A statue holding the symbol of the Euro in front of the European Parliament building.
Photo: Mark Renders via Getty Images

The DMA is a BFD

Protocol Policy

Hello and welcome to Protocol Policy! I’ve spent years tracking every incremental development of U.S. tech competition proposals because it would be so monumental if any passed. Now, Europe’s pretty much wrapping them all together and shoving them out the door. Plus, Europe and the U.S. are going back to their on-again/off-again thing on data flows, the Lapsus$ gang was maybe a bunch of meddling kids and blockchain shockingly(!) is bad for voting.

The DMA goes for tech’s DNA

While you were sleeping, Europe got ready to change all of Big Tech.

There’s a lot of rhetoric around the Digital Markets Act (and a potential EU/U.S. data flows deal): “Historic.” “New era.” “Landmark.”Trillions in commerce. All I can say is: The hype is real. This is all really, really big.

  • Last night, European authorities announced they had agreed to new rules for Big Tech competition under the DMA. Final passage is still required, but that’s basically a formality.
  • The DMA will focus on digital gatekeeper platforms worth over about $83 billion (75 billion euros) in areas such as messaging, social networking, browsers and mobile operating systems.
  • Many of those would of course be U.S. companies such as Amazon, Apple, Google and Meta — which will now be subject to penalties as high as 20% of global turnover for repeat offenses unless they fundamentally remake how they operate in Europe, if not across the world.

Here’s what that will actually look like in our everyday screen-swiping, “Buy”-clicking world:

  • Apple will have to let iMessage text and send files with smaller messenger players such as Signal or Telegram (as will WhatsApp). It will also reportedly have to allow third-party app stores and outside payment systems in apps, which pretty much makes everyone in Cupertino sick.
  • Google won’t be able to combine users’ “personal data for targeted advertising" without explicit consent. And because the DMA will touch on search engines, browsers and digital assistants, Android will have to make sure users really can choose between Google competitors like DuckDuckGo, Firefox or Siri.
  • Amazon, meanwhile, will have to contend with the apparent ban on self-preferencing, which seems likely to force the company to pull back in its competition against third-party sellers on its site — particularly its use of their data.
  • Meta won’t be too happy with the messenger provisions, or the data-combining limits either.

Big companies are sad.

  • Big Tech lobbied about as hard as it could against the rules over the last year-plus, knowing that regulation in Europe has a way of becoming a worldwide standard.
  • They’ve dismissed the DMA as an effort to hobble U.S. companies and foster underperforming European competitors at the expense of consumers and security.
  • The parts of the Biden administration that are charged with boosting U.S. companies won’t be too happy either (even as they battle against the competition-reform side of the government).

That wasn’t all the EU did, by the way … President Joe Biden and European Commission President Ursula von der Leyen also announced Friday they’ve agreed to principles that will allow them to set up a new approach to data flows between the U.S. and EU.

  • Since 2020, when Europe’s top court invalidated a prior framework, thousands of companies have been on edge over the fate of trillions of dollars in commerce linked to data transfers.
  • The agreements are supposed to ensure that U.S. companies, which more or less operate without privacy restraints, are actually respecting the data rights Europeans have, but the court found that U.S. surveillance laws make that impossible.
  • The White House said companies will be able to adhere to the principles and self-certification underlying the old deal, while the U.S. puts in place new boundaries on government surveillance and an independent body that will be able to get remedial measures for those in the EU.
  • Will that be enough for European courts, which stopped not only the previous agreement, but in 2015, scrapped the one in use before it, too? It’s hard to know. But Max Schrems, the privacy campaigner who brought both past frameworks to court, is already threatening to try again. The countdown to Schrems III is on.

It’s easy to get lost in the swirl of developments and acronyms, but something genuinely transformational really did start in recent days. It’ll mean changes for the world’s most powerful companies — and for us, their users — for years to come. And if that isn’t enough, keep in mind: Europe wants to tackle online content next.

Ben Brody (email | twitter)

In Washington

The government’s all-purpose, in-house watchdog says using blockchain for voting could introduce “new vulnerabilities” to elections, mostly because decentralization makes for more attack points. The GAO’s new report did conclude, however, that the technology could be useful in managing supply chains.

The Senate GOP’s campaign arm is trying to make net neutrality advocate Gigi Sohn’s pending confirmation to the FCC into an election issue that’s somehow also about the police. The National Republican Senatorial Committee noted that the Fraternal Order of Police has opposed Sohn over issues like encryption, but really mostly just her likes and retweets during the height of 2020’s Black Lives Matter protests.

The Justice Department arrested two alleged NFT scammers. The creators of the Frosties collection were accused of performing a “rug pull” after they transferred $1.1 million in crypto proceeds out of a designated wallet.

Google also announced a bevy of measures intended to “support the 2022 U.S. midterm elections.” There’s a whole lot of “what could go wrong?” in the list of initiatives. For instance, on YouTube, the company will surface “authoritative voices” and will ban “content that advances false claims that widespread fraud, errors, or glitches changed the outcome of any past U.S. presidential election.”

In the states

The patchwork is now at four: Utah’s governor signed the state’s privacy bill, which consumer groups labeled as too weak. Utah now joins California, Colorado and Virginia on the list of states with online data protection laws, signaling the growing threat of a “regulatory patchwork” for companies because of Congress’ ongoing failure to pass its own law.

The San Francisco Board of Supervisors voted unanimously for an 18-month pause on the development of future delivery centers in the city, including Amazon’s planned facility on 7th Street. The Teamsters supported the measure, which focused on environmental impact and now heads to the mayor’s desk, as they seek to unionize Amazon workers.

Gas prices are high and EVs are expensive, so what does California do? Nothing, so far. But Governor Gavin Newsom is proposing a relief package that would give registered car owners $400 per vehicle. President Biden is also reportedly debating whether to instate a gas tax holiday. With EV prices so high, Congress is facing pressure to pass legislation that would offer tax credits. Limited supply would still be an issue, however.

Uber struck a deal with the New York City Taxi and Limousine Commission. That means New York’s iconic yellow taxis will soon be available to order through Uber. The integration is set to go into effect later this spring. It marks a milestone for Uber as its first partnership with taxi operators in the U.S.


From the AI Act to the Data Act all the way to the DMA and the DSA, the EU is reinforcing its digital policy arsenal. Keen to know more? Wait no longer and join POLITICO Live’s AI & Tech Summit on April 21st to dissect those issues with top decision makers.

Learn more

On Protocol

Google will let Spotify try out giving users non-Android billing options. While it’s just a small “pilot” that benefits a longtime antagonist of the big mobile OS providers, the move signals our current app store model will wither away sooner or later, and sets off a scramble between Google and Apple over all the details of what comes next.

On that note, mobile app developers don’t intend to ease pressure after the Google-Spotify deal. “Our mission is more important than ever as momentum grows for enforceable policies that level the playing field, including the Open App Markets Act and the Digital Markets Act,” Rick VanMeter, the executive director of the Coalition for App Fairness lobbying group, told Protocol.

Exxon will test using natural gas to power mobile generators that mine crypto. The program is part of a partnership with Crusoe Energy Systems, a company backed by Bain Capital and the Winklevoss twins. The gas would normally be burned off, sending methane into the atmosphere. The new method will still send methane into the atmosphere — it just happens to also simultaneously power crypto mining. Apparently this is what it means to “go green” in 2022.

Microsoft will expand its cybersecurity training program to 23 countries chosen based on “elevated cyberthreat risk.” The skilling initiative started in the U.S., where Microsoft partnered with 135 community colleges to help train workers for the industry. The initiative involves plans to work with schools, nonprofits and businesses in new regions.

Around the world

Malaysia’s deputy finance minister said the country won’t adopt cryptocurrencies as legal tender. The clarification came in response to the deputy minister of the Communications and Multimedia Ministry calling for Malaysia to follow El Salvador’s lead in embracing crypto as the national exchange currency. Deputy Finance Minister Mohd Shahar Abdullah cited volatility and security vulnerabilities as reasons not to use cryptocurrencies for payments.

The United Nations gathered 167 nations to establish deep-sea mining guidelines. We’re facing a global shortage of nickel, cobalt and lithium — all of which can be extracted from the seafloor. There are still serious ecological ramifications associated with deep-sea mining, and some scientists are ringing alarm bells.

Police in the UK arrested an unnamed 16-year-old who was allegedly a leader of hacker gang Lapsus$, which appears to have breached companies including Microsoft and Okta. The police said they had arrested seven people age 21 or under in their investigation so far, but they have all been released without charge.

The Justice Department charged four Russian officials with hacking U.S. infrastructure in incidents ranging from 2012 to 2018. The hacks reportedly targeted more than 500 global companies and several government agencies, including the Nuclear Regulatory Commission.

In data

$500 billion: That’s reportedly around how much Sen. Joe Manchin wants allocated for climate in a revised version of the Build Back Better bill. With that change and the roughly $1 trillion in new revenue from taxes, Manchin’s version would be much smaller than the $3.5 trillion bill initially proposed by Biden.

That time Grimes canceled a blog

Eagle-eyed viewers noticed Grimes claimed in that Vanity Fair interview that, back in 2012, she got a friend who worked for a video game company to launch a DDoS attack against a gossipy culture blog that published photos of her. In what Grimes described as her “coolest hacker moment,” the two then “basically blackmail[ed]” the site into taking down the story. Reportedly, they also deleted backups — but would now be beyond the statute of limitations for any alleged crimes.


From the AI Act to the Data Act all the way to the DMA and the DSA, the EU is reinforcing its digital policy arsenal. Keen to know more? Wait no longer and join POLITICO Live’s AI & Tech Summit on April 21st to dissect those issues with top decision makers.

Learn more

Thanks for reading, see you Monday!

Recent Issues