The Verge, along with half of my LinkedIn feed, reported that

Apple and Meta are the first companies to be fined for violations under the European Union’s Digital Markets Act (DMA). The European Commission announced today that Apple has been served a €500 million (about $570 million) penalty after ruling that its App Store “anti-steering” practices failed to comply with DMA antitrust rules. Meta has been fined €200 million (about $230 million) following similar charges regarding Facebook and Instagram’s ‘pay or consent’ ad model. Both companies have been given 60 days to comply with the ruling, or face the risk of further fines.

The European Commission’s decisions came after both companies expressed an unwillingness to comply with core terms of the DMA. In response to the decision, both Apple and Meta have announced they would be appealing, and I expect a Trump meltdown imminently.

Apple’s App Store Rules are a No-No

In Apple’s case, the Commission had previously determined on June 24, 2024, that Apple violated the DMA’s Articles 5(4) and 6(4) by imposing technical and commercial restrictions on app developers who sought to steer customers towards alternative (and cheaper) app stores and offers outside of Apple’s walled garden. This locked app developers into Apple’s high app fees if they sold products in the App Store, or required eligible developers to pay Apple a “Core Technology Fee” of €0.50 per install.

In addition to the fine, the Commission ordered Apple to remove these restrictions, and “refrain from perpetuating the non-compliant conduct in the future.” The Commission closed a separate investigation on user app choices, after Apple agreed to comply with Commission demands. This included making it easier for consumers to uninstall default applications and change default settings on iOS.

Meta's “Consent or Pay” is Not Ok

Similar to other laws (including the ePrivacy Directive and the General Data Protection Regulations), the DMA under Article 5(2) requires advertisers to obtain user consent when it comes to advertising and the use of personal data. In the case of the DMA, “gatekeepers” must specifically obtain consent any time they combine personal data across services. Users who do not consent must have access to a less personalized, but equivalent alternative experience.

In November 2023, Meta introduced a binary ‘Consent or Pay' advertising model. Under this model, EU users of Facebook and Instagram had a “choice” when it came to ads — they could either consent to all of their personal data being harvested and combined for personalized advertising, or they could pay a rather high monthly subscription fee (up to €9.99 a month, or €240 a year) for an ad-free version. Other options, like contextual ads, were not available.

The Commission opened an investigation in March 2024, concerning Meta’s approach under the DMA, and less than a month later, the European Data Protection Board (EDPB), responding to a request made by the Norwegian, Dutch, and Hamburg data protection authorities under the GDPR, issued what I’d call a very dependsian opinion in April 2024. The non-binding opinion basically said “maybe pay or ok is fine, except when it’s not? But probably not Meta’s version.”

For the EDPB, whether a given consent or pay model was valid under the GDPR requires a case-by-case assessment (take a drink), where regulators must consider a non-exhaustive list of factors including whether the controller

• has a large number of data subjects; or

• conducts large-scale processing activities; or

• meets the “very large online provider” or “gatekeeper” thresholds under the Digital Services Act or DMA; or

• has a dominant position in the market.

But! the EDPB was careful to note that it could consider other factors as well. So, it depends.

In response, Meta sued the EDPB in June, and that case is still proceeding in the EU General Court. Subsequently, in November, Meta modified its consent or pay approach, giving users an option to consent or receive less personalized, full-screen, un-skippable ads that relied on less-granular, but still arguably personal, data like age, and location (Noyb has a good write-up here).

The Commission issued a decision against Meta in July 2024. The Commission determined that Meta’s original approach did not provide users with any real choice to opt for a service that uses less of their personal data, while still remaining equivalent to the original service. “Meta's model also did not allow users to exercise their right to freely consent to the combination of their personal data,” the Commission explained in its press release.

Both the decision and this fine only cover Meta’s initial pay or consent model. The Commission is currently assessing Meta’s revised approach from November, and has requested that the company to provide evidence of the impact that this new ads model has in practice. Separately, the Commission also found that Meta's online intermediation service Facebook Marketplace would no longer be designated under the DMA. Based on a challenge by Meta and after ongoing monitoring and enforcement, the Commission concluded that Marketplace had less than 10,000 business users in 2024, and was no longer in scope of the DMA’s coverage.

Both Apple and Meta must comply with the Commission’s decision in 60 days, or risk further penalties.

Have commitment issues?

How about a coffee?

Why I <3 the DMA

I’ve written before about how much I love the DMA. It’s a precise, targeted law, focused exclusively on the bad practices of big tech gatekeepers, like Apple, Meta, Google, and Microsoft.

Privacy Disasters - LinkedIn Spies With its (Not-So) Little AI

Carey Lening

·

September 25, 2024

Read full story

But the DMA isn’t just a market competition law—it also builds on the GDPR, especially around consent, transparency, interoperability/portability, profiling, and cross-sharing data in a compliant way. And unlike the GDPR, with dozens of potentially conflicting regulatory interpretations, there’s only a single enforcement body, the European Commission. This is one reason they’ve been able to move quickly in a relatively short amount of time.

The DMA entered into force in May 2023, the Commission designated gatekeepers on September 2023, and opened investigations in March 2024 against Apple, Meta, and Google. They then issued a preliminary ruling against Apple in June 2024 and Meta in July 2024, and the fines today. That’s just shy of two years, which is rocket fast, from a bureaucratic perspective.

Compare that to the glacial enforcement pace of the DPAs and the EDPB, who are often weighed down by conflicting opinions, unhelpful guidance from the EDPB, and the byzantine consistency and dispute resolution processes under the GDPR.

And, I’d argue, based at least on anecdotal evidence, the DMA is having more of a net positive impact on actually forcing behavioral change from big tech. Beyond any flashy fines or headlines, there’s evidence that companies like Apple are making interoperability and distribution better. Cross-sharing and dark pattern consent practices by the likes of Google and Microsoft have been curtailed. And the Commission isn’t going after low-hanging fruit (like many regulators seem to do). The decisions are meaningful.

Meta and Apple have already vowed to sue, and Mark Zuckerberg, via Joel Kaplan, has already dog-whistled that the Commission’s decision was “a tariff” designed to “handicap successful American businesses” while allowing the Chinese and Europeans to do whatever.

I’m sure that Zuck, in a fit of true “masculine energy,” also is down at Mar-a-Lago, begging daddy to revoking the EU-U.S. Data Privacy Framework Executive Order as a “retaliatory tariff.” A reminder that none of these petulant jackwagons know what a tariff actually is.

Anyway, here’s Max in a box: