I also want to flag two design trade-offs that Meta has, in my view, made the right calls on: personalised advertising becomes harder, and so does any “trust-and-safety” approach that relies on human review of flagged conversations. Both will get pushback — inside the company and from outside — and both are worth defending now.

I have argued previously (”Trustworthy privacy for AI: Apple’s and Meta’s TEEs“) that hardware-backed confidential computing is the most credible path to combining frontier-grade AI capabilities with reasonable data safety, and (”AI privilege and ChatGPT encryption“) that voluntary technical self-restraint by AI providers strengthens the case for legal protections of AI conversations. Incognito Chat is the first major consumer AI product that, on the face of it, satisfies both halves of that argument. So my main reaction is: more of this, please — and from every provider.

What does “Incognito” actually mean here?

The privacy claim is meaningful only if you understand how this works, at least more or less. End-to-end encryption secures a message between two endpoints. The computer serving the AI model is itself an endpoint that has to see the plaintext to answer. Without further engineering, “AI in WhatsApp” simply means a copy of your message landing on Meta’s servers as cleartext. The trick is to make the AI endpoint into something that Meta cannot read either.

That trick is the TEE. In the implementation Meta describes in its Private Processing white paper, the AI workload runs inside an AMD confidential virtual machine — paired with NVIDIA confidential computing GPUs — whose memory is hardware-encrypted, whose contents cannot be inspected by the host operating system, the hypervisor, system administrators, or Meta employees. The important guarantees include that:

• The code running on the confidential virtual machine is attested: before your device sends anything, it cryptographically verifies that the server is running the specific, publicly logged software image Meta says it is running (and nothing else).

• Processing is stateless: the request is decrypted, used, and discarded; no key-value cache or persistent log of your messages remains.

• Routing is oblivious: requests pass through a third-party relay (Fastly) that hides the user’s IP from Meta, with anonymous credentials preventing Meta from associating a request with an identified user.

• Critical artifacts are committed to a third-party append-only transparency log hosted by Cloudflare, so that altered code cannot be silently deployed without leaving a public trace.

This is not perfect. NVLink connections between GPUs are not yet encrypted on the deployed hardware, GPU RAM is not encrypted (Meta acknowledges both), AMD does not warrant against certain side-channel attacks within its threat model, and a number of the verifiable-transparency commitments — particularly third-party researcher access to auditable artifacts — remain partially unfulfilled. I flagged the transparency gap in my earlier piece and I am still flagging it. But the architecture is right, and the residual risks are the right residual risks: vulnerabilities that require sophisticated, scaled attacks rather than a casual subpoena or an insider with the right database credentials.

For the user, the practical upshot is that no one, not even Meta, can read these conversations. For now, Incognito Chat is text-only, conversations are not saved by default, and messages disappear unless the user chooses otherwise.

Why this matters — especially for health

Users ask ChatGPT, Claude, and Meta AI about their lab results, their medications, their mental health, their relationships, their finances, and their legal exposures. There are several reasons to take this seriously rather than wave it off as the user’s responsibility.

First, this is precisely the data that is least appropriate to leak — in part because it is sensitive in itself, in part because under the GDPR most of it would qualify as “special categories” of personal data under Article 9, and in part because a substantial breach (or a sufficiently aggressive data-preservation order — recall the one issued against OpenAI in the New York Times litigation) could expose intimate, decontextualised fragments of conversations between an AI system and millions of people.

Second, the costs of self-restraint are real: a person who does not feel safe asking an AI assistant about a worrying symptom may simply not ask, which forecloses a category of benefit — better access to information, better access to expression — that European fundamental-rights doctrine treats as having significant weight.

This connects to the argument I made about “AI privilege.” Sam Altman has been talking about extending professional-secrecy-style protections to conversations with AI, and I am sympathetic to that direction. But the strongest version of the argument depends on a credible technical floor: providers cannot just promise discretion, they have to show that they could not betray it even if they wanted to (or were compelled to). Meta’s Incognito Chat is that demonstration in the WhatsApp setting. In other words, it establishes a technical baseline that legal protections can sensibly map onto — and, crucially, that regulators and courts can reasonably expect a privacy-by-design AI deployment to approach rather than dismiss as exotic. If we want courts to treat AI conversations as something closer to private reflection than ordinary cloud data, the industry has to make those conversations look, technically, more like private reflection. This is how.

The trade-offs Meta is accepting

I’d like to flag to trade-offs, which are real costs Meta is bearing. I expect they will produce pushback (internal and external). But I also think that both are reasons to give Meta credit.

Personalized advertising becomes harder

Inference inside a TEE with stateless processing and no exfiltration channel means Meta cannot read what users are asking Meta AI, and therefore cannot train ad-targeting models on those conversations or feed them into real-time auctions. For a company whose business model rests substantially on behavioral advertising, this is not a small concession — and it is precisely the sort of concession that, in my experience, tends to generate internal friction long before it ships.

That said, this is not a permanent ban on monetization, and it should not be. One can imagine designs that route ads in but tightly constrain what comes out — for example, ad creatives delivered into the TEE and matched against conversation content there, with only deterministic, pre-determined, aggregated, and otherwise constrained signals (such as bucketed impression counts) flowing back out. The constraints would have to be enforced by the attested code, published in the transparency log, and ideally subject to differential-privacy-style noise so that the exit channel cannot be turned into a covert exfiltration vector.

There are non-trivial design questions here (what to do about click-through, for instance, when the click leaves the TEE) and there is plenty of room for ad-tech advocates to overreach. But the right starting point is the one Meta has chosen: no targeting from conversation content unless and until a privacy-preserving mechanism is built, attested, and made transparently auditable. That is the inverse of at least one kind of RTB-style architecture, in which user data is broadcast first and rules about it are written second.

“Safety” becomes harder — and this is the more interesting trade-off

Meta’s representative’s framing in the Reuters briefing is notable for what it does not say. He told reporters that “the AI will also have built-in safety guardrails, refusing to answer problematic questions or steering conversations in different directions.” Read carefully, that describes model-level guardrails — refusals trained into, or prompted into, the model running in the TEE — and nothing else. There is no mention of human review, no mention of flagging “problematic” content for downstream moderation, no mention of an out-of-band classifier reporting on user prompts. The whitepaper’s “non-observability” principle is consistent with this: classification can happen inside the TEE, but even the size of the traffic between any classifier and the orchestrator must not allow outside inference about its output.

To appreciate why this is significant, it helps to compare with what the major web-UI chatbots typically do. In a standard ChatGPT, Claude, or Gemini deployment, a user’s prompt is processed in cleartext on the provider’s servers, with an array of trust-and-safety stages running alongside the model:

• classifier models that score prompts and outputs for categories like self-harm, CSAM, weapons or fraud;

• rule-based denials and topic blocklists;

• refusal behaviors trained in via RLHF;

• and — critically — escalation paths that flag a subset of conversations for human review and, in narrow cases, referral to authorities.

OpenAI’s recent statement about its planned client-side encryption made this stack explicit: “fully automated systems to detect safety issues,” with human review reserved for “serious misuse and critical risks — such as threats to someone’s life, plans to harm others, or cybersecurity threats.” That escalation step is the part Meta does not appear to be reproducing inside Incognito Chat. Doing so would require an exit channel from the TEE — and the no-access promise would no longer hold.

I think Meta’s call here is the right one. Yes, model-level guardrails are imperfect, and motivated bad actors can sometimes work around them — just as they can work around classifier stacks. But the honesty of the model-level approach is its strength: a refusal that happens inside the TEE creates nothing that leaves the TEE. The moment a flagging mechanism is bolted onto this architecture, the user faces a pair of questions they cannot answer for themselves: which kinds of content trigger a flag, and what happens to that content once it crosses the boundary of the confidential environment? Whatever is exfiltrated to a human-review queue is, by definition, data that Meta now holds in cleartext outside the TEE. Which puts it squarely back inside the threat model the TEE was built to neutralise: subpoenas, broad preservation orders, other forms of compelled disclosure, breach by an external attacker, and misuse by an insider. The “no one — not even Meta — can read your conversations” promise quietly becomes “no one can read most of your conversations, but we can’t even tell you in advance which ones we will read.”

If at some point this becomes politically untenable — if a regulator concludes that purely model-level safety is inadequate for a consumer product at WhatsApp’s scale — there is a fallback worth considering, but it is a worse design. One could run a second LLM safety classifier inside the TEE that watches conversations and, in narrow cases, exfiltrates flagged messages for human review. Whether such a system is attestable in a meaningful sense is itself debatable. Even if it is, two problems remain.

First, motivated actors will game the classifier as readily as they game model-level guardrails — that is what red teams routinely demonstrate.

Second, using an LLM as the gate makes the user-uncertainty problem essentially unsolvable. There is no stable rule book that even Meta could publish, because the classifier is a probabilistic system whose outputs shift with phrasing, surrounding context, and silent model updates. The honest user who came to the system to think out loud about a worrying symptom or a medication interaction has no way to know — ex ante — whether their words will be classified as “self-harm-adjacent” or “drug-related” and routed for review, and therefore no way to know whether those words will end up in a queue subject to all the discovery and breach risks just described. The privacy promise, in practice, collapses into “we promise to be reasonable about what we exfiltrate,” which is the promise that Incognito Chat is, refreshingly, trying not to make.

What I hope happens next

The first thing I hope is that Meta closes the verifiable transparency gap quickly. Publishing the binaries corresponding to entries in the Cloudflare transparency log, broadening eligibility for third-party researcher access to auditable artifacts, and shortening coordinated-disclosure timelines where it can are the obvious next steps. The whitepaper says all the right things; the product needs to ship the rest of them.

The second is that the other major AI providers — OpenAI, Anthropic, Google, and the cloud platforms hosting them — converge on this design, with appropriate variations. OpenAI’s client-side encryption announcement is a promising signal but, as I argued at the time, the implementation details (in particular, whether safety detection runs on-device or in a TEE, and how transparently) will determine whether it is a comparable confidentiality story or a softer one. Anthropic, which has built much of its public identity around AI safety, has an obvious incentive to demonstrate that “safety” and “the provider can read every conversation” are separable propositions.

The third is that EU policymakers treat Incognito Chat as a benchmark rather than a problem. There is a real risk that a TEE-based architecture will be received, in some quarters, as inconvenient. I have written before (”Apple and EU DMA: a road to leave the EU?“, “DMA workshops and privacy“) about the tendency to treat strong privacy architectures as obstacles rather than goals. The right reading is the opposite: this is a fundamental-rights-respecting design that other providers should be encouraged — and, where appropriate, required — to match.

The fourth, and most speculative, is that we develop a legal vocabulary for AI privilege that takes technical architecture seriously. Privilege in the legal sense has always rested on a combination of professional duty and practical constraint — the lawyer cannot be made to disclose what the lawyer never knew. Confidential computing offers a similar combination in the AI setting: a duty (the provider’s privacy commitment), a constraint (the provider cannot, in fact, read the data), and an external audit trail (verifiable transparency). If we want this technology deployed at scale for the most sensitive use cases — health, mental health, legal, financial — then the law arguably should reward providers who adopt this architecture, not penalise them for the resulting blind spot.

The European Commission’s Digital Omnibus proposal is, on its face, the most significant attempt to fix the GDPR since the regulation entered into force. It would clarify the definition of personal data and confirm that legitimate interest can support AI training (while failing to do anything about the cookie consent mess, alas). Today, ICLE submitted formal comments, in which I argue that the co-legislators should adopt most of the changes. If you are interested in my responses to the EDPB/EDPS Joint Opinion or the NOYB report, you will find them in the full comments.

Here, I want to focus on the argument that most commentators - and the Commission itself - are avoiding. The changes proposed in the Digital Omnibus are welcome, but they are far from being sufficient. The same authorities that produced the current dysfunction will interpret the new rules. And unless the enforcement architecture changes, textual clarification will deliver only a fraction of the promised benefit. The Commission acknowledges that “more consistent and harmonised interpretation and enforcement across Member States” is needed. However, it provides no mechanism to achieve it.

Privacy myopia

Data protection authorities across the EU are, structurally, single-issue campaigners. This is not a criticism of the individuals who staff them - they are, for the most part, competent professionals who believe (correctly) that data protection matters. The problem lies in institutional design. DPAs have immense power to impose fines of hundreds of millions of euros. But they face no robustly enforced obligation to consider the consequences of their actions for interests other than privacy.

The result is what I have called “privacy myopia“: a regulatory culture in which maximising data protection is treated as the sole objective, and any consideration of competing interests - innovation, economic security, freedom of expression, public health - is treated as someone else’s problem. No countervailing institutional voice represents those interests within the enforcement process. Competition authorities occasionally intervene, but their mandate is narrower than the full range of what is at stake. Political authorities, whose responsibilities span economic security and public welfare, are excluded because their involvement would supposedly violate the independence requirement of Article 52 GDPR.

This has consequences: consider, for instance, the EDPB’s Opinion 28/2024 on AI models. It provides a lengthy list of compliance measures while offering no guarantee that following them will satisfy enforcement authorities. It grants regulators near-limitless discretion while providing minimal practical guidance to those trying to innovate responsibly. Businesses who invest in GDPR compliance for AI training have no assurance their efforts will be judged sufficient in a year or two. As I argued at the time, the uncertainty is as chilling as an outright prohibition - and for any entrepreneur aware of this risk (to be fair, many aren’t) and with a choice of jurisdiction, the rational response is to avoid the EU entirely.

The EDPB lacks accountability

In theory, the EDPB issues non-binding guidelines and opinions. In practice, these instruments function as the law in action: they shape DPA enforcement priorities, drive market behaviour, and are cited by national courts as authoritative. Controllers that deviate from EDPB guidance face the realistic prospect of enforcement action, regardless of whether the guidance accurately reflects the GDPR’s text or the CJEU’s case law.

The EDPB’s guidelines on Article 5(3) of the ePrivacy Directive illustrate the mechanism. The guidelines dramatically expanded what requires prior consent - treating generic URL parameters and standard browser transmissions as “access to information stored on the terminal equipment.” This reversed the narrower interpretation previously adopted by several national authorities (including the German Datenschutzkonferenz). The expansion occurred through guidelines, not legislation. It was not subject to impact assessment, parliamentary oversight, or robust stakeholder consultation of the kind required for legislative or even delegated acts (the consultation that took place served as a window-dressing exercise). The result was a reshaping of the regulatory environment for every website operator in the EU - through a nominally non-binding instrument that no one can effectively challenge in court. (I explored the consequences in “Why Europe Can’t Kill the Cookie Banner.”)

The EDPB/EDPS Joint Opinion 2/2026 on the Digital Omnibus reveals the same institutional logic. The EDPB argues that its own forthcoming guidance on pseudonymisation is a “better vehicle” than the Commission’s proposed Article 41a implementing acts. The pattern is consistent: wherever the Commission proposes implementing acts or legislative clarification, the EDPB argues it should have exclusive or primary control instead. In other words, the enforcer wants to keep setting the scope of the law it enforces.

Can the courts fix this?

Three recent sets of proceedings involving Meta and WhatsApp expose why the answer is: not yet, and not without help.

First, in WhatsApp Ireland v EDPB (Case C-97/23 P), the CJEU Grand Chamber held in February 2026 that EDPB binding decisions under Article 65 GDPR are “acts open to challenge” under Article 263 TFEU. This was a significant ruling. But the case was filed in 2021 and the admissibility ruling took five years. The merits remain pending. In this case, the EDPB had directed the Irish DPC to increase its proposed fine against WhatsApp from approximately EUR 30 million to EUR 225 million - a 7.5-fold increase. Even with access to the courts, meaningful review takes five or more years.

Second, in Meta v EDPB (Case T-319/24), the General Court held that the EDPB’s Opinion 8/2024 on “consent or pay” models “does not produce binding legal effects vis-à-vis third parties” and was therefore not an act open to challenge. The Court acknowledged the opinion used mandatory language (”should,” “should not”) but characterised this as “calling for an in-depth consideration” rather than imposing obligations. Meta’s appeal is pending. Even if Meta prevails, the ruling would address only Article 64(2) opinions --- not the broader category of EDPB guidelines and recommendations that constitute the bulk of its quasi-legislative output. (I discussed the implications in “Meta v EDPB and What Really Needs to Change in the GDPR.”)

Third, in DPC v EDPB (Joined Cases T-578/21, T-579/21 and T-580/21), the General Court upheld the EDPB’s power to direct national authorities to broaden their investigations into areas the national authority had not originally examined - applying no meaningful scrutiny of whether the EDPB’s substantive positions were balanced.

The three cases together expose the accountability gap. The EDPB’s most influential outputs - guidelines, opinions, recommendations - are the instruments most shielded from judicial review. Its binding decisions are now challengeable, but only after years of litigation and without guidance on what standard of substantive scrutiny courts should apply. The courts have treated the EDPB as a neutral authority that considers the general public interest. Whether that characterisation is accurate is, at best, contestable.

What the Joint Opinion does not say

The EDPB/EDPS Joint Opinion on the Digital Omnibus runs to 47 pages. It contains no reflection on whether the enforcement architecture is adequate. It mentions DPA resource constraints only in the context of requesting more resources. It never acknowledges the structural problems that lead to inconsistent enforcement. It never discusses the EDPB’s own accountability or the quasi-legislative nature of its opinions and guidelines. It never engages with the argument that separating investigation from adjudication could improve the quality and legitimacy of enforcement decisions.

This silence is telling. A regulatory body invited to comment on a comprehensive reform of its own legal framework devotes no space to asking whether its own institutional design might contribute to the problems the reform is designed to solve. I am not suggesting the EDPB is acting in bad faith. The more plausible inference is that the institutional incentives run against self-examination. As Mark Leiser puts it, the Joint Opinion is “a regulatory counteroffensive” that “deploys the language of rights not primarily to protect individuals, but to reassert institutional centrality, supervisory reach, and interpretive authority.” The observation is sharp. But the incentive structure produces the behaviour, whether or not any individual regulator intends it.

Is proportionate enforcement possible?

The answer is yes - we have examples.

The CNIL has demonstrated that pragmatic enforcement is achievable within the existing framework. Its AI guidance acknowledges that GDPR compliance for AI training is possible and provides workable compliance pathways --- a marked contrast with the EDPB’s strategically ambiguous Opinion 28/2024. But one national authority cannot shift EU-wide practice. The CNIL’s approach faces opposition among more absolutist privacy officials and activists, and there is no prospect that privacy enforcers will voluntarily adopt it across the EU. The structural incentives run the other way: DPAs that interpret the law broadly expand their own regulatory reach and receive institutional validation from the EDPB’s consistency mechanism. A DPA that interprets proportionately risks being overridden by the EDPB - as the Irish DPC’s experience demonstrates.

The UK provides an even more instructive example. The Information Commissioner’s Office announced in July 2025 a risk-based enforcement approach for online advertising, identifying six advertising capability categories where low-risk activities could proceed without consent. The ICO is doing something EU DPAs seem structurally incapable of (at least when acting as the EDPB): exercising enforcement discretion to achieve proportionate outcomes, distinguishing between extensive behavioural profiling (which requires consent) and low-risk activities like frequency capping and ad delivery (which may not).

Moreover, this is not just a single enforcement initiative. Section 91 of the Data (Use and Access) Act 2025 rewrites the Information Commissioner’s statutory duties. It inserts a principal objective requiring the Commissioner to secure an appropriate level of protection for personal data “having regard to the interests of data subjects, controllers and others and matters of general public interest.” It imposes explicit duties to consider innovation, competition, crime prevention, and public security. Section 120C requires a strategy framed accordingly, and section 120D requires consultation with other regulators, backed by annual reporting to Parliament.

This shows that data-protection enforcement need not be structured as a one-dimensional privacy mandate. A legislature can preserve regulatory independence while imposing explicit duties of balance, strategy, consultation, and public accountability.

What should the EU do?

I have proposed a five-part structural reform. It does not question the importance of data protection. It targets the institutional design that converts competent professionals into single-issue enforcers.

First, separate investigation from adjudication. DPAs would retain their investigative powers - the resources, technical expertise, and local knowledge they have built over years. But for consequential cross-border cases, they would present their findings and enforcement recommendations to an independent decision-making body, rather than serving as both prosecutor and judge.

Second, create an independent multidisciplinary EU tribunal. The tribunal would issue binding decisions, including fines, for consequential cross-border enforcement actions. Critically, it would not be composed exclusively of data protection specialists. A diverse panel - including economists, generalist judges, and experts in the regulated sectors - would weigh data protection against other fundamental rights and Europe’s broader public-interest objectives.

Third, mandate formal balancing of all interests. The tribunal’s legal framework would require it to articulate, explicitly, in each decision, how it balances data protection against other fundamental rights and the economic realities of the regulated activity. The GDPR already requires this balancing (Article 6(1)(f), Recital 4). The current enforcement architecture provides no institutional mechanism to ensure it occurs.

Fourth, appoint advocates general for non-data-protection interests. Drawing on the CJEU model, the tribunal would include judicial officers specifically tasked with highlighting and defending non-data-protection interests - innovation, freedom of expression, economic security, public health - that are affected by enforcement decisions but have no institutional voice under the current system.

Fifth, require tribunal review of EDPB outputs. The tribunal would review EDPB guidelines, opinions, and recommendations before they become final. If the EDPB produces guidance that fails the proportionality standard - as in its Article 5(3) ePrivacy guidelines, which effectively require website operators to obtain consent from would-be fraudsters before deploying anti-fraud measures - the tribunal could refuse to approve it.

This does not require Treaty change. Article 257 TFEU already empowers the European Parliament and Council to establish “specialised courts attached to the General Court.” Garicano, Holmström, and Petit’s Constitution of Innovation proposes using exactly this Treaty basis to create specialised commercial courts for internal market enforcement - regional tribunals with fast-track procedures, English-language proceedings, and EU-wide injunctive powers. Their courts are designed for mutual-recognition and trade-barrier disputes, but the institutional architecture is directly transferable. A specialised EU regulatory tribunal under Article 257 TFEU could house both the commercial jurisdiction they envision and the data protection enforcement function I propose. It would also embed data protection enforcement within a broader framework of EU regulatory adjudication, ensuring that privacy is weighed alongside the other interests that the EU’s regulatory instruments affect.

The Unified Patent Court already provides a working precedent for specialised EU judicial bodies in complex technical and economic matters. The real issue is whether the political will exists to apply the same institutional logic to data protection - where the current enforcement architecture serves the institutional interests of the bodies that would need to cede authority.

Who else sees the problem?

I am not alone. Luca Bolognini and Enrico Capparelli propose that supervisory authorities should be required to carry out a prior analytical assessment of the effect that their decisions would have on innovation, competitiveness, and other fundamental rights - and that this assessment should be notified to the addressee with the provisional decision. They also propose mandatory participatory prior-consultation procedures for EDPB guidelines, with public availability of consultation results.

Peter Craddock observes that DPA opposition to the entity-relative definition of personal data cannot be treated as neutral, because when information ceases to be perceived as personal data, it falls outside the authorities’ remit: “one must be careful not to see their position as neutral.”

What happens if nothing changes?

If the enforcement architecture remains unchanged, the substantive reforms in the Digital Omnibus will be interpreted by the same authorities, using the same maximalist lens, that produced the problems the reforms are designed to solve. The entity-relative definition of personal data will be narrowed through guidance and enforcement practice. The legitimate interest framework for AI training will be hedged with conditions that recreate the uncertainty it was meant to resolve. The ePrivacy exemptions will be read as narrowly as the exemptions they replace.

The Commission should know this. Its own Explanatory Memorandum acknowledges the enforcement consistency problem. But the Digital Omnibus contains no mechanism to address it. The co-legislators have an opportunity - arguably their best opportunity in a decade - to fix not just the text but the institutions that apply it. The question is whether they will take it, or whether they will settle for a reform that looks good on paper and changes less than it promises.

Executive Summary

The approach adopted in the Draft Joint Guidelines will lead to a new proliferation of “consent popups” at a time when the Commission is seeking to address similar past failures of EU law regarding “cookie banners”. Users of digital services regulated under the DMA are likely to see further declines in the quality of their experience, and this could further damage the reputation of EU law. The DMA’s goals do not necessitate this approach, and we encourage both the EDPB and the Commission’s DMA Team to address the issue of consent in a more user-friendly way.

The guidelines disproportionately contradict the aims of EU data protection and cybersecurity laws by requiring that gatekeepers do not warn users about clear and realistic risks that attend data portability (especially real-time and continuous portability) and by preventing gatekeepers from excluding known bad actors as recipients of user data. Effectively, the Draft Joint Guidelines would even mandate that gatekeepers support and enable campaigns by criminal or foreign-enemy-state actors to collect EU personal data, so long as those actors inform the gatekeeper—even falsely—that they’re EU organisations and don’t plan to transfer personal data outside the European Economic Area (EEA).

More generally, the guidelines depart from previously stated Commission policy, supported directly by the DMA, that gatekeepers have a duty to ensure DMA-implementation measures comply with other laws, including those on data protection and cybersecurity. Instead, the Draft Joint Guidelines propose to prohibit gatekeepers from implementing the most effective measures to achieve such compliance.

The guidelines interpret the DMA and the GDPR inconsistently. Without appropriate justification, some serious data-protection risks (e.g., those related to data portability) are not addressed as robustly as others (e.g., the sharing of search data).

The Draft Joint Guidelines also omit interoperability mandates under Article 6(7) DMA, incorrectly suggesting that such obligations pose no serious privacy issues. In fact, such issues include questions regarding the interplay between the DMA and the GDPR, as well as the ePrivacy Directive.

I. PROLIFERATION OF CONSENT REQUESTS (ARTICLES 5(2), 6(10) DMA)

The European Commission last month proposed legislation to address the problem of “cookie consent fatigue” by changing rules that are “outdated and inadequate for contemporary privacy and data needs”. It is therefore surprising to see the EDPB and the Commission’s DMA team pursue guidelines that would vastly increase the proliferation of consent requests with which EU users of digital services are bombarded.

The excessive reliance on ever-more consent requests, without any investigation of ways to reduce the need for them in accordance with the law, flies in the face of the current research on data protection. Even vocal critics of the ways that digital services use personal data recognize that the consent-centric approach has been a failure.

We should expect more from public authorities than the unthinking application of the consent paradigm, while failing to address the actual problems of data protection and security.

The Draft Joint Guidelines contribute to the disproportionate proliferation of consent requests in the following ways:

• Consent requests for the use of third-party data for online advertising, combining and cross-using personal data (Article 5(2) DMA) are meant to be further divided into various “purposes” like “personalisation of content, personalisation of advertisements, and service development” (at [31]). While the guidelines direct gatekeepers to combine DMA and DMA-GDPR requests, avoiding the need to further double many consent requests, this doesn’t address the increased consent fatigue that users will experience (at [42]).

• The Draft Joint Guidelines’ section on “ensuring user-friendly choices and consent designs” is a stark example of what has been dubbed the “nerd harder” approach (at [40]-[45]), without providing much actionable guidance on consent design. In its preoccupation to present choices in a “neutral” manner, the section fails to propose even the contours of a positive guiding example (g., must “yes” and “no” buttons have same the colour and contrast even if it’s a basic user-experience practice to give them different colours, thus enabling rather stifling choice?). Moreover, the section presents vague goals regarding user comprehension as a benchmark, merely paraphrasing the legal texts (at [45]). In doing so, it fails to adopt a realistic assessment of users’ level of interest and familiarity with legal frameworks like the DMA and GDPR.

• The guidelines are unclear regarding separate consent requests for processing special category data under Article 5(2). They may be read as imposing a new disproportionate requirement to seek such consent, together with Article 5(2) DMA consent, even where there is no requirement to ask for it under the GDPR (g., when the gatekeeper has already obtained consent) (at [37]).

• The Draft Joint Guidelines acknowledge that users could be overwhelmed by a large number of requests from businesses for user-data portability under Article 6(10) DMA (“in particular where requests are repetitive or disruptive of the end user’s experience”) (at [172]). Even with regard to obvious cases of abuse, however, the guidelines fail to state clearly that gatekeepers can protect users from “repetitive or disruptive” requests. Instead, they offer a vague statement about “layered and intuitive consent interfaces”, which does not address whether gatekeepers can refuse to convey some consent requests.

II. ANTI-DATA PROTECTION AND SECURITY REQUIREMENTS (ARTICLES 6(9) AND 6(10) DMA)

The DMA’s provisions on data portability, in Article 6(9) and 6(10), indisputably create data-protection and security risks. This is true not only for end users of DMA-regulated services, but also for any other person whose data happens to be in the user’s service account or—on the guidelines’ broad interpretation—even on the user’s device. These include new risks that users would neither expect, nor understand. Consider the following example.

A user, currently logged into a major social-networking service (the Gatekeeper), encounters a viral third-party application promising a “Digital Nostalgia” service. The application claims to use artificial intelligence (AI) to scan the user’s history and generate a sentimental video montage of their friendships. To initiate this process, the user is forwarded from the third-party website to the Gatekeeper’s authorization screen.

Because the user is already authenticated on the platform, they do not need to enter credentials; they are immediately presented with a standard consent popup. This popup bears the social network’s familiar and trusted branding. It lists the permissions the third-party app requires, which include access to historical photos—including images shared only with close friends or romantic partners—private message archives, and contact lists.

Crucially, the user sees only the Gatekeeper’s familiar interface and instinctively applies the trust they have in that established platform to the unknown third party. The Gatekeeper’s consent screen effectively launders the legitimacy of an unvetted requestor. Conditioned by years of “consent fatigue” from cookie banners and terms-of-service updates, the user performs a cursory scan of the permission list—indistinguishable from dozens of benign requests they have approved before—and clicks “Allow” to access the promised feature.

In that single instant, the nefarious application triggers the data-portability interfaces mandated by the DMA. This grants the third-party actor immediate access to a massive trove of sensitive historical data, allowing them to exfiltrate years of private correspondence and intimate media without further interaction from the user. The application need not even deliver the promised nostalgia video, although this may be helpful to attract more victims. The Gatekeeper’s trusted UI effectively cloaks the risk of the unknown third-party requestor, creating a “Trojan Horse” effect where the ease of portability is weaponised against the user’s privacy.

Under the requirement for “continuous and real-time” access, the threat extends beyond the user’s historical data. By granting this permission, the user has inadvertently authorised a persistent data stream—effectively a “live wire” connected to their account. Even after the user closes the “Digital Nostalgia” tab and forgets the application exists—not having received any ongoing notification that data sharing continues (at least for months)—the third-party service retains a valid access token or webhook subscription. This allows the nefarious actor to instantaneously receive copies of every new private message sent, every new photo uploaded, and every location tag created. The user is under active surveillance, with their ongoing digital life being mirrored to a malicious server.

This asymmetry compounds the harm: a single click grants access, but revocation—if the user even remembers the application exists—can only break the link for future data. Any data already exfiltrated is, of course, already in the attacker’s possession. The harvested information opens multiple vectors for exploitation: intimate images may be leveraged for sextortion; private messages mined for credentials, security questions, or blackmail material; and complete social graphs may be sold to data brokers, stalkers, or abusive ex-partners. All this stems from a single, momentary click on a consent form that took less time to approve than to read.

This textbook example of “consent phishing” has some resemblance with the infamous Cambridge Analytica case. But much less information was available to Facebook apps like “This Is Your Digital Life” in 2014-15 than would be under the DMA; importantly, there was no risk to private photos or messages. This is what is new about the risk: at a single click, an entire account and its most private contents could be sent to a third party (not to mention setting up ongoing surveillance).

Neither the European Commission, nor any other EU body, is currently conducting a public-information campaign to address this issue. This is despite the obvious fact that users of at least some DMA-regulated services have grown accustomed, with good reason, to trust that the manufacturer/service provider would not allow users to harm themselves so easily. But this is now possible under the DMA.

Indeed, the Draft Joint Guidelines are generally dismissive of DMA-created risks to data protection and data security, which is surprising given the participation of the EDPB. Instead, they are preoccupied with interpreting the DMA’s explicit security and privacy provisions as narrowly as possible. The example detailed above illustrates two key problems with the guidelines:

1. They require gatekeepers not to warn users about clear and realistic risks of data portability; and

2. They prevent gatekeepers from excluding known bad actors as recipients of user data.

The guidelines state that “portability options and the wording used to describe them should be provided in a neutral and objective manner and should not nudge end users towards a specific choice” (at [126]). In other words, they require gatekeepers to act as if every choice to port data—even a choice that would expose an entire service account (with private messages, etc.) or all data on a user device—is equally neutral and safe, which is obviously not the case.

Moreover, the guidelines explicitly forbid gatekeepers from restricting third parties’ receipt of user data—even when, e.g., the third party has previously been fined or convicted for GDPR violations or is known to engage in practices like “consent phishing”. The Draft Joint Guidelines state (at [131]):

Gatekeepers should also not gather information pertaining to the authorised third party’s compliance measures under the GDPR, including potential administrative or judicial proceedings the third party has undergone in relation to compliance with the GDPR, or whether the third party has suffered breaches of data security in the past.

Gatekeepers would only be permitted to request “third parties’ identity details and information on whether, and to what extent’ the data to be ported” will involve transfers outside the EEA (to a country without an adequacy decision) (at [130]). The guidelines do not mention the possibility of gatekeepers being allowed to verify whether such minimum information is even provided truthfully. In effect, gatekeepers are entirely disarmed from protecting users, even where they know the user is about to become a victim of consent phishing or another kind of attack.

The shortsightedness of this approach is especially staggering given the current geopolitical situation and well-known cyber operations of unfriendly states against the EU. The answer that the Draft Joint Guidelines provides to the issue of potential violations by third-party DMA beneficiaries is that such third parties are subject to the GDPR and potential GDPR enforcement (see the next section). Obviously, data-protection authorities will deter no criminal or state actor, and it is trivially easy to concoct front businesses putatively based in the EU, especially when gatekeepers are barred from verifying any information.

III. PROHIBITING GATEKEEPERS FROM IMPLEMENTING THE MOST EFFECTIVE MEASURES FOR DATA PROTECTION AND CYBERSECURITY

As noted above, according to the Draft Joint Guidelines, any privacy or security violations by DMA-beneficiary third parties can only be policed by actors other than the gatekeepers. The key problem with this approach is that gatekeepers are, in at least some cases, best placed to perform this oversight. Indeed, prevention is likely to be the only intervention that matters, especially in cases like data exfiltration through “consent phishing”.

Effective approaches are needed, because data protection and security are exceedingly difficult to police in practice—both in terms of deterrence and in terms of enforcement against violators. It simply cannot be credibly maintained that the mere fact that DMA’s beneficiaries are theoretically subject to the GDPR solves the issue of GDPR compliance. This is especially true for non-EU actors who aim to benefit from the DMA, either through legitimate but economically insignificant EU establishments, or by simply lying to gatekeepers about their identities.

In adopting this approach, the guidelines depart from previously stated Commission policy, supported directly by the DMA, that gatekeepers have a duty to ensure DMA implementation measures comply with other laws, including those on data protection and cybersecurity. For instance, Commissioner Margrethe Vestager stated in the European Parliament that:

It is for the companies to decide how will they present their services, their operating system, how will they make them safe for you and comply with the DMA.

This aligns with Article 8(1) DMA, which states:

The gatekeeper shall ensure that the implementation of those measures complies with applicable law, in particular Regulation (EU) 2016/679, Directive 2002/58/EC, legislation on cyber security, consumer protection, product safety, as well as with the accessibility requirements.

The guidelines note that (at [88]), but add, in the context of Article 6(4):

At the same time, gatekeepers should not seek to instrumentalize their compliance with other applicable laws with a view to make their compliance with Article 6(4) DMA less effective. When selecting among several possible appropriate measures to comply with obligations stemming from other applicable laws, gatekeepers should select the measures that less adversely affect the pursuit of the objectives of Article 6(4) DMA, provided that they remain effective in ensuring compliance with those other applicable laws.

The legal interpretation implicit in this paragraph is highly questionable, as it appears to assume that DMA obligations take precedence over obligations from other EU legislation. One should ask whether the Draft Joint Guidelines apply the same logic to their interpretation of the DMA. In other words, when there are several ways to interpret the DMA and pursue its goals, do the guidelines choose those that less adversely affect pursuing other EU law objectives, including minimising restrictions of the rights protected by the EU Charter? Little in the Draft Joint Guidelines suggests that such balancing has been conducted, and that the guidelines are defensible from this perspective.

Setting this aside, Article 8(1) is entirely absent from the guidelines’ section on the data-portability mandate under 6(10) DMA. The section on Article 6(9) references Article 8(1) in its discussion on authorised third parties, mentioning the GDPR’s principle of integrity and confidentiality (Article 5(1)(f) GDPR) and the requirement to ensure the security of personal-data processing (Article 32 GDPR) (at [129]). Notably, the principle of data minimization (Article 5(1)(c) GDPR) is not mentioned.

In that discussion, the Draft Joint Guidelines make the already-quoted point that gatekeepers should neither gather information on GDPR compliance by third parties wanting to benefit from the DMA, nor act on any information about their noncompliance. That point is followed by the following sentence (at [131]):

Such information would not necessarily be an indicator of future compliance or the security of an application or related processing, and as such is not strictly necessary to comply with the gatekeeper’s own responsibility under the GDPR.

This reveals two important assumptions implicitly made in the guidelines, detailed in the next two subsections.

A. Gatekeepers Only Responsible for Own GDPR Compliance

First, Article 8(1) DMA concerns only “the gatekeeper’s own responsibility under the GDPR”. This is not the only possible reading of Article 8(1), and the guidelines provide no argument why this reading should be adopted. On an alternative reading, which aligns with previous Commission policy as stated by Commissioner Vestager, gatekeepers are meant to ensure that DMA implementation measures comply with other laws, full stop.

In other words, it is the gatekeepers’ responsibility to ensure—to the extent they can—that implementation measures do not lead to noncompliance with those other laws. It is true that gatekeepers cannot fully control, for instance, what third parties do with ported user data. But this does not mean that they should not at least implement technical and organisational measures (e.g., contractual measures) to safeguard compliance to the feasible extent. They are, after all, best placed to adopt such safeguards.

If gatekeepers do not do so, then DMA-created risks like the “consent phishing” example from the previous section will meet with no effective prevention. In other words, gatekeepers are the lowest-cost avoiders of harm. It is hard to argue that the aim of preventing them from performing a necessary service that they are best placed to do could be attributed to a rational choice by the EU legislature.

What is most puzzling is that the Draft Joint Guidelines do recognise this rather obvious point, but only in the section on search-engine data sharing under Article 6(11) DMA. There, the guidelines explicitly contemplate an implementing act that (at [189]):

…may include an obligation for gatekeepers to contractually impose measures, where appropriate, on eligible third-party undertakings as a condition to access the data. Contractual requirements may, among others, limit onward sharing of the data received by eligible third-party undertakings. The implementing act may also impose specific monitoring obligations on the gatekeeper and also specify appropriate measures that gatekeepers must take in case of an established violation by third-party undertakings providing online search engines of requirements set out in the contract. Such measures may include requiring the gatekeeper to notify the competent data protection supervisory authority in case of an alleged breach of the GDPR, cease sharing data with the third-party undertaking providing an online search engine, and providing it with the contractual right to order the third party to delete any data it received from the gatekeeper.

We will return in the next section to this inconsistency in how the guidelines treat Article 6(11) and other provisions.

B. GDPR Applies Only to the Extent ‘Strictly Necessary’

The other revealed assumption in the Draft Joint Guidelines is that gatekeepers’ responsibility under the GDPR should be interpreted narrowly, placing the DMA’s goals above the GDPR’s goals. The sentence from the guidelines cited above restricts the GDPR’s application in a way that has no basis in the DMA: Gatekeepers are only allowed to comply with the GDPR to the extent this is “strictly necessary” (at [131]). And not just “strictly necessary” as this is typically understood, but in some qualified, extreme sense.

In fact, it is hard to see the limiting principle of this restriction, given how facially unreasonable the provided example is. The guidelines state that, because it is not always the case (“would not necessarily be an indicator”) that third parties’ previous GDPR violations are predictive of future GDPR violations, there can never be a situation where prior violations indicate a strong likelihood of future violations. More precisely, there can never be a situation where knowledge of prior violations would permit a gatekeeper to better comply with the GDPR by refusing to transfer user personal data (likely including special categories of data) to such third parties. This is extremely surprising, given the EDPB’s co-authorship of the guidelines.

As far as the DMA is concerned, it states that it applies “without prejudice” to the GDPR (see, e.g., recital 12). The DMA contains no general qualification that laws with respect to which it remains “without prejudice” apply only to the “strictly necessary” extent, much less in the extreme version suggested by the cited sentence.

To read the final two sections on the inconsistent interpretation of the DMA and the GDPR and on the omission of interoperability mandates (Article 6(7) DMA) go to the ICLE website.

You can listen to the full episode on Mobile Dev Memo, as well as Apple Podcasts and Spotify. Below, you will find my extended notes on that conversation.

1. From the GDPR (2018) to the Draghi report (2024)

To provide some background for the current reform plans, Eric asked me to draw a line from the GDPR’s entry into force in 2018 to Mario Draghi’s 2024 report on EU competitiveness, which criticises the GDPR’s impact on growth.

My framing:

• The GDPR was not a complete break with the past. EU data protection has a long pre‑GDPR history.

• What did change with the GDPR was its economic weight:

  • Fines up to 4% of global annual turnover.

  • Application to nearly all digital services processing “personal data.”

  • Very broad and expansive interpretations by regulators.

A relatively small “true believer” community of privacy professionals suddenly found themselves with a powerful, economy-shaping legal instrument. Many in that community have a strong, almost absolutist view of data protection, as well as little regard for trade‑offs with anything outside privacy (including innovation or competitiveness).

The small community developed into a compliance industry—consultants, auditors, trainers—whose business model depends on maximising perceived GDPR risk.

Draghi’s report picks up one visible part of this:

• Gold‑plating and fragmentation: member states adding extra requirements on top of the GDPR.

• Compliance and red‑tape costs: especially damaging for SMEs that cannot amortise costs the way large tech firms can.

But in our discussion I stressed what Draghi’s accounting‑style analysis cannot easily quantify the opportunity cost:

• Products never launched because founders are told “the GDPR makes this too risky.”

• SMEs that never expand into other member states because of fear of divergent national rules.

• Internal data projects killed pre‑emptively by over‑cautious legal advice.

That is the backdrop for the Commission’s omnibus effort: there is finally political pressure to “do something” about Europe’s economic malaise, and digital regulation is impossible to ignore in that context.

2. What the “digital omnibus” is trying to do

At a high level, the “digital omnibus” package is one chapter in a broader legislative response to Draghi and to mounting political anxiety over Europe’s weak growth and weak tech sector. I already covered this in Europe is not “so back:” why cookie banners are here to stay (despite the reform) and the hard route not taken and Leaked GDPR reform: some good ideas but what about enforcement?.

On data protection specifically, I highlighted three main elements of the proposal:

1. AI & the GDPR: clarifying when AI training and use can proceed without consent.

2. Cookies & signals: shifting some cookie/ePrivacy issues into the GDPR, and introducing mandatory browser/OS‑level “signals” for user choice.

3. Scope of the GDPR: codifying a narrower understanding of what counts as “personal data.”

I cautioned that the proposed legislation, even if adopted, may not achieve much:

• The text of the omnibus is less important than the enforcers (national data protection authorities and their EU-level body, the EDPB).

• Nothing in the proposal reforms the enforcement machinery.

• Even the best textual clarifications can be neutralised later by restrictive interpretation.

That is why I am sceptical that these changes, as currently drafted, will materially reduce the compliance burden or uncertainty.

3. AI under the GDPR: is real‑world AI development illegal?

We then moved to AI, where there is now a clear standoff between two camps:

1. The pragmatic camp (e.g. France’s data protection authority, the CNIL):

   • real‑world AI training and deployment (Mistral, OpenAI, etc.) can be made compatible with the GDPR;

   • guidance that at least gestures towards workable compliance paths.

2. The prohibitionist camp (Max Schrems/NOYB and like‑minded data protection officials):

   • real-world state‑of‑the‑art LLMs essentially incompatible with the GDPR;

   • use ambiguity strategically: never quite declaring AI “illegal” (in theory), but keeping maximum enforcement discretion to be able to deem any actual AI illegal.

The activist legal theory against LLMs

I summarised two key lines of argument used by the prohibitionists:

1. Reasonable expectations

   • Europeans did not reasonably expect publicly available data (e.g. website content) to be used for LLM training.

   • Hence: training requires prior consent from every affected individual.

   • Practical result: impossible to obtain → therefore, large‑scale LLM training is illegal.

2. Sensitive data (Article 9 GDPR)

   • LLM training corpora inevitably contain “special category” data: health, politics, religion, etc. (at least on the current expansive reading of this concept).

   • Even if inclusion is incidental and unintentional, activists argue this triggers Article 9, which would likely demand explicit consent from each individual.

   • Again, impossible in practice → LLMs are unlawful.

I think this is not the best reading of the GDPR. But it is a very real reading embraced by powerful actors (including some data protection authorities), and the EDPB’s opinion on AI was drafted to preserve that enforcement stance.

What the digital omnibus does for AI

The Commission’s digital omnibus proposal tries, modestly, to push back:

• It would clarify in the GDPR that consent is not required for certain AI training and use cases.

• In practice it is aimed at undermining the “in practice everything needs prior consent” theories pushed by NOYB and others.

I see this as a good move in principle, but again:

• It will be interpreted and applied by the same authorities behind the EDPB’s strategically vague AI opinion.

• They can still declare specific AI practices “non‑compliant” using other GDPR hooks (e.g. their reading of “reasonable expectations”).

Eric asked whether the anti‑AI crowd is just staking out an extreme negotiating position, or whether they genuinely want LLMs effectively banned in Europe. I answered that many of them are sincere:

• They doubt AI’s value.

• They place little weight on long‑run economic consequences.

• They’re effectively promoting a de‑growth, anti‑tech vision of Europe.

4. Cookies, ePrivacy, and why the banners may not go away

The other big “user‑facing” topic we discussed was the Commission’s attempt to reduce cookie consent banners.

The starting point: EDPB on Article 5(3) ePrivacy

We reminded listeners that:

• Article 5(3) of the ePrivacy Directive (the “cookie law”) applies to any information stored in or accessed from a user’s terminal equipment, whether or not it is personal data.

• The EDPB issued guidance that dramatically expands what needs prior consent, including:

  • Email tracking pixels,

  • IP‑based tracking,

  • Even UTM parameters in URLs.

If that interpretation is accepted, then in practice almost all meaningful analytics and ad‑related communication between browser/app and server becomes subject to prior consent.

What the omnibus proposes

The Commission’s idea is to:

1. Split the regime:

   • Non‑personal data remains fully under ePrivacy Article 5(3) → status quo (consent by default) → no change for cookie banners.

   • Personal‑data‑related operations are shifted into the GDPR, where:

     • consent is still the default, but

     • new exemptions would be added.

2. The two new GDPR exemptions are roughly:

   • Aggregated audience measurement by the controller for its own use.

   • Security of the service or the terminal equipment.

On paper, that sounds like a step forward. In practice I see three problems:

• Non‑personal data is untouched
  UTMs and a lot of non‑personal device‑origin data stay under the strict ePrivacy regime. If DPAs continue to treat things like UTMs as requiring consent, banners and other consent requests remain unavoidable in many flows.

• Analytics exemption is very narrow

  • Only for aggregated information.

  • Only when generated by the controller for its own use.

  • Real‑world analytics stacks often involve third‑party providers, cross‑site analysis, and user‑level tracking. Those would still trigger consent.

• Security exemption won’t cover adtech reality

  • I fully expect DPAs to say that ad fraud detection and many ad‑ops activities do not fall under “security of the service” (or under “aggregated” analytics).

  • So fraud prevention and billing‑grade measurement would still require consent, unlike in the UK where the ICO is trying to create more realistic exemptions.

Net effect: I do not think this package, as drafted, will significantly reduce cookie consent friction. It is too timid, too complex, and leaves the most expansive EDPB interpretations intact.

5. Browser / OS‑level signals: a one‑way ratchet?

The omnibus also introduces the idea of “automated and machine‑readable indications of user choice”—browser or OS‑level signals that:

• Must be implemented by web browsers within a couple of years.

• Must be respected by online services when:

  • Consent is required, or

  • Users exercise their right to object (e.g. to direct marketing based on legitimate interests).

The legal text is high‑level and foresees a later technical standard. But based on existing GDPR practice, I expect the following pattern:

• Negative signals (opt‑out)

  • Will be interpreted broadly: a single “no tracking” browser setting will be treated as a global refusal of:

    • All consent‑based tracking, and

    • All direct‑marketing processing based on legitimate interests.

• Positive signals (opt‑in)

  • Will likely be declared insufficient for valid consent in virtually all practical cases:

    • DPAs will say consent must be “specific” and “informed” at the service level.

    • A generic browser‑level “yes to tracking” will be considered too coarse.

So the browser/OS signal risks becoming a one‑way ratchet:

• Easy to decline everything, everywhere, with one toggle.

• Hard or impossible to use that same mechanism to give valid consent.

The proposal also mentions an exemption for “media services” (likely reflecting lobbying by large publishers), but that term is undefined. Depending on how it is interpreted, this could become:

• Yet another privileged carve‑out for certain incumbent publishers.

• Another structural blow to the open web, especially smaller services that cannot claim “media” status.

6. “Personal data:” can we tame the “law of everything”?

We then discussed perhaps the most legally important—but politically under‑appreciated—piece: the definition of personal data.

Today, the GDPR is often treated as the “law of everything” in digital markets, because:

• Regulators and activists insist on extremely broad readings:

  • Any pseudonymous identifier that can single out a user is treated as personal data.

  • Even if the controller has no realistic way to discover who the person actually is.

A recent Court of Justice judgment pushed back slightly against this trend, and the Commission is now proposing to codify a narrower, more controller‑centric test.

The core idea:

• Whether data is “personal” for you depends on whether you are reasonably likely to identify the individual.

• If you only hold pseudonymous IDs that cannot, in your setup, be linked back to real people, the dataset might not be “personal data” for you.

• The GDPR would then not apply directly to that dataset.

In our conversation I argued that this could create real incentives for data minimisation and structural separation:

• Many organisations would strive to process only data they cannot link back to individuals.

• A smaller set of specialised entities would handle truly identifying data under full GDPR scrutiny.

Activist organisations like NOYB strongly oppose this, portraying it as a “loophole.” But the test is objective, not subjective:

• It is not enough for a controller to say “we promise we can’t re‑identify.”

• Authorities can and will inspect whether the controller really lacks the means to identify individuals.

If applied in good faith, this could remove a very large class of low‑risk activities from the GDPR’s full compliance burden.

However, my concern is that the same actors who pushed “everything is personal data” will work to re‑interpret the new text so that nothing actually changes in practice.

7. The politics: who hates the omnibus, and why that matters

Eric asked about the reaction to the leaked proposal. The answer is: ferocious opposition from the privacy establishment.

Key elements:

• Left‑of‑centre political groups in the European Parliament publicly attacked the package.

• A coalition of NGOs and trade unions issued an open letter describing the package as:

  • “The biggest rollback of digital fundamental rights in EU history” and

  • A “an attempt to covertly dismantle” Europe’s “gold standard” GDPR regime.

Several aspects stood out to me:

• These groups now feel compelled to argue that the omnibus will harm competitiveness and innovation—a very strange posture in which they lack any credibility.

• One civil‑liberties organisation even pointed to China’s digital regulation as a model Europe should emulate, which I find remarkable given their stated mission.

By contrast, support for reform comes from:

• Some national leaders (e.g. calling to “stop the clock” on the AI Act).

• A small but vocal “EU accelerationist” community of investors and operators.

I noted a paradox:

• The Commission is clearly willing to spend political capital—this package goes further than I would have predicted a few weeks ago.

• Technically and institutionally, it still falls well short of the changes needed to really alter enforcement dynamics.

8. “Pay or consent” and the EU–UK divergence

Although the focus of this episode was the omnibus, Eric also asked for an update on “pay or consent” and the DMA, including the UK angle. In June, Eric and I devoted an entire podcast to this issue. I also recommend my debate with competition law scholars from September.

So what’s happening?

In the EU (the DMA + the GDPR)

• In April 2025, the Commission found Meta’s original “pay or consent” model (subscription for no ads vs free with personalised ads) non‑compliant with the DMA’s Article 5(2) “specific choice” requirement.

• Meta had already moved away from that binary model in November 2024, introducing:

  • A triple choice:

1. Paid, no ads.

2. Free with personalised ads.

3. Free with “less personalised ads” (with non‑skippable ad breaks).

• Lower subscription prices.

• The April decision only covers the earlier, binary model; we still do not know whether the Commission will accept Meta’s current triple‑option design.

In the UK (the GDPR only, no DMA)

• As I wrote in Why is Meta offering cheaper and simpler “pay or consent” in the UK?:

• Meta rolled out a subscription for no ads model in the UK after extensive discussions with the ICO.

• The ICO’s public statement is cautious, but clearly more accommodating:

  • It does not insist on a third, free “less personalised” option.

  • It focuses on whether Meta’s consent flow and information are adequate under the (UK) GDPR.

I see the ICO as charting a pragmatic path that the EU could emulate—but so far shows no real sign of doing so.

9. The “Washington effect” and Brussels’ anti‑fragility

Finally, Eric asked whether the threat of US retaliation (e.g. via tariffs or counter‑measures framed as responses to DMA fines) might soften EU enforcement.

I doubt it. I used the term “Washington effect” for the idea that US pressure might discipline EU regulators. In practice, Brussels is institutionally anti‑fragile:

• Careers in and around EU institutions can still be made by “sticking it to big tech.”

• The Commission and data protection authorities staff can outlast any one US administration.

• They may reasonably believe that US priorities will shift, while their own incentives and internal politics remain constant.

Ursula von der Leyen was right in this year’s State of the Union Address that “Europe is in a fight.” Thanks to the published “omnibus” reform proposals, we now know what Brussels is bringing to this fight.

Good intentions? Sure. Some recognition that our current economic malaise is due to regulatory overreach and the failure to safeguard the common market? Yes.

However, European politicians cannot abandon the “luxury” mindset: the belief that we can pursue all policy aims simultaneously, with “win-wins” and no difficult trade-offs (Rebuild our industry! But also: no emissions! And no nuclear!).

As the authors of the excellent Constitution of Innovation argued, we are on a path similar to that of twentieth-century Argentina—albeit worse due to Russia’s violent imperialism and a demographic crisis. To avoid that fate, the authors propose strengthening the common EU market while limiting the EU’s regulatory ambitions. Of course, the former faces opposition from national governments, and the latter is anathema to Brussels (a small illustration: “civil servants are being asked to rethink and streamline laws they authored, championed and built their careers on …”).

The proposed “digital omnibus” legislation is an excellent example of how challenging it is to meaningfully reform the excesses of EU regulation.

Last week, I commented on its leaked version (Leaked GDPR reform: some good ideas but what about enforcement?). Earlier this week, the Commission published the official proposal, which is largely in line with the content of the leaked document.

Cookie consent banners are here to stay

I have bad news for those who are celebrating the proposal’s headline aim of getting rid of cookie consent banners as a big win over regulatory overreach. To understand why, let’s look at why businesses are currently expected to ask for user consent.

I agree with the Commission that the cookie consent law—from the ePrivacy Directive—is “outdated and inadequate for contemporary privacy and data needs.”As interpreted by the European Data Protection Board (EDPB), the law requires prior user consent for many basic information exchanges between an Internet service and a user device (see my Consent for everything? EDPB guidelines on URL, pixel, IP tracking).

The exceptions to that are interpreted extremely narrowly and don’t include such table-stakes purposes as using parts of web links (URLs) to inform the digital service about which advertising partner originated the traffic or what advertising campaign the link was associated with. Similarly, the exceptions don’t cover basic measures used to detect attempts to defraud advertisers (and thus call for asking fraudsters to kindly consent to enabling anti-fraud measures!). It doesn’t matter if this isn’t personal data. It doesn’t matter if this isn’t even remotely sensitive. On the EDPB’s absolutist reading of the law, prior user consent is required—hence, the consent banners/pop-ups.

The legal change proposed by the Commission doesn’t even attempt to address the bulk of the issue. The non-sensitive, non-personal data will still require prior consent for processing.

What the Commission proposed was to exclude personal data processing from the ePrivacy Directive and mostly replicate the framework within the GDPR, but with minor tweaks.

The tweaks include the addition of two exemptions from consent: creating aggregated usage statistics and security measures. Despite the Commission’s optimism, the new exemptions will be practically insignificant because they will be interpreted with anti-business prejudice by the same people who produced the already cited EDPB guidelines requiring consent for processing even generic web link fragments.

With the EDPB in charge, we can expect the analytics exemption not to apply to the standard third-party analytics that businesses actually use. Not to mention any analytics not deemed “aggregated,” because it tracks individual users. Similarly, the security exemption will almost certainly not cover anti-advertising fraud measures. In other words, the purposes for which actual website operators process data will still require consent. The cookie banner will live to fight another day.

You might object that this is against the spirit of the reform, and surely there must be a way to interpret the law more flexibly? I would agree, but here we reach the core of the problem. It is the reason why, in practice, all the other good ideas from the Commission’s proposal also risk being largely nullified.

The issue is enforcement.

Privacy enforcement will undermine the reform

The officials in charge of applying the changed rules will be the same people who brought us the idea that prior user consent should be required for nearly all Internet communications. In other words, people who genuinely believe their job is to promote data protection and privacy above everything else. Even if legislators were to give them an explicit duty to care about “economic growth” or “innovation,” it would change little. In fact, privacy enforcers would likely argue that they are already doing that (e.g., some EDPB documents contain sections on balancing—I’ll leave it to the reader to guess how serious such balancing is).

What is especially difficult for privacy enforcers to internalise is the importance of clarity. I criticised the opinion on AI models issued by the EU-level body of data protection authorities, the EDPB, by pointing out how it failed to address regulatory uncertainty:

Yes, the Opinion does not say that AI is illegal in the EU, but let’s be honest: even in the EU, explicitly making such a declaration is politically unpalatable. Instead, the EU privacy enforcers did what they usually do. They kept as much enforcement flexibility for themselves as possible, opening the doors for any EU national enforcers to impose billions-worth fines. Of course, the other side of that coin is that those who want to use AI in the EU have no idea if all their GDPR compliance efforts will be judged as not good enough in a year or two. …

Some privacy regulators may protest that this was not their intent; after all, they did provide the list of things to try. But such an answer would show the fundamental disconnect from economic reality. Consciously or not, regulators can thwart development not only by explicitly banning it but also by creating an environment of uncertainty. Even the threat of discretionary regulatory enforcement—combined with the risk of heavy fines—can significantly chill investment decisions (and thus innovation) at the margins.

Why was the EDPB opinion formulated in a way that allows claiming that real-world AI efforts are illegal under the GDPR? Because an influential part of the EU’s data protection officials holds that view.

It should thus not be surprising that privacy activists are now saying the quiet part out loud in their opposition to the Commission’s proposal. For example, in NOYB’s view, the problem with the draft reform is precisely that it would legally enable state-of-the-art AI, which, according to them, is illegal today.

To be clear, some European privacy authorities have recently shown a genuinely pragmatic approach. The best example is the French authority’s guidance on AI. However, it is not a coincidence that the leading European player in that market is a French national champion (Mistral), a fact of which the French government is justifiably proud.

This kind of clarity of purpose, derived from national interest and a “whole-of-government” mobilization, is not something we can rely on for pragmatic, consistent enforcement across the EU.

Pragmatic voices are barely heard in documents adopted by the EDPB.

The EDPB gets to make the rules because courts have been excessively deferential to data protection authorities thus far. Furthermore, even getting an EU court to review the EDPB’s interpretations is procedurally complex and likely to take years.

In their reliance on interpretations from data protection authorities, the EU courts have failed to appreciate that these authorities often do not even attempt to act in the general public interest, as we would expect from a European public authority. Instead, they are effectively American-style campaigners for a single cause—a small aspect of the public interest.

This also partially explains the preoccupation with American “big tech” companies: activists seek “David-vs-Goliath” fights. It’s much harder to get a magazine cover for cracking down on homegrown illegal “sellers” of personal data, scammers, and their ilk.

The hard route not taken

Enforcement reform. Reforming the enforcement framework is essential for the success of any significant improvement to EU data protection law. If done well, this could reduce the need for substantive changes in laws like the GDPR.

This assumes, however, that an appropriately motivated and resourced authority could produce helpful guidance, both balancing privacy (and data protection) interests with other values and clearly informing organizations how to comply. The French data protection authority, CNIL, has demonstrated that this is possible in its guidance on AI, which contrasts starkly with the vague and non-committal language of the EDPB’s opinion on AI models.

I proposed one way to achieve this in A serious target for improving EU regulation: GDPR enforcement. I suggested establishing an EU tribunal with a clear mandate to balance privacy and other EU goals to approve guidance documents and cross-border enforcement decisions. Perhaps this idea could be integrated with the “specialized commercial courts” proposed in the Constitution of Innovation.

I also suggested that a centralised, EU-level data protection authority might be a good idea—though it would likely need to be created from scratch to safeguard ideological neutrality and a capacity for serious balancing of interests.

GDPR/ePrivacy changes and the courts. The disproportionate, myopic practice of data protection enforcement has resulted in a situation where the EU courts require clear guidance from the EU legislature—maybe even a treaty change—to undo the damage.

In the proposed GDPR reform, the Commission tries to rely on a recent judgment from the EU’s highest court, the Court of Justice (CJEU), to clarify that the definition of “personal data”—and thus the GDPR’s scope of application—should be construed more narrowly than many privacy authorities push for. This is now being criticised for not aligning perfectly with what the Court said. I understand why the Commission preferred to have such “cover” for beneficial GDPR changes.

The criticism the Commission’s proposal faced highlights the problem with relying on courts for guidance, rather than acknowledging that this area of law is a mess and that the courts need guidance from the legislature (and perhaps from the “masters of the treaties”—the member states).

The CJEU is unpredictable; they could issue a decision pushing the interpretation of “personal data” in a different direction next month. This is a significant risk, given that the GDPR is currently a de facto “law of everything” in a digital economy, with enforcers wielding powers to block technological progress while being utterly incompetent and lacking legitimacy to do so.

Stating openly that the EU legislature wants to go in a different direction, instead of claiming merely to codify what the EU Court has said, would make it clear to the courts that they’re no longer dealing just with a technical legal question, but with a considered political choice about the future of Europe.

Yes, this strategy is politically more challenging, but I’m skeptical that what the Commission is currently attempting will hold up.

Simplification and the definition of “personal data”

EU data protection law is notoriously complex—partially due to its drafting, but even more so due to its enforcement. The complexity is especially taxing for smaller organizations and may, in some cases, act as a business moat for larger ones. Critics of the proposed GDPR reform argue that modifying the GDPR text will introduce new interpretive challenges. To some extent, this is inevitable; that’s how the law works.

Nevertheless, the Commission’s proposal includes a provision moving toward true simplification: cutting the GDPR down to a manageable size and denying its unearned status as the “law of everything.” It is the provision regarding the definition of “personal data” I mentioned above.

In my previous comment, I summarised it in the following way:

In short, the idea is that whether something counts as personal data for you (and whether the GDPR applies to you) depends on whether you are capable of identifying the individuals to whom the data relates.

I also suggested a potential benefit of this approach:

…this will prompt many organisations to separate the processing of data allowing the identification of individuals (e.g. let other entities specialised in GDPR compliance … handle that processing) and otherwise to only process pseudonymous data (without being able to identify individuals).

Acknowledging that the GDPR should only apply to organisations that are “reasonably likely” to identify specific individuals would create a powerful incentive to process data in such a way that individuals cannot be identified. I can imagine that many organisations, large and small, would jump on that opportunity—even if it means incurring technical costs or knowing less about their customers. The payoff in reduced regulatory complexity would, I think, be very clear.

Of course, such organisations would still be “in the shadow” of the GDPR in the sense of needing to make sure that they are not reasonably likely to identify individuals. Thus, e.g., pragmatic GDPR guidance on data security and organisational measures could still be helpful for them. But that would still constitute a very significant simplification.

The criticism that this particular proposal received looks almost knee-jerk: any assault on the GDPR as the “law of everything” must be rejected. A potentially clear benefit—the reduction in the processing of personal data—is presented as undesirable. This is presumably because “true data minimization” can only be done under a full GDPR regime, without even the slightest hint of reducing privacy enforcers’ control. Such criticism proves too much and is rather revealing about the critics. It shows that those who engage in it start from a position of mistrust towards “business,” demonstrating that they are incapable of serious balancing of rights and interests.

That said, I am still skeptical that this change in the GDPR’s text, presented as a mere codification of what the Court said, will be sustainable. Whatever the official opinion of the data protection authorities will be on the Commission’s proposal, we can expect them to undermine it as much as possible. Whether the courts will police that several years down the line is also uncertain.

So this big chance for simplification will likely quickly fizzle out with new vague, “case-by-case” guidance, prompting lawyers to advise their clients that they are almost always at risk of being “reasonably likely” to identify individuals in the local data protection authority’s view.

“Our long-term roadmap includes advanced security features designed to keep your data private, including client-side encryption for your messages with ChatGPT. We believe these features will help keep your private conversations private and inaccessible to anyone else, even OpenAI.”

This seems to me a rather significant declaration, also from a business perspective. Without access to user conversations, OpenAI may be limited in its ability to use ChatGPT conversations to train new models or to provide some functionalities (e.g. memory, some forms of advertising). I wrote about some technological measures for AI privacy in Trustworthy privacy for AI: Apple’s and Meta’s TEEs. Of course, such limitations can be overcome, but there would likely be additional friction and a need for direct user involvement. So it’s a costly direction to pursue.

How does this relate to AI privilege? To some extent, technical protections are substitutes for legal protections: if OpenAI has no access to some data, it cannot be legally forced to disclose it. However, an AI provider could also be legally forced to undermine the technical protections for future conversations. Merely adopting technical protections doesn’t guarantee their longevity.

I have two rough thoughts on the relationship between legal protections like AI privilege and technical protections.

First, to be sustainable, technical protections will likely need legal protections. The argument that you can’t currently access user conversations may not carry the day against a legal order to implement such functionality, unless some legal bar would apply.

Second, technical protections are an argument for legal protections.

By technically restricting their own access to user chats, an AI provider signals that it treats confidentiality seriously. In turn, this is likely to affect how many users approach the service. Given the expectation of confidentiality, users will be even more likely to have conversations on topics that are highly sensitive to them. Users may (and some probably already do) treat AI chats not as ordinary services, but as extensions of their own minds, having conversations of the kind they otherwise would only have in their own thoughts. This may also be important for the success of Seb Krier’s idea of AI agents outlined in his Coasean Bargaining at Scale.

If anyone accesses such chats, users would legitimately see that as a serious violation. Hence, by affecting user habits and expectations, the existence of technical protections would strongly support legal protections of confidentiality. At the very least, protections against undermining the technical safeguards.

What will likely complicate this, at least in the public debate, is the question of monetization (see Eric Seufert’s analysis of the likely directions of development in this space: Affiliate links, personalized ads, and chatbot revenue optimization).

Both personalised advertising and affiliate links could be perceived as lowering the technical protections, e.g. because they might involve tool calls beyond the encrypted environment. Even though this is solvable technically, the perception of AI providers monetizing chats may still weigh heavily against legal protections in the public debate. This could be partially due to simplistic analogies with professional confidentiality. Some may fail to notice that their medical or legal conversations can be used, perfectly reasonably, by the professional e.g. to “upsell” customers on other services.

Of course, what is important in the medical and legal context is that the service provider acts in the best interest of the client (even when upselling). So, to make the case for legal protections, it may be necessary for AI providers to show that they also act in the client’s best interest.

OpenAI’s CISO added that the AI provider plans to deploy “fully automated systems to detect safety issues.” He added that:

Only serious misuse and critical risks—such as threats to someone’s life, plans to harm others, or cybersecurity threats—may ever be escalated to a small, highly vetted team of human reviewers.

This will naturally raise questions whether such automated detection will take place on device or at least within a trusted execution environment. As I discussed in Trustworthy privacy for AI: Apple’s and Meta’s TEEs, to build trust in such technical protections, businesses should be very transparent about the technical details and enable external auditing.

In general, I think that the technical steps OpenAI plans to adopt to protect chat confidentiality should strengthen the case for legal protections, including some form of AI privilege.

We are finally starting to see what this may involve, with ideas like the additional pan-EU corporate regime (the 28th regime) or tweaks to the rushed and ill-conceived AI Regulation. Perhaps the biggest battle, however, is going to be waged over the excesses of EU privacy law. In other words, over legal interpretations that became an article of faith for a small but loud and influential minority, a costly burden for EU businesses, and a major annoyance for almost everyone.

So what’s on the agenda for GDPR reform? We now know a bit more, given that draft text has just leaked from the European Commission. Before I consider some of the good ideas included in the draft, I want to address the biggest omission, which is likely to undermine the potential beneficial effects: the problem of privacy absolutism and lack of proportionality in GDPR enforcement. I’m not going to repeat here the details of my diagnosis and my proposed solutions (see eg A serious target for improving EU regulation: GDPR enforcement and The EDPB’s AI Opinion Shows the Need for GDPR Enforcement Reform). I just want to reiterate that merely changing the GDPR’s text, even though welcome, will be insufficient when the same text will then be interpreted and applied by people vehemently opposed to the changes.

Let’s look at the substance of the leaked proposal.

Definition of “personal data”: this is crucial issue because this concept defines the scope of application of the GDPR. So far, data protection authorities have been pushing in only one direction: to make almost any data “personal” and thus to claim jurisdiction over virtually all data. The courts, including the EU Court of Justice (CJEU), have an uneven record on this, but at least recently the CJEU pushed back. And it looks like the European Commission wants to amend the GDPR text with a more sensible reading of “personal data.” In short, the idea is that whether something counts as personal data for you (and whether the GDPR applies to you) depends on whether you are capable of identifying the individuals to whom the data relates. I’d say that this is a very good idea.

One thing that the Commission should clarify is that examples of factors that could help identify an individual in the definition of “personal data” (“an identification number, location data, an online identifier…”) should not be considered as definite “identifiers” when they don’t actually allow pointing to a specific person. In other words, using a pseudonymous unique identifier should not mean that we’re dealing with personal data if we cannot say who is the real person behind that identifier.

Some privacy activists (e.g. NOYB) are complaining that this will prompt many organisations to separate the processing of data allowing the identification of individuals (e.g. let other entities specialised in GDPR compliance process handle that processing) and otherwise to only process pseudonymous data (without being able to identify individuals). But I don’t really see how this is a problem. Sounds to me like a big practical win for data minimisation and privacy overall.

Definition of sensitive data: “special categories of data” like health data, data on political opinions or religious beliefs are especially protected by the GDPR. Data protection authorities have been advancing an interpretation that in many practical contexts processing such data requires prior consent of the individuals (data subjects). If such a stringent regime applies only to really sensitive data, this may seem understandable (although serious questions should still be asked whether all current “special categories of data” should be protected in the same way). But privacy absolutists want the restrictions also to apply to any data that could allow someone to infer sensitive information, even when no such inference is being made or even likely to be made. This view would expand the strictest regime disproportionately. The Commission aims to address this by clarifying the definition of sensitive data, specifying that data should be treated as such when it “directly reveals” e.g. health status.

Sensitive data and AI training: restrictions on the processing of special category data are particularly challenging for AI developers and users. The potential requirement of asking for consent of all people whose data was included in AI training datasets (eg sourced from the open web) would amount to a de facto prohibition on AI development, especially frontier large language model development.

AI developers don’t want to process sensitive data—they don’t even want to process personal data. When this is technically feasible, they use automated means to exclude such data from training data. There are, however, at least two potential legal problems. First, someone could argue that even if they delete such data, they already processed it before deleting and in the act of deleting. Second, even when state of the art measures are used to exclude personal/sensitive data, it is currently impossible to fully exclude the possibility that some such information will likely be reproduced by a model. To entirely avoid any incidental processing of personal/sensitive data in AI training would require entirely infeasible manual curation of data sources. If legally obligatory, this would amount to a de facto prohibition on LLMs.

One EU data protection authority—the French CNIL—laudably acknowledged this, while providing pragmatic guidance. But it is not a secret that CNIL’s approach faces opposition among the more absolutist privacy officials and activists, so there is no chance that privacy enforcers will adopt it voluntarily across the EU.

The Commission’s proposal is to allow the processing of special category data for AI training and use with some conditions, which appear to align with the state of the art practices that AI labs are already implementing. In principle, this is also a welcome development.

One worry I have is whether the rules will be interpreted with sufficient flexibility so as not to amount to a prohibition of open-weights distribution of AI models. Note in this context the following provision for what must be done if it is discovered that some sensitive data is “in” an AI model: “If removal of those data requires disproportionate effort, the controller shall in any event effectively protect without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties.” Depending on interpretations, this could be a serious problem for open-weights AI.

Cookie consent law: the EDPB’s recent guidelines on the “cookie consent” law (Article 5(3) of the ePrivacy Directive) is among the most glaring examples of the disproportionate and absolutist approach of EU privacy enforcers. On the EDPB’s interpretation “consent would be required for all Internet communication unless very limited exceptions apply (even more restrictive than under the GDPR)” (Consent for everything? EDPB guidelines on URL, pixel, IP tracking). The Commission proposes to address the obvious problems with the cookie consent law by partially moving the rules from the ePrivacy Directive to the GDPR, with some modifications.

One big problem with the Commission’s proposal is that they would retain the “cookie consent” ePrivacy rules for non-personal data (ie data not covered by the GDPR). I agree with other commentators that this makes no sense. Leaving those rules in place would not solve the cookie pop-up banner problem. More importantly, it would mean that non-personal data is protected in a more stringent and less pragmatic way than personal data.

To the extent there is a need for a legal rule on terminal integrity protection, it needs to be drawn much more precisely to target specific risks—the EDPB’s guidance shows that privacy enforcers cannot be trusted to proportionately interpret and apply broadly phrased rules. One reason to retain some explicit terminal integrity protections is that removing them entirely could further undermine the security protections for, eg, Android and iOS users which are currently being eroded by how the European Commission is applying the Digital Markets Act. Also, EU-law level terminal integrity protections are helpful in defending users against state-mandated incursions.

There are other ideas in the leaked draft, but I will end my comment here. It’s very hard to say how much of the current draft will make it into law given the inevitable opposition. And even if some of those changes do become law, they will likely be watered down significantly by privacy enforcers hostile to such changes. Hence my plea for addressing what I see as a bigger problem: the enforcement framework.

There are two key differences between the UK offer and the one Meta implemented in the EU:

• Price: £2.99 ($3.99) in the UK vs €5.99 ($6.99) in the EU (more on mobile).

• In the UK the choice is binary: subscribe or consent to personalised ads. In the EU, Meta was pushed by regulators to offer a third option: less personalised ads (free-of-charge).

I covered the EU developments extensively, including the European Commission’s recent DMA decision against Meta (see the summary in my notes from a recent conversation with Eric Seufert). Here, I’m not going to give the full background and I’ll comment just on the two features that distinguish Meta’s UK and EU offerings.

Why can Meta offer a binary choice in the UK, without the free-of-charge “less personalized ads” option?

In response to regulatory pressure—under EU GDPR and EU DMA—in November 2024, Meta made changes to their “pay or consent” offering in the EU: they added a free-of-charge “less personalized ads” option (while also reducing prices). In the EU, users are presented with a two-step choice flow where they first choose between paid and free, then can opt for less personalization. If they choose less personalization, then they also get occasional non-skippable ad breaks.

Meta, I think correctly, sees the requirement of the third choice as an overreach not based in EU law (they reiterated that in the UK announcement). It looks like the ICO implicitly agreed with Meta that such a requirement doesn’t follow from the GDPR. (Despite leaving the EU, the UK still has substantively the same GDPR as the EU).

Moreover, given that the UK is no longer in the EU, the EU Commission’s argument that the EU DMA requires the third option independently of the GDPR is irrelevant in the UK.

Why is Meta charging less in the UK?

In their announcement, Meta didn’t directly explain why the price is lower in the UK than in the EU. My interpretation is that this reflects that the free-of-charge “less personalized ads” option in the EU is not as economically valuable for Meta as either subscription or serving personalized ads. So, it makes sense that without offering the third choice, Meta can offer a better price.

Meta and the UK ICO negotiated the price point. As the ICO announced:

During the course of our engagement with Meta, it significantly lowered the starting price point at which users would be offered a subscription. As a result, users in the UK will be able to subscribe at a price point close to half that of EU users.

Will many users choose to pay even this lower price? Probably not many. As I wrote in my analysis of the EU Commission’s DMA decision against Meta:

The Commission highlights that Meta knew, or should have known, that an overwhelming majority of users would choose the free option. They point to academic studies showing low willingness to pay for privacy and Meta’s own internal documents from 2023, which predicted uptake for the SNA option would be extremely low (less than 1%)—a figure that closely matched the actual outcome. (...)

It was obvious to everyone that most users wouldn’t pay, and that only the most valuable advertising targets would. Taking that into account in pricing strategy was basic competence for Meta’s monetization team. I’d suggest the low uptake simply shows that users want social media funded by personalized advertising.

Why the statement? Apple may be hoping that vocal criticism creates political pressure on DMA enforcers when direct engagement has failed. Alternatively—and perhaps more plausibly—it mostly wants to explain EU‑only delays to customers.

On Apple’s relationship with the enforcers, there is a perception perception that officials see the company as less cooperative than other regulated “gatekeepers,” including Meta and Alphabet.

I an earlier piece, I suggested that Apple may be on a road to leave the EU. But I also speculated about other choices open to Apple:

First, Apple could do what I just suggested—attempt to comply with the DMA by giving third-party developers the kind of access that the European Commission calls for, but with robust and effective safeguards controlled by users. This would be a transformation for Apple, because it would require treating its own apps as untrusted. However, I’m skeptical the Commission would allow this (which, of course, would show that the DMA enforcers don’t really care about EU customers, and are firmly committed to a Nirvana fallacy). (...)

Second, Apple could transform itself and abandon the identity of being special even among Big Tech companies in how they approach user privacy and security. This might involve acceding to all the requirements from the European Commission without an attempt to introduce zero trust for all first- and third-party applications on iOS. It would, of course, be a loss for users, but probably what the Commission wants.

It appears Apple is pursuing the first path. As predicted, the DMA enforcers are unwilling to recognise user privacy and security concerns. Hence the feature delays—potentially indefinite for some features.

Apple’s new statement also hints at the strategic flaw in the second option. Fully opening its platforms in the EU might be cheaper in the short term, but it would undercut the differentiation on privacy and security that defines Apple’s brand.

Is the current situation a stable equilibrium?

Recall that, during DMA workshops, Apple said its engineers have spent “hundreds of thousands of hours” on DMA‑driven changes and that “thousands” of employees across engineering, design, operations, and marketing are involved. That suggests Apple will tolerate significant friction—at least for now. The EU market may still be large enough to justify the pain, and Apple can reasonably assume that other jurisdictions could adopt similar rules, making EU compliance work reusable elsewhere.

You can watch the webinar on YouTube, but I’m also including below some notes on the content of our debate.

Conference alert: On September 29-30, I’ll be participating as a panel moderator in RAID - Regulation of AI, Internet and Data conference, in person, in Brussels (even I visit that place from time to time). I believe that registrations are still open.

My analysis centered on the practical consequences of the Commission's decision, my skepticism about its goals, and the lack of clarity for compliance.

The decision harms Meta’s business users (advertisers). My most significant concern is the direct, negative impact this decision will have on business users, particularly small and medium-sized ones. The Commission, in its own decision, acknowledges that Meta Ads is a great tool for advertisers because of its unparalleled scale and personalization capabilities. For a niche artisanal manufacturer, for instance, the ability to target specific customers isn't just a benefit, it's existential to their business model. They don't have the budget for broad brand advertising like L’Oreal. (Simonetta’s point about a hairdresser in Rome is not a good example: such advertising is more likely to be vital for businesses that are not local; businesses which seek a small number of customers across the entire EU). 

Yet, the entire thrust of the Commission's action seems designed to make this highly effective tool worse for its business users. The goal is to create contestability by thwarting the gatekeeper, but the immediate victims are the European businesses who rely on the service. We are seeing business users being harmed in the name of contestability with only hypothetical promises that it will somehow work out in the end. I worry this will become another hotel-like scandal, where the DMA's enforcement action ends up hurting the very constituency it was meant to empower. (I’m referring to the complaints from hotels about Google's DMA compliance measures that ended preferencing intermediaries like Booking.com and harming the end business users like hotels). 

A lack of a DMA vision from the Commission. I've struggled to see a clear, coherent vision from the Commission of what they are trying to achieve. The Commission argued that Meta's data scale creates barriers to entry, but their remedy seems to be based on an implicit hope that if they weaken Meta, a new, better advertising player will magically appear. I am deeply skeptical that this will happen, given the immense challenges of achieving scale and the significant barriers for any new data-driven player created by the GDPR itself.

I've characterized the Commission's stance as a Pontius Pilate perspective. They seem to be washing their hands of the economic consequences of their actions, content to simply apply the DMA as they interpret it and say it's the legislators fault if it goes wrong. You cannot properly interpret complex provisions like Article 5(2) DMA without a teleological approach—an understanding of the ultimate goal—which I believe is missing. A discussion of the basic economic effects on business users is completely absent from the Commission’s decision.

Path to compliance: what is expected of Meta? From a practical standpoint, the path to compliance for Meta is shrouded in ambiguity. The Commission's demands seem to be shifting the goalposts. Their one clear complaint about choices Meta currently offers to users was about a preselected default option, which Meta already changed, yet apparently the Commission remains unsatisfied. 

Engaging in some amateur kremlinology, I suspect the Commission is pushing for a maximalist interpretation: a scenario where the default option for users is a free service with less personalized, contextual ads. However, since contextual advertising performs much worse for advertisers, this model is likely not economically viable to Meta. If many users choose such a default, Meta might need more frequent non‑skippable ads to cover costs—but the Commission could then say such degradations aren’t allowed if they don’t flow from “less personalization” itself.

The Commission seems unconcerned, as their position is that they don't care about economic consequences on gatekeepers unless a formal application is made under Article 9(1) DMA, arguing that the company's economic viability is threatened. It looks as if they are trying to deliberately lead Meta into this exact situation.

Given this difficult dialogue, I've wondered if Meta might eventually consider a “nuclear” option: completely dismantling Meta Ads and creating separate, integrated ad backends for Facebook and Instagram. This might allow them to argue, under Recital 36 DMA, that there is no cross-use or combination of data between different services, thus avoiding Article 5(2) DMA.

However, I still speculated that some sort of settlement between Meta and the Commission is likely.

The concept of “necessity.” Finally, this whole debate hinges on the unresolved concept of "necessity," which I see as a difficult axis of this conversation. I believe you cannot realistically separate the business aspect of the funding of a service from the service itself. If you make a service less personalized, it will generate less revenue, so it just has to cost more in a different way to remain viable. This is a business necessity. The problem is that the Court of Justice's reasoning seems incoherent on this point. It appears to dismiss business necessity from consideration, but in the very same judgment, it says a platform may charge an  appropriate fee if necessary. This creates a contradiction: what kind of necessity allows for a fee if not a business one? This legal ambiguity will not leave us for a long time.

Simonetta, in particular, presented a strong counter-narrative to my points.

On the goal of the DMA (promoting user choice vs promoting contestability). While I focused on the negative impact on business users, Simonetta argued that the decision is fundamentally about giving choice to users. She believes the DMA should be used to experiment with new business models beyond targeted advertising, stating that this is not the only type of innovation that we are looking forward to in the EU. When I raised the concerns of advertisers, she dismissed them, questioning how independent those business users are from the gatekeepers and arguing that the current model is a threat to our democracy.

On the Commission's role. My skepticism about the Commission's vision was met with Simonetta's call for strong enforcement. She stated that she doesn’t expect any settlement between Meta and the Commission, and that she wants the Commission to enforce the DMA “religiously” to clarify the rules and prevent Meta from gaming the system as she believes they have with the GDPR.

On Meta's ability to comply: I suggested that the Commission's demands were unclear, but Simonetta disagreed, stating that Meta is not in the dark about what they are supposed to do. She believes the legal principles are pretty clear and that Meta has been given enough indication of what a compliant solution looks like. She views Meta's pay or consent model as a clear attempt to find a way of gaming the DMA.

Marco’s view was more of a middle ground. He agreed with my assessment that the Commission's decision lacks clarity on what a compliant future model looks like. He also predicted that the parties will eventually find a compromise or settle, viewing the current decision as an interim step in a long regulatory dialogue.

Recent shifts in U.S. trade policy have introduced the threat of tariffs against jurisdictions that adopt such far-reaching regulatory regimes to target U.S. firms, particularly the tech giants, in what we might call the “Washington Effect.”

The just-announced trade deal between the United States and the European Union, however, reveals a more complex picture. While the EU agreed to abandon network fees as a part of the agreement, it is officially signaling defiance on its core digital regulations.

This raises a fundamental question: can the Washington Effect truly succeed when EU bureaucrats’ identity depends on maintaining their regulatory empire? Or would even limited success demonstrate that external pressure is the only force capable of breaking the cozy relationships between EU officials and entrenched interests that harm Europeans as consumers, workers, and innovators?

The Network Fees Capitulation?

The White House fact sheet announcing the U.S.-EU trade deal contains a single sentence that marks a watershed moment in EU digital policy: “the European Union confirms that it will not adopt or maintain network usage fees.” This explicit commitment represents an apparent final burial of what I’ve previously described as nothing more than special pleading from incumbent telecom operators.

What were these “network fees”? The proposal—marketed as a “fair share” contribution—would have required large providers of online content (mostly U.S. platforms like Netflix, Google, and Meta) to pay European telecom operators based on traffic volumes. The telecoms claimed they needed €174 billion by 2030 to meet their connectivity targets and argued that companies generating heavy traffic should compensate them for network usage.

This was economically illiterate. As I argued in 2023, internet traffic is ultimately generated by consumers, who already pay for internet access. The proposal amounted to double taxation, wrapped in the rhetoric of “fairness.” It would have raised consumer prices and potentially slowed network upgrades by reducing competitive pressure on telecom operators. Even the Body of European Regulators for Electronic Communications (BEREC), the EU’s own body of telecom regulators, opposed the plan.

Yet despite overwhelming opposition from stakeholders, member states, and independent experts, it took the credible threat of 30% tariffs from Washington to kill this zombie proposal. There are at least two plausible interpretations of what happened—both likely true to some extent. Arguably, this demonstrates how U.S. pressure can deliver clear benefits to European consumers by breaking through entrenched special interests and their connections to EU officials—exemplified by former Commissioner Thierry Breton, whose background as a telecom executive surely had nothing to do with his enthusiasm for forcing American companies to subsidize his former industry colleagues.

However, it was also probably a factor that the internal EU opposition to network fees was relatively strong and it was unlikely for this proposal to be adopted anytime soon. Hence, it was easy for the EU negotiators to “concede” and not a big win for the US (and for EU consumers).

‘Addressing Unjustified Digital Trade Barriers’

The same White House announcement pledges that “the United States and the European Union intend to address unjustified digital trade barriers.” This carefully chosen language opens the door to challenging the EU’s entire framework of digital regulations.

According to Euro News, U.S. negotiators proposed creating a new advisory body that would give American companies subject to the Digital Markets Act (DMA) a formal voice in the regulatory process. While EU officials publicly denied any such committee is under consideration—with European Commission spokesperson Thomas Regnier insisting that “our legislation is not on the table”—the mere fact that such proposals are being floated demonstrates how far the conversation has shifted.

This represents a fundamental challenge to Brussels’ cherished regulatory “sovereignty.”

The DSA as ‘Foreign Censorship’

The Digital Services Act (DSA) faces its own reckoning. A July 2025 interim staff report from the U.S. House Judiciary Committee framed the DSA as a “foreign censorship threat” that compels “global censorship and infringes on American free speech.”

The committee’s investigation, which included issuing subpoenas to nine technology companies, found that European regulators are targeting core political speech that, in the United States, would be protected under the First Amendment. At a May 2025 DSA workshop, the European Commission reportedly categorized the phrase “we need to take back our country” as “illegal hate speech.” The Commission also asked platforms how they could use “content moderation processes” to address memes that might spread “hate speech or discriminatory ideologies.”

These findings provide ammunition for the Trump administration’s Feb. 21 memorandum directing federal agencies to investigate EU policies that “undermine free speech.” When Thierry Breton threatened regulatory action against X.com for broadcasting a live interview with President Donald Trump in August 2024, it crystallized American concerns that the DSA represents extraterritorial censorship, rather than legitimate content moderation.

The report provides damning examples of politically motivated censorship requests from EU member states:

• Poland’s National Research Institute (NASK) flagged a TikTok post stating that “electric cars are neither an ecological nor an economical solution.”

• French national police directed X.com to remove a satirical post from a U.S.-based account commenting on French immigration policies following a terrorist attack.

• German authorities classified a tweet calling for the deportation of a Syrian family reported to have committed 110 criminal offenses as “incitement to hatred.”

Moreover, the DSA requires platforms to prioritize censorship requests from government-approved “trusted flaggers”—entities the report argues are often pro-censorship and, in some cases, government-funded. The DSA’s ostensibly “voluntary” codes of conduct on hate speech and disinformation are effectively mandatory, as compliance serves as a safe harbor against DSA enforcement.

The penalties reinforce these concerns: fines of up to 6% of global revenue create what the Judiciary Committee report called a strong incentive for platforms to over-censor, affecting users globally, as major social-media platforms typically maintain a single set of terms and conditions worldwide.

The Brussels Bureaucracy Strikes Back

Yet here is where the Washington Effect has met with Brussels intransigence. According to Politico, “there is absolutely no commitment on digital regulation, nor on digital taxes” in the U.S.-EU trade deal. In an editorial, Politico opined that the Commission had “called the Trump administration’s bluff” on its attempt to bend EU rules.

The Economic Times quoted Regnier declaring on behalf of the Commission: “The legislations will not be changed. The DMA and the DSA are not on the table in the trade negotiations with the U.S.” Regnier continued: “We are not going to adjust the implementation of our legislation based on the actions of third countries. If we started to do that, then we would have to do it with numerous third countries.”

A Deal with Two Interpretations

What happens next is far from clear. The United States and European Union are signaling different understandings of what their new deal means. While Washington speaks of “addressing unjustified digital trade barriers,” Brussels insists its digital regulations aren’t even on the table. This ambiguity may be deliberate, as it allows both sides to claim victory while postponing the real confrontation.

But can Brussels truly maintain its current course? The Computer & Communications Industry Association (CCIA) has estimated that EU digital rules cost $97.6 billion annually—a staggering burden that harms not just American companies but, more importantly, Europe itself. While the Commission clings to the DMA and DSA as monuments to its relevance, European innovation falls further behind.

Will the Washington Effect Ultimately Prevail?

Sustained American pressure can work when combined with internal EU opposition. But to be effective, U.S. policy must appreciate which issues are important (network fees were a politically weak idea anyway) and of how hard the EU bureaucrats will fight any real change. The question is whether the Trump administration will maintain such robust focus on digital regulations or move on to other priorities.

Several factors could strengthen the Washington Effect over time. While European companies struggle with 110% service barriers (per the Draghi Report), American competitors burdened by EU regulations may simply focus on other markets, leaving Europe further behind. Moreover, Sweden’s call to pause AI Act implementation hints at growing internal dissent. If major member states break ranks, Brussels’ united front crumbles.

The congressional framing of the DSA as “foreign censorship” may provide grounds for stronger challenges in the United States that could escalate beyond trade negotiations. Also, the striking evidence that the Judiciary Committee uncovered may become crucial for legal challenges to the legislation before EU courts.

For those of us hoping the Washington Effect would force a regulatory reckoning, the deal offers both encouragement and disappointment. Yes, sustained pressure can kill the most egregious proposals. But core regulations that embody bureaucratic identity and power prove remarkably resistant to economic logic.

Perhaps the real question isn’t whether the Washington Effect will succeed, but whether Europeans will eventually tire of paying the price for their bureaucrats’ regulatory fantasies.

The Washington Effect may not achieve immediate victory over Brussels’ intransigence. But by forcing these contradictions into the open, it performs a valuable service. As Europeans watch their continent fall further behind technologically, they should ask whether the Brussels Effect’s conceit is really worth the cost.

The second round of DMA workshops reveals troubling patterns in the Commission's enforcement approach, particularly regarding privacy and security considerations. As I've argued in my work on interpreting the DMA consistently with the EU Charter, the Charter takes precedence over regulations like the DMA. The workshops suggest that the Commission may be failing to meet this standard, pursuing an interpretation of the DMA that undermines rather than upholds fundamental rights.

The gatekeepers' testimonies paint a picture of regulatory enforcement that is creating real harm: European consumers receiving inferior digital services, small businesses losing effective advertising tools, and security vulnerabilities being introduced in the name of openness. Meanwhile, the compliance costs—"multiple orders of magnitude" beyond what the Commission estimated—represent resources that could have been invested in innovation and security improvements.

What is also very concerning is the Commission's apparent belief that it can mandate optimal market outcomes through regulation, even when those outcomes conflict with user preferences and technical realities. The low adoption rates for less personalized advertising that the Commission cites as evidence of non-compliance may instead be evidence that users actually prefer the services as they were originally designed. The Commission's response—to mandate changes that make services worse for users—exposes a regulatory philosophy fundamentally disconnected from consumer welfare.

The path forward requires fundamental changes in the enforcement approach: clearer compliance guidance, genuine engagement with security experts, and recognition that consumer choice—not regulatory fiat—should drive market outcomes. Based on these workshops, however, the Commission appears unlikely to make such changes without significant pressure from stakeholders and the courts.

Below, I first discuss some general themes and then add more specific notes from individual gatekeeper workshops.

General themes

The DMA's ambiguities compound enforcement uncertainty

I previously highlighted the DMA's inherent legal uncertainties—from questions about its validity as a harmonizing measure under Article 114 TFEU to the undefined key concepts and conflicting interpretations that plague its enforcement. The workshops confirmed these concerns have materialized into concrete compliance challenges.

The gatekeepers' frustrations reveal a regulatory framework struggling with its own contradictions. Apple characterized the Commission's interoperability interpretation as "extreme," echoing my analysis that the Commission's approach goes beyond reasonable legal interpretation. Meta and Apple's planned legal challenges reflect a deeper issue: the Commission's refusal to provide compliance clarity while simultaneously imposing fines for non-compliance creates a Kafkaesque regulatory environment. As Apple pointedly observed, when "no two people agree on what the DMA's substantive obligations mean," the resulting ambiguity undermines the rule of law itself.

Amazon's experience particularly illustrates what I've described as the technical implementation challenges inherent in the DMA. Their struggle to reconcile DMA data portability requirements with GDPR data controller obligations exemplifies the regulatory conflicts I warned would emerge. The companies' repeated pleas for guidance—met with Commission silence—suggest an enforcement approach that prioritizes regulatory power over legal certainty or even over positive effects for the EU.

The Commission confuses providing choices with dictating outcomes

While according to the Commission, DMA explicitly focuses on conduct rather than output, the EC's interpretation of low adoption rates for less personalized advertising as evidence of non-compliance contradicts this principle.

Meta's defense—that the DMA concerns conduct and user choice, not adoption metrics—aligns with my analysis of the pay-or-consent framework and subsequent discussions with Eric Seufert. If users overwhelmingly choose personalized services when given a genuine choice, this demonstrates consumer preference, not compliance failure. The Commission's response—treating user preferences as a problem to be solved through enforcement—exposes what I've characterized as the Commission's lack of concern for consumer welfare. This approach suggests the Commission seeks not to enable choice but to engineer predetermined market outcomes, regardless of what users actually want.

Enforcement disconnected from real-world consequences

The Commisson's fixation on "consent rates" contrasts starkly with their lack of concern with real negative effects of their DMA interpretation. I previously warned about the disconnect between the DMA's theoretical goals and practical realities, particularly how enforcement could disrupt business models that European businesses depend on (e.g., targeted advertising.

On this point, Meta highlighted how enforcement "decontextualized from impact" damages both users (through irrelevant advertising) and SMEs (through reduced advertising effectiveness)—precisely the advertising market disruption I've been writing about. Google's examples—€114 billion in potential business losses, 30% traffic reductions for direct hotel bookings, and the withholding of innovations from Europe—illustrate the Commission's willingness to, as I've noted, ignore the economic pain (https://truthonthemarket.com/2025/06/20/the-eus-dma-enforcement-against-meta-reveals-a-dangerous-regulatory-philosophy/) its enforcement imposes.

Apple's concern that the DMA undermines their unique value proposition resonates with my longstanding critique of policymakers' dismissal of the walled garden as a legitimate consumer choice. The real threat of companies being forced to "hit the pause button" on European innovation suggests that the DMA's approach could leave European consumers as second-class digital citizens.

The Commission's systematic dismissal of privacy and security

The workshops also provided evidence for what I've long argued: the DMA creates privacy and security risks with insufficient safeguards while the Commission shows a troubling willingness to dismiss these concerns. See also my characterization of the DMA as a "security nightmare" and my analysis of how interoperability mandates create unaddressed privacy risks.

Apple's testimony was particularly striking. They observed that cybersecurity agencies like ENISA were "nowhere to be found" around specification decisions. The exclusion of technical experts from critical decisions, as Apple noted, ensures that "complex trade-offs around interoperability are being made by those without requisite technical knowledge." The company's incredulity at the Commission's statement that "integrity has a distinct meaning from users' privacy and security" highlights precisely the compartmentalized thinking I criticized when analyzing how the DMA conflicts with EU Charter rights.

Fragmentation threatens the DMA's legal validity

The workshops echoed my thesis about regulatory fragmentation: parallel national enforcement actions, particularly by Germany's Federal Cartel Office (FCO), undermine the DMA's validity as a harmonizing measure under Article 114 TFEU.

Google and Amazon's testimonies provide concrete evidence of fragmentation. Amazon's experience is particularly telling: despite the DMA's promise of a "single European rulebook," they face FCO actions on matters "squarely covered by the DMA"—precisely the "brazen attempt to circumvent the DMA's harmonizing function" I identified in analyzing German enforcement. The FCO's requirement that Amazon promote "higher-priced, independent, third-party seller offers" contradicts the unified approach the DMA was meant to establish.

Google's warning about unchecked national litigation compounds the problem. When member states and private litigants can pursue parallel actions on DMA-covered issues, it creates a legal issue that could invalidate the entire DMA. If the Commission accepts such fragmentation—as it appears to be doing—it admits the DMA has failed its fundamental purpose as a harmonizing instrument, potentially rendering it vulnerable to invalidation by the EU Court of Justice.

Notes on individual workshops

Alphabet/Google: security-privacy issues

Google's workshop testimony raised an important problem in the DMA's implementation: how third parties systematically push to weaken security protections in the name of competition. A participant raised concerns about the friction in the sideloading process due to security warnings, which cause significant user drop-off, and asked if Google could create a whitelist for trusted developers.

Alphabet representatives argued that Android requires a single, one-time warning per install source due to real security risks. A whitelisting system is not technically feasible due to the vast number of apps and the inability to guarantee that a sideloaded app is the same as a verified one from the Play Store. They also stated they do not dictate to OEMs what additional warnings they can show.

Google also presented compelling data: users are 50 times more likely to encounter malware off the Google Play Store. They provided a concrete example of a current threat—an app that clones TikTok and allows malicious actors to upload the entire photo gallery from Android devices. As Google noted, "these are real threats, these are real risks."

This aligns with what I've been warning about regarding privacy and security risks of interoperability and sideloading mandates. As I wrote then, a sideloading mandate "will effectively force users to use whatever alternative app stores are preferred by particular app developers. App developers would have strong incentive to set up their own app stores or to move their apps to app stores with the least friction (for developers, not users), which would also mean the least privacy and security scrutiny."

Another concerning example came from a "privacy-focused" search engine whose representative argued they need more granular search query data from Google because the current anonymization thresholds render over 98-99% of the query data useless for key functions like auto-complete, as it excludes the long tail of unique queries.

Alphabet representatives stressed that the law requires anonymization, and frequency thresholding is the state-of-the-art method. They invited challengers to propose a better, equally robust anonymization technique. Google explained their specific approach: queries must be entered by at least 30 signed-in users globally over the preceding 13 months, and results must have been viewed by at least five signed-in users in a given country per device type. To understand the significance: these thresholds mean that unique or rare search queries—which constitute the 'long tail' of search behavior—cannot be shared with competitors, effectively limiting their ability to improve features like autocomplete. Technical privacy experts who reviewed these measures almost suggested they might not be stringent enough, highlighting the difficult balance required. Google mentioned that they have innovated to find ways to recover some queries that fall below the threshold, such as easily identifiable misspellings. They stated that Google is not aware of any better solution for robustly anonymizing such data and that no one has proposed one. They called the frequency thresholding method "state of the art throughout the industry."

The European Commission representative highlighted that Article 6.11 of the DMA protects end-user privacy by requiring gatekeepers to share search data in an anonymized form. The Commission stated that this anonymization should not significantly reduce the quality or usefulness of the data. They mentioned that the Commission is assessing how data can be anonymized to ensure strong privacy protections in line with GDPR and is engaging with data protection authorities on this topic.

Amazon: compliance costs and unintended privacy consequences

Amazon's testimony exposed two issues in the DMA's design and implementation. First, the staggering gap between projected and actual compliance costs. The Commission estimated €10 million annually across all gatekeepers; Amazon alone reports costs "multiple orders of magnitude beyond that predicted amount." This massive diversion of resources from innovation to compliance represents a hidden tax on digital services offered in Europe.

More troubling is what Amazon's data portability implementation revealed about security risks. Their vetting process for DMA third-party data access uncovered that over 75% of applicants operate from outside the EU, with many appearing to be data aggregators with opaque privacy policies. This validates my concerns about the DMA creating new attack vectors: the very mechanisms meant to enhance competition are being weaponized by actors with no stake in European privacy protection.

The API versus self-service portal distinction matters here. While Amazon maintains some control through vetting, the fundamental problem remains: the DMA mandates data flows to entities that may have minimal privacy safeguards or malicious intent. Amazon's discovery of "significant security risks" in their vetting process should prompt serious reconsideration of these mandates, yet the Commission appears oblivious.

Apple: when interoperability becomes exploitation

As I've written in my analysis on Apple and the EU DMA, Apple's concerns about the Commission's approach are particularly acute.

The Commission representative emphasized that user safety was a primary factor in the Commission's decisions. The official stated that the measures specified in their decision "also come with privacy and security safeguards." A typical measure involves "having user permission to grant apps access to sensitive data," similar to how Apple's own ecosystem works. For example, regarding iOS notifications, the Commission clarified that Apple can "require third parties to encrypt notifications and not to break any end-to-end encryption."

Apple countered that the interoperability mandates were "intrusive" and that the process was being rushed. An Apple representative said, "You're forcing us to rush interoperability engineering, creating the risk that we're going to have to offer premature solutions with bugs... creating lasting problems for developers and users."

Apple revealed that some third parties are exploiting interoperability requirements for data harvesting. Specifically, these parties have requested the ability to "read the contents from each and every message and email on the user's device." An Apple spokesperson pointed out a direct conflict with GDPR, stating, "The DMA was explicitly intended to not undermine the GDPR. Yet it seems we are constantly being asked to do just that."

This weaponization of interoperability is precisely what ICLE warned about in the recent comments on Apple's interoperability requirements. As my colleagues noted there, "unscrupulous actors with no incentive to maintain security safeguards are sure to try to exploit any loopholes created by the Commission. The result is an inevitable increase in vulnerabilities, leaving European users more exposed to risks that could have been mitigated within a more controlled ecosystem."

An Apple representative read a quote from the Commission's specification decision: "Within the architecture of the DMA, integrity has a distinct meaning from users' privacy and security," and responded, "That cannot be right, and again, cannot be what was intended."

Regarding the Account Data Transfer API, Apple described the security measures in place, including a due diligence process for third parties. Apple asks if they "plan to sell or license user data to third parties that the user has no relationship with." The representative noted the Commission's early agreement that "it was important the DMA not become synonymous with abuse of data in this space."

Meta: business model destruction through regulatory fiat

I've written extensively about Meta's advertising compliance, but the workshops revealed one significant clarification. Meta explained that their LPA (less personalised ads) option does not involve any data combination across different Meta services, stating: "if a user opts to take the ads experience less personalised ads, the only data that we would use are personal data relating to a user's interactions with ads, so an ad they want to see more of or an ad they never want to see again, a user's age, gender, if they've provided this, and a general location. We also use very limited context-based data. This is relating to content shown to a user in a specific session they are engaging with."

However, a Meta representative added that "there is a part of the ad selection process which could be impacted by the content in the live session that you are in on Facebook and Instagram. But it's minimal, and it's reduced."

This statement raises important questions. Meta appears to acknowledge that its advertising system still accesses basic user information from Facebook/Instagram, even in LPA mode. This could prove problematic given the Commission's strict interpretation that a less personalized alternative must involve no data combination/cross-use across the gatekeeper's services—as I analyzed in "How will the EU DMA 'pay or consent' decision impact Meta's business?".

But, as a Meta representative noticed during the workshop, data like age and location are "pure table stakes for advertising." This creates an impossible bind. The Commission's interpretation risks mandating that Meta offer a service that cannot economically exist. Meta's observation that this "potentially imposes an unviable business model" understates the severity—it definitively imposes business model destruction.

Even if the Commission accepts LPA as is, this doesn't address the issue of it being largely useless to the many EU SMEs that rely on Facebook or Instagram to be able to reach their customers. Such businesses don't have budgets for "brand advertising." To be viable they need to be able to reach precisely the people who are interested in their, often niche, products or services.

The enforcement "decontextualized from impact" that Meta describes has real consequences: European SMEs lose effective advertising tools, users receive irrelevant ads, and Meta faces potentially a difficult choice between compliance and viability. The Commission's fixation on consent rates while ignoring these impacts reveals enforcement driven by ideology rather than consumer welfare or economic reality.

Microsoft: the Recall controversy and consent confusion

Microsoft's workshop highlighted two distinct but related problems. LinkedIn's dual consent requirement—requiring both DMA and GDPR consent for overlapping data uses—exemplifies the regulatory confusion I've long criticized. Users must navigate multiple consent frameworks for the same data processing, a complexity that serves no privacy purpose but increases the Commission's control. This artificial interpretation seems designed to circumvent inconvenient GDPR precedents rather than protect users. (I explain how the "two consents" interpretation increases EC powers and attempts to circumvent precedent here)

The second issue is the Recall feature in Windows. Microsoft explained that the Recall feature, which allows a user to find content they have previously seen on their screen, "runs entirely locally on the PC." It uses AI to process screenshots locally to make past activity searchable. This design implies that sensitive user activity data is not sent to the cloud.

The Commission's interest in mandating data portability for Recall raises serious security concerns. (Some will say "even more" concerns given existing debates about Recall's security, but I'm more optimistic about the future of this kind of technology). An EU Commission official stated that they're seeking feedback on the "data portability solution" for Recall under the EU DMA.

This could be very problematic. Throughout my work on the DMA, I've argued that the EU Commission consistently downplays user security and privacy concerns about legally-mandated interoperability and data portability.

The long road through two regulatory regimes

I began by providing context on the two regulatory regimes affecting Meta's advertising monetization in the EU: the GDPR and the DMA. The saga began in 2018 when the GDPR entered into force, prompting Meta to move from user consent to "contractual necessity" as their legal basis for processing personal data. This kicked off a regulatory odyssey, which I have been covering here on EUTechReg.

In December 2022, the European Data Protection Board (EDPB) forced the Irish Data Protection Commission to tell Meta they couldn't use contractual necessity for personalized advertising. The EDPB adopted a restrictive—and I think mistaken—interpretation that personalized ads funding a service don't fall under contractual necessity.

By April 2023, Meta had pivoted to "legitimate interests" as their legal basis. However, this too was short-lived. The same month, Meta received an unrelated but significant €1.2 billion fine for EU-US data transfers, signaling the regulatory pressure they faced on multiple fronts.

The EU Court of Justice ruled in July 2023 that Facebook couldn't rely on legitimate interests, though that case was limited to third-party data. Crucially—and this would become important later—the Court stated that businesses may be allowed to charge for an alternative version without data processing if they require consent. This seemingly minor point would become central to Meta's strategy.

A significant escalation came from the Norwegian data protection authority. In July 2023, they issued a local decision prohibiting Meta from relying on legitimate interests and initiated an urgency procedure at the EDPB. 

By August 2023, Meta announced they would move to consent as their legal basis. The EDPB partially agreed with the Norwegian position in October 2023, directing the Irish DPC to decide that Meta couldn't rely on legitimate interest. With contractual necessity and legitimate interests both ruled out by the regulators, consent was the only remaining option under the GDPR.

The Digital Markets Act, which entered into force in November 2022, added another layer of complexity. When Meta was designated as a "gatekeeper" in September 2023, the Commission crucially designated Facebook, Instagram, and Meta Ads as separate regulated services. 

This designation had serious implications. Under Article 5(2) of the DMA, gatekeepers cannot cross-use or combine personal data between separate services without user consent. Even though Meta Ads functions as the advertising backend for Facebook and Instagram—what could be considered as an integrated system—the Commission's designation meant any data flow between these "separate" services would presumptively violate the DMA without consent.

In response, Meta introduced its "Subscription for No Ads" (SNA) plan on September 7, 2023, just two days after their gatekeeper designation. By October 30, 2023, Meta officially announced the model: users could choose between a paid subscription without ads or free access with personalized ads.

The rollout in November 2023 immediately attracted regulatory attention. The European Commission sent Meta requests for information about the new model. From January to March 2024, the Commission engaged in discussions with the Irish DPC about Meta's approach. Meta submitted their compliance report, arguing that the "pay or consent" model satisfied both GDPR and DMA requirements. 

Meta’s initial "Subscription for No Ads" (SNA) model offered users a choice: consent to personalized advertising or pay €9.99 (€12.99 on mobile) monthly for an ad-free experience.

March 7, 2024, marked the deadline for gatekeepers to comply with the DMA. Soon after, the Commission opened formal proceedings to investigate whether Meta's model complied with Article 5(2). 

Back on the “GDPR track,” in April 2024, the EDPB issued Opinion 08/2024 on “pay or consent” models generally. While acknowledging that the Court of Justice had explicitly said paid alternatives to consent were possible, the EDPB struggled to target “big tech” without harming traditional publishers who had long used similar models. Their opinion hinted heavily that binary choices weren't sufficient.

Continuing the DMA investigation, the Commission sent its preliminary findings to Meta at the beginning of July 2024, concluding that the model didn't comply with DMA requirements. Meta responded contesting these conclusions. In November 2024 Meta announced an "Additional Ads option" providing a third choice for users.

Finally, on April 23, 2025, the Commission adopted its final decision, finding Meta in non-compliance with Article 5(2) of the DMA. As I noted previously, the €200 million fine was relatively low—given the €15.2 billion maximum. This monetary penalty, I suggested to Eric, seems designed to deflect attention from the decision's prohibitionist and economically uninformed legal reasoning, perhaps hoping a lower sum would prevent the U.S. administration from viewing this as a tax or tariff on American companies.

The Commission's two-pronged attack

In its April decision, the Commission adopted a novel interpretation that Article 5(2) of the DMA creates two distinct and cumulative conditions:

1. The “specific choice” condition, an autonomous DMA concept requiring gatekeepers to offer “a less personalised but equivalent alternative.”

2. The “valid consent” condition: traditional GDPR consent requirements.

This distinction seems strained, especially since GDPR authorities have long insisted on reading consent requirements to ensure “real” choice. The Commission appears to be creating this separation to assert more regulatory power and circumvent what the Court of Justice said in the Meta case about allowing “appropriate fees.”

The European Commission’s arguments

The Commission's central argument against Meta's "Consent or Pay" model rests on their interpretation that it fails to provide users with a "specific choice" because the paid "Subscription for No Ads" (SNA) option is not an equivalent alternative to the free "With Ads" option.

Different conditions of access

The Commission asserts that the two options are fundamentally different because they have disparate conditions of access. Accessing the SNA option requires a recurring monthly monetary payment and access to online payment systems—a significant economic commitment. In contrast, the "With Ads" option is free, requiring only a click to consent. The Commission argues that the means of remuneration is an essential feature of a service.

Their core thesis is striking: if Meta chooses to offer its primary service for free, any equivalent alternative must also be free of monetary charge to have equivalent access conditions. The Commission states that if Meta finds this unviable, it should make a case under Article 9(1) of the DMA, which allows for suspension of obligations if they threaten economic viability.

Meta counters by accusing the Commission of trying to impose a specific business model, effectively punishing Meta for having historically offered its services for free. They point out that the DMA doesn't explicitly mandate that alternatives must be free of charge, unlike other articles in the regulation where this is specified. Meta claims that offering a non-personalized, ad-supported service for free is not a viable business model.

User “lock-in” and habituation

The Commission also pointed to alleged user lock-in and habituation. For two decades, Meta cultivated a massive user base by offering its services for free, even featuring the slogan "It's Free and Always Will Be" on Facebook's registration page until 2019. The Commission argues that users have grown accustomed to accessing these services without monetary payment and don't perceive ads as disruptive enough to warrant paying a fee. Therefore, presenting a paid option is not a realistic or attractive alternative for most users.

When Meta raised the well-known examples like YouTube Premium, Spotify, and various news publishers offering similar "Consent or Pay" models, the Commission dismissed these examples on two grounds. First, most aren't designated gatekeepers under the DMA. Second, services like video streaming and media publishing allegedly have different user perceptions because their content (movies, articles) has "known monetary value outside the platform," unlike user-generated content on social networks.

I find this distinction particularly unpersuasive. Can Europeans really be considered so unfamiliar with paying for digital services that we can't legally consider them free to choose when payment is involved? The distinction between platforms where content has "known monetary value outside" versus Instagram sounds like arguments from lawyers with no understanding of economic reality. Compare YouTube influencers to Instagram influencers—how is this a relevant categorical distinction?

Predictability

The Commission highlights that Meta knew, or should have known, that an overwhelming majority of users would choose the free option. They point to academic studies showing low willingness to pay for privacy and Meta's own internal documents from 2023, which predicted uptake for the SNA option would be extremely low (less than 1%)—a figure that closely matched the actual outcome.

The Commission suggests Meta's pricing strategy around SNA expressly assumed people wouldn't pay, treating this as a big “gotcha.” But I don't see how this is the gotcha that the Commission's lawyers think it is. Their argument is sophomoric—they say users choose not to pay even though they're "interested" in lesser processing, but provide no argument for why "interest" undermines the choice not to explore that interest. It's a normal feature of life that many interests are of so little value to us that we don't pursue them. A legal standard of free choice cannot be this low as to be based on whatever people might say to a survey, irrespective of business reality.

It was obvious to everyone that most users wouldn't pay, and that only the most valuable advertising targets would. Taking that into account in pricing strategy was basic competence for Meta's monetization team. I'd suggest the low uptake simply shows that users want social media funded by personalized advertising. The low uptake is evidence that the Commission is wasting everyone's time trying to force something Europeans don't want.

Circumventing the CJEU's Meta judgment

The Commission believes that the Court of Justice's ruling in Meta Platforms, which mentioned offering an alternative service for “an appropriate fee,” is inapplicable to the “specific choice” requirement under the DMA. This is because that judgment concerned validity of consent under GDPR, not DMA’s “specific choice.” 

Even if the judgment were applicable, the Commission notes it doesn't automatically entitle Meta to charge a monetary fee. They point out that "if necessary for an appropriate fee" doesn't exclude other forms of remuneration, citing German ("Entgelt" - consideration/compensation) and French ("rémunération") versions that suggest broader transfers of value beyond direct user payment.

Meta insists the Commission is trying to circumvent the Meta Platforms judgment, which they interpret as explicitly permitting an equivalent alternative to be offered for an appropriate fee.

Lack of valid consent

Beyond "specific choice," the Commission argues users cannot give valid GDPR consent due to the coercive nature of Meta's model. They emphasize the power imbalance between Meta and its users, combined with the clear "detriment" of either paying for previously free services or abandoning platforms central to their social lives—what they call a "very substantial and potentially irreparable loss." Citing the EDPB Opinion on pay or consent, they argue the binary choice fails to mitigate this detriment, as true freedom would require a free alternative without behavioral advertising. 

The Commission particularly emphasizes how Meta cultivated users for two decades with free services ("It's Free and Always Will Be"), making the subsequent paywall an "illusory choice." While the CJEU's Meta Platforms judgment allows "appropriate fees," the Commission argues that here the fee itself becomes coercive—a negative consequence for withholding consent rather than a freely chosen alternative.

Economic blindness: the Commission's most troubling stance

Perhaps the most alarming aspect of the decision is revealed partially in paragraph 154, where the Commission states that DMA compliance "will inevitably impact the business models that gatekeepers choose" and that the DMA "does not safeguard such business models from any constraint it mandates." 

Moreover, the Commission explicitly states they won't consider economic impacts unless a gatekeeper applies under Article 9(1), claiming exceptional circumstances threaten their EU operations' viability. Even then, we can expect an extremely narrow interpretation—perhaps pushing gatekeepers to accept minimal profits above a strictly defined cost base.

The third-party blind spot

As I noted in my previous comments on the April decision, the Commission seems to have completely abandoned third-party impact analysis. In paragraph 262, they acknowledge that "behavioural advertising may create value to some end users and businesses under certain circumstances" but immediately dismiss this as irrelevant to their legal analysis.

The Decision contains no examination of potential harm to EU businesses advertising on Meta's platforms. I suggested that personalized advertising on Facebook and Instagram has created significant contestability in European markets, particularly for SMEs and direct-to-consumer businesses that depend entirely on targeted advertising channels.

Meta's current triple choice model

Since November 2024, Meta has implemented a significantly revised model:

• Reduced subscription prices by 40% (€5.99/month on web, €7.99 on mobile).

• Introduced a third option: "less personalized ads" with non-skippable ad breaks.

• Created a two-step choice flow where users first choose between paid and free, then can opt for less personalization.

The Commission's decision hints they might accept this model if Meta removes the pre-selection of personalized ads in the second step. However, given the hostile tone throughout the decision, I wouldn't exclude new objections, particularly around what data processing occurs in the "less personalized" option.

Meta states they use age, gender, location, device information, ad engagement data, and “information about the content you're viewing.” The Commission might perhaps argue this still constitutes cross-use between Meta Ads and the social platforms.

EU AI regulation: a pattern of uncertainty

We also discussed recent developments in EU AI regulation, where similar patterns of regulatory uncertainty emerge.

The EDPB's non-guidance

The European Data Protection Board issued an Opinion on AI models and the GDPR in December 2024, which in classic EDPB style provides a long list of things AI developers can attempt for GDPR compliance while giving no guarantees of sufficiency. They didn't declare AI illegal in the EU, but that's hardly reassuring—such a declaration would be politically unpalatable even there. Instead, they maintained maximum enforcement flexibility, allowing any national enforcer to impose billion-euro fines while leaving AI developers guessing whether their compliance efforts will be deemed inadequate.

CNIL's pragmatic exception

The French data protection authority, CNIL, stands out by actually labeling specific actions as likely to achieve compliance. This may sound like faint praise, but it shows how imbalanced GDPR enforcement has become (see my The EDPB’s AI Opinion Shows the Need for GDPR Enforcement Reform and A serious target for improving EU regulation: GDPR enforcement). The problem is that CNIL's guidance only indicates how the French authority will act. In cross-border cases, CNIL may be outvoted in the EDPB by more privacy-absolutist authorities, as the Irish DPC has repeatedly learned.

Meta's AI training controversy

Meta's plan to train AI models on public user data faced particular scrutiny. Critics argued Meta couldn't use data uploaded before their May 27 announcement because users lacked reasonable expectations about AI training. This creates an impossible retroactivity problem—if accepted, no existing public data could ever be used for AI training.

Meta implemented unconditional opt-outs for both users and non-users. Yet critics argue this still isn't sufficient. As I noted, we're discussing public content anyone on the internet can access. Given search engines and widespread web scraping, can it seriously be argued that users lack reasonable expectations about how public content might be reused?

The Draghi Report's limited impact

Finally, we discussed how the Draghi Report's warnings about European competitiveness have had minimal impact on Brussels. While there's genuine reform momentum in European capitals—with the Swedish Prime Minister even calling to delay AI Act implementation—the Commission treats this as a political problem to be managed rather than a call for fundamental change.

The Commission's proposed GDPR “simplification” is laughable, focusing on minor cost savings while ignoring fundamental issues. Brussels seems unwilling to accept that there are fundamental problems with how laws like the DMA and GDPR are applied—particularly the refusal to consider economic consequences.

What we get from Brussels is lawyers making categorical decisions about digital markets without understanding their economic dynamics. Their formalistic interpretation, divorced from business reality, poses serious risks to European competitiveness.

There’s a segment of privacy officials who view AI like they do cryptocurrency—as a fad to be stopped or at best ignored. They're the same crowd that eagerly shares every paper suggesting LLMs can't count or “reason” properly. Combined with the Commission's explicit stance that they needn't consider economic impacts on gatekeepers or third parties, this attitude threatens the welfare of Europeans.

[1] Here is a list of my MDM appearances so far:

• 1 March 2023, “A deep dive on European data privacy law” 

• 11 April 2023, “A deep dive into the Digital Markets Act (DMA) and Digital Services Act (DSA)”

• 14 June 2023, “The future of EU-US data transfers”

• 20 December 2023, “Exploring the Pay-or-Okay model”

• 24 April 2024, “Is Pay or Okay dead in Europe?” (see also my notes from that podcast on EUTechReg.com)

• 12 February 2025, “Understanding the EU’s AI Act”

• 25 June 2024, “What’s happening with DMA enforcement?”

I examine the Commission's reasoning for why Meta may still be non-compliant and explore potential solutions for Meta. I also analyze the Commission's striking approach: its stated willingness to ignore the economic pain DMA enforcement imposes on gatekeepers. This stance affects all gatekeepers, including Amazon, Apple, Google, and Microsoft. A separate piece will provide my legal analysis of the Decision's other aspects.

The headline from April focused on Meta's EUR 200M fine—far below the maximum EUR 15.2B (10% of global turnover). This relatively modest penalty seems designed to deflect attention from the Decision's prohibitionist and economically uninformed legal reasoning, perhaps hoping a lower sum will prevent the U.S. administration from viewing this as a tax or tariff.

Economic viability as the only limit on enforcement

Paragraph 154 reveals the Commission's approach to DMA enforcement:

“... the purpose of [the DMA] is to ensure, for all businesses, contestable and fair markets in the digital sector across the Union where gatekeepers are present, to the benefit of business users and end users. The achievement of those objectives through the implementation of specific obligations, including Article 5(2) of [the DMA], will inevitably impact the business models that gatekeepers choose for their designated CPSs. In that context, [the DMA] does not safeguard such business models from any constraint it mandates, nor is complying with that Regulation conditional upon preserving the profits gatekeepers generated prior to its adoption.”

The Commission believes Article 9(1) sets the only limit on how much the DMA may hurt gatekeepers. In case of exceptional circumstances beyond a gatekeeper's control that threaten its EU operations' economic viability, the Commission may suspend specific obligations. We can expect narrow interpretation here—perhaps pushing gatekeepers to accept minimal profits above a strictly defined cost base. In essence, gatekeepers become quasi-public utilities (despite the Commission's explicit denial in paragraph 245).

The Commission claims it need not consider DMA interpretations' effect on gatekeepers' profits until a gatekeeper applies under Article 9(1), arguing exceptional circumstances threaten its EU operations' viability.

From a European perspective, the Commission's biggest blind spot is its abandonment of serious third-party impact analysis. It ignores how withdrawing personalized advertising affects SME advertisers in the EU. It fails to recognize that platforms like Facebook and Instagram create massive market contestability where SMEs operate. Without these advertising channels, many EU SMEs will likely fail.

Why the EC found Meta's "pay or consent" non-compliant

The Commission ruled that Meta's pre-November 2024 "pay or consent" scheme didn't allow users to make a "specific choice for a less personalized but equivalent alternative" and to "validly consent" to personal data use.

Simply put: if Meta offers free services to anyone in the EU, it cannot charge for the option that doesn't combine data across services (the less personalized alternative).

The DMA permits "degradation of quality" as a "direct consequence" of not processing personal data or signing in users. However, the Commission views subscription fees as "conditions of access" that exceed DMA-allowed quality degradation.

The Commission treats this finding as independent of GDPR authorities' decisions. The EC interprets the DMA as separately requiring both "specific choice" (a DMA-only requirement) and GDPR "consent" for combining or cross-using personal data across services. The prohibition on charging for less personalized options (when a free option exists) stems from the "specific choice" requirement, not GDPR consent.

Will Meta's current model face non-compliance findings?

The Commission now reviews Meta's post-November 2024 scheme, including the free "less-personalized ads" option. Even if Meta successfully appeals, the Commission's decision on the new model will likely arrive sooner. What might it say?

The Commission appears to have left room to accept Meta's current model. The Decision emphasizes that subscription fees were "conditions of access," not just "degradation of quality." Perhaps the current model—even with non-skippable ads—would qualify as DMA-allowed "degradation of quality."

When preliminarily discussing Meta's current model, the Commission questioned only one aspect: the pre-selection of the free option with personalized ads. Meta could easily address this.

However, given the Commission's hostile tone and unwillingness to consider business reality, it may find "new" arguments against the post-November model.

For instance, perhaps the Commission might want to argue that data used for "less-personalized ads" falls under DMA cross-use/combination prohibitions. Meta’s “About less-personalized ads” lists:

How you engage with ads, such as clicking or liking them
Your age, the gender you provide and your location
Your device information, like the device or browser you’re using
Information about the content you’re viewing while you browse on our Products

I don't know whether Meta Ads processes this data separately or within Facebook. Meta should be able to achieve full separation if needed.

As a "nuclear" solution, Meta could separate "Facebook Ads" and "Instagram Ads" completely, eliminating cross-use of personal data between them and other Ads platforms. Each could then support its respective platform. This approach could benefit from Recital 36 DMA, which the EC acknowledged clarifies that cross-use/combination prohibitions don't apply between services "provided together with, or in support of" a core platform service.

This structure would arguably exempt the integrated ads backend and social media front-end from Article 5(2) DMA's cross-use prohibitions. Meta might even return to the "legitimate interest" GDPR basis[1] rather than consent. At minimum, it would deal with GDPR's consent requirement rather than the stricter, nebulous threshold the Commission conjures under the DMA.

Like restrictions on personalised advertising, this solution would have third-party consequences. The kind of effects for which the Commission has provided no evidence of consideration. Currently, SME advertisers benefit from a unified ad system that allows them to reach audiences across both platforms with a single campaign, shared budgets, and consolidated performance metrics. Meta’s decision to silo these services would mean advertisers would need to manage separate campaigns, split their already limited budgets, and lose the efficiency of cross-platform optimization. 

[1] Often overlooked: the EU Court of Justice didn't require consent for Meta's use of first-party personal data for personalized advertising. The famous Meta judgment addressed third-party data. See my analysis The CJEU’s Decision in Meta’s Competition Case: Consequences for Personalized Advertising Under the GDPR (Part 1) and EDPB: Meta violates GDPR by personalised advertising. A "ban" or not a "ban"?.

My personal stakes in privacy-preserving AI

I don't think anyone would accuse me of being a privacy absolutist. But I am concerned about the safety of my data when processed by various AI services. What makes me even more concerned is the sheer volume of data that may be needed to make personal and professional AI agents truly useful. On the other hand, I really want those agents in my life—and not just to book flights and organize dinner parties.

I've been experimenting with local models, and while they're adequate for many uses, I find myself consistently gravitating toward state-of-the-art hosted services from Anthropic, Google, OpenAI, and X. They're simply better, both in terms of speed of inference and quality of the outputs. The gap in capability is significant enough that I don't want to be forced into running a subpar local AI agent just because I'm concerned about exposing my email history, messages, calendars, and other sensitive data. (I do hope that local models will become a viable option, but it's unclear when this will happen, and even then, it’s possible they will not perform quite as well.) 

This drives my interest in "private clouds" and trusted execution environments (TEEs) as a solution—technologies that could give us both state-of-the-art AI capabilities and reasonable data safety, even for someone with my attitude.

I don't claim to speak for all users. Many people will likely embrace powerful AI agents without much thought about data protection, so captivated by the functionality that privacy becomes an afterthought. However, there are at least two good reasons not to rely on this too much.

First, these same users will be justifiably outraged if they become victims of a major AI service breach. (This reminds me of the data-preservation order against OpenAI in their litigation with the New York Times—possibly a massive data breach waiting to happen.) 

Second, privacy regulators tend to have higher expectations than most users. These regulators are still developing their approach to AI, which creates a window for AI developers to propose credible solutions that could set standards for years to come. 

The long-term viability of the AI business may well depend on addressing those concerns, and reducing the “attack surface.”

How Apple Intelligence currently works

Let me start with a concrete example of how Apple Intelligence handles a common task: text summarization. When you select text in any app using UITextView (the standard iOS text component), the system presents Writing Tools options including summarization.

The app already has full access to the text displayed in its UITextView. When you invoke Writing Tools, the selected text—and only that text, perhaps with minimal context expansion—gets sent to Apple's AI model. If the task is simple enough, it's processed by the ~3 billion parameter on-device model. For more complex requests, it's encrypted and sent to Private Cloud Compute servers.

The crucial point is that the app already possessed this text. Apple Intelligence isn't accessing new data. It's simply processing information the app technically could have uploaded to any server at any time.

Apple's Private Cloud Compute: technical guarantees

Apple's PCC implements several technical guarantees that create a trustworthy environment, including:

• Stateless computation: all data is immediately deleted after processing. No user data persists between requests.

• Hardware-enforced isolation: custom Apple Silicon servers with Secure Enclaves ensure that even Apple employees cannot access user data during processing.

• Cryptographic verification: the device verifies it's communicating with legitimate PCC servers running publicly auditable code before sending any data.

• No privileged access: the system design eliminates debugging interfaces and administrative access that could compromise user data.

• Verifiable transparency: Apple publishes software images and offers bug bounties up to $1 million for security researchers to verify these claims.

The case for developer access

Here's why giving developers access to Apple Intelligence—both local and PCC models—wouldn't introduce significant new privacy risks. Consider the current situation. An app with access to your documents can already send them to OpenAI, Anthropic, or its own servers. The privacy risk exists the moment you grant the app access to your data. Routing AI processing through Apple's infrastructure promises to improve privacy. Unlike most third-party services, PCC guarantees stateless processing and provides cryptographic proof that your data won't be retained or used for training. 

What user data Apple Intelligence processes 

Apple's legal documentation contains a potentially confusing statement: "To provide a customized experience, Apple Intelligence uses information on your device including across your apps, like your upcoming calendar events and your frequently used apps."

This might suggest Apple’s APIs automatically draw on all user context. But this language only applies to system-level features—like Siri Personal Context—not to what developers can access via APIs. Apple is building different privacy models for different features—narrow access for developer-accessible tools, broader access only for system-level features.

Potential impact of the EU Digital Markets Act

This creates an opening for a regulatory challenge. Under the EU’s Digital Markets Act (DMA), regulators might argue that if Apple’s own features can combine data from across apps, then third-party developers should have access to the same functionality. If that argument wins, Apple may have no choice but to build permission systems that allow users to explicitly authorize third-party AI systems to work with their personal data in a comparable way. I’ve explored these implications elsewhere (e.g., "Apple and EU DMA: a road to leave the EU?"), pointing out how culturally difficult it may be for Apple to abandon the idea that they can treat their own apps and functionalities as more trustworthy. 

There is also a risk that the EU DMA will be interpreted in a more radical way, attempting to force Apple to provide access in a way that undermines the security features of their framework. For example, by requiring Apple to run third party code within trusted execution environments or by prohibiting Apple from adopting reasonable restrictions on API use (e.g., if the API will include models with function/tool-calling capabilities). The risk of this is not negligible given that so far, the DMA enforcers have shown little understanding and care for the impact of their actions on end users, especially in terms of data security (see, e.g., DMA workshops and privacy and Apple and EU DMA: a road to leave the EU?).

Essential safeguards for safe implementation

Returning to Ben Thompson’s recommendations, he specifically advocated that Apple should:

• “Make Apple’s on-device models available to developers as an API without restriction.”

• “Make Apple’s cloud inference available to developers as an API at cost.”

I believe this can be done safely, but with caveats:

• All AI model data processing must be fully stateless, like Apple's current model. This ensures user data cannot be used to train new models or be retained for any purpose.

• Both in-app and system-level data access must be controlled by robust, specific permissions that users can understand and manage.

• Any off-device processing must occur in verified trusted execution environments with what Apple calls “verifiable transparency.”

• Process as much as feasible on-device, using cloud resources only when computational requirements demand it.

• End-to-end traffic analysis remains a vulnerability. The TEE approach may in some extreme cases not be a sufficient protection for dissidents or journalists in certain countries, but it is likely adequate for most users.

Meta's WhatsApp Private Processing

Meta faces a higher burden in convincing the public about privacy—they haven't yet successfully made privacy part of their brand the way Apple has. It does, however, seem that they aim to move in that direction, given that their WhatsApp Private Processing framework implements remarkably similar technical guarantees to Apple’s PCC.

Like Apple, Meta uses hardware-based trusted execution environments, though with an important architectural difference. While Apple employs custom silicon with dedicated Secure Enclaves, Meta relies on AMD's Confidential Virtual Machine (CVM) technology within standard cloud infrastructure. This creates a larger potential attack surface but offers more deployment flexibility.

Both systems promise stateless processing, cryptographic attestation, and third-party verifiability. However, Meta's implementation currently lacks the same level of verifiable transparency that Apple provides. While Meta has announced plans to publish Private Processing components and provide third-party access to binary digests, these transparency measures remain partially unfulfilled.

Why verifiable transparency matters

I want to stress the importance of verifiable transparency, which is the area where Meta still likely has the most to improve. One key reason why verifiable transparency is important is the risks from government-mandated backdoors, effectively breaking TEE-based privacy schemes. When code is open source—or at least available to a sufficiently large group of independent, adequately funded researchers—and when devices can cryptographically verify that servers run the published code, this risk is significantly mitigated.

Even if you think that law-abiding users have nothing to fear from democratic governments having this kind of access, you should still be concerned about the track record of such “government access” schemes being exploited by unintended parties, including other governments and criminals (e.g., the 2024 U.S. telecom hack). Cybersecurity experts have long argued that a vulnerability does not distinguish “good” guys from “bad” guys. In other words, the idea that a government agency can claim that “nobody but us” will have access to some backdoor is a dangerous illusion. 

Conclusions

Thompson's proposal to open Apple Intelligence to developers is both technically feasible and potentially beneficial for the AI ecosystem. The privacy risks are manageable because they're largely identical to risks users already accept when granting apps data access. In fact, routing AI processing through privacy-preserving infrastructure like Apple's PCC could improve the status quo.

The convergence of Apple and Meta's approaches suggests an emerging industry standard for privacy-preserving AI. Both companies recognize that long-term success requires solving the privacy problem, not just for regulatory compliance but for maintaining user trust as AI agents become more capable and data-hungry.

UPDATE (27 May): The attempt to block Meta’s AI training plan through an injunction failed before the court in Cologne court. Also, despite expressing some last minute doubts, the Hamburg data protection authority just announced that they will not step out of line and use the GDPR's urgency procedure. However, they referenced some unspecified “forthcoming EU-wide evaluation of Meta's practices,” perhaps aiming to suggest that they will try to push for a more restrictive GDPR interpretation at a later date. (All this is quite puzzling given that it was the Hamburg DPA which previously published a very pragmatic discussion paper on the application of the GDPR to AI models).

The legal questions being raised

Multiple national data protection authorities published information about Meta’s plans, including links to forms provided by Meta, through which users can object to their public data being used for AI training (e.g., Czechia, France, Italy, Hamburg, the Netherlands). Notably, at least the Dutch, the French and the Italian authorities included in their statements—made as recently as late April—that EU authorities are working with the Irish DPC to assess Meta’s compliance with the GDPR. The authorities listed the following issues: 

• the legality of Meta’s plan (presumably meaning the question whether Meta can rely on the legitimate interest basis);

• the effectiveness of the right to object (which Meta facilitates through ex ante opt-out forms);

• the compatibility between the original purposes of the processing and this new use of the data (“historical data” issue).

The historical data issue is reportedly at the centre of the “hearing letter” to Meta from the Hamburg DPA.

Aside from the DPAs, a German consumer advocacy group Verbraucherzentrale NRW (vznrw) is seeking an injunction to stop Meta’s AI training plans in the Higher Regional Court of Cologne (Oberlandesgericht Köln). The hearing in that case was scheduled for 22 May (see commentary from Noerr, a law firm). Vznrw’s position appears to be that Meta should be asking all concerned users for affirmative opt-in (consent), instead of allowing an opt-out.

Opt-out vs opt-in (legitimate interest vs consent)

On the dominant among EU DPAs, broad understanding of what counts as personal data, the authorities would likely argue that the development of many, if not all, Large Language Models (LLMs) involves the processing of personal data at some stage, at least due to scraping public websites. It is not possible to implement an opt-in consent for all concerned individuals, so imposing such a requirement would mean a de facto prohibition of the technology. The other reason why consent is not feasible is the issue of withdrawal of consent—it’s likely to be vastly disproportionate to delete models trained with personal data and surgical removal of an individual’s personal data from a trained model is not yet workable. So withdrawal of consent couldn’t lead to the end of data processing (assuming that a trained model contains personal data).

The European Data Protection Board (EDPB), in their Opinion on AI models only really considered an opt-out mechanism (objection to data processing), suggesting various measures to make AI development and use compatible with the GDPR under the legitimate interest basis.

Privacy activists and some public officials are now pushing to ban LLMs and much of AI more broadly, claiming that opt-out mechanisms are insufficient. Their strategy centers on a peculiar argument about consent requirements. When AI developers can directly contact individuals whose data will be used for training—what's called "first-party" data from direct users[1]—these advocates argue that only individual consent should permit data use. Their solution for withdrawn consent is equally extreme: delete the entire AI model. 

This creates a bizarre contradiction. When developers cannot easily contact data subjects and informing them is much harder—circumstances where providing notice and objection opportunities is genuinely difficult—these same advocates would have us believe that they accept that consent isn't required and legitimate interest suffices. But when circumstances are actually favorable for exercising information and objection rights, suddenly consent becomes mandatory. This logical inconsistency strains credulity. The argument appears to be part of a bait-and-switch strategy: first attack "first-party" data use to establish a consent requirement, then extend that precedent to "third-party" data. 

Ex ante opt-out and effective exercise of a right to object

Meta has implemented unconditional opt-outs from AI training for both users and non-users. This goes beyond Article 21 GDPR's express requirements but follows a suggestion in the EDPB Opinion on AI models (para 102). Yet critics argue this still doesn't allow sufficiently effective exercise of objection rights under legitimate interest processing.

Article 21 GDPR states that "the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims." While this requirement is conditional, it does mandate that controllers "no longer process the personal data."

Allowing unconditional, ex ante objections—before processing even begins—without requiring deletion of already-trained models represents a reasonable, proportionate interpretation of GDPR. A more absolutist reading of the "no longer process" requirement would effectively ban the technology entirely. Notably, switching to a consent basis raises virtually identical issues regarding the consequences of withdrawal of consent.

Arguing that Meta's unconditional, ex ante, and well-publicized opt-out scheme (also publicized by DPAs) remains insufficient would set the compliance bar impossibly high. No one—not just Meta—could train AI models in the EU under such standards. 

To be clear: Meta's offer to accept objections before even beginning training arguably exceeds GDPR requirements. Concluding otherwise would imply that most AI model training conducted so far violated GDPR—assuming a broad interpretation of which models contain personal data.

Historical data and historical reasonable expectations

The EDPB correctly noted in its Opinion on AI models that individuals' reasonable expectations matter when assessing legitimate interest. However, this argument can easily be taken too far. Most people understand technology, business, and government only superficially—and this is entirely normal. We are not omniscient. Requiring individuals to have detailed understanding of technological and organizational aspects before their data can be processed under legitimate interest would make that legal basis impossible to use. This would render the GDPR provision ineffective, violating a fundamental principle of legal interpretation: we should read law as if crafted by a rational lawgiver. While even the Court of Justice sometimes leans toward overly restrictive interpretations—often betraying its own lack of understanding of business and technological realities—this temptation should be resisted.[2] Any interpretation of "reasonable expectations" must remain proportionate and grounded in reality.

This brings us to the "historical data" issue that German DPAs are currently reportedly emphasizing. Their argument appears to be that Meta cannot use data uploaded before May 27, because users lacked reasonable expectations that their public data could be used for AI training before the deadline set in Meta's announcement.

This reasoning proves far too much. If we follow this logic, how could any AI developer claim that individuals reasonably expected their data to be used for training? Even limiting the argument to pre-ChatGPT data still goes too far. Consider an analogous question about search engines circa 1998. Would we really interpret GDPR to treat emerging technologies as inherently illegal simply because their details are novel? I argued against such an approach to the GDPR in my text on the importance of cautious optimism.

Let’s remember: we're discussing data that anyone on the internet can access—public content. Given the existence of search engines and widespread web scraping, can it seriously be argued that internet users lack reasonable expectations about how public web content might be reused?

Some DPAs already recognize this reality. The Baden-Württemberg DPA acknowledged that "given the generally known technological progress of recent years, it may be expected that data published on the Internet may be reused by third parties for other purposes."[3]

[1] What makes things more complicated is that the data Meta plans to use isn’t “pure” first-party data, because even data like Facebook/Instagram posts, comments and so on may include references to other individuals than the person who posted the data. So what is first-party data of a direct Meta user, may very well also be third-party data of someone who is not a Meta user (which is also why Meta facilitates opt-outs for non-users). The same applies, of course, to all other platforms like Reddit, YouTube, X/Twitter, and so on.

[2] See eg EDPB’s reference to Meta v Bundeskartellamt in footnote 73 of the Opinion on AI models and the accompanying text (para 93).

[3] The Baden-Württemberg DPA also made a qualification for data published by others. In principle there may be a difference in reasonable expectations regarding content you post about yourself and what someone else posts about you. However, we also need to have in mind the technical limits of anyone’s capacity to distinguish such situations at scale. 

The Commission’s decision hinges on two determinations. First, Meta’s model, which offered users a binary choice between accepting personalized advertising through personal-data combination or paying a monthly fee for an ad-free experience, did not provide a “less personalized but equivalent alternative,” as required by the DMA—especially as interpreted through Recital 36. Second, this binary structure, along with the associated fee for the privacy-centric option, was deemed to be coercive and that it violated the General Data Protection Regulation’s (GDPR) “freely given consent” requirement, which is explicitly integrated into DMA Article 5(2).

In this post, I’ll try to reconstruct the Commission’s likely reasoning. It’s crucial, however, to state upfront that, without the full published decision text, we’re operating somewhat in the dark, relying on the Commission’s press release and inferring connections to broader regulatory discussions. Of particular interest, in regard to the latter, is the European Data Protection Board’s (EDPB) recent opinions on “pay or consent” under the EU GDPR. This inherent uncertainty must be kept in mind.

Lack of ‘Freely Given’ Consent

Article 5(2) of the DMA demands GDPR-standard consent for the kind of data combination and cross-use that Meta employs for personalized advertising. The Commission’s announcement explicitly stated that Meta’s model “did not allow users to exercise their right to freely consent.”

The uncertainty lies in how, exactly, the Commission reached this conclusion under the DMA. It seems probable they leaned heavily on the reasoning laid out in the EDPB’s Opinion 08/2024 regarding “consent or pay” models under the GDPR (I commented on that opinion here and here). The EDPB strongly insisted that, for “large online platforms,” a binary choice between consent and paying a fee is likely coercive, due to power imbalances and potential detriment, thus invalidating consent.

Directly transposing this quite-restrictive GDPR interpretation (which is itself quite debatable, especially regarding detriment) onto the DMA requires careful justification. While the DMA references GDPR consent, it doesn’t automatically incorporate every aspect of the EDPB’s subsequent guidance. In particular, it does not incorporate guidance that arguably stretches the concept of “freely given” beyond what the Court of Justice of the European Union (CJEU) outlined in Meta Platforms v Bundeskartellamt (see my commentary here and here).

The CJEU specifically acknowledged the possibility of valid consent—even when dealing with a dominant undertaking—and allowed for a fee-based alternative. So, the Commission’s finding of a lack of freeconsent under the DMA likely relies on accepting the EDPB’s premise that the binary choice is inherently coercive for gatekeepers, a point which remains legally contested.

Failure to Provide a ‘Less Personalised but Equivalent Alternative’

The Commission also found that Meta “did not give users the required specific choice to opt for a service that uses less of their personal data but is otherwise equivalent.” This points directly to the language in Recital 36 DMA, which calls for such an alternative as a prerequisite to enable free choice under Article 5(2).

The crux of the issue here seems to be the paid nature of the ad-free alternative Meta offered from March to November 2024. The Commission appears to have interpreted “equivalent alternative” under the DMA as requiring a free option that uses less personal data (perhaps funded by contextual ads, as the EDPB suggested for GDPR compliance).

This is, frankly, a problematic interpretation if it’s indeed the Commission’s definitive stance. Again, the CJEU in the Meta case explicitly allowed for an equivalent alternative under GDPR “if necessary for an appropriate fee.” While the DMA aims for contestability and fairness, neither Article 5(2) nor Recital 36 explicitly mandates that the “equivalent alternative” must be free of charge. Recital 37 focuses on ensuring the alternative isn’t of “degraded quality,” unless unavoidable due to lack of data. It doesn’t directly address the payment model.

Requiring a free-of-charge alternative seems less like a direct application of the DMA text and more like an adoption of the policy preference the EDPB expressed in its GDPR guidance. It effectively means the Commission might be using the DMA to impose a specific business model (free of charge and contextually ad-supported) rather than simply enforcing the stated rules.

From my analysis of “pay or consent” under GDPR, the focus should be on whether the fee is “appropriate” (as per CJEU) and whether consent is genuinely free under the circumstances, not on whether a free-of-charge option exists per se. If the Commission’s DMA reasoning mandates the alternative be free, it represents a significant, and legally questionable, step beyond established principles.

Conclusion

While the Commission fined Meta, citing lack of free consent and a failure to provide an equivalent alternative under DMA Article 5(2), the precise legal steps in their reasoning remain unclear without the full decision. It appears highly likely that they’ve heavily relied on the EDPB’s restrictive interpretation of “consent or pay” under GDPR, potentially extending it to the DMA context.

Specifically, the apparent requirement for a free-of-charge equivalent alternative seems particularly contentious. It arguably goes beyond both the DMA’s text and the CJEU’s guidance on GDPR, raising concerns about whether the Commission is enforcing the law as written or imposing a preferred market outcome.

Until the full reasoning is public and potentially tested in court via Meta’s likely appeal, the exact legal basis and its broader validity remain uncertain. I remain critical of interpretations—whether under GDPR or seemingly now under DMA—that would effectively prohibit established “pay or consent” models outright by demanding a free alternative, where the law and higher courts have explicitly allowed for appropriate fees.

[Previously published on Truth on the Market on 23 April 2025]

Just as we learn that the European Commission’s “GDPR reform” plan is likely to be a performative window-dressing exercise, the EU General Court again denied direct judicial review of a privacy-fundamentalist guidance document from the European Data Protection Board (EDPB) on “pay or OK.” The EDPB is acting like an unaccountable legislator, issuing theoretically non-binding guidance, which easily becomes the law in action. This occurs even when the guidance extends EU data protection law beyond its intended scope, driven by ideological extremism. 

In Case T-319/24, Meta Platforms Ireland v EDPB, Meta challenged the EDPB's Opinion 8/2024 on “pay or OK" (see also my comments here). In its decision, the General Court noted that

although, as Meta observes, the contested opinion uses words such as ‘should’, ‘should not’ and ‘in most cases’, the passages containing such wording, read in the light of the document as a whole, appear to be calling for an in-depth consideration... rather than censuring ‘consent or pay’ models across the board. 

The central problem is this: the General Court rejected Meta's case because the EDPB's Opinion was considered non-binding and lacked direct legal consequences for Meta. Consequently, the EDPB can issue highly detailed “non-binding” documents filled with mandatory language that significantly influence market behavior and national DPA enforcement, but these pronouncements avoid direct EU judicial scrutiny. This leaves businesses in a precarious situation where “guidance” effectively operates as law, yet lacks the oversight inherent in formal law-making.

Contrast this with Advocate General Ćapeta's recent opinion in Case C-97/23 P, WhatsApp/EDPB. Here, the AG took a refreshingly pragmatic approach to the EDPB's binding decisions under Article 65 GDPR. She recommended that the Court of Justice find WhatsApp's action for annulment against such a decision admissible. Her reasoning was that Article 65 decisions are legally binding on national supervisory authorities and directly impact the legal position of companies like WhatsApp, leaving the national authority no discretion regarding the EDPB's findings.   

If the CJEU follows AG Ćapeta, it would indeed be a step towards accountability, allowing direct challenges to the EDPB's formal, binding directives. This would be a welcome development, potentially accelerating legal clarification and forcing the EDPB to be more rigorous when it issues these powerful Article 65 decisions.   

AG Ćapeta's reasonable stance on binding decisions highlights the problem with  “non-binding” guidance. While labeled as such, EDPB interpretations and recommendations are often treated as mandatory by national DPAs and carry significant weight for businesses. However, as the Meta v EDPB case illustrates, their “non-binding” status may shield these influential instruments from direct EU judicial review, creating an accountability loophole (any indirect review that may eventually happen is likely to be too little, too late).

This is quasi-legislation without accountability, transparency, and adequate judicial control. The EDPB, a body of regulators, effectively makes law through the back door, pushing its maximalist interpretations of data protection law without the checks and balances inherent in a proper legislative or even a fully reviewable administrative process. The “pay or OK” opinion is a prime example, where the EDPB heavily suggested that large online platforms should consider providing users with an “equivalent alternative” that does not entail payment of a fee, a significant market intervention not mandated by the GDPR. Similarly with the opinion on AI models, which I criticised as an example of privacy myopia, which is a structural problem of GDPR enforcement.

This situation is untenable and cries out for GDPR reform. As I argued, we need a system that reins in the EDPB's tendency towards privacy fundamentalism and that allows for independent review of all the past guidance. The GDPR was not meant to put two rights—privacy and data protection—above all other rights and vital interests of Europeans. The EDPB has proven institutionally incapable of adhering to this fundamental feature of EU law.   

AG Ćapeta's opinion, if followed, might plug one hole in the dam of EDPB accountability. But the Meta v EDPB case shows that other significant leaks remain, allowing the EDPB's influence to flood the regulatory landscape unchecked. It's time to rebuild the dam. It's time for GDPR reform that ensures the rule of law applies as much to the regulators as it does to the regulated. The kind of reform I've advocated for previously is needed to ensure the GDPR serves its intended purpose without stifling the digital economy and common sense through unchecked regulatory overreach.

What do we know about the proposals?

We know the least about the EU Commission’s plans. All that Commissioner Michael McGrath said was: 

So, it is a real focus of the European Commission to improve the competitiveness of the European economy and to bring forward a whole range of simplification measures, and we have started that process with a number of omnibus packages already focused on sustainability reporting, sustainability due diligence. And yes, GDPR will feature in a future omnibus package, particularly around the recordkeeping for SMEs and other small and medium-sized organizations with less than 500 people. So we will be examining what ways in which we can ease the burden on smaller organizations in relation to the retention of records while at the same time preserving the underlying core objective of our GDPR regime.

Hopefully, relaxing recordkeeping rules is not the full extent of the Commission’s ambition, because that would really be a performative exercise and a wasted chance to really improve EU’s competitiveness.

As to the Voss (Voss-Schrems?) proposal, we know a bit more, based on Axel Voss’ LinkedIn post and on press reports from an event where he presented the idea. The big picture changes (which Schrems did not agree with) would involve the following according to Euractiv:

Voss wants to remove the enforcement role of the European Data Protection Board and "adjust" fundamental principles like 'the right to be forgotten' or 'data minimisation' to modern technologies.

He also wants to flip the logic of the legislation, currently prohibiting personal data processing by default with certain exceptions, to a regime that only prohibits certain privacy-violating practices.

This is somewhat vague, but I welcome the idea that adjusting the key GDPR principles is necessary, due to the imbalanced GDPR interpretations that are currently being enforced. I also like the idea—if I understand it correctly—of removing GDPR Article 6 which requires a “lawful basis” for the processing of personal data

As to removing the enforcement role of the European Data Protection Board, I think that a more important issue is making sure that any decisions or guidance can only be made when approved by a body that is truly institutionally and intellectually independent from privacy enforcers. If that can be achieved, then it may be a good idea for the EDPB or some other body to even centralise on an EU level case-handling functions (but not issuing fines or directions!), at least for cross-border cases. (For more details, see my text A serious target for improving EU regulation: GDPR enforcement.

Voss also proposed a “a new three-layer risk-based approach.” 

The first (“GDPR mini”) layer would apply

to 90% of all businesses (i.e small retailers, manufacturers) that process personal data from fewer than 100.000 data subjects and are not handling special categories of personal data (Art 9 GDPR, i.e. health records).

This seems not to appreciate how broadly the special categories of personal data (Article 9 GDPR) are being interpreted by data protection authorities—which I’d say is one of the prime examples of the privacy-absolutist enforcement framework. So if such disproportionate interpretative approaches to key definitional GDPR elements are not tackled, then a tier meant for “90%” could end up applying to a small minority.

As to the benefits of being in a “mini” tier:

No Data Protection Officer (DPO) required anymore. Simplified transparency rules & no excessive documentation. Lower administrative fines (i.e. capped at €500.000 instead of €20M). Only core obligations (i.e. Art 5) apply.

Interesting, but could mean not too much in practice if the general approach of the privacy enforcement doesn’t change.

As to the other tiers, the one that may cause the most controversy is “GDPR plus:”

for large VLOPs, online advertisers, and data brokers, meaning all those companies whose business model is built fundamentally on the processing of personal data. A threshold of 'processing data from 10M+ individuals' or 'handling 50%+ of a country’s population' seems to make sense. 

If this is combined with the kind of enforcement reform I outlined, the largest companies operating digital services across the EU would probably welcome being placed in a separate category. It would also make sense to have fully centralised EU-level GDPR enforcement for this tier. Perhaps Voss casts the net a bit too broadly (all online advertisers, really?). But on the other hand, many non-”big tech” cross-border digital service providers would probably prefer to have centralized GDPR enforcement, so some flexibility may be needed.

The proposed rules for the “plus” tier would involve:

Mandatory annual external audits (similar to financial audits).  Stronger transparency obligations (i.e. publicly disclose processing records). Reversed burden of proof: companies must prove compliance, not the regulators. Real consequences for structural violations.

All those things may be sensible, but only if the rules (or rather the legal interpretations) against which those organizations are meant to be measured are applied proportionately. This is clearly not the case now, as I’ve been arguing repeatedly.

What is missing?

The main missing element in the proposals is a serious enforcement reform to balance the currently dominant privacy absolutism. Beyond that, the Voss plan suggests the right direction of rethinking some of the key GDPR principles. I’d add that we should also rethink the key definitional notions, including “personal data” and “special categories” of personal data. Also, GPDR reform should simplify digital data protection by addressing problems with a separate “cookie law,” i.e. with the ePrivacy Directive (see e.g. my Consent for everything? EDPB guidelines on URL, pixel, IP tracking).

Frankly, with a better, more balanced approach to enforcement—based on a realistic political economy perspective on bureaucracy and ideologies—I don’t think there would have been a need for much substantive reform. But we are now in a situation where the GDPR “in action,” as interpreted by the authorities and the courts, has been shaped by privacy absolutism. To address that, we likely need both changes in enforcement and in substantive rules. 

Sensible GDPR reform needs to be based on a realistic understanding of what is wrong with the current system. Yes, there are some “red tape” concerns, but this pales in comparison with the more serious, structural problem of an enforcement framework which is institutionally biased in the direction of privacy absolutism. To focus on “record keeping,” without tackling the latter problem would be to waste this opportunity. Europe needs a proportionate data protection framework, which protects individuals, while avoiding absolutist zealotry and placing privacy above everything else. 

Not too long ago, the idea that there may be an opening for a substantive GDPR reform seemed fanciful. Now, it is the official policy of the European Commission. I hope that the reform process will be open to voices from outside the privacy bubble, and will result in restoring the balance between privacy and data protection, and other vital interests of Europeans, like economic security and freedom of expression and information.

Yet there’s one regulatory domain where complexity and unpredictability are on full display: data protection. Under the current GDPR enforcement regime, data protection authorities (DPAs) hold enormous power to impose huge fines, but they do so through an essentially privacy-maximalist lens. This has left businesses unsure of where the lines really are, has sown confusion across EU borders, and worst of all, has arguably placed an absolutist interpretation of one fundamental right—privacy—above everything else. What we do need instead is balanced protection of all Europeans’ vital interests, including innovation, economic security, freedom of expression, and more.

This is why I was surprised to see that the European Commission has not yet withdrawn its proposal for the GDPR Procedural Regulation. The Proposal does little to reduce the complexity in GDPR enforcement and nothing to address the most pressing problem of the lack of balance in GDPR enforcement. The best course of action would be to quickly go back to the drawing board and seriously think about fixing GDPR enforcement, so that it genuinely contributes to the protection of fundamental rights and vital interests of Europeans, including our economic interests. Here, I propose one path for potential reform, hoping to spur a debate.

Why the Current Regime Needs an Overhaul

The key substantive provisions of the GDPR aren’t the problem. The GDPR was intended to protect personal data while acknowledging the need to balance privacy with other fundamental rights and societal goals. But in practice, the enforcement structure has produced a disproportionate, absolutist interpretation of privacy. We see it in how the European Data Protection Board (EDPB) issues opinions that preserve enormous enforcement “flexibility” for DPAs without offering genuinely reliable guidance for compliance. The result is a chilling effect on innovation and a sense that privacy concerns trump everything else, which is neither reflective of European values nor truly mandated by EU law.

The much-hyped EDPB Opinion on AI models exemplifies this phenomenon. It’s a laundry list of action items without any firm commitment that, if followed, will keep you on the safe side of enforcement. In effect, it grants regulators near-limitless discretion while offering minimal practical guidance to those trying to innovate responsibly. That fundamental disconnect from everyday economic realities means a startup or business simply can’t count on any consistent interpretation of what “compliance” looks like once it’s actually tested in a DPA enforcement proceeding.

Some privacy regulators will say they aren’t trying to ban AI or hamper innovation; they merely “keep options open” so that they are never constrained from imposing what they see as the most privacy-preserving interpretation. But in practice, uncertainty can be as chilling as an outright prohibition—especially when regulators have the power to levy fines that could cripple many businesses. Many potential entrepreneurs won’t chance building an ambitious AI tool here if they suspect a DPA might retroactively decide their GDPR efforts weren’t good enough.

What drives this outcome? It’s the political economy of GDPR enforcement. Post-GDPR, privacy authorities gained sweeping powers but haven’t faced a proportionate obligation to weigh the broader societal and economic impacts of their choices. In reality, they’re incentivized to adopt a mindset that maximizing privacy is the sole end, with any consideration of non-privacy interests treated as a burden for businesses (and occasionally other regulators) to defend.

This outcome stands in direct conflict with the EU’s broader ambitions. With the Draghi report and the stated goals of the new EU Commission, the status quo of GDPR enforcement feels increasingly out of sync with where Europe wants to be. Giving more powers to the EDPB as proposed in the draft GDPR Procedural Regulation does not address the real issue.

My vision for a new tribunal to make GDPR enforcement decisions

The problem with GDPR enforcement is structural, and thus my suggested solution is also structural. What if we could end the practice of leaving DPAs as both prosecutor and judge—and instead entrust the most consequential and cross-border decisions to an independent EU tribunal? Here’s how I see this could work:

DPAs keep investigative powers. DPAs would remain responsible for uncovering facts and building cases. It may be worth considering whether for cross-border cases there should be a new DPA on the EU level, but I leave this issue for another day.

An independent, multi-disciplinary tribunal decides. When a cross-border case or similarly significant enforcement action is on the table, the DPA must present its findings to a specialized tribunal. This body would issue binding decisions (including fines). Crucially, it would not be stacked with privacy lawyers. Instead, a diverse panel—including economists, business experts, generalist judges—would weigh privacy alongside other fundamental rights and Europe’s need for innovation and growth.

Formal balancing of all interests. The tribunal’s legal framework would require it to articulate how each decision balances data protection against other fundamental rights and economic realities. Instead of mere lip service, there would be a written record ensuring that privacy isn’t automatically placed above, say, the freedom to do research with AI or the freedom to conduct a business.

“Advocates general” for non-data protection interests. Drawing inspiration from the EU Court of Justice, we could empower judicial officers—“advocates general”—who act specifically to highlight and defend non-data-protection interests. Their role would be to ensure that the tribunal never loses sight of broader vital considerations like free expression or economic development. 

Transparency and harmonization. All parties—DPAs, investigated parties, and possibly third-party interveners—could submit arguments (or amicus curiae briefs). Because this tribunal speaks with a single EU-level voice, we’d see much less fragmentation and more consistent decision-making. Over time, the decisions would build a coherent framework, streamlining compliance efforts across the Union—a direct answer to the calls for simplification and legal certainty.

Review of EDPB opinions, and guidelines. Another possible refinement would be to require that the tribunal reviews any EDPB guidelines or opinions before they become final. This way, if the EDPB produces an imbalanced document like its infamous “cookie law” opinion, the tribunal could refuse to approve it. Regarding documents already produced by the EDPB, many of which call for radical overhaul, there could be a procedure for the tribunal to review them too. Some bodies could be given a right to request a review (e.g., a majority of the EDPB, a group of Members of the European Parliament, a Member State, the Commission, a tribunal panel, or one of the tribunal’s “advocates general”).

Conclusion

Such a reform would complement the Commission’s “simplification” drive. It would reduce regulatory burden by offering better and likely more predictable outcomes, ending the constant second-guessing about whether a new technology might suddenly get crushed by a surprising DPA crackdown that doesn’t take economic and technological reality into account. And it upholds the plurality of rights enshrined in EU law, preventing privacy from overshadowing everything else.

This proposal is not about changing substantive GDPR rules, but about refining enforcement so that it delivers on all European values—privacy, yes, but also innovation, free expression, and economic security. Instead of leaving DPAs to shape the entire digital future of Europe on their own, it would aim to establish a more measured and balanced process.

Reforming GDPR enforcement is not trivial. There is a significant risk of ideological capture of any new mechanism, as it happened with the existing framework. However, it is a worthwhile task and now may be the right time to undertake it. The currently proposed GDPR Procedural Regulation does not address the key problems. Thus I think it would be best for the Commission to withdraw the proposal and replace it with one based on a realistic assessment of the failings of the current enforcement framework. With this text, I hope to provoke some debate about serious reform of GDPR enforcement, a debate that we need but currently lack.