Since I haven't been invited into the room for this one, I'll be live tweeting the livestream of the European Commission's 2025 DMA compliance workshop for Google. 
It's a hot morning, both literally (hottest day of the year in Brussels), and figuratively, with the most spicy topics addressed first:
Note however, the truly most spicy topics are not on the agenda, the EC has left out the open investigation on self-preferencing, where the EC recently made a preliminary finding of non-compliance (I did a thread on that earlier)
https://x.com/KayJebelli/status/1902696888786399583
The EC's Alberto Bacchiega starts out noting that overall the day will focus on changes since last year's workshop, improvements based on feedback, and user uptake (you can see my live-thread of last year's workshop below)
https://x.com/KayJebelli/status/1770723253536821414
This focus on "improvements" to me reveals a lot. But I'll have to dig into that in a longer form later. Remember, the DMA was meant to be a "clear list of do's and don'ts", it shouldn't be a moving target, but it clearly appears to be enforced as such. That's a major concern.
The EC starts with describing the relevant obligations covered in this session, highlighting three areas of improvement, and noting that for FRAND access, these are still subject to regulatory dialogue so are seeking feedback and expecting more improvements.
Over to Google, who say that the purpose of these workshops is to provide transparency for business users looking to take advantage of the benefits of the DMA.
Google highlights that they are committed to compliance with the DMA, and have engaged more than any other gatekeeper with stakeholders, noting over 250 meetings and over 30 workshops with business users.
However, they are concerned about the negative impacts of the way the DMA is being enforced, and that it makes EU users "second class citizens" because of delayed innovations, or degraded services.
Google notes that the success of a compliance solution shouldn't be measured by user uptake "you can lead a horse to water but you can't make it drink". The lack of uptake could be because there was no problem to begin with, or because there's no user interest in the solution.
Google also warns that the DMA is failing in harmonising enforcement, because of national authorities taking action on the same conduct, and national courts engaging in private enforcement.
G urges the EC to act to maintain the harmonizing function.
G urges the EC to act to maintain the harmonizing function.
G also notes the tremendous resources required: 3,000 people working full-time for 2 years for Article 5(2) compliance alone. Most of these were engineers, not lawyers.
The unprecedented demand on engineers and product teams' times is not sustainable. It's not conducive to innovation, and Google can't improve its services if it has to continue this level of investment in compliance.
Again, this is exacerbated by the "moving target" problem
Again, this is exacerbated by the "moving target" problem
Google now closes with a focus towards the future, how the process could be improved: it notes that there needs to be more certainty, and more of a focus on the wider impact.
Before moving to the floor, the EC clarifies that it does not want to be questioned and the focus should remain on Google and its compliance solutions for the obligations on the agenda.
Moving to the compliance specifics of Android and Chrome choice-screens / defaults / uninstallation, Google notes that Android is a unique open operating system that introduced competition against Microsoft, Symbian, and Apple, and that Google has to keep it open and competitive
Google improved choice screens in June of last year by introducing descriptions of each of the various services directly on the choice screen (not needing the chevron click), a fully randomised list, and end of 2024, a persistent choice-screen notification requiring users interaction
This has led to increased user choice, to the tune of hundreds of millions of user interactions.
On alternative app distribution, G notes that it already allowed not only side-loading, but pre-installation and third-party app stores. All of this pre-DMA.
82% of Android devices have downloaded at least one app from a source other than Google Play. 70% of EU devices have a preinstalled app. More than half of devices have a side-loaded app.
Despite this, G warns that there are real threats from side-loading that need to be protected against. 50x more likely to encounter malware off GooglePlay.
Android applies proportionate safety measure for side-loading (respecting the increased risk vis-a-vis preinstallation)
Android applies proportionate safety measure for side-loading (respecting the increased risk vis-a-vis preinstallation)
On interoperability requests, Google notes some of the advanced functionalities it provides on its interoperability request portal, including upvotes and how it addresses prioritisation.
G also explains how they've ensured websites have fair, reasonable, and non-discriminatory access to Google Search
on to questions, and interestingly Google has their external lawyers answering some of the questions for them. I haven't seen that before, but it reflects the quasi-criminal ongoing investigations and how G's answers could be used against them, the difficult situation they're in
G side handles the first volley of questions from DDG, Seznam, and OpenWebAdvocacy fairly well, explaining how each of their demands go beyond what the DMA requires, and how G's compliance reflects a principle of user empowerment across gatekeeper services.
On demands for uninstallation to fully delete any legacy code: G notes that some legacy code needs to remain, it's minimal, isn't seen by the user, and as found by the CMA, doesn't have any competitive impact.
2nd round of questions, EDRi doubles down on uninstallation, demanding to know why Google apps would remain on the system partition.
An open source advocate (I missed the org name) says third-parties can offer system services that could replace google (noting network location provider, and push notification provider), and asks Google why it's not enabling replacement of these services.
G responds that they need to determine what constitutes the OS and what doesn't, but urges business users to make use of the interoperability request portal so they can prioritise requests and adjust the scope as needed.
Back to uninstallation, G again points to the extensive investigation of the UK CMA and their conclusions. Certain core things have to remain in the system partition, so that it can be factory reset.
Responding to Mozilla's repeating the question on the hot seat (the row of apps at the bottom of the screen that remains regardless of what screen you go to), G again distinguishes it from defaults and the DMA's scope.
Questions now are falling outside the scope of the agenda. Google shows willingness to discuss these issues, and identify the right people internally who can address them.
In response to a sideloading question, G says it will reduce the flow from 3 steps to 2 steps later this year. Notes that it can't just do a white-list for app developers, because apps are not installed by GPlay and a malicious developer could spoof a whitelisted install file
Over 100 million apps on android, and there's already billion spent on verifying Play apps. Reviewing all sideloaded and pre-installed apps would 3x the cost. There are limits to the talent available to do this. And the threat is real. Measures are proportionate to this.
And now we have a short break. Next up, Google and AI
Google starts out by defining what it means by AI
Notes that AI is a technology, not a product, and that it will increasingly become omnipresent across a wide range of products and services (and not just Google's)
AI has been part of Google for over 25 years
Google now explains how AI and machine learning has long been used to identify search and youtube video results.
G goes on to discuss how AI technologies have dramatically reshaped competition in the digital space, creating new product categories, attractive massive investment and valuation, and hundreds of millions of weekly users (all unthinkable under the logic underpinning the DMA)
It's not only a new technology paradigm attracting investment and creating massive value for consumers, but it's a highly competitive space as well, throughout the value chain
G concludes that AI is already covered under the DMA, pointing to the DMA's technology neutral nature.
First questions are about data used to train AI, which G notes is not a DMA question, but nevertheless explains the sources and compliance with relevant legal requirements.
In response to self-preferencing and AI overviews, G notes that they are taking compliance seriously but insists that their desire is to be able to bring these services to the public in Europe as soon as possible.
Publishers are now bringing up copyright arguments, demanding payment for use of public content, and claiming that AI Overviews undermine the DMA and lack transparency
(I'm not surprised that they're trying to wedge this issue into the DMA, they've been at war with AI recently)
(I'm not surprised that they're trying to wedge this issue into the DMA, they've been at war with AI recently)
G responds that there are wider changes happening on content and media markets, that AI might accelerate some of these trends, but it requires adapting to the changed media ecosystem, and that G has already undertaken many efforts to support journalism.
G notes that they don't see a "further entrenchment test" in the DMA, suggested by publishers as justification for acting against AI Overviews under the DMA.
AI overviews are fully aligned with the intended purpose of general search results.
AI overviews are fully aligned with the intended purpose of general search results.
In response to a Q on AI interoperability, G's lawyer points to the DMA text, the limitation to Android OS APIs, and how 3rd party gen AI solutions have the same equal access to Android OS APIs.
In response to a Q on the AI Act and potential overlaps, G says that overlapping laws increases the complexity of the regulatory environment, and can make it harder to have the clarity and certainty needed to deliver innovative products to Europeans at pace.
Now it's the lunch break before the net session on data related measures
On data-portability and access, the EC notes that regulatory dialogue is "iterative and open-ended"
... further evidence of the "moving target" problem
... further evidence of the "moving target" problem
G explains the key principles it follows for Art 5(2) Consent Screen compliance, noting that it is also in dialgoue with the Italian competition authority over the same issue.
G says that tracking and labelling every piece of data, and building the infrastructure to do that, was one of the biggest compliance tasks. 97.7% of European users (428 million) have now made a consent decision.
Now on data portability and Google Take-out, G notes 9 million uses per month (note take-out predates the DMA, it was introduced voluntarily by Google in 2011)
On the API for automated export of data to third-parties (3Ps), G notes the balancing of having access, but securing privacy.
Due to regulatory dialogue, there were three important enhancements made to the data portability API
On Art 6(10) access to data, Google has again made improvements in response to EC feedback and regulatory dialogue
For access to search data, Google has made available a massive dataset
And again, has made a number of changes based on feedback, though subject to the limits of anonymisation and data protection.
In the Qs, EDRi asks about consent rates and why G doesn't explain which services might be affected by the consent. G responds that it can only give examples because there are numerous ways that consent can improve services, and it would be too many to tell in an info box.
G notes that if it were to list all the possible things that would be affected by lack consent, this itself would also be alleged to nudge users towards consenting, so it has to do its best. On the consent rates, that information has been provided to the EC.
In response to question, G's lawyer explains that Android OS doesn't collect personal data from users, and that's why there's nothing from Android to be included in the data portability API.
A few specific questions now on access to advertising data, wanting it to be more granular (including individual searches). G urges access seekers to use the online tools, while noting that there is an inherent limitation on what can be made available, due to privacy constraints
Seznam and DuckDuckGo now asking for more granular user search data, complaining that the anonymisation efforts are too strong. G's lawyer replies that they are less anonymised than some experts have suggested, and are not aware of better anonymisation methods.
On the pricing offer for search data-sets, G's lawyer notes that no other company offers this, so there was no reference price, but G did a benchmarking exercise against data-broker who offer similar data sets, and has provided these calculations to the EC.
Final break of the day now, before we move on to the last session focused on the Data Portability API
Interestingly, G has deferred to a 3P developer who has been using the DPAPI to share their experience.
They note transfer speed improvements, and a high quality of the data.
However, consent requirements, service level agreements, and continuous access, could be improved.
They note transfer speed improvements, and a high quality of the data.
However, consent requirements, service level agreements, and continuous access, could be improved.
Google now presents the example of a developer that wants to improve their alternate music streaming services with portability of G user song playlists.
(interesting choice of example, given dominant Spotify doesn't have to offer any playlist export or data portability options).
(interesting choice of example, given dominant Spotify doesn't have to offer any playlist export or data portability options).
A few Qs of particular use cases, or asking for more data. Some promises to follow-up, and a reminder of necessary privacy requirements.
One Q on why G doesn't treat 1P and 3P services the same, doesn't get a complete response.
... But it's the kind of question that answers itself, and really tells a lot about what kind of regulatory tool we're dealing with here.
... But it's the kind of question that answers itself, and really tells a lot about what kind of regulatory tool we're dealing with here.
Getting to finish a bit early now, final comments and wrap up from G and the EC.
The EC thanks everyone for their contributions saying it helps ensure G's compliance with the DMA!
The EC thanks everyone for their contributions saying it helps ensure G's compliance with the DMA!
That's it for this one. I'm supposed to be back in the room tomorrow for Bytedance and Thursday for Meta so won't be live-tweeting those. But if you're keen for more DMA Workshop content, check out my recent blogpost below:
https://x.com/KayJebelli/status/1939187618807238860
@threadreaderapp unroll please
• • •
Missing some Tweet in this thread? You can try to
force a refresh
