
Irish Information Security Forum

EU to impose €700m Fines for Apple and Meta

 


I. Introduction: EU Asserts DMA Authority with First Fines for Apple and Meta


A. Overview of Enforcement Action

The European Union's regulatory landscape for digital markets entered a new phase on April 23, 2025, as the European Commission (EC) levied its first fines under the landmark Digital Markets Act (DMA). Technology giants Apple and Meta Platforms were the recipients of these inaugural penalties, signaling a shift from legislative formation to active enforcement. Apple was fined €500 million (approximately $570 million USD), while Meta received a €200 million penalty (approximately $228 million USD), bringing the total to €700 million.

 


 
 

 

These financial sanctions are the culmination of non-compliance investigations initiated by the EC in March 2024. The investigations scrutinized whether the companies, designated as 'gatekeepers' under the DMA, were adhering to the specific obligations designed to foster more contestable and fair digital markets within the EU. The DMA represents a significant departure from traditional antitrust enforcement, imposing ex-ante rules on dominant platforms to prevent market distortions before they become entrenched.

 

B. Purpose and Scope of the Article

This technical article provides a detailed analysis of these first DMA enforcement decisions. It dissects the specific violations cited by the EC against Apple and Meta, examines the technical and commercial practices deemed non-compliant under the DMA, outlines the core arguments presented by the regulators, and summarizes the immediate responses from the companies and the Commission.

 

C. Key Takeaways Summary Table

The following table offers a concise overview of the core findings and penalties:

 

| Company | Fine Amount | Violated DMA Article | Core Violation Summary (Technical Focus) | Compliance Deadline |
|---|---|---|---|---|
| Apple | €500 million | Art. 5(4) | Imposing technical & commercial restrictions (fees, 'scare screens') preventing free steering of users to alternative offers outside the App Store. | 60 days |
| Meta | €200 million | Art. 5(2) | Implementing a "Consent or Pay" model lacking a genuine choice & equivalent alternative for users refusing personal data combination for ads. | 60 days (for compliance with decision) |

 

 

D. Signaling Intent with First DMA Fines

The imposition of these substantial fines, the first under the DMA, serves as a clear indication of the Commission's resolve to actively enforce the new rulebook from the outset. While the DMA allows for fines up to 10% of a company's global annual turnover, and these initial penalties are lower than some previous antitrust fines levied against the same companies, their issuance marks a critical step. It moves beyond preliminary findings or cease-and-desist orders to establish tangible financial accountability for non-compliance shortly after the DMA's obligations became fully binding. This action sets a precedent and sends a strong message to all designated gatekeepers regarding the seriousness of DMA compliance and the potential financial consequences of failing to adhere to its provisions.

 

 

II. Apple's €500m Penalty: Deconstructing Anti-Steering Violations (DMA Art. 5(4))


A. The DMA Obligation (Art. 5(4))

Article 5(4) of the Digital Markets Act imposes a specific obligation on gatekeepers controlling core platform services like app stores. It mandates that these gatekeepers must permit business users, such as app developers, to communicate offers to their end users and promote those offers, including directing users towards purchasing options available outside the gatekeeper's own ecosystem (e.g., the Apple App Store). Critically, this communication and steering must be allowed free of charge. The explicit goal of this provision is to enhance competition by allowing developers to bypass the gatekeeper's potentially high commission fees and offer consumers potentially lower prices or different purchasing models directly.

 

B. EC Findings: How Apple Breached the Rules

The European Commission concluded that Apple's practices failed to comply with the anti-steering obligations under DMA Article 5(4). Despite Apple implementing changes ostensibly to comply with the DMA, the EC found that the company imposed a combination of technical and commercial restrictions that effectively nullified the "free of charge" principle and hindered developers' ability to steer users effectively.

 

Technical Restriction 1: Prohibitive Fees: A central element of the violation was Apple's fee structure associated with steering. Developers who opted into Apple's new terms allowing steering were subjected to recurring fees that the EC deemed incompatible with the "free of charge" mandate. Specifically, Apple introduced a structure that could include a 5% "initial acquisition fee" for users acquired via the App Store, plus an additional 10% "store services fee" on subsequent digital goods and services purchases made through external links within a 12-month period following the initial app install. The EC viewed these fees as a direct charge for the act of steering, making it economically unattractive or prohibitive for many developers, thus undermining the purpose of Article 5(4).


Technical Restriction 2: Burdensome Link-Out Process: Apple's implementation required developers using external links to present users with a specific, Apple-designed in-app disclosure sheet. While intended to inform users, the EC perceived this as a "scare screen" designed to discourage users from leaving the perceived safety of the App Store environment by warning that Apple would no longer be responsible for privacy, security, or purchases. Furthermore, Apple imposed limitations on the format, content, and timing of these prompts, restricting how developers could communicate alternative offers.


Commercial Restrictions: Beyond the specific fees and technical prompts, the EC found that the overall contractual terms imposed by Apple on developers wishing to steer created an environment where free communication and promotion of alternative offers were unduly restricted.


C. EC's Technical Argument

The Commission's core argument was that Apple's combination of fees and technical hurdles prevents app developers from leveraging the benefits of alternative distribution channels as intended by the DMA. Consequently, consumers are denied the ability to easily discover and benefit from potentially cheaper or different offers available directly from developers. The EC explicitly rejected Apple's potential justifications, stating that the company failed to demonstrate that these specific restrictions were "objectively necessary and proportionate" to safeguard the integrity of the App Store ecosystem or protect user security. While the DMA allows for necessary and proportionate measures, Apple's implementation was deemed to exceed this threshold.

 

D. DMA Reaching into Platform Design and Business Models

This enforcement action against Apple clearly illustrates the DMA's capacity to delve into the granular technical design choices and commercial policies of gatekeeper platforms. The decision moves beyond abstract principles, directly addressing the specific fee structures and user interface elements (like the disclosure sheet) that the EC found to be non-compliant. By finding these technical and commercial restrictions in breach of the "free of charge" steering requirement, the EC demonstrates its willingness to scrutinize the practical implementation details of compliance measures. It signals that gatekeepers cannot merely pay lip service to DMA obligations; the implementation must genuinely facilitate the intended outcomes, such as effective steering, without imposing undue friction or economic disincentives. This interventionist approach impacts core aspects of platform architecture and business model design, indicating a significant shift in regulatory oversight compared to traditional competition law enforcement.

 

 

III. Meta's €200m Penalty: "Consent or Pay" Model Fails DMA Scrutiny (DMA Art. 5(2))


A. The DMA Obligation (Art. 5(2))

Article 5(2) of the DMA addresses the combination and cross-use of personal data by gatekeepers. It prohibits gatekeepers from processing personal data sourced from one of their core platform services (e.g., Facebook) with personal data from another core platform service (e.g., Instagram) or from third-party services for the purpose of providing online advertising services. This prohibition applies unless the end user has been presented with a specific choice and has given consent in the sense defined by the General Data Protection Regulation (GDPR). A critical component of this obligation is the requirement that users who withhold consent must be offered a "less personalised but equivalent alternative" service by the gatekeeper, ensuring that refusal of consent does not lead to denial of service or a significantly degraded experience.

 

B. EC Findings: How Meta Breached the Rules

The EC's investigation focused on Meta's "Consent or Pay" model, introduced in November 2023 across the EU for its Facebook and Instagram services. This model presented users with a stark binary choice: either consent to the combination and use of their personal data across Meta's services for personalized advertising while using the platforms for free, or pay a monthly subscription fee (initially around €9.99) for an ad-free experience. The Commission found this model non-compliant with DMA Article 5(2) on two primary grounds:

 

Violation 1: Lack of Genuine Choice / Free Consent: The EC determined that forcing users into a binary choice between paying a fee or consenting to extensive data processing did not constitute a genuine opportunity to provide free consent as required by both the DMA and the GDPR. The structure effectively meant that the "price" for not consenting was a monetary payment, which the EC, aligning with views from data protection authorities like the EDPB, considered potentially coercive and undermining the voluntariness essential for valid GDPR consent.


Violation 2: Lack of Equivalent Alternative: The EC explicitly found that the paid, ad-free subscription offered by Meta did not qualify as the "less personalised but equivalent alternative" mandated by Article 5(2) for users who refuse consent. The requirement suggests an alternative that maintains the core functionality of the service (e.g., social networking) but operates with less reliance on combined personal data for ads, rather than simply removing ads in exchange for payment.


C. EC's Technical Argument

The Commission argued that Meta's model failed to provide the necessary specific choice regarding data combination, instead bundling consent with free access to the service. The €200 million fine specifically addresses the period during which this binary "Consent or Pay" model was the only option offered to EU users, running from March 2024, when DMA obligations took effect, until November 2024. In November 2024, Meta introduced modifications, including an option purportedly using less personal data for ads. The EC acknowledged this change and stated it is currently assessing its compliance, but the fine relates to the prior non-compliant period.

 

D. Interplay of DMA and GDPR Defining Consent and Equivalence

The Meta decision vividly illustrates the symbiotic relationship between the DMA's competition-focused rules and the GDPR's fundamental data protection principles. The EC's interpretation of DMA Article 5(2) hinges significantly on the GDPR's strict definition of freely given consent. By rejecting the "Consent or Pay" model, the Commission signals that gatekeepers cannot easily use subscription fees as a mechanism to obtain consent for data processing practices that might otherwise be questionable under GDPR. Furthermore, the emphasis on the need for an "equivalent alternative" sets a potentially high bar. It suggests that users refusing data combination must still be offered a service that is functionally comparable, implying that business models heavily reliant on cross-service data tracking for advertising may need substantial redesign to offer a genuinely equivalent, less data-intensive option that isn't simply a paid tier. This interpretation could have far-reaching consequences for the viability of certain ad-funded models within the EU digital market.

 

 

IV. Enforcement Dynamics, Reactions, and Future Implications


A. EC Justification and Stance

In announcing the fines, European Commission officials stressed that the actions were taken to uphold core DMA principles: ensuring free business and consumer choice, protecting citizens' control over their data, and leveling the playing field in digital markets. Executive Vice-Presidents Teresa Ribera and Henna Virkkunen characterized the enforcement as "firm but balanced" and based on "clear and predictable rules". They explicitly refuted suggestions that the decisions targeted American companies, stating that all companies operating in the EU must adhere to its laws. The Commission also noted that the decisions followed extensive dialogue, allowing the companies to present their arguments.

 

B. Company Responses and Appeals

Both Apple and Meta reacted strongly to the fines and announced their intentions to appeal the decisions.

Apple: Accused the EC of "unfairly targeting" the company in a manner detrimental to user privacy and security. Apple contended that the EC was forcing it to "give away technology for free" and persistently "moving the goalposts" despite significant engineering efforts undertaken to comply with the DMA, changes it claimed users had not requested.
Meta: Chief Global Affairs Officer Joel Kaplan described the fine as part of an effort to "handicap successful American businesses" while allowing others (Chinese, European) different standards. He argued the decision effectively imposes a "multi-billion-dollar tariff," forces Meta to offer an "inferior service," and harms European businesses reliant on personalized advertising. Meta maintained its pre-November 2024 model was legally sound.


C. Compliance and Next Steps

The EC decisions require Apple and Meta to comply within 60 days or face the prospect of periodic penalty payments for continued non-compliance. Apple received a specific cease-and-desist order mandating the removal of the identified technical and commercial restrictions on steering. For Meta, while the fine pertains to a past period, the decision invalidates the original "Consent or Pay" model under the DMA, pending assessment of its newer approach.

Simultaneously, the EC demonstrated a degree of flexibility. It closed its investigation into Apple's compliance with DMA rules concerning browser choice screens and default app settings, acknowledging "early and proactive engagement" and "constructive dialogue" leading to satisfactory changes. Additionally, the Commission de-designated Meta's Facebook Marketplace as a gatekeeper service under the DMA, accepting Meta's evidence that it no longer met the threshold for business user numbers. However, the EC also signaled continued scrutiny, issuing preliminary findings (a form of charge sheet) against Apple concerning its terms for alternative app marketplaces, potentially leading to further enforcement actions.

 

D. Potential for US-EU Trade Friction

The forceful responses from Apple and Meta, explicitly characterizing the fines as unfair targeting and akin to tariffs, significantly elevate the risk of these DMA enforcement actions becoming embroiled in wider US-EU trade tensions. This rhetoric resonates with previous statements from the US administration threatening countermeasures against European digital regulations perceived as discriminatory towards American tech firms. Reports indicated the White House labeled the fines a "novel form of economic extortion". While the EC insists its actions are strictly rule-based and non-discriminatory, the perception and framing by major US corporations, potentially amplified by political actors, could fuel diplomatic friction and potentially lead to retaliatory trade measures, impacting transatlantic economic relations well beyond the digital sector.

 

 

V. Conclusion: DMA Enforcement Commences, Reshaping the Digital Landscape


A. Recap of Findings

The European Commission's imposition of €700 million in fines (€500 million for Apple, €200 million for Meta) marks the first direct financial penalties under the Digital Markets Act. The decisions found Apple in breach of anti-steering obligations (Art. 5(4)) through restrictive fees and technical hurdles, and Meta in breach of consent and data combination rules (Art. 5(2)) via its initial "Consent or Pay" model lacking genuine choice and an equivalent alternative.

 

B. Significance of the Decisions

These inaugural fines are highly significant, establishing a clear precedent for the EC's interpretation and enforcement approach under the DMA. They demonstrate a commitment to scrutinizing the technical and commercial implementation details of gatekeeper practices and holding companies financially accountable for non-compliance. The decisions clarify the expected standards for facilitating user choice, ensuring fair access for business users, and managing personal data in line with both DMA and GDPR principles.

 

C. Broader Implications

The path forward involves likely appeals from both companies, continued EC assessment of Meta's revised advertising model, and potential further enforcement against Apple regarding its alternative app marketplace terms. The unresolved tensions between EU digital sovereignty goals and US concerns about the targeting of its major tech companies remain a critical backdrop. Ultimately, these first DMA fines signal the beginning of a potentially more interventionist regulatory era for dominant digital platforms operating within the European Union, demanding significant adjustments to long-standing business practices and platform designs.

 
