Blog

Much has been said about the so-called “Brussels Effect”—that is, the European Union’s animating conceit that its mission is to make rules for the entire world. Without irony, the EU has embraced the meme that others innovate, while the EU regulates.

Over the past two weeks, the European Commission held a second round of public workshops with the designated “gatekeeper” companies Alphabet, Amazon, Apple, Bytedance, Meta, and Microsoft. Having analyzed the first round in April 2024 from a privacy and security perspective, I now examine what happened in Brussels during these follow-up sessions.

Today, I joined Eric Seufert for my seventh (!) appearance on the Mobile Dev Memo podcast[1] to discuss the European Commission’s April decision on Meta’s “pay or consent” model. The catalyst for our conversation was the recent release of the full text of this decision, which provides crucial insights into the Commission’s approach to enforcing the Digital Markets Act (DMA).

The European Commission published the text of its April Decision on Meta’s “pay or consent” scheme as implemented until November 2024. Since then, Meta has made significant changes to Facebook and Instagram in the EU, introducing a free “less-personalized ads” option.

Ben Thompson argues that Apple should “make its models – both local and in Private Cloud Compute – fully accessible to developers to make whatever they want,” rather than limiting them to the “cutesy-yet-annoying frameworks” like Genmoji.

On 27 May, Meta plans to begin AI training using public EU user data from Facebook and Instagram. Yesterday, Meta’s lead GDPR regulator, the Irish Data Protection Commission (IDPC) published a statement highlighting the additional safeguards adopted by Meta since the previously paused plan from early 2024.

The European Commission issued a significant noncompliance decision earlier today, finding the “consent or pay” model that Meta implemented from March 2024 to November 2024 for its Facebook and Instagram services breached key obligations imposed on designated gatekeepers under the Digital Markets Act (DMA).

[Note: I changed my newsletter’s address to EUTechReg.com, hoping it will be easier to remember than my difficult surname.] Just as we learn that the European Commission’s “GDPR reform” plan is likely to be a performative window-dressing exercise, the EU General Court again denied direct judicial review of a privacy-fundamentalist guidance document from the European Data Protection Board (EDPB) on “pay or OK.

It looks like GDPR reform, touching both its enforcement and its substantive rules, may be happening. I only hope that it will not be a wasted effort. In March, the EU Justice Commissioner announced that the EU Commission’s “simplification” agenda will involve reducing GDPR compliance burdens for smaller organisations.

In recent months, we’ve been hearing about the European Commission’s call for simplification of regulations—an agenda championed by President Ursula von der Leyen. She rightly noted that businesses are overwhelmed by regulations that are “too complex and costly to comply with.