Payments remains a very fragmented business around the world: depending on where you’re buying or selling something (and whether you are selling online or offline) you will have different “standard” payment methods, currencies and settlement schemes and more. Today, a startup called Kevin that’s taking one piece of that puzzle — payments made from account to account, an alternative to payment card payments that bypasses those rails — and making it more easier and more ubiquitous to use through the development of whole new set of payments infrastructure that integrates directly with banks, is announcing a significant Series A of $65 million to double down on its business after some strong initial traction.

It has already picked up 6,000 merchants in 12 markets in Europe, starting first with electronic point of sale, and more recently with an integration with physical POS terminals. Its plan is to be available as a payment option across some 35% of European electronic point of sale terminals by the end of this year, and then 85% the year after that, “same as any card scheme,” said CEO Tadas Tamosiunas in an interview.

UK will be later this year but at the end of this year will be 35% of European EPOS terminals and then 85% next year same as card scheme.

The round is being led by Accel, with Eurazeo and previous backers OTB Ventures, Speedinvest, OpenOcean, and Global Paytech Ventures also participating. Harry Stebbings of 20VC; Ilkka Paananen, CEO & Co-founder of Supercell; and Amitabh Jhawar, ex-CEO of VenmoVilnius are some of the individuals also investing in the round. Kevin has now raised $77 million and it is not disclosing its valuation.

Lithuania-based Kevin was co-founded by Tamosiunas and Pavel Sokolovas (COO), who said in a joint interview that the plan will be to use the funding to continue building out its technology and to hire more people to break into more markets, starting first with covering all of Europe.

Kevin is technically styled “kevin.” — including the full stop. Tamosiunas said that the choice was made for a few reasons: first “Kevin” as an everyman name, the idea being that this is a technical payments solution that will be useful for everyone; second the full stop to imply that it’s the first and last name you’ll need to know in the business; but third, as a conversation opener. “It gives us an opportunity to tell our story,” he said simply.

That story is one that will be well known to merchants and others working in payments and commerce: every country has different payment systems at both the frontend and backend of the process. Account-to-account payments, which essentially debits money directly from the buyer and deposits it into the account of the seller, has long been one of those options, and often represents a much cheaper and direct alternative to card payments and the fees those incur, when someone isn’t already using cash.

The problem is that much of pre-existing account-to-account payments infrastructure is very clunky, not built around APIs, and thus hard to expand and integrate into any new services, both those in physical stories as well as those that are “electronic point of sale”, which might be in a store but could just as easily be in, for example, an app to pay for time at a parking lot.

“But account-to-account is a cheaper process and so we had a huge opportunity to solve that, especially in EPOS,” said Sokolovas. Years in the building, Kevin had a lot of naysayers initially, skeptical that APIs could be built to integrate with banks, which have traditionally been slow to embrace them and open up their services to others. There are exceptions, of course, such as the open banking efforts we’ve seen in the United Kingdom, but by and large it’s a fragmented and still-arcane area. “Now we are one and only company on the market that has a technical solution behind that.”

There are now other companies catching on — for example the POS terminal giant Worldline is working on a solution to accept account-to-account payments, Tamosiunas said, but it will take years to build, he claimed.

The bigger theme is that e-commerce remains a big and fast-growing area, but in the shift back to physical movement post-the peak of the Covid-19 pandemic, focus is also changing. “Everyone is looking how to improve sales offline, at the point of sale,” Tamosiunas added.

The disruption that Kevin is going for here is not just that it’s opening and modernizing a process that has been around for years, but has been hard to use; but it’s also giving merchants, consumers and everyone else involved in any transaction a more direct way of enabling a particular payment. Being more direct means it’s also cheaper, which is also a significant part of the pitch: it means that anyone opting for this option can make better margins on transactions. Conversely, it’s also cutting a lot of the traditional players in the payments ecosystem out of the equation, another kind of disruption.

That is what has caught the eye not just of investors but potential strategic partners and would-be acquirers of the startup. The founders wouldn’t go into detail about who has been knocking on their door but you could imagine other big players in payments tech old and new (including Stripe, Adyen, PayPal and maybe even the big credit card rail companies) might be among those interested in picking up this tech in a diversification play. For now, Kevin has declined even to work with them as strategic investors, in order to stay neutral and not tied to any specific platforms.

“Tadas, Pavel and the Kevin team are powering the future of payments with their next generation payments infrastructure,” noted Luca Bocchio, a partner at Accel, in a statement. “Offering a fast, seamless payment experience, with reduced costs and increased authentication rates, the time for A2A payments is now and Kevin has already had impressive momentum with its offering. With the launch of its unique POS payments product, the opportunity ahead is huge and we’re looking forward to partnering with the team on their journey.”

One interesting twist here will be whether and how Kevin and those like it will be integrated with mobile wallets.

Today Kevin operates in services when a merchant has integrated its tech into their own point of sale, whether it’s physical or electronic and in an app. But Wallets like Apple Pay or Google Pay today only work with cards. Given how so many card transactions are now being supplanted by NFC-based payments using people’s phones, it could potentially limit how much Kevin can grow if it cannot also offer an alternative to consumers to pay this way.

Coincidentally, Apple just yesterday was called out for anticompetitive practices by the EU over how it opens (or doesn’t as the case may be) its NFC-based wallet technology to other parties. That will be one to watch, and one that could have a big impact on how Kevin grows in future.

It’s not exactly shocking news at this point that the cloud infrastructure market had another standout quarter. After the big 3 vendors — Amazon, Microsoft and Google — reported earnings this week, we were once again provided a big result with Synergy Research estimating that the market reached $53 billion for the quarter, up 34% from the prior year.

Perhaps the most surprising thing about these numbers is that Microsoft is creeping ever closer to Amazon, the long-time market leader.

Amazon has steadily controlled a third of this market for years. Of course, it’s important to understand that the Seattle-based e-commerce giant has maintained a steady percentage of a pie that is dramatically expanding. Microsoft, on the other hand, has been growing slowly but surely over time. This quarter the company accounted for 22% of public cloud revenue, according to Synergy, up from around 20% in the year ago period.

Amazon pioneered the public cloud market in 2006 and was out there all alone for years before Microsoft began competing in earnest, especially after Satya Nadella came on board in 2014, and has pushed closer to Amazon in recent years.

The last of the big 3, Google is working hard as well and has now cornered around 10% of the market. In fact, the research firm reports that the three companies account for 65% of the entire cloud market.

Image Credits: Synergy Research

Yet even with Microsoft’s hard push into the market and impressive growth, when you add up Microsoft and Google’s growing market share percentages, Amazon still controls a tick more than the other two combined. It shows the amazing staying power of first-to-market advantage, even when you have well capitalized giants competing with one another. And also speaks to Amazon’s ability to fend off the growing competition to this point.

Numbers from Canalys were right in line with Synergy’s with the total coming in a tad higher at just under $56 billion. The differences are due to the models and formulas each firm uses, but are close enough that the divergence barely matters.

As for market share percentages, Canalys had Amazon at 33%, Microsoft at 21% and Google at 8%, again with very slight differences from Synergy.

These companies are looking at revenue from infrastructure, platform and hosted private cloud services. Neither is counting Software as a Service (SaaS) in these numbers, which could account for differences in reported numbers.

In terms of the numbers, for Synergy, it breaks down this way: $17.67 billion for Amazon, $11.66 billion for Microsoft and $5.3 billion for Google.

For Canalys, it’s Amazon with $18.45 billion, Microsoft with $11.74 billion and Google with $4.47 billion.

The numbers here are so large that it’s easy to forget just how big the public cloud market really is. The category is on an astonishing $212 billion run rate (using Synergy’s number) and continues to grow at a surprisingly rapid rate as more companies push more workloads to the cloud. Consider that total revenue last year was $178 billion.

Growth has accelerated since the pandemic hit in March 2020, and if you believe the numbers out there, cloud adoption still has a long way to go, especially when you consider many companies are adopting a multi-cloud strategy. The growth can’t go on forever, but considering that the need for cloud services isn’t a finite amount, it’s likely it will continue to experience substantial growth for quite some time.

A ruling by the European Union’s top court today is set to unblock a raft of litigation brought by consumer protection organizations seeking to apply the bloc’s General Data Protection Regulation (GDPR) standard against tech giants such as Facebook and Twitter over issues like whether they gather properly informed consent to process people’s data.

In a judgement today, the Court of Justice (CJEU) affirmed that consumer protection organizations can bring representative actions against infringements of the bloc’s laws protecting people’s data under GDPR.

The referral to the CJEU came from a German court in a case brought against Meta (Facebook) by the German Federal Union of Consumer Organisations and Associations (aka the vzbv) relating to the ToS of certain free games apps running on its platform which force consent from users by not providing them with an option to decline processing if they play the game.

In a brief response statement, a Meta spokesperson said: “The underlying legal proceedings showed that there were some open questions, which the CJEU has now addressed. We will review the decision and assess its implications.”

The CJEU ruling prefigures a wider change — coming to EU next year, when the Representative Actions Directive come into application in June — which will further expand the ability of consumer rights groups to litigate on behalf of individuals whose rights they believe are being violated.

“By today’s judgment, the Court finds that the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation,” the court writes in a press release.

Tech giants have typically tried to derail these kinds of privacy suits by arguing national courts do not have jurisdiction under the GDPR — which is intended to harmonize national legislation in this area. It also contains a mechanism (the one-stop-shop; OSS), which funnels cross-border GDPR complaints through a lead data protection agency in the EU Member State where each entity locates their regional HQ (for many most tech giants that means Ireland).

EU lawmakers included the OSS to simplify compliance for businesses. But its existence has supercharged the anti-consumer-rights practice of forum shopping — whereby corporate giants flock together around ‘friendly’ regulators, piling on pressure at a political level — say, by touting the local jobs and wealth their presence creates — to encourage oversight that aligns with their commercial interests.

The tactic also effectively shrinks the resources of the regulator by piling on complex case work.

All these pressures can and have contributed to GDPR enforcement bottlenecks, delays in decisions and even investigations being dropped or never opened in the first place. And complaints over this recently led to an investigation being opened into the European Commission’s monitoring of the GDPR’s application by the EU’s ombudsperson.

In Facebook’s case, oversight by Ireland has led to the equivalent of a total freeze on enforcement — as the service has not been hit with a single final GDPR decision since the regulation came into application in May 2018, despite myriad complaints (some of which now date back almost four years).

Ireland did finally produce a decision on a complaint against Facebook-owned WhatsApp last year. But scores more complaints continue to languish — and only today the European privacy rights group, noyb, announced that the Irish Data Protection Commission (DPC) had settled with it over what it described as a “gross delay” in two cases related to Facebook-owned Instagram and WhatsApp which it also said will see Irish taxpayers footing a legal bill of several tens of thousands of euros.

“Forty-seven months after the filing of the cases on Facebook’s ‘consent bypass’, the DPC agreed to pay tens of thousands in costs for a Judicial Review over delays,” noyb wrote in a press release. “While the GDPR requires a decision ‘without delay’ the DPC takes the view that four years for producing a draft decision is reasonable. In most EU Member States the law requires a decision within 3 to 12 months.”

noyb’s press release offers an eye-tickling visual metaphor for forum shopping — illustrating the latest painstaking development in the neverending regulatory saga with a picture of a snail crawling over a pile of money. (In case it wasn’t clear, the snail is Ireland’s DPC; not pictured: Facebook holding everyone’s data and laughing all the way to the bank.)

This embarrassing GDPR enforcement bottleneck continues to take the shine off the EU’s flagship data protection regulation — making it extremely hard for individuals to exercise their rights against the most powerful tech platforms.

That in turn means that any avenues which open up the possibility of more litigation against big tech — and today’s ruling is not the first such CJEU judgement — are important to resetting the power imbalance between platform giants and individual web users. Although the pan-EU change coming next year — via application of the Representative Actions Directive — should unlock more actions as that legislation will not rely on the procedure in question existing at a national level.

Nonetheless, in a note on its website (which we’ve translate from German), the vzbv calls the CJEU decision a “landmark ruling”, saying it means the Federal Court of Justice is “on the train again”. The consumer group has spent years trying to litigate against Facebook in areas like unfair privacy settings, while Meta’s lawyers have giving it the runaround, arguing against local courts having any jurisdiction to hear the challenges.

In the statement, Jutta Gurkmann, board member of the vzbv, added that today’s CJEU ruling “puts an end to the tiresome debate about consumer associations’ right to sue for data protection”.

“It is an open secret that some European data protection authorities are not quite able to cope with the escalating data collection of the big technology companies,” she also said, adding: “In the past, this enforcement deficit increasingly gnawed at the acceptance of the GDPR.

“Now it is clear: In addition to the supervisory authorities, civil society organizations such as the vzbv can also punish violations of the GDPR to a very large extent. The vzbv has been successfully and efficiently suing Meta, Google and Co. for a long time. Today’s ECJ judgment creates legal certainty until the European Class Actions Directive to be implemented this year, which also contains such a power.”

Also commenting on the CJEU ruling in a statement, Ursula Pachl, deputy director general of the European consumer organization, BEUC, welcomed it as “good news”, while underscoring the importance of the looming June 2023 pan-EU directive.

“Today’s ruling is good news because it underlines that consumer groups can file collective claims against companies like Meta in case of a breach of the GDPR, as long as this procedure exists at national level. The GDPR is a crucial law that protects people’s personal data in the EU. It is essential that it is better enforced, and rulings like today’s will help,” she said.

“As of next year, new EU rules will allow consumer groups to launch representative actions, which will further improve the situation. It will then be possible for consumer associations in all EU countries, as long as they meet certain criteria, to launch injunctions or collective redress claims against companies that break the law, including under the GDPR. A new era in enforcement by consumer groups will then begin.”

We already suspected that the controversy surrounding the Joe Rogan podcast on Spotify was doing little to actually prompt users to leave the streaming service, based on app store data. Now, Spotify’s first-quarter earnings have confirmed it. Despite losing 1.5 million users in Russia, Spotify’s premium subscribers grew 15% year-over-year in the first quarter to reach 182 million, largely in line with analyst estimates. Ad-supported users, meanwhile, grew 21% to reach 252 million.

Earlier this year, several prominent musicians including Neil Young, Joni Mitchell, and others pulled their music from the streamer to protest its relationship with the controversial podcaster Joe Rogan, who was accused of using his platform to spread Covid-19 misinformation. But app store data at the time indicated rival streaming apps were not getting a boost from this latest PR headache, as Spotify’s app had continued to see millions of weekly downloads — a significantly larger figure than its nearest rivals — even amid the #deletespotify campaign on social media.

Spotify’s earnings indicate the news headlines around Rogan that dominated in the first quarter didn’t drag its business down.

The streamer beat on nearly every metric, with total monthly active users up 19% year-over-year to a record 422 million in the quarter ending March 31, above estimates of 417.1 million. Revenue rose 24% to reach 2.66 billion euros ($2.82 billion), above estimates of 2.61 billion euros. Meanwhile, average revenue per user (ARPU) was €4.38, above the expected €4.26, but down from last quarter’s €4.40. Earnings per share were €0.21, compared to the loss per share of €0.25 in the year-ago period.

Spotify cited Latin America and Europe as contributing to the user growth during the first quarter and helping to offset the loss resulting from its exit from Russia.

The stock, however, fell on weaker projections of 187 million premium subscribers in Q2, versus estimates of 189.4 million, and a lower gross margin of 25.2% versus the expected 27%. The company also said it’s expecting a loss of another 600,000 subscribers related to the closure of its service in Russia.

In its shareholder letter, Spotify touted its plans to launch “User Choice Billing” in partnership with Google, which later this year will allow Android users to pay through Spotify’s own payment system for the first time, instead of using Google Play Billing. It also noted the launch of call-to-action cards — an interactive ad format that prompts podcast listeners to take some sort of action — like clicking a button to “shop now,” for instance — while streaming. And it referenced its Q1 acquisitions of podcast advertising service Podsights and analytics platform Chartable in the quarter, which Spotify said was its largest-ever Q1 for ad-supported revenue (11% of total revenue).

Spotify’s podcast footprint also grew in the first quarter, from 3.6 million total podcasts in Q4 to now 4.0 million on its platform. The growth in monthly active users who engaged with podcast content also outstripped total monthly active user growth, it said, and podcast consumption rates grew in the double-digits year-over-year.

The company didn’t bother to reference the Rogan drama in its letter, saying only that it’s pleased with its performance and encouraged by the traction it’s seeing.

Google today launched the first beta of Android 13 and, as usual, this means that if you’re an early adopter who isn’t afraid of a few broken features here and there, you can now install it as an over-the-air update as well. As of now, you’ll need a recent Pixel phone to do so, with the Pixel 4 being the oldest device it will install on.

For the most part, there isn’t a lot that’s new in the beta, but that’s to be expected as Google already launched most of the new developer-centric features during the preview phase. Those features included things like themed app icons, per-app language support, Bluetooth LE audio and, for the musicians out there, MIDI 2.0 support over USB. Maybe the most important update in Android 13, though, is that push notifications will now be opt-in.

Image Credits: Google

In this first beta, Google is adding more granular permissions for media file access to this lineup. Apps can now request access to specific file types, so developers can now ask for permission to specific media types like images, video and audio files. There is also some better error reporting, especially in the contetx of key generation, and a new audio API that helps “media apps anticipate how their audio is going to be routed.”

As Google VP of Engineering Dave Burke notes in today’s announcement, now is the time for developers to test their apps for compatibility with Android 13. As of now, Google expects to launch one more beta before hitting platform stability in June. By then, all of the app-related system features and APIs should be stable.

Chances are we will hear quite a bit more about Android 13 at Google I/O, which is now only a few weeks away.

Image Credits: Google

Google Play is today officially launching its own version of privacy-related “nutrition labels” for apps. The company says it will begin to roll out the new Google Play Data safety section to users on a gradual basis, ahead of the July 20th deadline that requires developers to properly disclose the data their app collects, if and how it’s shared with third parties, the app’s security practices, and more.

The company’s plan to introduce app privacy labels on Google Play was first announced last spring, months after Apple’s App Store introduced privacy labels on its own app marketplace.

While both sets of labels focus on informing users about how apps collect and manage data and user privacy, there are some key differences. Apple’s labels largely focus on what data is being collected, including data used for tracking purposes, and on informing the user what’s linked to them. Google’s labels, meanwhile, put a bigger focus on whether or not you can trust the data that’s collected is being handled responsibly by allowing developers to disclose if they follow best practices around data security.

The labels also give Android developers a way to make their case as to why they collect the data directly on the label, so users can understand how the data is used — for app functionality, personalization, etc. — to help inform the user’s decision to download the app. They can also see if the data collection is required or optional.

Google says that it heard from app developers that simply displaying the data an app collects without additional context was not enough, which is what prompted the label’s design.

At launch, the Google Play Data safety section will specifically detail the following, says Google:

• Whether the developer is collecting data and for what purpose.
• Whether the developer is sharing data with third parties.
• The app’s security practices, like encryption of data in transit and whether users can ask for data to be deleted.
• Whether a qualifying app has committed to following Google Play’s Families Policy designed to better protect children in the Play Store.
• Whether the developer has validated their security practices against a global security standard (more specifically, the MASVS).

Alongside the launch, Google will also now finally introduce permission requests — a feature iOS has had for years. These prompts will appear when an app needs access to a sensitive permission, like your location, the camera, or the microphone. The user will see the prompt on the screen, then make a decision as to whether to grant the app access. They can also review existing data access by apps on the Android Privacy dashboard.

Image Credits: Google

Since introducing its plan for the labels, Google says it’s only made minor tweaks to the developer guidance and the store’s user interface and experience. This includes updates like encouraging developers to refer to their SDK providers’ data safety information and a new question about System services, among other clarifications and rewordings.

While the addition of the labels could, in theory, help Android users make better decisions about which apps they want to use, it’s not clear there’s an effort to actually check the data for accuracy at the time of submission. Asked how the data would be vetted, Google told us that developers are responsible for the information they provide. Google also said that if it finds a developer has misrepresented the data they’ve provided in violation of the policy, it won’t immediately remove the app — it will just ask the developer to fix it. Only if the app doesn’t comply would an action later be taken.

App privacy labels have already been accused of being an unreliable source of information following their launch on the App Store. According to a report by The Washington Post last year, many of the labels they reviewed in a spot-check provided false information. For instance, apps claiming they collected no data were actually found to be doing the opposite — collecting it and sharing it.

Image Credits: Google

In other words, the labels functioned to give users a false sense of security about how their data was accessed and used, rather than a real way to take action. Apple, however, had told The Washington Post it would routinely audit labels for accuracy. Google makes no such claims today.

Google has given developers until July 20 to complete their Data Safety section, but the Data safety section is already rolling out. That means many users will see apps without labels even as the product launches. That staggered release could also be by design, as it dissuades users from immediately going to check their favorite apps’ privacy and security practices; and by the time those labels arrive, users may have forgotten they had wanted to do this.

Users will begin to see the labels appear on their Android phones at some point over the next few weeks as the labels reach global users.

This has been a long time coming: Google today announced that it is submitting its Istio service mesh project for consideration as an incubating project within the Cloud Native Computing Foundation (CNCF).

Google’s Kubernetes has long been the flagship project for the CNCF and the company recently also brought Knative, a project that aims to make it easier to build and deploy serverless applications on top of Kubernetes, to the CNCF as well. It’s maybe no surprise then that Istio, too, will likely become a CNCF project. There are still some steps to take before that happens, but chances are Google wouldn’t make today’s announcement if those weren’t, for the most part, formalities.

“For over 20 years, Google has helped shape the future of computing with its open source contributions and has invested deeply to unlock innovation for our customers,” Google VP of Engineering Chen Goldberg writes in today’s announcement. “Istio extends Kubernetes to establish a programmable, application-aware network using the Envoy service proxy. Istio works with both Kubernetes-based and traditional workloads, and brings standard, universal traffic management, telemetry, and security to complex deployments. Finding a home in the CNCF brings Istio closer to the cloud-native ecosystem and will foster continuing open innovation.”

Service meshes may not seem like the most exciting of projects, but they are often a fundamental technology for managing large container deployments. The idea here is to have a tool that can manage all of the messaging between services, which can quickly become difficult in a system where (micro-)services — and the machines they run on — are ephemeral.

With the Open Service Mesh, the CNCF is already home to one service mesh project, but the foundation has long played home to competing projects.

The Istio project launched version 1.5 of Istio in 2018. That’s often the point where vendors start looking for a foundation for their open-source project. The fact that Google didn’t do that puzzled quite a few pundits, but the Istio team then also launched a re-architected version of the software with the launch of version 1.5.

Google says it has made over half of all contributions to Istio and two-thirds of the commits.

“Istio is the last major component of organizations’ Kubernetes ecosystem to sit outside of the CNCF, and its APIs are well-aligned to Kubernetes,” Chen explains. “On the heels of our recent donation of Knative to the CNCF, acceptance of Istio will complete our cloud-native stack under the auspices of the foundation, and bring Istio closer to the Kubernetes project. Joining the CNCF also makes it easier for contributors and customers to demonstrate support and governance in line with the standards of other critical cloud-native projects, and we are excited to help support the growth and adoption of the project as a result.”

It’s worth noting that IBM, which also contributed to Istio and previously wasn’t a fan of how Google handled the Istio project by not donating it to a a larger foundation (with Oracle and the CNCF also adding to the complaints), today posted a note to congratulate the company on this move. Given the overall open-source landscape, the CNCF is the logical home for Istio.

“IBM fully believes in open governance and the power of community. Therefore, we enthusiastically applaud today’s submission of Istio to the Cloud Native Computing Foundation (CNCF),” IBM’s Briana Frank and Michael Maximilien write in today’s announcement. “IBM has worked alongside Google and other key partners since the inception of the Istio project five years ago and helped to lead the open source community with our contributions to code, innovations, blog posts, documentation, and steering committee, and by leading various technical workstreams.”

In the small hours local time, European Union lawmakers secured a provisional deal on a landmark update to rules for digital services operating in the region — grabbing political agreement after a final late night/early morning of compromise talks on the detail of what is a major retooling of the bloc’s existing ecommerce rulebook.

The political agreement on the Digital Services Act (DSA) paves the way for formal adoption in the coming weeks and the legislation entering into force — likely later this year. Although the rules won’t start to apply until 15 months after that — so there’s a fairly long lead in time to allow companies to adapt.

The regulation is wide ranging — setting out to harmonize content moderation and other governance rules to speed up the removal of illegal content and products. It addresses a grab-bag of consumer protection and privacy concerns, as well as introducing algorithmic accountability requirements for large platforms to dial up societal accountability around their services. While ‘KYC’ requirements are intended to do the same for online marketplaces.

How effective the package will be is of course tbc but the legislation that’s was agreed today goes further than the Commission proposal in a number of areas — with, for example, the European Parliament pushing to add in limits on tracking-based advertising.

A prohibition on the use of so-called ‘dark patterns’ for online platforms is also included — but not, it appears, a full blanket ban for all types of digital service (per details of the final text shared with TechCrunch via our sources).

See below for a fuller breakdown of what we know so far about what’s been agreed. 

The DSA was presented as a draft proposal by the Commission back in December 2020 which means it’s taken some 16 months of discussion — looping in the other branches of the EU: the directly elected European Parliament and the Council, which represents EU Member States’ governments — to reach this morning’s accord.

After last month’s deal on the Digital Markets Act (DMA), which selectively targets the most powerful intermediating platforms (aka gatekeepers) with an ex ante, pro-competition regime, EU policy watchers may be forgiven for a little euphoria at the (relative) speed with which substantial updates to digital rules are being agreed.

Big Tech’s lobbying of the EU over this period has been of an unprecedented scale in monetary terms. Notably, giants like Google have also sought to insert themselves into the ‘last mile’ stage of discussions where EU institutions are supposed to shut themselves off from external pressures to reach a compromise, as a report published earlier today by Corporate Europe Observatory underlines. That illustrates what they believe is at stake.

The full impact of Google et al‘s lobbying won’t be clear for months or even years. But, at the least, Big Tech’s lobbyists were not success in entirely blocking the passage of the two major digital regulations — so the EU is saved from an embarrassing repeat of the (stalled) ePrivacy update which may indicate that regional lawmakers are wising up to the tech industry’s tactics. Or, well, that Big Tech’s promises are not as shiny and popular as they used to be.

The Commission’s mantra for the DSA has always been that the goal is to ensure that what’s illegal offline will be illegal online. And in a video message tweeted out in the small hours local time, a tired but happy looking EVP, Margrethe Vestager, said it’s “not a slogan anymore that’s what illegal offline should also be seen and dealt with online”.

“Now it is a real thing,” she added. “Democracy’s back.”

In a statement, Commission president Ursula von der Leyen added:

“Today’s agreement on the Digital Services Act is historic, both in terms of speed and of substance. The DSA will upgrade the ground-rules for all online services in the EU. It will ensure that the online environment remains a safe space, safeguarding freedom of expression and opportunities for digital businesses. It gives practical effect to the principle that what is illegal offline, should be illegal online. The greater the size, the greater the responsibilities of online platforms. Today’s agreement — complementing the political agreement on the Digital Markets Act last month — sends a strong signal: to all Europeans, to all EU businesses, and to our international counterparts.”

In its own press release, the Council called the DSA “a world first in the field of digital regulation”.

While the parliament said the “landmark rules… effectively tackle the spread of illegal content online and protect people’s fundamental rights in the digital sphere”.

In a statement, its rapporteur for the file, MEP Christel Schaldemose, further suggested the DSA will “set new global standards”, adding: “Citizens will have better control over how their data are used by online platforms and big tech-companies. We have finally made sure that what is illegal offline is also illegal online. For the European Parliament, additional obligations on algorithmic transparency and disinformation are important achievements. These new rules also guarantee more choice for users and new obligations for platforms on targeted ads, including bans to target minors and restricting data harvesting for profiling.”

Other EU lawmakers are fast dubbing the DSA a “European constitution for the Internet”. And it’s hard not to see the gap between the EU and the US on comprehensive digital lawmaking as increasingly gaping.

Vestager’s victory message notably echoes encouragement tweeted out earlier this week by the former US secretary of state, senator, first lady and presidential candidate, Hillary Clinton, who urged Europe to get the DSA across the line and “bolster global democracy before it’s too late”, as she put it, adding: “For too long, tech platforms have amplified disinformation and extremism with no accountability. The EU is poised to do something about it.”

DSA: What’s been agreed?

In their respective press releases trumpeting the deal, the parliament and Council have provided an overview of areas of key elements of the regulation they’ve agreed.

It’s worth emphasizing that the full and final text hasn’t been published yet — and won’t be for a while. It’s pending legal checks and translation into the bloc’s many languages — which means the full detail of the regulation and the implication of all its nuance remains tbc.

But here’s an overview of what we know so far…

Scope, supervision & penalties

On scope, the Council says the DSA will apply to all online intermediaries providing services in the EU.

The regulation’s obligations are intended to be proportionate to the nature of the services concerned and the number of users — with extra, “more stringent” requirements for “very large online platforms” (aka VLOPs) and very large online search engines (VLOSEs).

Services with more than 45M monthly active users in the EU will be considered VLOPs or VLOSEs. So plenty of services will reach that bar — including, for example, the homegrown music streaming giant Spotify.

“To safeguard the development of start-ups and smaller enterprises in the internal market, micro and small enterprises with under 45 million monthly active users in the EU will be exempted from certain new obligations,” the Council adds.

The Commission itself will be responsible for supervising VLOPs and VLOSEs for the obligations that are specific to them — which is intended to avoid bottlenecks in oversight and enforcements of larger platforms (such as happened with the EU’s GDPR).

But national agencies at the Member State level will supervise the wider scope of the DSA — so EU lawmakers say this arrangement maintains the country-of-origin principle that’s baked into existing digital rules.

Penalties for breaches of the DSA can scale up to 6% of global annual turnover.

Per the parliament, there will also be a right for recipients of digital services to seek redress for any damages or loss suffered due to infringements by platforms.

Content moderation & marketplace rules

The content moderation measures are focused on harmonizing rules to ensure “swift” removal of illegal content.

This is being done through what the parliament describes as a “clearer ‘notice and action’ procedure” — where “users will be empowered to report illegal content online and online platforms will have to act quickly”, as it puts it.

It also flags support for victims of cyber violence — who it says will be “better protected especially against non-consensual sharing (revenge porn) with immediate takedowns”.

MEPs say fundamental rights are protected from the risk of over-removal of content from the regulation putting pressure on platforms to act quickly through “stronger safeguards to ensure notices are processed in a non-arbitrary and non-discriminatory manner and with respect for fundamental rights, including the freedom of expression and data protection”.

The regulation is also intended to ensure swift removal of illegal products/services from online marketplaces. So there are new  requirements incoming for ecommerce players.

On this, the Council says the DSA will impose a “duty of care” on marketplaces vis-à-vis sellers who sell products or services on their online platforms.

“Marketplaces will in particular have to collect and display information on the products and services sold in order to ensure that consumers are properly informed,” it notes, although there will be plenty of devil in the detail of the exact provisions.

On this, the parliament says marketplaces will “have to ensure that consumers can purchase safe products or services online by strengthening checks to prove that the information provided by traders is reliable (‘Know Your Business Customer’ principle) and make efforts to prevent illegal content appearing on their platforms, including through random checks”.

Random checks on traders/goods had been pushed for by consumer protection organizations — who had been concerned the measure would be dropped during trilogues — so EU lawmakers appear to have listened to those concerns.

Extra obligations for VLOPs/VLOSEs

These larger platform entities will face scrutiny of how their algorithms work from the European Commission and Member State agencies — which the parliament says will both have access to the algorithms of VLOPs.

The DSA also introduces an obligation for very large digital platforms and services to analyse “systemic risks they create” and to carry out “risk reduction analysis”, per the Council.

The analysis must be done annually — which the Council suggests will allow for monitoring of and reduced risks in areas such as the dissemination of illegal content; adverse effects on fundamental rights; manipulation of services having an impact on democratic processes and public security; adverse effects on gender-based violence, and on minors and serious consequences for the physical or mental health of users.

Additionally, VLOPs/VLOSEs will be subject to independent audits each year, per the parliament.

Large platforms that use algorithms to determine what content users see (aka “recommender systems”) will have to provide at least one option that is not based on profiling. Albeit, many already do — although they often also undermine these choices by applying dark pattern techniques to nudge users away from control over their feeds so holistic supervision will be needed to meaningfully improve user agency.

There will also be transparency requirements for the parameters of these recommender systems with the goal of improving information for users and any choices they make. Again, the detail will be interesting to see there.

Limits on targeted advertising  

Restrictions on tracking-based advertising appear to have survived the trilogue process with all sides reaching agreement on a ban on processing minors’ data for targeted ads.

This applies to platforms accessible to minors “when they are aware that a user is a minor”, per the Council.

“Platforms will be prohibited from presenting targeted advertising based on the use of minors’ personal data as defined in EU law,” it adds.

A final compromise text shared with TechCrunch by our sources suggests the DSA will stipulate that providers of online platforms should not do profile based advertising “when they are aware with reasonable certainty that the recipient of the service is a minor”.

A restriction on the use of sensitive data for targets ads has also made it into the text.

The parliament sums this up by saying “targeted advertising is banned when it comes to sensitive data (e.g. based on sexual orientation, religion, ethnicity)”.

The wording of the final compromise text which we’ve seen states that: “Providers of online platforms shall not present advertising to recipients of the service based on profiling within the meaning of Article 4(4) of Regulation 2016/679 [aka, the GDPR] using special categories of personal data as referred to in article 9(1) of Regulation 2016/679.”

Article 4(4) of the GDPR defines ‘profiling’ as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”.

While the GDPR defines special category data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as biometric and health data, data on sex life and/or sexual orientation.

So targeting ads based on tracking or inferring users’ sensitive interests is — on paper — facing a hard ban in the DSA.

Ban on use of dark patterns

A prohibition on dark patterns also made it into the text. But, as we understand it, this only applies to “online platforms” — so it does not look like a blanket ban across all types of apps and digital services.

That is unfortunate. Unethical practices shouldn’t be acceptable no matter the size of the business.

On dark patterns, the parliament says: “Online platforms and marketplaces should not nudge people into using their services, for example by giving more prominence to a particular choice or urging the recipient to change their choice via interfering pop-ups. Moreover, cancelling a subscription for a service should become as easy as subscribing to it.”

The wording of the final compromise text that we’ve seen says that: “Providers of online platforms shall not design, organize or operate their online interfaces in a way that deceives, manipulates or otherwise materially distorts or impairs the ability of recipients of their service to make free and informed decisions” — after which there’s an exemption for practices already covered by Directive 2005/29/EC [aka the Unfair Commercial Practices Directive] and by the GDPR.

The final compromise text we reviewed further notes that the Commission may issue guidance on specific practices — such as platforms giving more prominence to certain choices, repeatedly requesting a user makes a choice after they already have and making it harder to terminate a service than sign up. So the effectiveness of the dark pattern ban could well come down to how much attention the Commission is willing to give to a massively widespread online problem.

The wording of the associated recital in the final compromise we saw also specifies that the dark pattern ban (only) applies for “intermediary services”.

Crisis mechanism 

An entirely new article was also added to the DSA following Russia’s invasion of Ukraine — and in connection with rising concern around the impact of online disinformation — that creates a crisis response mechanism which will give the Commission extra powers to scrutinize VLOPs/VLOSEs in order to analyze the impact of their activities to the crisis in question.

The EU’s executive will also be able to come up with what the Council bills as “proportionate and effective measures to be put in place for the respect of fundamental rights”.

The mechanism will be activated by the Commission on the recommendation of the board of national Digital Services Coordinators.

A new report has peeled back the curtain on big tech’s frenzied lobbying of European Union lawmakers as they finalize a major series of updates to the bloc’s digital rulebook.

It reveals some of the arguments used by tech giants including Apple, Amazon, Google, Meta (Facebook) and Spotify to press their interests behind the scenes in a bid to reshape key components of the EU’s Digital Markets Act (DMA) and Digital Services Act (DSA) — targeting areas such as surveillance advertising and access to platform data for researchers — with the clear intent of shielding their processes and business models from measures that could weaken their market power.

The report, which is based on lobbying documents obtained by civil society groups Corporate Europe Observatory and Global Witness via freedom of information requests, also highlights how tech giants have ramped up their spending on regional lobbying since the DMA and DSA were proposed back in December 2020 — with the big five collectively spending over €27M (close to $30M) last year alone.

It concludes with a series of recommendations for how policymakers can better protect the democratic process from undue influence by the best resourced corporate giants.

Spend, spend, spend!

Citing publicly disclosed data, the report shows that Apple has increased its spending on EU lobbying the most — almost doubling how much it’s shelling out from €3.5M in 2020 to €6.5M in 2021, meaning it also pulled into the lead among platform peers for total regional lobbying spend last year.

Facebook (Meta) had the next biggest increase, growing the size of its EU lobbying budget from €5.5M in 2020 to €6M in 2021. Google also topped up its outlay from €5.8M in 2020 to €6M. While Amazon and Microsoft both made similar increases in regional spending over this period.

Image credit: Corporate Europe Observatory

The DMA, which gained political agreement last month, will apply only to the largest and most powerful intermediary platforms — so called “gatekeepers”; a designation that’s likely to apply to the five ‘big spenders’ in the above chart — introducing a set of operational obligations these giants must abide by up-front.

The pan-EU regulation, which is expected to come into force in October, aims to reboot competition in digital markets dominated by gatekeepers and ensure they remain open and fair.

Its sister regulation — the DSA — applies more broadly, setting rules for all sorts of digital services which are intended to harmonize online approaches to tackling illegal content and products. This means it touches on areas like content moderation, consumer protection and transparency. And while it applies across digital services a subset of so-called “very large online platforms” (aka VLOPs) will be subject to additional oversight under the regulation — meaning that tech giants will face additional DSA compliance hurdles vs smaller players.

At the time of writing the DSA is still pending political agreement — although a deal is expected after Friday’s (April 22) trilogue meeting — so the impact of big tech’s lobbying on EU policymaking should become clearer in the coming days.

So what have tech giants been spending their millions on lobbying for as EU lawmakers finalize the DSA and DMA?

Read on for a breakdown of their focus areas from the report…

Surveillance advertising

One major target for Big Tech lobbyists, per the report, has been around surveillance advertising as tech giants marshalled their millions to block off an attempt to get an outright ban on tracking-based advertising into EU legislation.

They succeeded in that goal as an earlier push by some MEPs for an outright ban did not gain full backing of the parliament so did not make it into the trilogue discussions. But the European Parliament did vote to incorporate limits on tracking ads into both the DSA and the DMA — with MEPs backing a ban on processing of minors’ data for targeting ads and a ban on use of sensitive categories of personal data.

However the Council position diverged from parliament, toeing closer to the Commission’s original proposal — which had merely suggested ads transparency requirements — so tech giants sought to exploit this to try to water down restrictions on tracking ads, per the report.

Documents obtained for the report show that Google directly lobbied the Commission in a series of high level meetings with top commissioners between November and early January in which the adtech giant raised concerns about the European Parliament’s proposals on advertising — suggesting limits on trackings would be detrimental to SMEs and harm news publishers. 

“This marked a continuation of Google and Facebook’s strategy throughout the whole discussion on new digital regulations — trying to reframe it away from Big Tech’s immense profits and business model and to instead hype up potential negative impacts for smaller businesses and consumers,” the report notes. “As Google’s leaked lobbying strategy showed, one of its priorities was to focus the discussion on the costs to the economy and consumers.”

Between January to the end of March, lobby documents show that Google remained in frequent contact with the Swedish government — arguing on four different occasions against Parliament’s proposal to ban advertising targeted at minors and other limits, per the report. “Their recommendation to national governments was to ‘support the Council / Commission position (i.e. no restraints on targeted ads’). Google argued ‘that the DSA is not the right forum to deal with these issues’,” it adds. 

There’s a special irony here given Google also led big tech lobbying efforts to delay an update to the bloc’s ePrivacy rules — which explicitly cover tracking technologies like cookies. That update remains stalled even now (the Commission proposal was presented all the way back in January 2017!). So if the tech giant were to have its way there would, it seems, be no ‘appropriate’ legal forum to rein in its surveillance ads empire. Funny that!

But as it turns out, EU lawmakers in the Council and Parliament were able to agree — through the trilogue process — on including limits to tracking ads.

At least that was the position announced last month, at the moment of political agreement on the DMA.

At the time of writing the Commission is signalling that limits on targeting advertising will be included in the DSA, with internal market commissioner, Thierry Breton, including a ban on targeted advertising to children or based on sensitive data in a tweet storm highlighting “10 things you need to know” about the regulation, for example…

Under the political deal reached between EU co-legislators last month, the DMA requires gatekeepers to gain explicit consent from users to combine their personal data for advertising.

But the French presidency of the Council also said then that they had agreed complementary provisions to limit tracking ads would also be included in the text of the DSA (still to be agreed via trilogue) — signalling that the parliament’s goal of limits on processing children’s data for ads or using sensitive data for ads would make it into EU law. 

So what did Google’s lobbyists do next? According to the report, the tech giant continued pushing against any/all limits on surveillance ads — but also evolved the lobbying tactic, by suggesting to Member States governments ways in which restrictions could be watered down in the final text to limit their impact on its ability to track and target web users.

“On 22 March 2022, the day of the final DMA trilogue, Google sent the Swedish government its thoughts for future trilogue meetings,” notes the report. “Google’s positions reflected the up to date state of the ongoing discussions. Google continued to oppose concrete new proposals regarding user consent to tracking and banning the use of sensitive data for advertising. Perhaps more interesting though, Google now seemed to understand that likely there would be some new limits to targeted advertising. So Google offered suggestions about how these should be drafted: the ban on targeting minors should be limited to ‘known minors’ and behaviour advertising should be defined as the use of individual profiling.”

As the report points out, Google’s fall back positions here are no accident — given that the tech giant has been working for several years to retool its tracking apparatus — under its so-called Privacy Sandbox plan — which proposes to switch from individual-level tracking and targeting to cohort or (now) topic-based targeting which will continue to subject web users to behavioral targeting just now putting them into buckets of eyeballs, not solo pairs.

So — to spell it out — if EU lawmakers were to limit the definition of behavioral advertising as Google suggests it could simply circumvent any limits on its flavor of behavioral advertising by saying it does not target individuals ergo the legal restriction simply doesn’t apply.

Similarly, a final text that would ban advertising to “known minors” would allow Google to claim it does not know the age of users who are not logged into its services (and potentially even users who are logged in as it does not explicitly age verify users) — again avoiding the need to restrict its behavioral targeting by default across most services (barring any it directly targets at children, such as YouTube kids).

Per the report, Google’s lobbyists didn’t stop there. They also sought to water down ad transparency requirements — pushing back against proposals that would allow users to know the criteria used to target them specifically, including when ads were targeted at kids and — in “detailed suggestions” to national governments — proposed that they should “seek to delete the obligation to disclose the criteria used for targeting, even when ads target vulnerable people like children”.

“The documents show Google taking a central position lobbying against limits to surveillance ads,” the report adds. “But they weren’t alone. Facebook, and other European companies [including Spotify] and publishers also resorted to trying to persuade national governments to oppose the Parliament’s position.”

Another big target for Big Tech tech lobbying was around data access for NGOs and public scrutiny…

Public scrutiny

On this issue, which is core to the DSA’s ability to deliver on the goal of ramping up accountability around major platforms, the report details particular moves by Spotify and Google to limit how much access external researchers can gain to platform data — such as to carry out research into the societal impact of recommender algorithms.

Civil society groups have been pushing to strengthen the Commission proposal in this area — to increase external scrutiny of VLOPs by forcing them to give access to data on algorithmic content ranking systems to vetted external researchers so they can study their function.

But Spotify and Google have been busy pushing back against closer scrutiny of how their AIs rank and recommend content to users, per the report.

“The world’s biggest music streaming service didn’t want the transparency requirements to include detailed lists of parameters, as was introduced by the Parliament. On the other hand, it welcome the Parliament’s last-minute introduction of exceptions to recommender transparency, including the protection of intellectual property and trade secrets,” runs one section on Spotify’s lobbying.

“In March this year, Spotify followed up to add its comments ‘regarding the latest compromise proposals on Recommender Systems’. The company supported the ‘evolution of the text’ regarding recommender transparency and welcomed ‘a clarification in a Recital that these rules do not prejudice IP [intellectual property] rights and trade secrets’,” it adds.

Google, meanwhile, was lobbying Member State governments to limit data access for public authorities and vetted researchers to urgent health threats. So in this scenario Europeans might have to wait for the next pandemic to get external scrutiny of YouTube’s recommender engine!

Where the DSA will actually end up on this issue isn’t clear at the time of writing.

Google also questioned whether non-profits organizations should get data — seeking to spread fear that this could put “user data and privacy and confidentiality of information at risk”, according to lobbying documents obtained for the report.

“The company asked national governments to oppose the Parliament’s position and instead support the Council’s mandate. Taken all together, Google’s suggestions would make external scrutiny of the ways in which services like Youtube amplify or de-prioritise content nearly impossible,” it adds. 

The report also reveals Google opposed proposals that would require platforms to “make the information on the main parameters for recommender systems and the functionality to opt-out from personalised recommendations directly accessible from the content itself” — presumably because that would make it too easy for users to figure out how to turn off unwanted content recommendations.

‘DMA? Er, just give us a chance to explain first…’

On the DMA, Google, Amazon, Apple and Facebook were all spotted in documents obtained for the report trying to soften the proposal during its last stage. 

Apple, for example, brought its (now) familiar argument against moves to force it to open up its App Store and mobile OS, such as by allowing sideloading of apps or other types of interoperability, to discussion tables in the region.

“The company’s main argument was that increasing data access, sideloading and interoperability would reduce user privacy and security,” the report notes, going on to conclude: “While Apple could not successfully stop interoperability and sideloading entirely, the final text does introduce a security safeguard, which will enable the company to try to justify not complying with these obligations.”

It also highlights one particular strand of collective lobbying by Big Tech targeting the DMA that looks intended to enable a repeat show of an oft used tactic against enforcement of existing EU laws which threaten how they like to operate — such as the GDPR (General Data Protection Regulation). This tactic boils down to one word: Delay.

Per the report:

“[T]he top level message from the Big Tech companies to policy-makers regarding the DMA was the same across the board: Big Tech wanted to build a dialogue between the DMA’s regulator — the European Commission — and the companies covered by it — the gatekeepers, into the text and the regulatory approach.

“They brought this wish up consistently at the high level meetings, such as the December meeting between Google and [Margrethe] Vestager’s cabinet. There Google said that regarding the DMA their ‘core argument towards the Parliament was the need for regulatory dialogue and the opportunity to individually justify certain practices’. Google repeated the same message to Breton’s cabinet in January — ‘Proper regulatory dialogue is important to ensure the enforcement of the DMA’.

“On the very same day, Nick Clegg, Facebook’s head lobbyist, told Commissioner [Didier] Reynders, that for Facebook ‘it would be helpful to have the possibility of having a dialogue with regulators on questions concerning compliance’.

“Amazon, in turn, told the Swedish government that it was ‘more comfortable with content of the Council compromise proposal than with the European Parliament’s amendments.’ The company also raised concerns that specific measures had been moved from Article 6 to Article 5, which would mean they would be automatically applicable and not dependent on a regulatory dialogue.”

Thing is, the whole point of the DMA is to bring in an ex ante competition regime for the bloc — via a set of ‘dos and don’ts’ that are supposed to apply up front for companies designated as gatekeepers, i.e. rather than antitrust authorities having to do the slow and painstaking work of building a case against a particular abusive behavior while the market suffers.

But there is — potentially — a sliver of wiggle room, at least for obligations set out in Article 6 of the DMA. For those requirements, the regulation allows for a dialogue between the Commission and relevant companies over how best to comply.

Which, well, sounds like it could be spun into delay heaven.

The report summarizes the main aim of Big Tech’s lobby campaign against the DMA as being to “expand this dialogue as much as possible”, with Corporate Europe Observatory noting it fingered this as a key priority for Facebook, Google and Apple since last summer. It also quotes another lobby transparency group, Lobbycontrol, which has argued that Big Tech’s aim here is to “gain time — and first of all an entrance point for challenging the DMA’s obligations.”

The painstakingly slow ‘regulatory dialogue‘ which Facebook and other tech giants have managed to establish with their lead EU privacy regulator — Ireland’s Data Protection Commission — since (and, indeed, even before) the GDPR came into force in 2018, enabling them to successful delay enforcement despite multiple open investigations into a variety of aspects of their businesses, is likely providing Clegg & co with plentiful inspiration for the sort of friction-filled conversation they want signed off and baked into the DMA to create a legally viable ‘back and forth’ that lets them delay actually changing abusive practices for as long as humanly possible.

It’s not yet clear how successful the tech giants have been in this regard.

However the Commission has, in recent weeks, been spotted making some concerning noises on the topic of DMA enforcement to anyone who actually wants to see regulators crack down on Big Tech, as consumer protection experts have observed…

“Ultimately the scope of regulatory dialogue in the DMA has been changed to allow the gatekeepers to initiate it. However, it will still be up to the Commission to decide whether or not to engage. We will have to wait and see how this plays out in practice,” is the report’s cautious conclusion on this.

In recent days, others have raised concerns about another potential loophole in the DMA — which, if they’re right, could see a history of failed GDPR enforcement against Big Tech tech being leveraged by the self-same giants to avoid freshly inked obligations in the DMA. Earlier this month, the Irish Council for Civil Liberties (ICCL) drew together signatures from a long list of competition and privacy experts to a letter that warns of “a severe flaw in Article 5(1)a of the latest DMA text” which they suggest will “help Big Tech firms undermine data protection and competition”.

The concern is that gatekeepers will continue to evade the GDPR’s purpose limitation principle by bundling consent for combining user data across multiple services into a single opt-in — thereby making it harder for users to deny — which is essentially how adtech giants like Facebook have evaded existing EU regulations, continuing to track and target web users in the region despite the GDPR’s requirement for unbundled consent (Facebook does not offer an opt out of behavioral advertising; to use its service you have to ‘agree’ to being profiled for ads).

The parliament’s rapporteur on the DMA file, MEP Andreas Schwab, has rejected the concern in recent days — suggesting that the DMA does not change the GDPR. And indeed, in a letter responding to the ICCL which we’ve reviewed, that “the consent requirement under the DMA builds on the GDPR consent”. He has also claimed there’s “no need to fear circumvention” because the Commission will be in charge of enforcement. Aka, no more forum shopping.

However signatories to the letter continue to warn that gaps in GDPR enforcement create a problem for effectively enforcing the DMA — unless the Commission acts quickly to provide guidance and bring cases.

“Gatekeepers will try to use the ambiguity to their advantage,” warns the ICCL’s Johnny Ryan. “It is essential that the Commission issues quick and clear guidance and enforcement decisions to stop that.”

Structural weakness?

How EU lawmaking is structured means the Commission’s legislative proposals are typically modified, via a co-legislative process, which loops in the (directly elected) European Parliament and Member States’ national government representatives, via the European Council — which together amend, vote and negotiate to try to reach a compromise on the final details of the law.

This means that there are, at least from one perspective, multiple point at which lobbyists can seek to influence — or indeed block — EU policymaking.

This starts with the Commission itself, as the EU’s executive body drafts and thus frames legislative proposals; moving on to MEPs who play a key role by voting for amendments and to set the parliament’s negotiating position (typically prefigured via committee vote/s); and extending to Member States’ governments which are represented on the Council and lead the so-called trilogue negotiations with the Parliament and Commission to seek a compromise via a rotating presidency structure that sees one Member State (currently France) responsible for producing compromise texts on behalf of the Council.

So, in short, it’s a lobbyists’ picnic!

The latter stage trilogue negotiations are especially problematic, being conducted entirely behind closed doors — thereby reducing transparency on how exactly policy is being reshaped, as the report underlines:

“This process is one of the most secretive stages of EU policy-making, held entirely behind closed doors and with nearly no public access to the discussions. The EU Institutions have argued that this secrecy is needed in part to prevent lobbying pressure on the policy-makers.

“New lobby documents obtained from the European Commission and the Swedish government via freedom of information requests show that intense corporate lobbying is happening regardless of the lack of transparency.”

The details that the civil society groups were able to glean on big tech’s lobbying around the DMA and DSA are only partial, as the report notes that responses to freedom of information requests varied.

However they say the documents they did obtain showed that tech giants like Google continued to target the trilogue process even after the Council had agreed its negotiating positions — meaning they are shown trying to grasp a very last minute, non-transparent opportunity to favorably water down measures that could shrink their market power.

“We can now confirm that corporate lobbying of EU capitals continues even after the Council agrees its positions and starts trilogue negotiations with the Parliament and Commission,” the report authors write. “While only Sweden gave us extensive access to these documents, we can expect that all EU governments must be on the receiving end of similar lobby efforts.”

“The lobby documents also reveal that Google remained in frequent contact with the Swedish government from January to the end of March (the time when we placed our freedom of information request). During this period, the tech giant would send in analysis of the difference positions, adding the company’s own analysis, and all the while replicating the EU Institutional format of documents with four columns,” they go on. “As the discussions went on behind closed doors, Google pitched in with ‘specific language on articles currently discussed’ and suggested ‘concrete amendments’, showing a strikingly live knowledge of what was happening in the negotiation process.”

According to the report, Google, Apple, Amazon and Facebook — alongside European firms such as Spotify and the copyright industry — actively sought to influence the trilogues themselves, meaning they were trying to exert influence during the least transparent point of the co-legislative process. 

The lobbying tactics they are reported to have used included:

• pitting the EU Institutions against one another;
• becoming more technical and offering amendments to the text;
• using meetings to gain access to information that was not available to the public;
• going high level: bringing in the CEOs to meet Commissioners, inviting them to off the record dinners.

Corporate Europe Observatory and Global Witness argue that this evidence of lobbying taking place during trilogues “shows how the lack of transparency benefits big corporate lobbies and adds weight to the urgency of finally opening the trilogues process up to the public” — further suggesting: “This secrecy means that only the well-resourced and well-connected lobbying actors can follow and intervene in trilogues, and excludes citizens from crucial discussions that will have an impact on their lives.”

“National governments have a say in EU policy-making via the Council. This is often referred to as the EU’s ‘black box’, as it is difficult for citizens to know who is lobbying their national government on EU policies, or even what position their national government takes in the Council. This approach, combined with the fact that lobbying at member state level requires massive resources and good connections, creates the conditions for undue corporate influence,” they add.

The report makes a series of recommendations to protect EU policymaking against undue influence by the most well-resourced lobbyists, based on the NGOs’ tracking and analysis of the DSA and DMA process since the drafting stages.

Its suggestions include shedding light into the trilogues by publishing an up-to-date calendar of meetings, including summary agendas, and proactively publishing the four-column document (which details co-legislator positions and amendments) on a rolling basis; boosting transparency and democratic accountability at the Member State and Council level including by requiring disclosure of each country’s position; putting limits on one-to-one lobby meetings and replacing them with public hearings as much as possible; and requiring EU institutions to proactively seek out those who have less resources, such as SMEs, independent academics, civil society and community groups.

Other recommendations include beefing up the existing EU Transparency Register to improve transparency on lobbying; putting in place proper funding transparency requirements that mandate think tanks and other organisations to reveal their funding sources; strengthening ethics rules to block the revolving door between EU institutions and Big Tech firms and establishing an independent ethics committee which can launch investigations and implement sanctions.

The report authors also urge EU officials and policymakers to be sceptical of those lobbying them — writing that they “should question their funding sources, check their information and data sources and denounce any type of wrongdoing or non-transparent/unethical lobbying they encounter”.

They also recommend they should not attend or participate in events or debates that are closed to the public, held under Chatham House rules, or that do not disclose their sponsorship.

Google has shared a screenshot of its new cookie consent popup. At first, the new popup will be available on YouTube in France. But the company says it plans to roll out the new design across Google services in Europe.

This updated design comes a few months after the CNIL, France’s data watchdog, fined Google €150 million ($163 million at today’s exchange rate) for breaching French law. According to the French authority, Google failed to comply with current regulation when it comes to presenting tracking choices to users — what people usually call the “cookie banner” or “cookie popup”.

Without further ado, here’s the new design that is progressively being rolled out:

Image Credits: Google

And here’s what it currently looks like:

Image Credits: Google

The text has been updated. More importantly, the choices at the bottom of the screen are radically different. With the old design, users had two options — “I Agree” and “Customize”.

If you clicked on “Customize”, Google would take you to a separate web page with several options. In order to disable all personalization settings, you had to click on “off” three times and then confirm.

With the new design, there are now three buttons. In addition to the existing buttons, there’s a new “Deny All” button that lets you opt out of tracking altogether in a single click. The two main buttons are the same color, size and shape.

Following the EU’s General Data Protection Regulation (GDPR), online services have to obtain clear consent from its users before it can process data. In particular, consent must be informed, specific and freely given in order for it to be obtained legally.

When it comes to the French fine specifically, the CNIL is leveraging the ePrivacy Directive, transposed in the French Data Protection Act, to justify that it is a competent authority to verify and sanction operations related to cookies.

“The CNIL has received many complaints about the way cookies can be refused on the websites google.fr and youtube.com,” the CNIL wrote in a press release back in January. “In June 2021, the CNIL carried out an online investigation on these websites and found that, while they offer a button allowing immediate acceptance of cookies, the sites do not implement an equivalent solution (button or other) enabling the user to refuse the deposit of cookies equally easily. Several clicks are required to refuse all cookies, against a single one to accept them.”

While Google doesn’t mention the sanction directly in its blog post, the updated design seems to be a result of the CNIL’s investigation.

“Following conversations and in accordance with specific directives from the Commission nationale de l’informatique et des libertés (CNIL), we carried out a complete overhaul of our approach. In particular, we have changed the infrastructure we use to manage cookies,” Google wrote.

After rolling out the updated popup on YouTube in France, the company plans to use the same design for its search engine as well. It’ll go live in France, but also across the European Economic Area, the U.K. and Switzerland.

And yet, many users simply won’t see the updated popup. If you’re already logged into a Google account, Google doesn’t need to get your consent as your settings are already stored in your profile page. Moreover, if you’re using Google Chrome, chances are your web browser is tied to your Google account if you ever logged into a Google service in the past.

In other words, users who don’t have a Google account will have more options. And if you have a Google account, I encourage you to review your privacy settings.

We talk about bulls in china shops, but what about bulls running through the streets of entire shopping districts, or other neighborhoods? This morning, Amazon unveiled a new feature that will test just how much of a bull it can be online — beyond its own china shop, so to speak.

Prime — its membership-based scheme that provides free and fast shipping options on a number of products sold on Amazon, alongside a number of other perks like Amazon’s streamed video and music services, used by more than 200 million consumers — is now officially stepping outside of the walls of Amazon itself. Buy with Prime, as the service is officially called, will see Prime members get to extend those Prime benefits — specifically fast and free delivery, free returns, and a seamless checkout experience — to participating third-party merchants on their own sites and apps.

There is no guarantee that this will be a big hit for Amazon. Alexa was huge for the company, and Prime on Amazon itself has been, too. But don’t forget the Fire Phone, or Amazon’s foray into restaurant delivery, or other projects that have been killed over the years.

Be that as it may, there is a giant amount of potential here for the company, so it’s worth spelling out what is going on, some of the context behind this launch (and what that means), and what it’s giving Amazon that it hasn’t had before, and why that matters.

First, the basics

Buy with Prime is starting with merchants that are already using Fulfillment By Amazon (FBA) — which, like Amazon Pay, is an Amazon feature that had already been available outside of Amazon.com and merchants use to outsource shipping and logistics.

Amazon said it will be rolling out to these retailers throughout the rest of this year, and as 2022 progresses it will also be extended to those no already using FBA or selling with Amazon on an invitation basis.

Users look for the Prime logo on these other online stores to find and use the service. Merchants meanwhile integrate by signing up, linking in their Amazon Seller Central accounts, Multi-Channel Fulfillment, and Amazon Pay; and then installing a JavaScript widget. Merchants get access to order data — but Amazon does, too (more on that below).

The whole service is run on a similar idea to AWS, based on SaaS pricing covering a service fee, a payment processing fee, a fulfillment fee and a storage fee — all calculated per unit. “Merchants pay only for what they use,” Amazon writes. “Merchants can expand selection or cancel at any time.”

Amazon is playing this as more convenience and another perquisite for Prime subscribers.

“We always aim to exceed Prime members’ expectations by offering more selection, exclusive deals, quality content, and convenient features,” said Jamil Ghani, VP of Amazon Prime, in a canned statement in Amazon’s official announcement. “With the introduction of Buy with Prime, we’re expanding where members can enjoy trusted and convenient Prime shopping benefits beyond Amazon, adding even more value to their membership. Members will have the flexibility to shop from merchants directly, all while enjoying the fast, free delivery, seamless checkout, and easy returns they’ve come to know and love from Amazon.”

It’s also touting it as part of its strategy to build B2B tools, aimed at merchants selling online.

“For over 20 years, we’ve been empowering small and medium-sized businesses with opportunities to grow,” said Peter Larsen, Amazon’s VP of Buy with Prime, in the same announcement. “Allowing merchants to offer Prime shopping benefits on their own direct-to-consumer online stores is an exciting next step in our mission to help merchants of all sizes grow their business—whether on Amazon or beyond. With shoppers purchasing directly from merchants’ online stores, Buy with Prime will allow merchants to build customer relationships and brand loyalty while offering conversion-driving benefits like fast, free shipping.”

Move slow, break things

As with other very slow rollouts we’ve seen at Amazon, the expansion of Prime beyond Amazon’s walled garden has been in the works for years — more than three, in fact.

Back in March 2019 — when the company unveiled a partnership with WorldPay that enabled merchants outside of Amazon to start to accept Amazon Pay as a payment option alongside others like credit cards, PayPal, Apple Pay and Google Pay — its VP of Amazon Pay at the time, Patrick Gauthier, got very coy when I asked him about its ambitions to extend Prime in a similar way.

Instead, he pointed me to a small trial it was running with fashion retailer All Saints, which was providing Prime shipping benefits to customers if they were already Prime subscribers.

“It has been very successful in terms of customer conversion and lift, and to capture new customers,” he said. He also noted that it ran a different test during Prime Day in 2018, embedding Prime links with third-party merchants (but linking shoppers back to those merchants’ Amazon-based products) to understand the potential opportunity it might have here. “Yes, we have had interest from merchants if and when we decide to go further with Prime,” he added. (Gauthier has since left Amazon to run Convera, Western Union’s Business Solutions spin-out.)

Prime is Amazon’s Prime agent of change

Amazon is famously vague when it comes to user numbers and revenues for specific products. Its last official numbers are from April 2021, when founder (now) executive chairman CEO Jeff Bezos said it had 200 million members. (It now says it has “over 200 million.”)

Amazon Prime arguably has been the primary agent of change in the Amazon universe: first and foremost, it’s been the company’s chief (prime, even) way of building loyalty among customers, who have found the free and quick shipping options to be a huge lever to lowering the barriers to shopping online. The allure of quick and “free” shipping has been strong enough that Prime members turn first to Prime before considering (let along buying) other products when it comes to browsing and purchasing, a route made easier by Amazon’s search feature to search just for Prime-eligible products.

That’s been shown to be powerful enough that people are even willing to opt for a Prime-based product over one that is less expensive, but might take longer to receive, or have the shipping price spelled out more explicitly in the overall price — usually a combination of the two.

Amazon’s also used Prime to introduce completely different product categories, too, from groceries through to streamed media services. Overall Amazon says that Prime covers thousands of films and shows on Prime Video; 2 million songs, thousands of stations and playlists, and thousands of podcasts on Amazon Music; free games with Prime Gaming; over 3,000 books and magazines on Prime Reading; unlimited photo storage with Amazon Photos; grocery delivery and pickup from Amazon Fresh and Whole Foods Market; same-day and other fast deliver options for 15 million items in the U.S. alone; Amazon Pharmacy and prescription access; and more.

Considering how transformative Prime has been to Amazon itself, it’s fair to wonder if Amazon might try to exercise some of that strategy further afield, too. That is to say, if it starts with the bread and butter of its business now — the Marketplace, and the kinds of products third-party sellers already offer on Amazon itself — does it expand next to offering Prime for subscriptions to magazines and newspapers, or to other kinds of media, or to grocery shopping online?

One of the key issues with Amazon for so many has been that third-party brands haven’t been so keen to fit into the Amazon template when it comes to presenting its products. Amazon has tried to make efforts over the years to address this — for example this partnership with Adobe to help D2C brands using Amazon fulfillment to customize their storefronts — but generally even when a merchant has a storefront that looks “different” to the rest of Amazon on Amazon itself, going any deeper than the front page yields the same cookie-cutter river approach that Amazon has standardized across the whole of Amazon.com.

That attitude has driven a lot of business to the likes of Shopify, Commercetools and many others offering “headless” commerce solutions to merchants to build and run storefronts with as little or as much input, and integrating as many third-party solutions including those for logistics and fulfillment, as they are willing to make — a large army of third-party e-commerce technology providers amassing in the name of giving retailers a way to bypass Amazon.

Now, Amazon is playing nice with platforms like BigCommerce. Powering sites on their own terms does away with all of that, and could be a powerful option for a wide swathe of businesses beyond e-commerce, which have a very specific focus on content management.

Move slow, break things

There are many examples of how Amazon has not been the fastest draw when it comes to launching new things. It took Amazon years to add more countries to the Kindle beyond its home market of the U.S. (or really to add much of anything: do a search on TC or Google for the words “kindle” and “finally” to see what I mean). It’s worth wondering whether that drawn-out processes has helped or hindered the growth of e-books, or if it was both and they simply cancelled each other out.

The Kindle is worth looking at when considering how Amazon has done in building products that extend it to new frontiers, as Prime would do. The success of the its home-grown e-reader is undisputed: although Amazon is famously vague when it comes to talking about actual sales numbers, others estimate that its share of e-readers is around 68%.

On the other hand, e-books themselves are still a smaller market compared to the reading market overall, with Pew Research (admittedly using 2019 data) noting that only 7% of respondents said they only read e-books, compared to 37% saying they only read print books (28% read a combination). In other words, changing overall habits may or may not happen, and it will be a slow-burn issue one way or the other. But in the meantime, Amazon itself makes a killing in the market that it has created. That could well be a pattern that gets repeated with Buy with Prime.

Data is Amazon’s oil

Last but not least, there is a fascinating data play here for Amazon, which goes to the heart of how the e-commerce giant is fueling its growth.

Amazon is giving merchants control over aspects of the e-commerce process that would have been out of their hands if they sold through Amazon itself. They can control personalization for shoppers, the algorithms behind what different people are offered and how items get priced, and the wider user interface and experience. But if keep get full control of their data, Amazon now will see it, too.

It’s processing information about its Prime subscribers, key details about their shopping habits, behavior and interests across other kinds of sites that are not designed or run by Amazon — all information that it can in turn use to improve and shape what it sells on Amazon.com.

It goes beyond that, though. Amazon has become a major player in online advertising, an area that will also potentially benefit from richer datasets on browsing and shopping habits, which because this concerns Prime subscribers and processing Prime orders, will be first-party data for the company.

It’s also giving Amazon an interesting crack at an even bigger role in the online universe, that of identity management.

Companies like Facebook (Meta), Apple and Google have all made interesting plays at controlling the “log in” across apps and sites, creating social graphs and user graphs across different walled gardens (benefitting those controlling the log-in services), while also providing a way to manage users and profiles across specific apps and sites (benefitting those app and site publishers).

This gives that concept a new twist, and points to just how Amazon really could control it all. If Facebook focused on the social graph, and companies like Apple or Google have made a play to build the identity graph, Amazon has the potential to build the consumer graph, a bigger overall picture of how the internet moves based on purchasing activity.