As we warned they might do, today, under the guise of advancing interoperability, EU regulators have taken another major step backwards when it comes to protecting user trust, privacy and security – by requiring Apple to unlock iOS and disable key security features in order to let other third parties access core features and encrypted user messages.  As we indicated earlier this year, such wrongheaded moves that ignore privacy and security warnings and weaken existing safeguards will have broad implications for consumers and businesses alike.

The EU’s “specification decision” is the first time a government regulator has laid out detailed specifications and instructions for how an operating system must be designed and built – effectively becoming an operating system software designer – and strikingly doing so without conducting any kind of review for privacy or security impacts.  In their consultation documents, the Commission failed to even ask about the security implications of its proposed changes. This decision to micromanage the software engineering process – without an eye to how decisions impact privacy and security – will certainly create long term harm for consumers.  

Regulators haven’t made the full text of the “specification decision” public yet – it is rumored to be over 100 pages of detailed specifications that software engineers must follow. However, the broad impact of their unprecedented order is already clear.  

For example, one result is that security updates that impact interoperability will necessarily be delayed while software engineers seek approval from impacted third parties and the EC before making critical software updates. This could lead to significant security delays and avoidable privacy harms. The decision is also likely to delay European access to cutting edge features and technology while they undergo specification review, red tape, approvals, and requirements to make the innovations available to competitors and potential competitors. If Apple were to attempt to roll out improvements to U.S. and EU consumers and businesses at the same time, the mandatory EU delays mean U.S. users would be denied these innovations until EU regulators approved the latest innovation.

What’s an innovator to do? Delay to all? Or delay or deny to EU consumers? Consumers deserve the ability to control their privacy and security, but this approach to interoperability puts that control in the hands of third parties.  

The EU today also singled out Google with potentially massive fines under the Digital Markets Act for the way it runs its Play store. 

One thing that is especially odd is that if these are good rules and are about competition in the digital marketplace, then they should be applied to everyone in the digital market. But that’s not what is happening here. Instead, the EU is forcing only the U.S.’s most dynamic innovators to hand over their technology and intellectual property to companies that don’t have to play by the same rules and did not make the risky investments in the same kind of innovation. While EU regulators, in announcing their decisions, tried to imply that nobody was being treated unfairly on the basis of their Americanness – it is odd that their decision only applies to two U.S. companies.

Because these anti-innovation requirements require U.S. innovators to give away their intellectual property to European competitors for free (and potentially require enormous funds to be transferred to the EU government in the form of fines), it will be interesting to see how U.S. leaders react after a presidential memorandum from last month warned that rules designed to “transfer significant funds or intellectual property from American companies to the foreign government or the foreign government’s favored domestic entities” would trigger U.S. tariffs.

Stay tuned.