publications
2026
- Data Protection by Platform: The Role of Private Actors in Shaping GDPR Compliance in the Mobile Ecosystem. Julia Krämer. Dissertation, Erasmus University Rotterdam, 2026. Available online: Erasmus University Repository
Mobile tracking has far-reaching implications for privacy. In the European Union (EU), although the General Data Protection Regulation (GDPR) is intended to establish a baseline level of data protection, unlawful data processing through mobile applications remains widespread. This dissertation examines how mobile app stores and mobile operating system providers influence the GDPR compliance of mobile applications, and to what extent this role is currently addressed within EU data protection law frameworks. While app stores, given their intermediary position and market power, appear well suited to support GDPR compliance, this dissertation identifies substantial limitations in the current approaches adopted by both Apple and Google to address mobile tracking. In particular, this dissertation critically examines the tools and governance mechanisms that Apple and Google implement in the mobile ecosystem to limit tracking practices, and identifies significant discrepancies between their design and implementation on the one hand, and the requirements and underlying principles of the GDPR on the other.
- Balancing Privacy and Platform Power in the Mobile Ecosystem: The Case of Apple’s App Tracking Transparency. Julia Krämer. Computer Law & Security Review, 2026
In 2021, Apple shook up the AdTech industry by introducing the iOS 14.5 update, which not only changed the default access to an app’s advertising identifier but also restructured the process of user consent within mobile apps through the App Tracking Transparency (ATT) framework. Given that Apple dominates one of the main mobile operating systems (iOS), and one of the major mobile app stores (Apple App Store) in the European Union (EU), the question arises to what extent such a powerful private party is able to govern privacy standards at this scale. While the introduction of the ATT has already raised competition concerns, its impact on privacy and data protection within the EU legal order remains largely unexplored. Therefore, this article investigates how the ATT affects EU privacy and data protection compliance and explores the extent of the General Data Protection Regulation (GDPR) in restricting the privacy regulator role of app stores and mobile operating systems. While the ATT limits certain privacy risks by limiting disclosures to third parties, Apple is redefining core privacy concepts such as tracking. This may lead to the emergence of “walled gardens”, closed ecosystems which are managed and curated by their owners, which may alter the structure of the mobile ecosystem in general. The paper contributes to the overall discussion about the impact of private sector-led initiatives and powerful private actors in setting privacy standards.
- Word-Level Annotation of GDPR Transparency Compliance in Privacy Policies Using Large Language Models. Thomas Cory, Wolf Rieder, Julia Krämer, and 3 more authors. Proceedings on Privacy Enhancing Technologies (PoPETs), 2026
Ensuring transparency of data practices related to personal information is a fundamental requirement under the General Data Protection Regulation (GDPR), particularly as mandated by Articles 13 and 14. However, assessing compliance at scale remains a challenge due to the complexity and variability of privacy policy language. Manual audits are resource-intensive and inconsistent, while existing automated approaches lack the granularity needed to capture nuanced transparency disclosures. In this paper, we introduce a large language model (LLM)-based framework for word-level GDPR transparency compliance annotation. Our approach comprises a two-stage annotation pipeline that combines initial LLM-based annotation with a self-correction mechanism for iterative refinement. This annotation pipeline enables the systematic identification and fine-grained annotation of transparency-related content in privacy policies, aligning with 21 GDPR-derived transparency requirements. To enable large-scale analysis, we compile a dataset of 703,791 English-language policies, from which we generate a sample of 200 manually annotated privacy policies. To evaluate our approach, we introduce a two-tiered methodology assessing both label- and span-level annotation performance. We conduct a comparative analysis of eight high-profile LLMs, providing insights into their effectiveness in identifying GDPR transparency disclosures. Our findings contribute to advancing the automation of GDPR compliance assessments and provide valuable resources for future research in privacy policy analysis.
2025
- Between Privacy and Profit: The Dual Role of PETs in Mobile Tracking. Julia Krämer. European Data Protection Law Review, 2025
Mobile tracking poses significant risks to user privacy. Mobile advertising identifiers and Software Development Kits (SDKs) play a central role in this process, which is largely determined by the governance of mobile app stores and operating systems - both dominated by Apple and Google. Recently, both companies have made headlines for incorporating Privacy Enhancing Technologies (PETs) into their products that impact mobile tracking. While these initiatives represent a step toward addressing the issue of tracking, they have also faced criticism for raising competition law concerns as they ultimately do not apply to their native services. Their actual impact on compliance with data protection laws, however, has not yet been sufficiently assessed. This article examines the extent to which these PETs comply with the principles of the General Data Protection Regulation (GDPR). This article argues that most of the PETs introduced by Apple and Google are ‘soft PETs’, ie they focus on transparency and leave critical data flows, including those supporting their native tracking ecosystems, largely untouched.
- EU Data Protection Law in Action: Introducing the GDPR. Julia Krämer. In Digital Decade: How the EU shapes Digitalisation Research, 2025
This chapter is intended to introduce the General Data Protection Regulation (GDPR) to social scientists, offering an overview of key legal concepts and provisions from Chapters II and III of the Regulation. The chapter has two main objectives: first, to bridge the gap between empirical and doctrinal research by explaining fundamental GDPR provisions to non-legal audiences; and second, to examine the extent to which these provisions have been explored through empirical research. This includes identifying common methods used, revealing that, only six years after the Regulation’s implementation, a rich body of empirical research has emerged to evaluate its effectiveness. The chapter concludes with a discussion of the challenges social scientists face when empirically investigating the impact of the GDPR, such as translating empirical findings into legal conclusions.
2024
- Regulatory compliance with limited enforceability: Evidence from privacy policies. Bernhard Ganglmair, Julia Krämer, and Jacopo Gambato. ZEW-Centre for European Economic Research Discussion Paper, 2024
We study how asymmetric enforceability of regulation affects firms’ compliance by leveraging the introduction of the General Data Protection Regulation and its transparency principle. The principle compels firms to disclose, in accessible language, details of their data collection. The disclosure requirements are objective, whereas the required readability is subjective and difficult to enforce. We document that firms increased disclosure in their privacy policies without improving readability. Firms facing better-funded data regulators and those anticipating higher scrutiny demonstrated a stronger response in readability compliance (neglected otherwise) without sizeable disclosure effects, suggesting a strategic response to the degree and asymmetry of enforcement.
- The Death of Privacy Policies: How App Stores Shape GDPR Compliance of Apps. Julia Krämer. Internet Policy Review, 2024
The General Data Protection Regulation (GDPR) obliges data controllers to inform users about data processing practices. Long criticised for inefficiency, privacy policies face a substantive shift with the recent introduction of privacy labels by the Apple App Store and the Google Play Store. This paper illustrates how privacy disclosures of apps are governed by both the GDPR and the contractual obligations of app stores and is complemented by empirical insights into the privacy disclosures of 845,375 apps from the Apple App Store and 1,657,353 apps from the Google Play Store. While the GDPR allows for the use of privacy labels as a complementary tool next to privacy policies, the design of the privacy labels does not satisfy the standards set in Art. 5(1)(a) GDPR and Art. 12-14 GDPR. The app stores may consequently distort the compliance of apps with data protection laws. The empirical data highlight further problems with the privacy labels. The design of the labels favours disclosures of developers that offer a variety of apps that can process data across different services and contradictory disclosures do not get flagged nor verified by app stores. The paper contributes to the overall discussion of how app stores in their role as intermediaries govern privacy standards and the impact of private sector-led initiatives.
- Digital Governance: Confronting the Challenges Posed by Artificial Intelligence. Kostina Prifti, Esra Demir, Julia Krämer, and 2 more authors. T.M.C. Asser Press, The Hague, 2024
- Effective Regulation and Firm Compliance: The Case of German Privacy Policies. Jacopo Gambato, Bernhard Ganglmair, and Julia Krämer. NBER Working Paper, 2024
This chapter explores the interaction between the enforcement of and compliance with difficult-to-enforce rules in the context of data regulation. We focus on the effect of the introduction of the GDPR and its transparency principle on the readability of privacy policies for a large sample of German firms. Germany has a system of state-level data protection authorities. These data regulators enforce the same rules but face diverse funding situations, allowing for an ideal setting to study the role of a regulator’s capacity in firms’ compliance decisions. We find that while, on average, the GDPR led to less readable policies, firms active in industries that have in the past received more regulatory scrutiny and those active in jurisdictions of better-funded data regulators exhibit a stronger compliance with the GDPR’s readability requirement. These results exemplify a more general interaction between regulators’ enforcement activity and firms’ regulatory compliance.