Apple DMA Compliance Workshop
Update: The video for the workshop has been made available at https://webcast.ec.europa.eu/compliance-with-the-dma-apple-2024-03-18. I’ve updated the blog post with timecodes for each of the questions and answers listed herein.
On March 18th I attended an EC-hosted workshop1 in Brussels on Apple’s compliance measures for the Digital Markets Act. It was a grueling 8-hour affair in a hot windowless room. There were around 75 attendees by my count, from a wide cross-section of organizations, few of whom seemed to feel that Apple was upholding the letter and spirit of the law in their compliance efforts.
Apple’s team of three, headed by Kyle Andeer (formerly an FTC trial lawyer), gamely managed to fend off the barrage, mostly by appealing to Apple’s paramount respect for “user security, privacy and safety” over and over again. The questions tended to be hostile and self-serving, and the responses tended to be vacuous, non-committal, and lacking any technical substance. In short, it went as one might expect.
Questioners were selected randomly from the attendees (both in-person and online). I managed to get two in. Following are my questions and their responses (pulled out of a whisper-generated transcript from the video, which can be accessed here).
Question (Marc Prud’hommeaux, the App Fair Project) [12:25:41] (transcript link):
Hi, my name is Marc Prud’hommeaux, and I’m here representing the nonprofit App Fair Project, which is building an app marketplace to create and distribute free and open source apps as non-commercial digital public goods.
To be approved for an iPhone app marketplace entitlement, Apple is currently requiring that an organization, either 1: have been an Apple developer program member for two years and have an app that has been downloaded one million times in the EU in the previous year.
We’ve been a developer program member since April of 2022, but it’s impossible for us to satisfy the download count requirement because the web browser app that we submitted that year was rejected by Apple.
Option number 2: provide a one million euro standby letter of credit from an A-rated institution as has been discussed.
That number presents a discriminatory and insurmountable barrier to a nonprofit organization such as ours.
I’ve requested an exemption from our Apple representative and was denied.
My question is, since nonprofit organizations are exempt from the core technology fee, what is the rationale for requiring any letter of credit at all?
And what is the objective fairness and reasonableness standard that prevents Apple from increasing that number to 10 million euros or 100 million euros or some arbitrarily high amount that would effectively exclude all alternative app marketplaces at some point in the future?
Answer (Kyle Andeer, Apple Vice President of Products and Regulatory Law) [12:33:24] (transcript link):
Again, when we think about alternative marketplaces and this was something we thought about for a long period of time, we wanted to assure that we had credible and accountable operators of stores and we want to have a single set of objective criteria.
We did not want to have special deals.
We did not want to have special assessments because as soon as you do that, you open yourself up to charges of discrimination.
And so what we focused on was what is a set of criteria that we could apply to make sure that the operators of these stores were credible and accountable and responsible.
And those were the two criteria that we established in addition to some of the other things I talked about, which is the other commitments, whether it’s engaged and ongoing monitoring of fraud to comply with laws like the DSA or the GDPR to publishing transparent data collection policies.
All these other things are important, but at the end of the day, if you don’t have an accountable and responsible operator, then those things mean nothing.
And so what we tried to do, and again, I think I answered this in response to an earlier question, we looked to find criteria that would allow us to have some confidence that the operator is someone we can trust to operate a store in the best interest of our users.
There may be others, and so we welcome feedback about what other criteria could we use to accomplish the goal that we’ve set out.
So we’re going to continue and see how things emerge.
Clearly, it hasn’t been an issue for a number of different developers, some of which we’ve heard from today, some of which we know are out there in terms of being able to secure the line of credit to allow them to enter this program.
Question (Marc Prud’hommeaux, the App Fair Project) [16:04:26] (transcript link):
Hi, Marc Prud’hommeaux from the App Fair Project.
The specific apps that people install and run, including where and when they launch them, can be considered sensitive information when it comes to political and social activity, women’s health and free speech.
Does Apple track personally identifiable information about which apps are installed from third-party marketplaces and where and when they are when the apps are launched?
If so, Apple may be compelled to disclose this information to any of the various legal jurisdictions they operate in.
This could jeopardize vulnerable users.
Will this app installation launch activity still be reported to Apple, even when they opt out of sharing analytics with Apple?
Answer (Gary Davis, Apple Data Protection Officer) [16:08:24] (transcript link):
In that instance, I’m going to somewhat highlight Apple track record in relation to responding to requests from law enforcement where we consider that the requests are disproportionate or inappropriate and clearly in such circumstances we have shown that we will raise questions about those requests and where appropriate pushback.
Obviously, if a request is lawful and is proportionate, we do our best to assist law enforcement in those circumstances.
Where we do have personal data associated with the download of an app, it is simply the download of an app.
It doesn’t indicate anything about usage.
We do not collect any information about your individual usage of an app in a personally identifiable way.
Some will come from analytics that is shared with developers, but that’s across the population of users, not individual users.
And the same installed information that we have from the App Store will be available for app marketplace downloads as well.