publications
2025
- Between Privacy and Profit: The Dual Role of PETs in Mobile Tracking. Julia Krämer. European Data Protection Law Review, 2025
Mobile tracking poses significant risks to user privacy. Mobile advertising identifiers and Software Development Kits (SDKs) play a central role in this process, which is largely determined by the governance of mobile app stores and operating systems - both dominated by Apple and Google. Recently, both companies have made headlines for incorporating Privacy Enhancing Technologies (PETs) into their products that impact mobile tracking. While these initiatives represent a step toward addressing the issue of tracking, they have also faced criticism for raising competition law concerns as they ultimately do not apply to their native services. Their actual impact on compliance with data protection laws, however, has not yet been sufficiently assessed. This article examines the extent to which these PETs comply with the principles of the General Data Protection Regulation (GDPR). This article argues that most of the PETs introduced by Apple and Google are ‘soft PETs’, i.e. they focus on transparency and leave critical data flows, including those supporting their native tracking ecosystems, largely untouched.
- Word-Level Annotation of GDPR Transparency Compliance in Privacy Policies Using Large Language Models. Thomas Cory, Wolf Rieder, Julia Krämer, and 3 more authors. 2025
Ensuring transparency of data practices related to personal information is a fundamental requirement under the General Data Protection Regulation (GDPR), particularly as mandated by Articles 13 and 14. However, assessing compliance at scale remains a challenge due to the complexity and variability of privacy policy language. Manual audits are resource-intensive and inconsistent, while existing automated approaches lack the granularity needed to capture nuanced transparency disclosures. In this paper, we introduce a large language model (LLM)-based framework for word-level GDPR transparency compliance annotation. Our approach comprises a two-stage annotation pipeline that combines initial LLM-based annotation with a self-correction mechanism for iterative refinement. This annotation pipeline enables the systematic identification and fine-grained annotation of transparency-related content in privacy policies, aligning with 21 GDPR-derived transparency requirements. To enable large-scale analysis, we compile a dataset of 703,791 English-language policies, from which we generate a sample of 200 manually annotated privacy policies. To evaluate our approach, we introduce a two-tiered methodology assessing both label- and span-level annotation performance. We conduct a comparative analysis of eight high-profile LLMs, providing insights into their effectiveness in identifying GDPR transparency disclosures. Our findings contribute to advancing the automation of GDPR compliance assessments and provide valuable resources for future research in privacy policy analysis.
- EU Data Protection Law in Action: Introducing the GDPR. Julia Krämer. In Digital Decade: How the EU shapes Digitalisation Research, 2025
This chapter is intended to introduce the General Data Protection Regulation (GDPR) to social scientists, offering an overview of key legal concepts and provisions from Chapters II and III of the Regulation. The chapter has two main objectives: first, to bridge the gap between empirical and doctrinal research by explaining fundamental GDPR provisions to non-legal audiences; and second, to examine the extent to which these provisions have been explored through empirical research. This includes identifying common methods used, revealing that, only six years after the Regulation’s implementation, a rich body of empirical research has emerged to evaluate its effectiveness. The chapter concludes with a discussion of the challenges social scientists face when empirically investigating the impact of the GDPR, such as translating empirical findings into legal conclusions.
2024
- Regulatory compliance with limited enforceability: Evidence from privacy policies. Bernhard Ganglmair, Julia Krämer, and Jacopo Gambato. ZEW-Centre for European Economic Research Discussion Paper, 2024
We study how asymmetric enforceability of regulation affects firms’ compliance by leveraging the introduction of the General Data Protection Regulation and its transparency principle. The principle compels firms to disclose, in accessible language, details of their data collection. The disclosure requirements are objective, whereas the required readability is subjective and difficult to enforce. We document that firms increased disclosure in their privacy policies without improving readability. Firms facing better-funded data regulators and those anticipating higher scrutiny demonstrated a stronger response in readability compliance (neglected otherwise) without sizeable disclosure effects, suggesting a strategic response to the degree and asymmetry of enforcement.
- The Death of Privacy Policies: How App Stores Shape GDPR Compliance of Apps. Julia Krämer. Internet Policy Review, 2024
The General Data Protection Regulation (GDPR) obliges data controllers to inform users about data processing practices. Long criticised for inefficiency, privacy policies face a substantive shift with the recent introduction of privacy labels by the Apple App Store and the Google Play Store. This paper illustrates how privacy disclosures of apps are governed by both the GDPR and the contractual obligations of app stores and is complemented by empirical insights into the privacy disclosures of 845,375 apps from the Apple App Store and 1,657,353 apps from the Google Play Store. While the GDPR allows for the use of privacy labels as a complementary tool next to privacy policies, the design of the privacy labels does not satisfy the standards set in Art. 5(1)(a) GDPR and Art. 12-14 GDPR. The app stores may consequently distort the compliance of apps with data protection laws. The empirical data highlight further problems with the privacy labels. The design of the labels favours disclosures of developers that offer a variety of apps that can process data across different services and contradictory disclosures do not get flagged nor verified by app stores. The paper contributes to the overall discussion of how app stores in their role as intermediaries govern privacy standards and the impact of private sector-led initiatives.
- Digital Governance: Confronting the Challenges Posed by Artificial Intelligence. Kostina Prifti, Esra Demir, Julia Krämer, and 2 more authors. T.M.C. Asser Press, The Hague, 2024
- Effective Regulation and Firm Compliance: The Case of German Privacy Policies. Jacopo Gambato, Bernhard Ganglmair, and Julia Krämer. NBER Working Paper, 2024
This chapter explores the interaction between the enforcement of and compliance with difficult-to-enforce rules in the context of data regulation. We focus on the effect of the introduction of the GDPR and its transparency principle on the readability of privacy policies for a large sample of German firms. Germany has a system of state-level data protection authorities. These data regulators enforce the same rules but face diverse funding situations, allowing for an ideal setting to study the role of a regulator’s capacity in firms’ compliance decisions. We find that while, on average, the GDPR led to less readable policies, firms active in industries that have in the past received more regulatory scrutiny and those active in jurisdictions of better-funded data regulators exhibit a stronger compliance with the GDPR’s readability requirement. These results exemplify a more general interaction between regulators’ enforcement activity and firms’ regulatory compliance.