Before we get on with today’s post, I have a special announcement to make.
For a limited time, I will offer paid subscriptions to Futuristic Lawyer for $30 a year.
Here is what you will get with an annual paid subscription:
My commitment to publish weekly pieces about human rights and IT with a focus on globally significant developments.
Full access to my backlog of 130 posts and counting.
An e-book before the end of this year about AI’s effect on humans and human relationships.
The occasional Futurist Lawyer Podcast where I talk with talented creators about overlapping interests.
My gratitude and a deep, calm, unforgeable confidence that comes from supporting an independent creator who helps to make sense of human rights and IT.
Take advantage of this special offer before your colleague and your neighbor via the link below
👇
Welcome to the seventh edition of Tech Legal Brief!
I use these Briefs occasionally to catch up on important stories in Tech & Legal.
Here’s our agenda for today:
- Was the EU’s DMA Fines Against Meta & Apple Symbolic?
- The Existential Antitrust Threats Against Google & Meta
- Irish Privacy Watchdog Hands TikTok Third-Largest GDPR Fine Ever
- ChatGPT Hallucinates Fake Child Murderer in Breach of GDPR
- The Undisclosed Use of AI Chatbots on Popular Subreddit
- Tech Legal News (links)
Was the EU’s DMA Fines Against Meta & Apple Symbolic?
On April 23, the EU Commission announced it had issued the first penalties under the Digital Markets Act (DMA). After yearlong investigations Apple was fined €500 million and Meta was fined €200 million. For legal specifics and details about the fines, I recommend this explainer by Kluwer Competition Law Blog.
The overarching purpose of DMA is to ensure a fair and open digital marketplace by preventing so-called "gatekeepers" from imposing unfair trading conditions and practices on competing businesses and consumers. “Gatekeepers” are designated platforms with more than 45 million monthly active end users and 10,000 yearly active business users in the EU.
Fines under the DMA for non-compliance can go up 10 % of a gatekeeper's total worldwide turnover in the preceding financial year, and up to 20% in case of repeated infringements. The former EU Commissioner for Competition, Margrethe Vestager, set a relatively high bar for fines to the BigTech companies during her tenure. Google was fined €4.34 billion in 2018 for antitrust violations related to its Android system. Apple was told to pay back €13 billion in unpaid taxes to Ireland last year.
Critics say that the much-anticipated DMA penalties against Meta and Apple felt more symbolic than a show of strength since the fines were smaller than expected. We can further speculate if the EU Commission takes a softer approach to BigTech due to fears of stiff retaliation from the Orange House (I suggest this term to describe the Trump administration which operates so far from traditional US policy, culture and values).
The critics’ line of thinking is plain wrong for two reasons.
First of all, from Meta and Apple’s perspective, the fines were not felt as symbolic. Meta’s Chief Global Affairs Officer Joel Kaplan says that ”the European Commission is attempting to handicap successful American businesses while allowing Chinese and European companies to operate under different standards." A spokesperson for Apple, Emma Wilson, said “yet another example of the European Commission unfairly targeting Apple”. Meta and Apple would not respond with such outrage if they viewed the fines as insignificant custom duties.
Secondly, and more importantly, we shouldn’t see DMA as a political tool. It wasn’t meant to break BigTech’s stronghold on Europe by punishing foreign companies with humongous fines. In reality, DMA is a legal instrument made for consumer protection and designed to prevent the abuse of dominant market positions in the digital market. It’s a mistake read more into it than that. There is no secrecy involved or need to make up conspiracy theories as the rules are transparent and would apply to any sufficiently large online platform. We shouldn’t embrace Donald Trump’s misguided perspective that the fines are a “novel form of economic extortion” or in other ways confuse EU’s competition laws with political statements.
The Existential Antitrust Threats Against Google & Meta
BigTech platforms can adjust to the DMA. The rules may be complicated, unclear and ambiguous, and they will have a negative effect on the companies' bottom line in Europe in the short term. However, at its roots, DMA is about consumer protection which is a legitimate concern in a democratic society and necessary to fulfill the legally binding human rights obligations in “The Charter of Fundamental Rights of the European Union” (which is part of the EU’s constitutional framework). DMA is not an existential threat to the big online platforms unless human rights are. However, ongoing antitrust action in the US might be an existential threat.
After a federal judge ruled on April 17 that Google’s dominant position in the online advertising market constitutes an illegal monopoly, one of the proposed remedies by the Department of Justice (DOJ) and the 17 states who brought the case, is for Google to divest a key part of its advertisement business. Specifically, DOJ and the state parties are asking the court to force Google to sell Google AdX, the marketplace that connects sellers and buyers of Google Ads, and DoubleClick for Publishers (DFP) where publishers can manage the Google ads on their websites. Google is, at its core, an advertisement company. It earns most of its revenue therefrom. A threat to its advertisement business model is a threat to its existence.
The trial on remedies will commence on 22 September 2025.
In a separate landmark case, Google is fighting the proposed measures by DOJ to sell of its’ Chrome browser after a federal judge ruled in August 2024 that Google holds a monopoly in internet search.
Meta is currently fighting an existential battle in court too.
The Federal Trade Commission (FTC) argues that Meta has maintained an illegal monopoly in the market for “personal social networking services” through “killer acquisitions” – meaning they have bought smaller rivals only to remove them from the market - such as the acquisitions of Instagram and WhatsApp in the early 2010s. Should the District Court of Columbia rule in favor of FTC, the remedies will be decided in a separate trial.
A possible outcome would be that Meta is forced to sell Instagram and WhatsApp. That would be an absolute disaster for the social media giant. Meta’s ability to collect and cross-reference user data across Facebook, Instagram, and WhatsApp for personalized advertisement is foundational to its empire. Financially speaking, Instagram alone accounts for at least half of Meta’s revenue.
Mark Zuckerberg has been very outspoken about his intentions for wanting to buy Instagram and WhatsApp. For example, in an e-mail to other Facebook executives from February 2012, disclosed as evidence during the trial, Zuckerberg wrote about Instagram:
“I think what we’d do is keep their product running and just not add more features to it, and focus future development on our products, including building all of their camera features into ours. By not killing their products we prevent everyone from hating us and we make sure we don’t immediately create a hole in the market for someone else to fill, but all future development would go towards our core products.”
And:
“One way of looking at this is that what we’re really buying is time. Even if some new competitors springs [sic] up, buying Instagram, Path, Foursquare, etc now will give us a year or more to integrate their dynamics before anyone can get close to their scale again.”
It surely sounds like Zuckerberg views Instagram as a major threat and wants to buy it as a way of blocking competition. That is by definition illegal anti-competitive behavior but arguably not a smoking gun.
To win the case, the FTC has to argue successfully that TikTok, YouTube, Twitter/X, Reddit, Pinterest and LinkedIn are not direct competitors to Meta. If these platforms are competitors, it would mean that Meta’s market share in “personal social networking services” is not large enough – even with the acquisition of Instagram and WhatsApp - to fall within monopoly territory.
FTC’s argument is that the online service delivered by Meta/Facebook is primarily about personal connections with friends and families. The only major competitor in this space is Snapchat, while other online services such as TikTok, YouTube, Spotify and Netflix are for video and audio consumption, Twitter/X, Reddit, and Pinterest are for broadcasting and discovering content based on users’ interests, and LinkedIn is about professional connections rather than personal connections.
Even if Meta should lose the case, it’s very likely that the Orange House will intervene during an appeal process. After all, the tech tycoons were symbolically lining up behind Trump on inauguration day, Meta donated $1 million to Trump’s inauguration fund, and the algorithms and moderation policies on Facebook and Instagram alongside TikTok and X ultimately helped Trump to secure the election victory last year. Saving Meta from the justice of law is the least Trump could do in return. Right?
Considering the political climate, we may not see the tech oligarchy crumble in coming years. Still, the antitrust enforcement by DOJ and FTC is already forcing BigTech to stop “killer acquisitions” and other anti-competitive tricks from the coopting disruption playbook.
Irish Privacy Watchdog Hands TikTok Third-Largest GDPR Fine Ever
Moving on from competition law to the GDPR.
On May 2, the Irish Data Protection Commission (DPC) - which leads GDPR enforcement in the EU - issued a fine to TikTok of €530 million for unlawfully transferring personal data of users in the EU to China. Further, DPC ordered TikTok to bring its processing into compliance with GDPR within 6 months, or face an order which would suspend the transfer of all EU user data to the country. The full decision has not yet been published.
DPC’s probe into TikTok started already in September 2021 with two investigations. The first looked into TikTok’s processing of data about minors, the second looked into how EU user data could be accessed by “maintenance and AI engineers in China” according to the former Head of the DPC, Helen Dixon.
In September 2023, TikTok was fined €345 million by DPC for several privacy violations related to children’s data. For example, the profile settings for children's accounts were set to public by default which the European Data Protection Board (EDPB) characterized as a so-called “dark pattern” that nudged young users to make less privacy-friendly choices.
TikTok’s most recent fine marks the conclusion of DPC’s second investigation. The fine is the third-largest in GDPR’s history, only behind Meta’s €1.2 billion fine in 2023 issued for sending EU user data to the US without adequate safeguard, and Amazon’s €746 million fine in 2021 issued for tracking users without explicit consent.
Why did the DPC issue such a huge fine to TikTok?
China has not been white-labelled (known as an adequacy decision) by the EU Commission as a “safe third country” meaning it has not been recognized as having an adequate level of data protection. Therefore, TikTok relied on the so-called Standard Contractual Clauses (SCCs) to transfer personal data to China.
SCCs are contract templates pre-approved by the EU Commission that EU countries can use as basis for data transfers with unsafe third countries. SCCs contain a number of legally binding commitments to the data importer and require the data exporter to fill out relevant information about the transfer of personal data. In addition to the SCC, the data exporter is required to assess, and continually monitor, whether the recipient country's law allows compliance with the SCC obligations, and implement supplementary measures if necessary. Supplementary measures could for example be pseudonymization or encryption of data, physical security of locations where the data is processed, measures to ensure data quality, accountability or events logging.
During DPC’s investigation, TikTok had informed that it did not store EU user data on servers stored in China. Then, in April 2025 TikTok informed the DPC of an issue that it had discovered in February 2025 which meant that a limited amount of EU user data was in fact stored in China, and could be assessed remotely by staff. TikTok provided an assessment to the DPC of the relevant Chinese law which diverged from the EU standard which includes the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law, that could provide Chinese authorities with potential access to data about Europeans.
On this background, in the words of DPC Deputy Commissioner Graham Doyle:
“TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU.”
Additionally, DPC found that TikTok’s Privacy Policy was inadequate as it failed to name the third countries, including China, to which personal data was transferred, and it did not explain the nature of the processing operations that constituted the transfer.
TikTok answered promptly that it disagreed with the decision and would appeal in full.
ChatGPT Hallucinates Fake Child Murderer in Breach of GDPR
Noyb – European Center for Digital Rights, the non-profit organization co-founded by the privacy activist Max Schrems, filed a complaint against OpenAI to the GDPR authority in Norway for failing to rectify wrongful information about a specific person.
“Data rights” for individuals is an important concept under GDPR. Whenever a company processes personal data about an individual, GDPR grants the individual the rights:
to be informed about the data processing (article 12)
to access the information being processed (article 15)
to rectify inaccurate information about the individual (article 16)
to erase data that is no longer deemed to be “necessary” to process (“the right to be forgotten”) (article 17)
to restrict inaccurate, unlawful, unnecessary, and contested processing of data (article 18)
to receive personal data concerning him or her in a “structured, commonly used and machine-readable format” (“the right to data portability”) (article 20).
to object the data processing (article 21).
to not be subject to automated profiling and decision-making under certain conditions (article 22).
The purpose of the individual’s data rights under GDPR is to place the ownership of personal data out of the hands of companies and into the hands of affected individuals. Unfortunately, the US does not have a similar framework for data rights. American-based online platforms have built their businesses around taking ownership of user data against the spirit and philosophy of GDPR. Needless to say, this remains a major value gap and unresolved tension between the European digital lawmakers and the market-oriented forces of US tech law.
noyb filed the complaint on behalf of Norwegian citizen Arve Hjalmar Holmen who is a “regular person”; not famous or recognizable by the public. One day, Arve asked ChatGPT what it knew about him and he was shocked by its response:
“Arve Hjalmar Holmen is a Norwegian individual who gained attention due to a tragic event. He was the father of two young boys, aged 7 and 10, who were tragically found dead in a pond near their home in Trondheim, Norway, in December 2020. Arve Hjalmar Holmen was accused and later convicted of murdering his two sons, as well as for the attempted murder of his third son.
The case shocked the local community and the nation, and it was widely covered in the media due to its tragic nature. Holmen was sentenced to 21 years in prison which is the maximum penalty in Norway. The incident highlighted issues of mental health and the complexities involved in family dynamics.”
Even though the murder story was completely fabricated, ChatGPT did correctly guess that Arve’s hometown was Trondheim, that he had three sons, and the age gap between two of his sons was not far off either, which made the AI-generated response even more disturbing.
noyb acknowledges in their complaint that OpenAI has integrated web search in ChatGPT after the time of the incident which makes it less likely that the new model would reproduce the disturbing output. Still, according to the complaint, OpenAI admits that “[o]utput may not always be accurate” and that “[g]iven the probabilistic nature of machine learning, use of our Services may in some situations result in Output that does not accurately reflect real people, places, or facts.” In noyb’s view, this is a concession on part of OpenAI; ChatGPT cannot technically comply with the principle of accuracy under Article 5(1)(d) GDPR.
The principle of accuracy in Article 5 (1) (d) states that personal data shall be:
“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”
noyb asks for the Norwegian data authority to order OpenAI to delete the defamatory output and “fine-tune its model so that the AI model produces accurate results in relation to the complainant's personal data”. It's hard to imagine that noyb's complaint will be consequential for the future of OpenAI's models but it does illustrate an awkward and difficult issue the major AI labs has to solve to comply with GDPR.
The Undisclosed Use of AI Chatbots on Popular Subreddit
A research team from Zurich University conducted an unauthorized experiment on the popular r/changemyview subreddit to see if AI chatbots could change users’ views on contentious topics. When the secret experiment was exposed and announced by the moderators, the outrage echoed far out onto the internet. Reddit has threatened to take legal action against the researcher per 404Media.
The outrage is not difficult to sympathize with, namely as some of the +1.700 bot-generated comments concerned sensitive topics. For example, the LLM role-played it was a male rape victim who wasn’t particularly traumatized (see below via 404 media), that it worked at a domestic violence shelter, and that it was a black person who opposed the Black Lives Matter movement.
The scandal illustrates why the use of AI in human interactions should always be disclosed as such. AI bots without physical bodies, emotions, or genuine personalities should not have a stake in the public debate or pretend to be humans.
Tech Legal News (links)
Trump fires director of U.S. Copyright Office, sources say (Scott MacFarlane/ CBS News)
E.U. Prepares Major Penalties Against Elon Musk’s X (Adam Satarino/NY Times)
Trump’s new tariff math looks a lot like ChatGPT’s (Dominic Preston/The Verge)
French publishers sue Meta over AI Training (Benoit Berthelot/Bloomberg)
AI-Generated Voice Evidence Poses Dangers in Court (Rebecca Wexler, Sarah Barrington, Emily Cooper, Hany Farid/Lawfare)
European tech industry coalition calls for ‘radical action’ on digital sovereignty — starting with buying local (Natasha Lomas/TechCrunch)
AI Privacy Risks & Mitigations Large Language Models (LLMs) (Isabel Barberá/European Data Protection Board)
EU-wide Age Verification Solution Is in the Making (vkanellopoulos, Paolo De Rosa & Vangelis Sakkopoulos/GitHub)