Blog

Today, I joined Eric Seufert for my seventh (!) appearance on the Mobile Dev Memo podcast[1] to discuss the European Commission’s April decision on Meta’s “pay or consent” model. The catalyst for our conversation was the recent release of the full text of this decision, which provides crucial insights into the Commission’s approach to enforcing the Digital Markets Act (DMA).

The European Commission published the text of its April Decision on Meta’s “pay or consent” scheme as implemented until November 2024. Since then, Meta has made significant changes to Facebook and Instagram in the EU, introducing a free “less-personalized ads” option.

Ben Thompson argues that Apple should “make its models – both local and in Private Cloud Compute – fully accessible to developers to make whatever they want,” rather than limiting them to the “cutesy-yet-annoying frameworks” like Genmoji.

On 27 May, Meta plans to begin AI training using public EU user data from Facebook and Instagram. Yesterday, Meta’s lead GDPR regulator, the Irish Data Protection Commission (IDPC) published a statement highlighting the additional safeguards adopted by Meta since the previously paused plan from early 2024.

The European Commission issued a significant noncompliance decision earlier today, finding the “consent or pay” model that Meta implemented from March 2024 to November 2024 for its Facebook and Instagram services breached key obligations imposed on designated gatekeepers under the Digital Markets Act (DMA).

[Note: I changed my newsletter’s address to EUTechReg.com, hoping it will be easier to remember than my difficult surname.] Just as we learn that the European Commission’s “GDPR reform” plan is likely to be a performative window-dressing exercise, the EU General Court again denied direct judicial review of a privacy-fundamentalist guidance document from the European Data Protection Board (EDPB) on “pay or OK.

It looks like GDPR reform, touching both its enforcement and its substantive rules, may be happening. I only hope that it will not be a wasted effort. In March, the EU Justice Commissioner announced that the EU Commission’s “simplification” agenda will involve reducing GDPR compliance burdens for smaller organisations.

In recent months, we’ve been hearing about the European Commission’s call for simplification of regulations—an agenda championed by President Ursula von der Leyen. She rightly noted that businesses are overwhelmed by regulations that are “too complex and costly to comply with.

The vibe in Paris around the AI Action Summit feels strikingly different from Brussels. It’s not even the call to pivot away from over-regulation (you can hear that in Brussels). The difference is that, refreshingly, the call seems earnest (in Brussels it very much isn’t).

Just before Christmas, the EU’s data protection authorities (DPAs)—working together as the EU Data Protection Board (EDPB)—issued the hotly anticipated Opinion on AI models and EU privacy law. As it turned out, the excitement about the Opinion was unjustified.