice - fresh air for Rome's hot summer!
Monday, July 14, 2025
Navigating the Strait of Leipzig: 5,000 euros in damages to a Meta's end user for processing personal data on third-party websites
You Wavesblog Reader are no longer a Spanish Facebook user but a German user not at all enjoying reading gardening websites (your last Bavarian geraniums died off long ago, with no regrets) but you have an health issue (sorry for that!) and spend a lot of time surfing the Internet and spending time specifically on websites like apotheken.de, shopapotheke. de, docmorris.de, aerzte.de, helios-gesundheit.de, jameda.de (You tried out ChatGPT too but are far from trusting its advice).
Google to Pay $2.4 Billion in Deal to License Tech of Coding Startup, Hire CEO
WSJ, here.
Competition authorities are a bit distracted, as of late. Too little of real value or impact has been learned or done. Those who at least tried (Previous CMA, FTC under Lina Khan, DOJ under Jonathan Kanter) have been muted or removed. But, of course, we can all keep busy writing submissions and/or watching webinars.
Sunday, July 13, 2025
Digital Markets Act Enforcement: Impact and next steps: Call for Papers (17 days left, so that you know)
Here. Of course, economies of scale and scope with the EC's public consultation on the DMA review would be rational!
Revising the DMA Variation-Selection-Adaptation Paper
Time for comments closed! Thank you for your great ones, Wavesblog Readers and beyond! Revising and updating it right now. Peer Reviewers are waiting.
I was already unofficially asked to make it (much) shorter: Sunday's cutting ✂✄
...
Submitted!
Friday, July 11, 2025
Thursday, July 10, 2025
Wednesday, July 09, 2025
Tuesday, July 08, 2025
Monday, July 07, 2025
Sunday, July 06, 2025
Saturday, July 05, 2025
Friday, July 04, 2025
Thursday, July 03, 2025
Why Cloudflare wants AI companies to pay for content
TechCrunch, here.
Great, but shouldn't it be a democratic decision taken by a legislator and not by an infrastructure ("gatekeeper")? Not just "tech is law" - get over it?
Targeted advertising by Meta democratised advertising and made people love ads (so we heard): discuss
Meta DMA enforcement/compliance workshop, video here.
Wednesday, July 02, 2025
How Monopolies Secretly Steal Your Freedom
Brought to you by the inimitable Lina Khan, here (may I please live long enough to see a Khan US Presidency, or two?).
Brasil, rumo ao ("DMA") gol!
We spoke candidly: about what seems to be working, about what remains difficult, and about what, in hindsight, might have been done differently. These are not easy conversations, but they are necessary ones.
What stood out, above all, was the seriousness and clarity of purpose shown by our Brazilian counterparts. There’s no doubt: they are approaching the challenge of platform regulation with a level of determination that is both impressive and encouraging. It’s not just about legal design or enforcement mechanics: it’s about political will. And in Brazil, that will is clearly there.
This isn’t Brazil against Europe (or Italy ;-)): it’s one match, one team.
And the stakes couldn’t be higher.
Tuesday, July 01, 2025
Monday, June 30, 2025
Sunday, June 29, 2025
Interoperability in Digital Platforms and its Regulation: Transatlantic Dialogue alive and kicking!
 |
| Not a dead parrot. |
This webinar is a transatlantic conversation bringing together researchers, regulators and civil society. The focus is on interoperability, not as a silver bullet, but as a critical lever to support more open, competitive and innovative digital environments.
It offers a timely comparison: Brazil, a jurisdiction that has demonstrated its ability to build effective digital public infrastructure (Pix), thereby getting rid of the extractive Visa-Mastercard duopoly, and the European Union, which has so far struggled to do the same. At the same time, Europe has taken the lead in legislating to curb Big Tech’s power, and other regions, including Brazil, are now watching the Commission's enforcement of this legislation closely.
All this, just as transatlantic tensions over digital regulation resurface, and as the EC DMA Team does its utmost to stay below Trump’s radar. And then there's the DMCCA (and UK politics).
It offers a timely comparison: Brazil, a jurisdiction that has demonstrated its ability to build effective digital public infrastructure (Pix), thereby getting rid of the extractive Visa-Mastercard duopoly, and the European Union, which has so far struggled to do the same. At the same time, Europe has taken the lead in legislating to curb Big Tech’s power, and other regions, including Brazil, are now watching the Commission's enforcement of this legislation closely.
All this, just as transatlantic tensions over digital regulation resurface, and as the EC DMA Team does its utmost to stay below Trump’s radar. And then there's the DMCCA (and UK politics).
Together with Isa Stasi and Ian Brown, our task on Tuesday is to share a few lessons from the European experience. So what is it, really, that we have to offer from this side of the Atlantic?
As for my contribution, I’m still finalising the details. Not long ago, I wouldn’t have had much to say about EU interoperability, at least not anything terribly useful for promoting open, fair and competitive digital markets. But the past few months have been surprisingly lively. Four developments stand out, and I hope they can add a little spice to our conversation. I will most likely begin with the antitrust commitments by Apple concerning NFC (Apple Pay), and reflect on their aftermath. Next, I’ll briefly touch on the recent judgment of the Court of Justice of the European Union regarding interoperability of the Android Auto OS. I’ll then say a few words about the Commission’s specification decisions on Apple’s interoperability obligations under Article 6(7) of the DMA. And finally, I’ll offer some thoughts on prospects for stronger DMA enforcement, on the case for refining the regulatory framework, and even on the EuroStack (10 minutes in total :-)).
The first reflection I would like to offer concerns access to Near-Field Communication (NFC) functionality, a technology which, until mid-2024, Apple had reserved exclusively for its own Apple Pay service within the EEA. An important point to note is that, across Europe, NFC, a technology not developed by Apple, has become the standard for mobile payment. It enables fast, contactless transactions, secured through tokenisation and encryption. Virtually all payment terminals in the EEA now support it.
It is now almost exactly one year since the European Commission made Apple’s commitments in the Apple Pay case legally binding. These commitments are centred squarely on interoperability: Apple is required to allow third parties access to the NFC functionality for payment purposes on iOS devices. As a result, a wide range of developers can, in principle, begin to use this technology to offer alternative NFC payment services. Even though relatively little time has passed, it is important, I believe, to ask whether anyone has actually seized this opportunity, whether any new entrants have made their way into the NFC in-store mobile wallet market on iOS. There have, in fact, been some entries, though so far limited to a few countries rather than on an EU-wide scale. As illustrated at the most recent OECD Competition Committee meeting in June, the first to enter was Vipps MobilePay, though its launch remains limited to Norway, and facing huge hindrances to becoming a pan-European interoperable wallet (Single Market, anyone?). Next came a US tech firm, hardly a small player, namely PayPal, which is currently rolling out its wallet in Germany. German cooperative banks have also signalled their intention to enter this space soon, likewise focusing on the German market. In the announcement, it is explicitly stated that Apple Pay will no longer be needed to make payments with the new service, a move framed as part of a broader effort to raise awareness of how heavily payment systems in Europe rely on US corporations such as Visa, Mastercard, PayPal, and, of course, Apple. The ongoing trade tensions with the US are cited as an additional reason for concern. This raises a broader question: can interoperability serve not only as a tool to promote competition, but also as a means of advancing digital sovereignty? The answer, perhaps, is that interoperability is certainly a first step, but a far more effective approach, had it been pursued from the outset, would have been to establish a digital public infrastructure for electronic payments, along the lines of Brazil’s Pix. Crucially, this would have required a broad adoption mandate for banks operating across the EEA. If done properly, such a system could have delivered both competition and sovereignty in a more structural and sustainable way. A related and important question is what went wrong with SEPA, the Single Euro Payments Area. Conceived as a cornerstone of European financial integration, SEPA has largely failed to deliver the kind of common digital payment infrastructure that could support genuine sovereignty and competition at scale. Even though scepticism remains high, it remains to be seen whether the Instant Payments Regulation, now in force, with serious enforcement beginning this year, will offer an effective fix to SEPA’s shortcomings. The other, and perhaps enduring, question is whether the commitments offered by Apple were ever sufficient. More fundamentally, even if the commitments had been ideal, one must ask how much they could realistically achieve in isolation. If anticompetitive conditions persist in adjacent markets, and addressing interoperability at just one layer may do little to resolve distortions that are structural and multi-layered in nature (e.g., terminals?). Moreover, to fully benefit, at the EEA-scale, from access to previously gated functionalities, new entrants would need to rely on other components of essential digital public infrastructure, most notably, the European Digital Identity, meant to be enabled by the eIDAS 2.0 framework.
Even from the few observations above, it becomes clear that getting interoperability right, as a driver of innovation, competition, and even digital sovereignty, is no small feat. It requires multiple elements to come together in a coherent and sustained manner. It is far from simply unleashing latent energies held back by a textbook refusal to provide interoperability. In the Brazilian context, the national scope of the market, combined with the groundwork already laid in this area by the regulator, may well place the competition authority in a favourable position to act effectively. That said, it is beyond doubt that the refusal to enable interoperability has often been used strategically by Big Tech players as an anticompetitive tool. In some cases, it served to block potentially disruptive innovators at a critical moment; in others, it was used to secure and preserve market positions in areas where new business opportunities were emerging, as Apple did with NFC functionality until recently, and as Google did in relation to Android Auto, for which it was sanctioned by the Italian competition authority.
This latter case also triggered a preliminary reference to the EU Court of Justice, which did not miss the opportunity to say once again something helpful, a development I would like to briefly address as the second point in my remarks. That the effectiveness of the branch of competition law tasked with preventing and prohibiting abuses of market power has been profoundly challenged by the rise of Big Tech is, of course, no secret. One aspect long recognised as particularly ill-suited to the digital context is the so-called Essential Facilities Doctrine, particularly in its Bronner formulation.The Court’s ruling in Android Auto provides a further fix, in the form of a "clarification" of the doctrine, perhaps a limited one, but a welcome one nonetheless. The case concerned Google’s refusal to allow Enel X’s electric vehicle charging app to interoperate with the OS Android Auto, citing security concerns and the burdens of developing a new template. The Italian competition authority (ICA) found this refusal to be in breach of Article 102 TFEU and ordered Google to enable interoperability.
 |
| Last slide of my 2021 presentation |
The second question I raised during the ASCOLA presentation, bearing in mind that this was back in 2021, after the DMA had been tabled but before it became law, was how to frame the relationship between ex post and ex ante approaches to interoperability mandates going forward. The ex ante approach to interoperability introduced by the DMA will form the third point of my remarks. But before that, a few words are in order on the relationship between ex ante and ex post interventions and, more broadly, between traditional antitrust law and emerging forms of digital regulation with regard to interoperability, which can be of some interest specifically in the context of our transatlantic dialogue. The first thing to note is that the Commission’s experience in the Apple Pay commitments proceedings, discussed earlier, appears to have fed directly into the current phase of DMA enforcement. This is evident in the confidence with which the Commission has now moved to specify Apple’s interoperability obligations under Article 6(7), a point I will return to shortly. The second aspect I wish to highlight, though much more could be said, is that courts are reading the DMA and drawing inspiration from it, even when interpreting traditional antitrust law. This is clearly visible in the Android Auto case, where a regulatory approach inspired by the DMA can be seen in how the Court assessed what may constitute an objective justification for refusing to grant interoperability. In my view, all things considered, this too is a positive development.
 |
| The prince app developer (see blog post) |
The fourth and final aspect I would like to briefly touch on relates to a pronounced sense of urgency. For instance, I find it worrying that it is considered normal for a study on the impact of emerging technologies on the DMA to take up to a year to produce. In the same vein, if we come to realise that the DMA is insufficient, whether in terms of its scope of core platform services or the need for additional obligations, then the time to act is now, and this relates also to the possible need for additional interoperability obligations. We cannot afford to lose time. However, even for the most determined
regulator (and well equipped, also financially) in the world, it is very difficult, though not impossible, as
we have just seen, to impose interoperability obligations on powerful
and recalcitrant gatekeepers. But that is precisely what lies ahead if we allow them to build the digital infrastructure on which we all then come to depend. Equally difficult, and arguably wishful thinking, is relying on the industry to deliver effective interoperability solutions. This has been attempted in the EU for years, with very limited results. So how do we move forward? Well, perhaps by starting with a good look back. We need retrospective analyses to understand how we ended up letting a handful of players control the digital infrastructures we all rely on, not to point fingers at antitrust enforcement alone, but to get a clearer picture of the broader dynamics, which likely vary across different digital services. On this, as on many other things, I fully agree with Robin Berjon, who notes that everything in digital happened so quickly we didn’t even realise we were dealing with infrastructures, let alone how to properly regulate them. Secondly, the kind of public effort required, in terms of both capacity-building for smart regulation and "project" funding, must be laser-focused on identifying the type of infrastructures we need and how to get there. This type of mobilisation cannot be decoupled from public choices. This is particularly clear in the case of Pix, where inclusiveness was a key consideration (but almost accidentally ended up by solving an extractive duopoly problem). Moreover, infrastructural choices inevitably shape the kinds of technological innovation they enable. These are societal decisions, not technical footnotes (and, of course, we cannot afford for them to be significantly steered by even well-meaning think tanks nor other - European! - industry giants, from telecoms to aerospace). The upcoming plenary debate in the European Parliament on the Report on European Technological Sovereignty and Digital Infrastructure, produced by the Committee on Industry, Research and Energy (ITRE), offers an excellent starting point for these much-needed democratic conversations.
To be discussed!
After Notice and Choice: Reinvigorating “Unfairness” to Rein In Data Abuses
L. Khan, S. Levine, S. Nguyen, here.
Friday, June 27, 2025
Thursday, June 26, 2025
Wednesday, June 25, 2025
Interoperability in Digital Platforms and its Regulation: Transatlantic Dialogue alive and kicking! [Spoiler alert: not with the US]
Webinar, 1 July, 15-17 CET. Register here if you want to pose questions, otherwise live on YouTube here.
Together with Isa Stasi and Ian Brown, our task today is to share a few lessons from the European experience. I still vividly remember when Luca Belli came to the European Parliament to explain how digital sovereignty and digital public infrastructure can be built in practice, and how, in just three years, they managed to get rid of the Visa–MasterCard duopoly, which had long become more of a bottleneck than a service. So what is it, really, that we have to offer from this side of the Atlantic?
Tuesday, June 24, 2025
Excessive Wealth Concentration and Power
CEU, here.
I've been dealing with this topic for 7 lustra and it looks increasingly bleak - not my fault😉
CMA takes first steps to improve competition in search services in the UK
Here.
Proposed decision here.
Roadmap here.
Exploring consumers’ search behaviours here.
Read also Sarah's blog post here ("Based on how it is currently offered and used, we have provisionally decided that Gemini AI assistant should not be included as a product within this scope").
"We have identified a further set of possible actions (for example, restricting use of default agreements and providing access to underlying search data) which are currently the subject of live litigation between the US Department of Justice and Google. We will consider our approach in these areas in light of developments over the coming months. This is in line with the CMA’s prioritisation principles and the government’s recent strategic steer, which encourages the CMA to consider where we are best placed to act"
Monday, June 23, 2025
Did Thomas Regnier (EC) today say that DMA enforcement is indeed part of the US/EU trade negotiations?
Video here.
A WSJ journalist asked but the answer is either a masterpiece or a bit too casual.
Sunday, June 22, 2025
EU Near Deal on Nontariff Trade Irritants [read DMA & Co.]
WSJ, here.
The quiet dismantling of the only meaningful tool Brussels has ever deployed to rein in Big Tech, or merely a tactical leak to shape the narrative and apply pressure? Either way, there is cause for concern.
Friday, June 20, 2025
Thursday, June 19, 2025
DMA (Team) Sudans, when will Meta's compliance with Article 5(2) finally flow?
 |
| Don't look for it in Rome... |
Nearly two months on, the Commission’s DMA non-compliance decision against Meta was finally published yesterday [18 June]. Coincidentally or not, a German court also published a ruling yesterday, offering its own reading of the same DMA obligation with which, according to the Commission, Meta is not (yet?) compliant. As Wavesblog Readers will appreciate, both are of considerable interest. What follows are a few preliminary observations. Let me begin, however, with a brief disclosure. During the eight months in which I had the pleasure of consulting for Article 19, I had occasion to focus on Meta twice: first, in writing about an intriguing German judgment applying Article 102 TFEU (not the one you're thinking of, another one entirely); and second, precisely in relation to the application of Article 5(2) of the DMA. As for the latter, in the course of that work I had reached the conclusion, now confirmed by the Commission in its recently published decision, that there was simply no way Meta could be considered compliant, a conclusion I had the pleasure of presenting in the Commission’s presence in beautiful Fiesole.
Why, then, did it take an 80-page decision, and why is Meta, in all likelihood, still not compliant more than a year after it was first required to be? The most obvious answer, of course, is that the obligation in question strikes at the very heart of Meta’s business model, not only as it stands today, but also with implications for future developments, given the EU legislator's insistence on DMA compliance by design, a theme that has been a recurring one here on Wavesblog. Moreover, in this case, the Commission is not simply tasked with interpreting and enforcing a 'standard' DMA obligation in relative isolation; to do so, it must also apply the General Data Protection Regulation in conjunction with the DMA. That these two legislative instruments converge in more than one respect is also confirmed by the German ruling mentioned earlier and to which we shall return in due course. On that note, we are still awaiting the joint EDPB/Commission guidance on the interplay between the DMA and the GDPR, which, according to Commission’s remarks this week in Gdańsk, is expected imminently. Interestingly, the Commission takes this into account as a mitigating factor in determining the fine for non-compliance ("the Commission acknowledges that the interplay between Regulation (EU) 2022/1925 and Regulation (EU) 2016/679 created a multifaceted regulatory environment and added complexity for Meta to design its advertising model in a manner compliant with both regulations"). That might be perfectly understandable, were it not for the fact that we are, after all, dealing with Meta, which has elevated non-compliance with the GDPR to something of an art form worthy of Bernini. This raises both a puzzle and a question: will Meta be left to do much the same under the DMA? And might other gatekeepers be allowed to match, or even surpass, it? Is there, perhaps, a structural flaw in the DMA’s enforcement apparatus, just as there are, quite plainly, in the GDPR, that gatekeepers can be expected to exploit at every opportunity? Or is it simply a matter of DMA enforcement resources falling well short of what would actually be required? What, then, can be inferred from this particular decision in response to that question? Serious reflection is clearly needed here. For now, I can offer you, Wavesblog Readers, only a few very first impressions, but I’d be all the more keen to hear yours.
Even before Compliance Day (7 March 2024), it is clear from the decision that the Commission already had serious reservations about the "Consent or Pay" advertising model that Meta was in the process of grinding out, which had been presented to the Commission as early as 7 September 2023. The decision makes clear not only that the Commission was in close dialogue with Meta, but also that it engaged with several consumer associations and other interested third parties, on both the DMA and privacy sides of the matter. On that note, a further question, though perhaps it’s only me. Should there not be, if not a formal transparency requirement then at least a Kantian one, for the Commission to list, even in a footnote, all the interested parties with whom it bilaterally discussed the matter? On this point, one almost hears the Commission suggesting that such a transparency obligation might discourage others from speaking up, for fear of retaliation by the gatekeeper. The point is well taken, but one wonders whether some form of protected channel might be devised, a kind of "privileged observer’s window with shielding" available where reasonably requested, providing clear assurances that the identities of those coming forward will be safeguarded (short of being a whistleblower). Moreover, as is well known, this point tangentially touches on a broader issue. The EU legislator, likely with a view to streamlining enforcement, left limited formal room for well-meaning third-party involvement. The Commission-initiated compliance workshops, the 2025 edition of which has just begun, are a welcome addition, but they are, of course, far from sufficient. In particular, without access to fresh data provided by the gatekeepers, available only to the Commission, how are third parties expected to contribute anything genuinely useful at this point of the "compliance journey"? As we shall see, this concrete data was also an important point in the very process that led to the adoption of the non-compliance decision in this case (Meta knew that its 'compliance model' was producing exactly the result they wanted). The lawyers, economists and technologists on the DMA team have clearly had their hands full in the matching ring with Meta (hence, of course, the Sudans in the title). Even a quick reading of the decision reveals, between the lines and squarely on them, the array of tactics deployed by Meta to throw a spanner in the works of effective DMA compliance, all carefully orchestrated and calculated with precision, and surprising no one. But one does wonder whether the DMA’s hat might not still conceal other tools, better suited to crowdsourcing and channelling constructive efforts, particularly from those third parties who stand to benefit from the DMA (as we also heard in Gdańsk), from conflict-free academics, and from what might be called real civil society, genuinely committed to effective and resolute DMA enforcement, rather than the usual crop of gatekeeper-supported associations.
To loosely paraphrase Microsoft at the 2025 Enforcement Workshop, Meta’s “compliance model from day one” was a marble (code)-carved binary choice, one that could scarcely have been further from what the EU legislator had in mind. Unlike the strategies adopted by certain other gatekeepers, Meta didn’t even bother to kick the compliance can just far enough down the road to create an illusion of movement. The opening of non-compliance proceedings came swiftly and had, by all appearances, been fully anticipated. The decision that brings them to a close contains no epiphanic surprises, and is lengthy only because Meta's counsel deployed the full repertoire of legal ingenuity, focusing in particular on arguments forged in the intersection between the DMA and data protection law. Time, then, for a modest walkthrough, dear Wavesblog Readers.
As one assumes it must by now form part of general digital literacy (until one realises it doesn’t, even when speaking to students born to parents who were themselves, perhaps, already digital natives), Meta "generates
almost the entirety of its revenues from its advertising service." On Facebook and Instagram, both designated under the DMA, end users "post and consume personalised content." Upon registering, each user receives "a dedicated, unique user identifier... and all data tied to that user identifier is part of a unified user account for that environment, i.e., the Facebook environment or the Instagram environment." Meta combines the personal data it collects from that user within the same social network environment and further merges it with data gathered through another designated core platform service, Meta Ads, to display personalised advertising. It is solely this latter data combination that is at the heart of the non-compliance decision.
[I pick it up again now, not without noting that while I'm still writing this post, the 60-day deadline to comply with the cease-and-desist order, according to my calculations - which are apparently wrong but I don't understand why - has lapsed, and that DMA enforcement may well have found its way into the cauldron of Trump-era trade negotiations].
Let us suppose that you, dear Wavesblog Reader, use Facebook in the EU. Meta, as designated gatekeeper, according to the DMA (and commencing for real no later than today - 24 June - or on the 26th at the latest) must present you with the specific choice of a less personalised but equivalent alternative to the advertising-based service Facebook that you would use if you had given your consent to the combination of your personal data from Facebook with data from the Meta Ads.
[Let's have another go at this, shall we? A few rather significant developments have intervened since last time I wrote here. First off, it appears DMA enforcement hasn't quite ended up in the cauldron of Trump trade negotiations. Second, we've had the last DMA Compliance Workshop, with Meta taking centre stage. During the workshop, we heard that from 27th June, Meta has rolled out yet another iteration of their "compliance journey." The third development is that the Commission has launched a public consultation on the first review of the Digital Markets Act, which will keep many of us rather pleasantly occupied this summer. The fourth, and of less general interest (but mentally preparing for it - we'll record the episode rather soon), is that I'll draw on thoughts from this piece to discuss this decision "Chez Oles" with two more Invitees. Finally, I should mention that it's not merely Meta and the DMA Team feeling the heat at the moment: the entire European continent is currently enduring what can only be described as a perfectly ghastly heatwave. Rather puts everything into perspective, doesn't it?].
 |
| Data cocktails beyond the decision |
Perhaps the best place to restart is with what was clearly explained during the Compliance Workshop, and you, dear Wavesblog readers, who’ve perhaps already pored over the decision, will have caught all the nuances of it. The non-compliance decision at issue concerns a single type of data combination covered by Article 5(2). Many other cocktails Meta shakes up with your data fall outside the decision’s direct scope, but are still covered by the same article and have been extensively discussed in the ongoing regulatory dialogue between the DMA Team and Meta. Data cocktails can be mixed within CPSs themselves (e.g., Facebook and Messanger), but also between CPSs and the gatekeeper’s other services (e.g., Instagram and Threads). During the workshop, we heard from the Commission that these other 5(2)-related compliance discussions largely centred on what qualifies as an equivalent service for users opting out of data combination, without slipping into degradation beyond what’s strictly necessary due to reduced data use. These, as we understood, are discussions about the kind of service a user who declines data combination is entitled to expect, and whether it is genuinely equivalent, as required by Article 5(2). In this context, it emerged that the Commission and Meta have been discussing what such a service looks like. For example, Messenger or Threads when data combination with Facebook and Instagram, respectively, is not allowed by the end user. On this front, the Commission noted, with some satisfaction, that improvements have been made.
Equally outside the scope of the non-compliance decision, but still very much part of the ongoing regulatory dialogue with Meta on Article 5(2) was, unsurprisingly, AI. The Commission has been actively following the rollout of Meta’s shiny new AI services, as well as the more familiar ones, like WhatsApp, where AI has been quietly slipped in, while considering what all this might mean for compliance with Article 5(2).
We heard that the Commission is looking specifically at "data flows across services, how the data is sourced and used [to train, ground of fine-tune the models] and if that involves the combination of personal data." Moreover, the Commission is "looking at data for personalising or grounding AI both within designated services and other services offered by Meta." As we've witnessed throughout the rest of the Compliance Workshops, Series 2, a robust regulatory dialogue on AI is already well underway with all designated gatekeepers, a fact that appears to have been somewhat downplayed by Meta before the Cologne court mentioned earlier, to whose recent ruling we now (very briefly) turn.
 |
| Source: Proton Drive on X |
 |
| End user's journey: 1.0 |
 |
| Penelope waiting, Chiusi Etruscan Museum |
Based on the Commission's reading of Article 5(2) DMA, the legal reasoning underpinning the non-compliance decision is twofold. First of all, the less personalised but paying (Scylla) and the fully personalised (Charybdis) options cannot be considered equivalent alternatives, as they exhibit different conditions of access. Second, the binary configuration of Meta’s consent-or-pay model (Scylla or Charybdis) doesn’t ensure that end users freely give consent to the personalised ads option, falling short of the GDPR requirements for the combination of personal data for that purpose. But what about ('data combination in Meta's advertising services') 2.0? In November 2024, Meta charted an additional ads option. This is a free of charge, advertising-based version of Instagram and Facebook. Further tweaks to this option followed just as the 60-day compliance period set out in the non-compliance decision was about to expire — enter 3.0. Is it finally the Ithaca Option, that ensures compliance with the DMA by giving the end user a real chance to exercise the data right enshrined in Article 5(2)? In its non-compliance decision, specifically on Meta’s data combination 1.0, the Commission, without delving into detail, also indicates what a DMA-compliant solution would, in its view, require, making explicit reference to elements introduced in 2.0:
1) the end user should be presented with a neutral choice with regard to the combination of personal data for ads so that he/she can make a free decision in this respect;
2) for all the relevant personal data combined valid consent has been obtained;
3) the less personalised alternative should be equivalent in terms of user experience, performance and conditions of access - except for the amount of personal data used.
In any case, the Commission has already informed Meta that it is still assessing whether 3.0 is sufficient to meet those main parameters of compliance, while also hinting that one still outstanding issue might be whether the end user is truly being presented with a neutral choice (1).
Before diving into the more legal aspects of the non-compliance decision, while taking on board, too, at least some of the arguments aired by Meta during the workshop (soon to be set out in more precise legal terms in the upcoming appeal against the decision), I’d like to surf briefly above the currents of DMA enforcement. Allow me, dear Wavesblog Reader, a quick self-quotation (then I’ll stop, promise). Reflecting on Article 5(2) and other DMA data-related provisions in something I wrote in early in 2021, I reached a conclusion I still stand by, namely that this provision, at its core, and with regard to online advertising specifically, should provide end users with a real choice over the level of ‘creepiness’ they’re comfortable with. That may sound rather underwhelming — and it is. In fact, in the same piece, I wondered whether it wasn’t finally time to regulate personalised advertising more broadly, and for real, without losing sight of the broader picture: that private digital infrastructures, especially informational ones, ought, depending on the case, to be regulated decisively, dismantled, made interoperable, and so. At the same time, I do believe this end user's right to choose as carved clearly into Article 5(2) of the DMA, without tying it to one’s capacity to pay in order to escape a level of surveillance one finds uncomfortable (for oneself and/or the society she/he lives in), is immensely important.
 |
| Bravissima, whatever. |
It’s a glimpse of something different: a very narrow but real incentive in favour of an "economic engine of tech" that starts rewarding services built around data minimisation and not surveillance and data collection (and its combination). From this perspective, offering the mass of Facebook and Instagram users a genuinely neutral choice, and thus the concrete possibility of making a free decision in favour of a less, but equivalent, personalised alternative (e.g., about the preferred level of creepiness), could also have a welcome educational effect. However, we can’t pretend that the current AI age hasn’t, for now at least, further accelerated the shift towards surveillance and data accumulation — and what’s being done to counter it still feels far too limited (see also the above-mentioned ruling by the Cologne court).
 |
| Hannibal in Italy, Palazzo dei Conservatori - Rome (incidentally, where the Treaty of Rome was signed in 1957) |
 |
| Distinct legal notions |
As just noted, the enforcement of the DMA is not necessarily bound by the contours of the GDPR where the DMA goes beyond it, or simply moves in a different direction. However, for those parts where the EU legislator has drawn on legal concepts from the GDPR, such as the requirement that end users give valid consent to the combination of their personal data for the purpose of serving personalised advertisements, reference must be made to Article 4(11) and Article 7 of the GDPR. This, in turn, triggers a duty of sincere cooperation with the supervisory authorities responsible for monitoring the application of that Regulation. Here, however, a possible complication arises, which in the ideal world of EU law enforcement perhaps shouldn’t exist. And yet, it does. We won’t dwell on it for long, but it’s worth highlighting (and it may at least partly explain Mario Draghi’s well-documented allergy to the GDPR, reaffirmed only a few days ago). The cast of characters on the GDPR enforcement stage has often found it difficult to offer a consistent reading of this Regulation. Unsurprisingly, this has weakened enforcement and worked to the advantage of those less inclined to embrace it. This risk has been avoided under the DMA, notably by assigning quasi-exclusive enforcement power to a single entity: the Commission (though arguably creating others in the process, which we won’t go into here). Echoes of the considerable effort supervisory authorities expend to ensure even a modicum of consistent GDPR application also surface in the text of the DMA non-compliance decision, where the Commission finds itself almost compelled to justify having taken into account the EDPB’s opinion on the matter when applying the GDPR (e.g., explaining that "the fact that some members of the Board voted differently or expressed reservations about the Opinion 08/2024 does not diminish the value of that Opinion, in the same way that the Court’s judgments produce their effects irrespective of whether they were decided by majority or unanimously"). What matters is that DMA enforcement not be delayed or undermined by such tensions, which, one imagines, some gatekeepers could hope to exploit, should a tempting opportunity arise.
 |
| Series 1 |
That specific elephant may not have survived the crossing of the Alps, but the legal battle between the Commission and Meta over whether consent can be deemed freely given in the context of a ‘Consent or Pay’ model, at this point in the non-compliance decision, is far from over. On the contrary, without the specific cover offered by those *six* words from the Meta ruling, the legal discussion necessarily broadens and becomes, frankly, even more engaging. This, however, calls for a deeper analysis, going well beyond the scope of this blog post, which is already out of proportion by my modest standards. There are surely several commentaries in the making. What is clear, though, is that the Commission, as sole enforcer of the DMA, has worked in cooperation with data protection authorities, both within the High-Level Group and beyond, relying in particular on the already mentioned EDPB Opinion. It’s also worth noting that while the debate over what constitutes freely given consent to the processing of one’s data by a dominant undertaking of Meta’s calibre and outreach has been ongoing at least since the Bundeskartellamt took a keen interest in the question, the notion of "specific choice" under the DMA is both novel and distinctive, thereby making the Commission’s first take on it all the more compelling. This is also because, even though the decision is clearly focused on why, between March and November 2024 (when the consent or pay model was in effect), Meta was not DMA-compliant, it nonetheless engages in tracing, affirmatively, the contours of the specific data right conferred on end users under Article 5(2). This is a particularly important discussion both now (LinkedIn on my mind) and going forward, especially in light of the gatekeepers’ obligation to future-proof the services they roll out. The judges who will soon be called upon to interpret this provision, following Meta’s appeal against the decision, are unlikely to disregard these key dynamics.
Time, then, to look at things squarely from the end user’s perspective, because it’s your rights in the digital age at stake. That is, you, dear Wavesblog Reader, using Instagram, Facebook, or both. The Commission imagines you have indicated that you live in Spain and have signalled by your behaviour that you like pages about
gardening: "this allows Meta to offer advertisers, via its...Meta Ads, to
target ads [to you as user] of Meta’s online social networks based on such
categories. Advertisers can choose among a long list of characteristics the
targeted audience who should see a given ad." You should be aware that what gets combined with data in Meta Ads is not just personal data from Facebook and Instagram, as it also includes your data from Messenger, Marketplace, and even Dating or Gaming Play, if you use them (Facebook and Instagram environments, respectively). With your combined personal data from the Non-Ads Services ("likes, comments, activity times, locations...details from the images [you upload]") and data about your behaviour collected by the various trackers on third party websites and transmitted back to Meta, your profile is built. As the Commission explains, "after combination with data held by its...Meta Ads, [Meta can] offer its advertising customers options to serve advertisements that are highly personalised and therefore very effective and profitable for Meta’s advertising-based model."
As a Facebook user living in Spain and enjoying gardening pages, under the DMA you must be presented with a “specific choice” as to whether you wish to allow the combination of data from your Facebook environment with data from Meta Ads. This choice involves two key elements: first, Meta must offer you an alternative version of Facebook that is less personalised, namely one that does not entail combining your data across these two services. Of course, you’d still be very likely served ads, just not extremely targeted ones based on the precise profile Meta has of you, possibly built over many years of Facebook use. Your experience in the Facebook environment would then be less creepy, if you ever happened to feel it that way. Second, this Facebook alternative must be equivalent to the Facebook version based on data combination. This reveals rather strikingly the clear distance between what is required by the EU legislator and the solution instead put together by Meta through the consent-or-pay advertising model, which is the subject of the non-compliance decision. Meta did not offer you the choice of an equivalent but less creepy service, if that is something you care about. What you were offered instead was a version of Facebook with no ads but behind a paywall, and therefore, according to the Commission, not something you could reasonably perceive as equivalent to the unpaid version, and thus you weren't presented with a genuine choice between the two. In fact, the Scylla/pay option entails an economic burden for you, Facebook user living in Spain who has recently visited gardening websites, as the amount paid cannot be spent on other items. The Charybdis option, by contrast, avoids this burden, allowing you to consent to the processing of your personal data in exchange for access to additional services. In addition to the economic burden, further inconveniences make Scylla even less appealing than simply clicking a button to consent to data combination. You may not have access to an online payment service (which not everyone does), and even if you do, entering your payment details into Meta’s system is plainly far less straightforward than simply clicking a button and move on with your life. Moreover, the Commission notes that you have, perhaps for years, been accustomed to using Facebook without any monetary payment, and that it is difficult for you to assign a clear price value to the 'Facebook environment.' Here, the Commission directly addresses a point we’ve also heard from Meta during the public compliance workshop: the so-called YouTube argument. I don’t know about you, dear Facebook user, but I have a YouTube Premium subscription: I find ads particularly disruptive, especially when I’m deep into a good on-demand webinar on the DMA or an informative, in-depth documentary about Scipio Africanus). You, on the other hand (and I wouldn’t know personally, having never used Facebook myself, as I never quite saw the point as it was initially marketed - if I really lost touch with schoolmates and acquaintances, there was probably a reason), have apparently grown accustomed to the display of advertisements as such (not necessarily personalised ads, mind you), and therefore may not perceive them as being particularly disruptive. Hence, the option of no advertisements for a fee does not appear as attractive to you as to me as YouTube user.
And here the Commission goes straight to a point that, by this stage, could hardly be ignored: we “end users of online services overall have a low willingness to pay for privacy, even when [we] would prefer a less personalised experience.” Meta knew this perfectly well, as also shown by the "empirical evidence provided in the academic studies which are cited in Meta’s submissions." Moreover, documents in the case file indicate that Meta actively relied on this specific insight to calibrate the pricing strategy of the ‘Subscription for No Ads’ (SNA) option with a clear objective in mind: "that end users would not exercise their specific choice." And in this, Meta certainly achieved its objective, as “Meta’s own estimation prior to the launch of the SNA option was therefore very close to the actual [miserable] take-up rate.” Therefore, the Commission concludes, "it is evident that Meta not only should have known, but that it actually knew, that the different conditions of access to the Facebook and Instagram environments under the SNA option do not offer end users an equivalent alternative to the With Ads option and that launching the SNA option would deprive its Non Ads Services end users from the specific choice to which they are entitled pursuant to Article 5(2), first subparagraph, of Regulation (EU) 2022/1925."
The decision also reveals an interesting exchange between Meta and the Commission on whether the conditions of access should be regarded as a fundamental feature of the Facebook or Instagram service, such that, if those conditions differ, the services can no longer be considered equivalent. Let’s take a simple example. Choosing between a red apple and a green apple? That’s clearly a choice between equivalent options: still apples, after all. Choosing between an apple and an orange? Arguably, not equivalent. But what if the choice is between paying €1 for a red apple, or getting a green apple for free, on condition that someone records you eating it? Is it still, unavoidably, a choice between two equivalent options? On this point, the Commission is unequivocal: "The means of remunerating the services by the end user are relevant because they are a fundamental characteristic of such services which influence the end users’ choice of whether to use them." The logical conclusion, at this point, is that equivalence between the services from the point of view of the conditions of access would require that both apples are remunerated either with money or with data. And here too, the Commission is unequivocal: “if Meta decides, when exercising its freedom to conduct its business in a manner it sees fit, to offer the With Ads option free of monetary charge, then it is required to offer end users a less personalised alternative which is equivalently free of monetary charge.” Does this also mean that, at some point, Meta could legitimately present you, Facebook user based in Spain with a passion for gardening pages, with a DMA-compliant choice between a With Ads option at €1 or less per month and a Facebook experience free of personalised advertising at €10 or more? Is that where we’re heading? Is it enough to consider this option unlikely simply by acknowledging that even one euro, or much less, might be enough to put you off using the Instagram or Facebook service? And since Meta knows this perfectly well, isn’t that precisely why it would never go down that road? What we do know is that, for now at least, Meta isn’t — at least not if one looks at its Compliance Solutions 2.0 and 3.0.
To close this very long blog post, it’s worth trying to end on a constructive note. The Commission has spent a great deal of time dismantling each of Meta’s legal arguments. But what have we actually learned about the substantive content of this precious end-user right? I would imagine that, in the course of the intense regulatory dialogue between the Commission and Meta, fairly specific indications were discussed at some point, though these surface only in part from the non-compliance decision. But let’s try to distil what can be reasonably be gleaned. First of all, it is clear that there must be an alternative to the With Ads option; that this alternative must be less personalised; and that it must be equivalent. As noted above, this is not to say that advertisements cannot be shown to end-users of the Facebook and Instagram environments — but serving those advertisements must not involve the combination with personal data from Meta Ads. Second, with regard to the requirement of equivalence to the service offered to users who consent to the With Ads option: the only permitted difference lies in the amount of personal data used to provide the service and serve ads. In all other respects, the service must be equivalent, such as, for example, in terms of performance, experience, and conditions of access. From the end-user’s perspective, one may therefore reasonably question whether the option introduced by Meta in November 2024, which brought advertisements in the form of unskippable interruptions across Instagram, Facebook, and integrated services such as dating and gaming, did not in fact degrade the user experience. Based on the slides presented by Meta during the public workshop, there appear to be immediate grounds for doubt on both of these last points.And now, you may well ask, what comes next? A fair question. The Commission is undoubtedly poring over version 3.0, yet because we are testing a brand-new instrument in real time, the path forward is hard to map. At some point the EU courts will have their say on consent or pay as DMA compliance solution under Article 5(2), but, as I noted at the outset, the Commission’s decision looks confidently robust.
Subscribe to:
Posts (Atom)
-
Don't look for it in Rome... Nearly two months on, the Commission’s DMA non-compliance decision against Meta was finally published... -
And two seconds later she did block me 😇- nothing personal, ofc. Just belonging myself to one of those DMA groupies as annoying as mosqu... -
P. Samuelson, here.
-
D. Baldacci, here.
-
Orf.at, hier (Max Schrems ab 9:34).
-
Podcast, here.
-
T. Höppner, here.
-
Not the usual Competition Commissioner's statement. Whole-of-Commission Approach? EC, here . [Dutch company buying an US company, mind...