How the New Interoperability Mandate Could Violate the EU Charter
Previously published by Lawfare on 6 July 2023.
Among the regulatory tools created by the European Union’s Digital Markets Act (DMA)—landmark competition legislation that took effect across the EU last November—is a mandate that the largest digital-messaging services must be made interoperable. In the name of promoting fairness in digital markets, these gatekeeper services are asked to allow external services to connect with them, enabling new and smaller players to compete.
But even proponents of legally mandated interoperability have also long acknowledged that it comes with enhanced privacy and security risks. Such risks have also been highlighted by the Organization for Economic Cooperation and Development and by academic commentators. According to a new paper by Cambridge University computer security experts Jenny Blessing and Ross Anderson, making messaging services interoperable not only increases their levels of technical and organizational complexity, but it forces users to trust service providers even more than they already do. The authors argue that it may simply be inherent to interoperability that it makes services less secure.
To the extent that this is true, the DMA has a problem. Increasing the level of privacy and protection of personal data through the law is notoriously difficult even if that is the explicit goal of legislation. The DMA was not aimed to promote privacy. Its stated goals are economic: enhancing “contestability” and “fairness” in the digital economy. This may explain why privacy concerns were sidelined during the DMA’s legislative process and dismissed with a claim that several references to the EU’s General Data Protection Regulation (GDPR) addressed the new privacy risks created by the DMA. However, it is not the GDPR that sets the standards with which laws like the DMA must comply. Those overarching standards come from the EU Charter of Fundamental Rights and its Articles 7 and 8, which establish the rights to privacy and to the protection of personal data.
The DMA mandates that messaging interoperability be implemented in a way that preserves the levels of security—and, arguably, the privacy and protection of personal data—that users currently enjoy. This creates an interpretive question: How should we understand this “preservation” safeguard? If interoperability can’t be accomplished without reducing security, then the mandate arguably should remain a dead letter until that becomes possible. Indeed, it is a feature of EU law, stemming from the EU Charter—as interpreted by EU courts—that it prioritizes the preservation of user privacy over the DMA’s chief goals of competition and economic fairness.
The DMA’s Security-Preservation Safeguard
Article 7 of the DMA creates a duty for the largest digital services—those identified as “gatekeepers” by the European Commission—to ensure the “interoperability of number-independent interpersonal communications services.” The commission has yet to formally identify which platforms will be deemed gatekeepers, but it’s fair to speculate that the interoperability mandate would extend to services such as Google Chat and Meta’s WhatsApp.
Article 7(3) specifies that “[t]he level of security, including the end-to-end encryption, where applicable, that the gatekeeper provides to its own end users shall be preserved across the interoperable services.”
This statutory text is straightforward. It does not appear to permit any reduction in user security for interoperable services. That the level of security available to those users remained “reasonable” would not be a defense, nor would it matter if the level of security provided was one the European Commission found to be appropriate. The DMA says clearly the existing level of security “shall be preserved.” Any attempt to water down that safeguard would encounter a significant obstacle in the form of the EU Charter.
Articles 7 and 8 of the charter secure the rights to privacy and to the protection of personal data, respectively. The EU Charter is considered “primary” law with which all secondary law—like the DMA or the GDPR—must be consistent. Where there is an inconsistency that cannot be resolved through legal interpretation, the secondary law is invalid.
There is precedent for the Court of Justice of the European Union (CJEU) to find secondary EU law invalid on grounds that it conflicts with the charter-protected rights to privacy and the protection of personal data. Indeed, the court has generally seen the rights to privacy and the protection of personal data as particularly significant and likely to “win” against other interests in most balancing exercises. In the Digital Rights Ireland case, for example, the CJEU deemed the entire Data Retention Directive to be invalid. The directive created a scheme under which the contents of phone and internet communications of EU citizens would be stored and made available to law enforcement. This was argued to be a necessary and effective response to terrorist threats, including the then-recent 2005 attack in London. The CJEU rejected the argument that even such an important objective justified the restriction of fundamental rights imposed by the directive. The CJEU has also invalidated specific provisions of other laws on the same grounds.
If implementing the DMA’s interoperability mandate were to diminish a user’s level of security, the CJEU would likely see this as a restriction of the rights protected by Articles 7 and 8 of the charter. This is not to say that security is identical with privacy or with the protection of personal data. In fact, some efforts to improve user security could restrict the users’ rights to privacy and to the protection of personal data. This is why, as the European Data Protection Supervisor (EDPS) noted in his opinion on planned amendments to EU cybersecurity rules, if identifying risks to user security requires additional processing of user data (IP addresses or device identifiers) specifically for security purposes, then such activity must be done in accordance with privacy and personal data protection principles like data minimization. However, as the EDPS also noted, “security is essential for compliance with EU data protection law,” which is recognized by the GDPR itself (security is one of the chief principles of personal data processing in Article 5).
The kind of reduction of the level of user security that would be needed to implement the messaging interoperability mandate would be a reduction in security measures that ensure privacy and the protection of personal data. The messaging interoperability mandate would not, for example, mean a reduction in how much user data is being transferred among various entities to facilitate risk intelligence. To the contrary, this is a mandate for more processing of personal data or at least for processing it in a way that puts a considerably higher burden of maintaining privacy and data protection on the user. Hence, it is hard to see how it could be anything other than a restriction of the rights to privacy and to the protection of personal data. A restriction is not necessarily an infringement of those rights, but such restrictions are allowed only if they are “proportionate.” While the potential issues that could be raised in proportionality analysis are legion, one notable standard that the CJEU established in the Digital Rights Ireland case was that there must be “clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter.”
Therefore, the CJEU is unlikely to accept efforts to water down an interpretation of the DMA’s Article 7(3) that is contrary to its literal meaning. If implementing the interoperability mandate will “inherently” reduce a user’s level of privacy and security, then it cannot be done.
Does Mandated Interoperability Really Diminish Security?
Another way to defend the messaging-interoperability mandate would be to argue that it can be implemented in a way that preserves current levels of user security and that there is no restriction of the rights to privacy and to the protection of personal data protected by the EU Charter.
The aforementioned Cambridge paper is decidedly modest in its conclusions. The authors do not argue that interoperability mandates should not be explored, nor that a “reasonable” level of security cannot be achieved with interoperable systems. Their finding is simply that achieving that reasonable level will be difficult and necessarily requires additional complexity that may compromise both user security and the overall user experience.
One notable mistake the authors identify in the public discourse about interoperability and security is the prevailing focus on technical solutions, particularly cryptographic ones, when the greatest challenges are nontechnical. Ultimately, they note: “There is simply no getting around the fact that interoperability represents a dramatic expansion in the degree of trust a user will need to place not only in their own messaging service but also in any used by their communication partners.” And in an accompanying blog post, Anderson adds: “Interoperability will vastly increase the attack surface at every level in the stack—from the cryptography up through usability to commercial incentives and the opportunities for government interference.”
The authors’ conclusion that a “reasonable” level of security can be achieved needs to be seen in this context. Given how much interoperability will increase the risks and the need for trust, immense effort will be required to address these increases in the potential attack surface. The soon-to-be-designated gatekeepers will need to try to protect their users, while avoiding running afoul of the DMA’s “anti-circumvention” rule or being accused of employing “dark patterns.” Meanwhile, some of the tools that messaging services have already deployed to address the risks of client-side interoperability—such as the blue/green message bubble differentiation on iOS—face criticism as being anti-competitive. And even with those efforts, Blessing and Anderson suggest, the resulting level of security will simply not be as high as what the users enjoy now.
As I have argued elsewhere, the DMA clearly betrays its authors’ choice to prioritize what are, at best, speculative gains in the “contestability” of digital markets over avoiding entirely predictable risks to user privacy and data security. This preference, however, will likely not survive the strict scrutiny that EU law applies to restrictions of the rights to privacy and to the protection of personal data.
Consequences for the DMA
The lack of attention to the rights protected by the EU Charter of Fundamental Rights during the legislative process will need to be corrected, either by interpretation of the DMA (the results of which may surprise its authors) or by even more drastic intervention by the CJEU. The court has often engaged in very far-reaching interpretations of the text of EU regulations and directives to bring them into conformity with the EU Charter. Thus, the user privacy and data security concerns that were largely overlooked during the DMA’s legislative process are likely to play a much more significant role moving forward and very well might lead to litigation.