Data protection by platform

Mobile tracking has significant implications for the protection of the right to privacy and the right to data protection in the European Union. Although the General Data Protection Regulation (GDPR) aims to establish a baseline level of data protection, unlawful data processing through mobile apps continues to be widespread. This persistent non-compliance points to significant enforcement gaps and has resulted in systematic privacy viola­tions of millions of EU citizens. These shortcomings draw attention to powerful private actors within the mobile ecosystem, most notably Apple and Google. Owing to their intermediary position and control over app distribution via the Apple App Store and the Google Play Store, both companies are, in principle, well positioned to contribute to the enforcement of data protection law by shaping which applications become accessible to users.

Against this background, this dissertation of Julia Krämer investigates how mobile app stores and mobile operating system providers influence the GDPR compliance of mobile applications, and to what extent this role is currently recognised and addressed within EU data protection law frameworks. The analysis adopts an interdisciplinary approach that combines doctrinal legal analysis with empirical legal research, draw­ing on large-scale empirical evidence from disclosures of approximately 2.8 million mobile apps collected over a three-year period. This interdisciplinary approach enables a systematic assessment of whether platform governance mechanisms translate legal requirements into practice. The findings show that the approaches adopted by Apple and Google to address mobile tracking are subject to substantial limitations and frequently diverge from the requirements and underlying principles of the GDPR.

The dissertation critically analyses several platform-led initiatives aimed at limiting mobile tracking, including app store privacy labels, app store rules governing health applications, Apple’s App Tracking Transparency framework, and other privacy-enhancing technologies (PETs). While these tools promise enhanced transparency and user control, the analysis demonstrates that they often fall short in practice. For example, privacy labels rely on narrow definitions of tracking that systematically exclude Apple and Google’s own tracking practices, diverging from the GDPR’s actor-neutral approach. Empirical evidence from 845,375 apps in the Apple App Store and 1,657,353 apps in the Google Play Store further reveals that privacy labels are not subject to systematic verification, with contradictory and inaccurate information widespread.

The analysis further shows that platform enforcement practices prioritise transparency and disclosure obligations over substantive GDPR principles, such as data minimisation. This imbalance is particularly evident in the context of health and fitness applications, where extensive tracking persists despite overlapping regulatory oversight. Empirical evidence demonstrates that, although platforms impose contractual rules on developers, these are applied unevenly in practice, especially with respect to popular apps.

Overall, the dissertation identifies three overarching themes: misaligned responsibilities under the GDPR, the division between first- and third-party tracking, and the infrastructural control exercised by Apple and Google over app production environments. These dynamics raise concerns about the effective protection of the right to data protection in the mobile ecosystem. While the 
challenges are substantial, the dissertation demonstrates that existing data protection law provides mechanisms which, if properly operationalised, could bring mobile platform governance more closely into alignment with EU data protection principles.

Krämer defended her dissertation on February 5th 2026 at Erasmus University Rotterdam. Supervisors: prof. dr. Pieter Desmet and prof. dr. Koen Swinnen. 


Julia Krämer 
Data protection by platform: The role of private actors in shaping GDPR compliance in the mobile 
ecosystem


The dissertation can be accessed via the repository of Erasmus University Rotterdam. 


ISBN: 978 94 6496 531 5

Privacy Digitalisering Digitale inhoud
Over de auteur(s)
Redactie
GERELATEERDE ITEMS
Nieuws
Europese Commissie: ontwerp TikTok is te verslavend
9 februari 2026
Nieuws
AP: chauffeurs in openbaar vervoer mogen niet permanent in beeld
28 januari 2026
Nieuws
Onderzoekers: sterke toename online manipulatie Tweede Kamerverkiezingen
15 januari 2026
Nieuws
Advies Raad van State over initiatiefwetsvoorstel enkelband als hoofdstraf
23 december 2025
blog
Een Omnibus voor big tech
10 december 2025