GDPR under-enforcement by regulators is a warning for the DMA

Prof. David Erdos has shared his latest (excellent) research “showing i) little UK GDPR enforcement, ii) worrying gap with formal law expectations & iii) limited accountability for this.” And the European Parliament’s Justice committee has concerns about the UK’s GDPR reforms and adequacy, including on the independence and effectiveness of enforcement.

A less polite version of Prof. Erdos’ comments would be: the 🇬🇧 government has demonstrated how a law on the books it dislikes (the General Data Protection Regulation) can be undermined by the appointment of supine or actively hostile enforcers (Information Commissioners). As prime minister, Margaret Thatcher was against its predecessor, the Data Protection Directive, from the start; not much has changed.

I hope the European Commission is not going down the same route with the Digital Markets Act’s Art. 7 (on NIICS interoperability), which it was hostile to from start (early 2020) to finish (enforcement). Legislators learned from the GDPR that it is too easy for national regulators to be deliberately undermined by governments looking to attract technology firm investment (see also: Ireland and Luxembourg). The Commission therefore has a central enforcement role.

This is why I’m especially disappointed by the flimsiness of the EC’s finally-published decision not to designate iMessage as a DMA gatekeeper NIICS. It hardly justifies the “exceptional” non-designation decision (Art. 3(5)), or “manifestly call[s] into question” the quantitative tests it meets [1]. I wonder if Meta now feels slightly foolish to have obeyed that provision in (somewhat) good faith 🫠

I still remember the jaw-dropping moment the new 🇬🇧 Information Commissioner in 2009 told a law conference (just about his first public appearance) he didn’t think data protection law should apply to the private sector. (He previously ran the advertising “self-regulatory” Advertising Standards Authority.)

It’s fortunate indeed for GDPR enforcement that it contains rights of private action, so effectively taken up by Max Schrems. (Whether individuals such as law students should bear the burden of enforcement, given the millions of euros governments spend on official regulators, is a separate question.)

Meanwhile, the Commission’s failure to take legal action forcing some member states to implement the legislation properly, its enchantment with mass surveillance and data retention, and some of its adequacy decisions are much less impressive than the Court of Justice’s judgments in Schrems’ two cases.

I was reminded last week, talking to a BigTech competitor, that these much smaller firms have to be extremely cautious about upsetting a company they may rely on for key resources, and the Commission has spent most of its time preparing for DMA enforcement talking to those two groups. So perhaps Schrems’ None of Your Business, or something similar, will have to take up the rights of the individuals the legislation is ultimately supposed to help 🤷🏻‍♂️

Fortunately the DMA also contains rights of private action, as well as the ability of organisations to take representative actions (thanks to campaigning by consumer and digital rights groups in its final stages). As with the Schrems I and II cases, these apparently small issues can ultimately have enormous global impact [2].

[1] Where does the DMA talk about the relative intensity of use of one core platform service versus another? This provides two of the three reasons for the decision! And who cares if iMessage for Business is lightly used, given it’s likely iMessage itself is used by many microbusinesses, very few of whom I imagine were part of the “corporate users of iPhone to whom the Commission reached out during the market investigation”? Really, the EC didn’t even bother with a large-scale survey, and/or demand data from Apple?

I also heard from an impeccable source Apple threatened to withdraw iMessage from the EU if it had been DMA-designated. The EC should not be rewarding such blackmail, even if it was highly likely to be a bluff.

[2] For now, we might have to rely on technology and philanthropy to improve messenger interoperability, such as this great project: a cross-platform, memory-safe OpenMLS library to enable interoperable, end-to-end encrypted messaging (E2EE) in multiple clients, combining “Matrix’s decentralized and federated infrastructure with Signal’s low metadata footprint.” 🎯

What’s happening with TikTok in the US is a strong reminder about the vulnerability of centralized platforms to censorship and surveillance. The Open Technology Fund notes Signal “provides a high level of metadata protection, but is centralized and thus easily censored. In addition, Signal cannot efficiently provide E2EE for large-group communications.”

I hope Signal will move in this direction over time, and towards interoperability with other platforms implementing both its own protocol (with metadata guarantees) and the IETF’s open Messaging Layer Security standard.