Apple urges EU Commission to review DMA and GDPR
In the dossier sent to Brussels, Cupertino highlights the tensions between the openness obligations imposed and the protection of users' privacy
by B.Sim.
The long-standing dispute between Apple and the European Commission over personal data and market rules has a new episode. This time, the Cupertino company, which has always argued against the most recent European instruments, has sent the Commission and the EDPB (the European Data Protection Board) its comments on the Joint Guidelines on the relationship between the Digital Markets Act (DMA) and the GDPR. It is a long, very technical document, but it can be summarised as follows: according to Apple, the way in which the DMA is applied today risks weakening the privacy protections guaranteed by the GDPR, instead of coexisting with them.
The central issue is the relationship between openness obligations imposed on gatekeepers and architectures designed to limit data access. Apple cites in particular the interoperability provided for in an article of the DMA: the Commission, in effect, asked it to allow third parties access to information such as notification content or Wi-Fi network history, which was previously protected by encryption or processing only on the device. According to the Californian company, this contradicts the principle of data minimisation promoted over the years by the European privacy authorities themselves.
A second front is the opening up to alternative app stores and new forms of app distribution and payments (other key points among the demands Brussels has made of Cupertino's engineers). Apple emphasises (for the umpteenth time) that the DMA obliges it to give up part of its 'closed' security model, shifting the task of recognising risks such as malware, fraud or subscription scams to the individual user, even if he or she is not an expert. The company therefore demands that privacy and security be explicitly considered in the Guidelines as part of the system 'integrity' that the DMA allows gatekeepers to protect.
Apple also raises doubts on two other points: the possibility of imposing browser engines other than its own WebKit, which in its view expands the attack surface of devices, and the interpretation of data portability. On this last issue, it disputes the idea that portability should also include 'on-device' data to which the gatekeeper does not have access, because this would force it to create new ways of extracting information that it does not control today. It also calls for reasonable due diligence on data recipients and for users to be reminded at regular intervals of their transfer choices.
In the document, Apple also mentions the risks associated with so-called 'agentic AI' systems, i.e. agents capable of acting autonomously between apps and services. If the DMA were to be interpreted as an obligation to grant these agents very wide access to operating system resources, the company fears an increase in data exfiltration and unwanted actions. This is why it demands that the Guidelines recognise the central role of the operating system in defining which resources are sensitive and under which conditions they must be accessed.
