Showing 9 of 109 Publications in Data Security & Privacy

Google Previews the Coming Tussle Between GDPR and DMA Article 6(11)

TOTM

Among the less-discussed requirements of the European Union’s Digital Markets Act (DMA) is the data-sharing obligation created by Article 6(11). This provision requires firms designated under the law as “gatekeepers” to share “ranking, query, click and view data” with third-party online search engines, while ensuring that any personal data is anonymized.

Given how restrictively the notion of “anonymization” has been interpreted under the EU’s General Data Protection Regulation (GDPR), the DMA creates significant tension without pointing to a clear resolution. Sophie Stalla-Bourdillon and Bárbara da Rosa Lazarotto recently published a helpful analysis of the relevant legal questions on the European Law Blog. In this post, I will examine Google’s proposed solution.


US Shouldn’t Follow the European Union’s Confusing Data Privacy Model

Popular Media

While myriad attempts to pass federal privacy legislation have all fizzled out in recent years, House Energy and Commerce Committee Chairwoman Cathy McMorris Rodgers (R-WA) and Senate Commerce Committee Chairwoman Maria Cantwell (D-WA) recently introduced the American Privacy Rights Act of 2024 as a compromise approach that could pass both chambers.

But before it does, it’s worth considering whether the United States really wants to follow the European privacy model, which has led to much confusion and consumer harm.


EU Authorities on ‘Pay or Consent’: Mid-April 2024 Update

Popular Media

Due to Meta’s adoption of a “pay or consent” model for Facebook and Instagram, the model became a key issue not only under EU privacy law but also under the new digital regulations: the Digital Services Act (DSA) and the Digital Markets Act (DMA). Given the barrage of pay or consent-related news in the past months, I thought it would be a good idea to take stock of where we are now.


Does the DMA Let Gatekeepers Protect Data Privacy and Security?

TOTM

It’s been an eventful two weeks for those following the story of the European Union’s implementation of the Digital Markets Act. On April 18, the European Commission began a series of workshops with the companies designated as “gatekeepers” under the DMA: Apple, Meta, Alphabet, Amazon, ByteDance, and Microsoft. And even as those workshops were still ongoing, the Commission announced noncompliance investigations against Alphabet, Apple, and Meta. Finally, the European Parliament’s Internal Market and Consumer Protection Committee (IMCO) held its own session on DMA implementation.

Many aspects of those developments are worth commenting on, and you can expect more competition-related analysis on Truth on the Market soon. Here, I will focus on what these developments mean for data privacy and security.


Consent for Everything? EDPB Guidelines on URL, Pixel, IP Tracking

Popular Media

You may know that the culprit behind cookie consent banners is not the GDPR but the older ePrivacy Directive, specifically its Article 5(3). The EDPB, a representative body of EU national data protection authorities, has just issued new Guidelines on this law. Setting aside that they arguably didn’t have the authority to issue the Guidelines, this new interpretation is very expansive. They would expect consent for e-mail pixel tracking, URL tracking, and IP tracking. In general, in their view, consent would be required for all Internet communication unless very limited exceptions apply (even more restrictive than under the GDPR).


Netflix, Disney+, and Meta: What’s an ‘Appropriate Fee’ for a Subscription?

Popular Media

“What is an appropriate fee?” is among the key questions in the current conversation around Meta’s move to introduce paid subscription options with no ads on Facebook and Instagram. As I discussed previously, the EU’s highest court suggested that businesses may be allowed under the GDPR to offer their users a choice between (1) agreeing to personalised advertising and (2) “if necessary” paying “an appropriate fee” for an alternative service tier. In that text, I also raised some of the legal and economic difficulties in determining an appropriate fee. Eric Seufert followed with a thoughtful analysis. (By the way, don’t miss the next episode of Eric’s podcast in which we’ll discuss this and related issues.) Eric proposed two alternative “conditions for calculating whether a ‘pay-or-okay’ price point represents an ‘appropriate fee’”:

  1. The price achieves, at most, overall ARPU parity between the pre-subscription and post-subscription periods, and;
  2. The fee doesn’t materially exceed those charged by comparable services.


Meta’s Paid Subscriptions: Are They Legal? What Will EU Authorities Do?

Popular Media

Meta gave European users of Facebook and Instagram a choice between paying for a no-ads experience or keeping the services free of charge and with ads. As I discussed previously (Facebook, Instagram, “pay or consent” and necessity to fund a service and EDPB: Meta violates GDPR by personalised advertising. A “ban” or not a “ban”?), the legal reality behind that choice is more complex. Users who continue without paying are asked to consent for their data to be processed for personalized advertising. In other words, this is a “pay or consent” framework for processing first-party data.

I was asked by IAPP, “the largest privacy association in the world and a leader in the privacy industry,” to discuss this. I also thought that the text I wrote for them could use some additional explanations for this substack’s audience. What follows is an expanded version of the text published by IAPP. (If this text is too long, I suggest reading just the next section).


‘Pay or Consent:’ Personalized Ads, the Rules, and What’s Next

Popular Media

In a widely discussed move, Meta gave Facebook and Instagram users the choice between paying for an ad-free experience or keeping the services free of charge using ads. The legal reality behind that choice is more complex. Users who continue without paying are asked to consent to the processing of their data for personalized advertising. In other words, this is a “pay or consent” framework for the processing of first-party data. 


EU’s Cybersecurity Draft Shifts Toward Hard Protectionism

TOTM

A year ago, we cautioned that the EU Cybersecurity Certification Scheme for Cloud Services (EUCS) threatened to embed ill-conceived economic protectionism into the EU’s cybersecurity rules. And, indeed, the European Commission, which has made clear its commitment to pursue “digital sovereignty” for the European Union, can claim some preliminary successes on that front.

A recent draft of EUCS shows that the European Union Agency for Cybersecurity (ENISA) heeded the Commission’s call, contrary to ENISA’s own prior recommendations. Most notably, the draft would preclude entities outside the EU and those under foreign ownership or control from receiving the highest level of cybersecurity certification.
