In August 2023, MyData Japan provided public comment on “Competition Assessment of the Mobile Ecosystem - Final Report” which was prepared by Cabinet Secretariat, Japan.
MyDataJapan public policy committee
１． Evaluation of the Final Report by MyData Japan
It is analyzed in the Final Report that the major layers in the current mobile ecosystem are in an oligopolistic situation by a limited number of platform operators respectively. The Report also analyzes that (A) the oligopoly is raising concerns of (1) deterioration of an equitable competition environment, (2) stifling competitions through innovation, and (3) reduced choices for consumers and (B) the oligopoly is not easily being fixed and corrected. These analyses of the current situation in the Report are convincing for us. From our point of view, the Final Report demonstrates sound judgments in the following points.
(1) It confirms that security and privacy must be ensured at each layer of the mobile ecosystem.
(2) It states that an approach which prohibits or mandates certain types of conduct in advance by law is appropriate to ensure security and privacy.
(3) It admits that co-regulation does not adequately address the issue.
(4) It proposes legislation regarding orders to correct violations, fines, injunctions by private parties, etc. to ensure the effective enforcement of the law.
Thus, the Final Report is commendable in many respects. However, in some respects, there is a lack of a consumer protection perspective. It is true that consumer protection in the mobile ecosystem is being provided as a result of rule setting by platform operators. It should be noted that excessive government intervention in setting such rules may reduce the level of consumer protection.
２．Display rules for tracking in OS
According to the rules established by Apple, the third party developers must display boilerplate texts highlighting the risk of tracking users at the time of requesting permission to show tracking advertisements using an IDFA. In contrast, an explanation in positive terms is displayed for personalized ads by Apple itself. The Final Report points out this is unfair.
However, there is a clear difference between Apple's advertising model using the first party data and third party developers’ advertising model using the third party data from a privacy perspective. Many users are generally aware that through services they consciously use the providers of such services, collect and use data about their use of such services. On the other hand, the users do not expect that third parties to whom they do not intend to access collect and use various data about themselves.
Therefore, it is reasonable from the standpoint of protecting user privacy that the risk is highlighted in the display for the developers' advertising models that use third-party data while the explanation in positive terms is displayed for Apple's advertising model using first-party data.
In addition, there is a particular need in Japan for this type of user privacy protection measures to be taken by rules set by platform operators. Because in the mobile ecosystem, information such as cookies and advertising IDs, which serve as user IDs, are not subject to Act on the Protection of Personal Information (APPI). Those identifiers that identify an individual in an advertisement are not personal information on the APPI and there are only a few restrictions on their acquisition and use of such identifier/information under our data protection laws. In this respect, Japan has a different environment from Europe and the U.S., where cookies and advertising IDs are subject to laws and regulations as personal information.
In other words, in our country, where laws and regulations against cross-site and cross-app tracking are weak, there is a greater reliance on the rules set by platform operators to protect user privacy in relation to such tracking. The first priority is to review our country's data protection legislation, and to bring cookies and advertising IDs under the laws and regulations as personal information as soon as possible, as well as to strengthen the regulation on external transmission of the personal data and expand the right of the users to consent or refuse to the acquisition of third-party data.
３．Mandatory use of payment/billing systems
The Final Report states that requiring developers to use payment/billing systems provided by platform operators should be prohibited, because it discourages the entry of other business operators offering alternative payment/billing methods and prevents developers from offering a variety of fee plans and services, and because users are deprived of choices regarding payment/billing systems.
We agree with some of the above analysis of the current situation in the Final Report, but in the current situation, it is undeniable for us that platform operators play an important function in consumer protection regarding payment and billing. For example, it is widely known that if a developer makes improper payments and/or charges, consumers may be able to obtain refunds from the platform operator even if they cannot obtain refunds from the developer. It is not appropriate to ignore the functions of such platform operators and simply try to promote the use of alternative payment/billing systems. The use of alternative payment and billing should be promoted in policy together with built-in consumer protection mechanisms in such alternatives.
４．Allowing alternative distribution channels for apps
The Final Report points out (1) no competitive pressure on fees in the App Store, (2) limited transparency and fairness in app review in the App Store and (3) loss of opportunities for business operators other than Apple to enter the iOS app store business. Those problems are caused by app distribution channels being limited to the App Store. These points in the Final Report are justifiable.
It is also highly commendable that the Final Report considers the assurance of security and privacy to be a condition for accepting alternative distribution channels for apps.
However, the Final Report states that, with respect to the protection of privacy, OS providers may implement measures for legal compliance by alternative app stores and app developers, but should not implement higher level of measures than legal compliance. This raises the following questions. First, if OS providers are unable to take measures beyond legal compliance, the level of privacy protection will no longer be a differentiating factor for OS providers. Second, it is unconvincing that there are such restrictions only on privacy but not on security. Third, as mentioned earlier, in Japan, where the level of user privacy protection by law is low, there is a high degree of dependence on voluntary rules set by platform operators, and in this respect the situation differs from that in Europe and the U.S.
It is understandable that the Final Report is wary of OS providers' attempts to prevent the actual use of alternative distribution channels for apps by citing privacy protections. However, it is clear that OS providers' attempts to protect users' privacy beyond the level of legal compliance itself should be something to be admired rather than prohibited. This should be discussed separately and independently of compliance with laws and regulations and from the perspective of "whether the privacy protection measures taken by the OS provider are reasonable and desired by the users, and whether the measures unreasonably suppress alternative app stores, etc. We cannot agree with the view in the Final Report that all measures that exceed the level of legal compliance are "excessive measures".
Apple requires that their own social login service, Sign in with Apple (SIWA), is displayed as an option when developers using the AppStore provide social login. In this regard, the Final Report determines that Apple is using its position as the App Store operator to favor its own service, without evaluating Apple's claim that "SIWA minimizes the amount of information it shares with developers". However, users are concerned that information about themselves will be shared with developers by social login service vendors who have large amounts of information about them. Therefore, if Apple is "minimizing the amount of information it shares," as they claim, it is a welcome service for social login users that protects their own privacy. Also, Apple's requirement to display their social login can be considered a reasonable measure for user protection, even if it has the effect of favoring Apple's own service. Hence, it should first be examined whether Apple's social login service is truly "minimizing the amount of information to be shared".
６．Access restrictions to UltraWideBand and on voice assistants
Developers are in an inferior position compared to OS providers in accessing UltraWideBand (UWB) which is used to recognize devices in the vicinity and voice assistants. In this regard, the Final Report states that "the providers of OSs above a certain market size should be obliged to allow third parties to have interoperability with and access to functions equivalent to those allowed to their own OSs and other functions". The Final Report also states that OS providers are allowed to take necessary and proportionate measures to ensure security and protect privacy. But, the measures "to ensure privacy, etc." here are limited to measures to ensure compliance with laws and regulations, and while those necessary for the compliance may be implemented, measures at a level higher than the compliance should not be implemented, the Report states. This has the same issue as those described in 4. Allowing alternative distribution channels for apps, and we cannot agree with the Final Report on this point.
Based on each of the aforementioned issues, we would like to provide addenda for the Final Report.
First, the overall tone to disregard user privacy should be remedied. The balance between the protection of user privacy through voluntary measures by platform operators and the suppression of developers brought by the measures will continue to be debated. If the prescription to make that balance is "voluntary measures by platform operators shall be capped at the level of compliance with laws and regulations," it will be difficult to achieve user privacy protection in the mobile ecosystem, given the lower level of protection afforded by our laws and regulations compared to other countries. It is reasonable and sensible to assume that voluntary measures by platform operators which go beyond the level of legal compliance should basically be allowed but if the measures unduly suppress developers, they should not be allowed. Whether it is unduly oppressive to the developer should be judged comprehensively from the following perspectives:
(1) Are the voluntary measures consistent with the expectations of a substantial number of users?
(2) Are there any foreign legislative cases where the same privacy protection effects have been achieved by laws and regulations as the one brought about by the voluntary measures?
(3) Are there any imbalances between the effects of privacy protection and the burdens on developers?
Second, while the references to the measures to ensure effectiveness of enforcement, such as orders to correct violations, fines, and the creation of the right to demand an injunction by a private individual, are highly commendable, more concrete proposals should be made. Regarding monetary sanctions, the goal should be to make the amount meaningful, taking into account the lesson learned from the Act on Improving Transparency and Fairness of Digital Platforms which legislated a fine with an extraordinary amount of up to 1 million yen (7,000USD!) for violation of an order. With regard to the right to demand an injunction against prohibited acts as a measure that a private individual can take against illegal acts, not only developers but also consumers (individuals and organizations) should naturally be able to stand as plaintiffs because the prohibited acts have the effect of depriving consumers' choices in the future.
Third, many problems with app stores ultimately come down to the issue of expensive fees. Considering the current power balance between app store operators and developers, the issue of the expensive fees is not one that can be resolved by leaving it to negotiations between the two parties, but rather government intervention through the legal system is expected.
The summary of the Final Report by Cabinet Secretariat, Japan (EN) : https://public-comment.e-gov.go.jp/servlet/PcmFileDownload?seqNo=0000258244
The website of the public comments (JP): https://public-comment.e-gov.go.jp/servlet/Public?CLASSNAME=PCMMSTDETAIL&id=060230619&Mode=0