“Apps are deeply embedded in our everyday lives: we use them for communication, navigation, banking, health, and even accessing public services. Living without them would be increasingly difficult,” says Julia Krämer, PhD candidate at Erasmus School of Law. Precisely because apps have become so self-evident, she argues, it is important to consider what happens behind the scenes. Many apps collect and share personal data, sometimes on a large scale. The General Data Protection Regulation (GDPR) is intended to protect European citizens against such practices. In her dissertation ‘Data protection by platform: The role of private actors in shaping GDPR compliance in the mobile ecosystem’, Krämer examines how Apple and Google, through their app stores and mobile operating systems, influence GDPR compliance in practice. On 5 February 2026, she defended her dissertation under the supervision of Pieter Desmet, Professor of Quantitative Empirical Legal Studies, and Koen Swinnen, Professor of Private Law and Public and Private Interests.
Who determines how the GDPR works?
When discussing GDPR compliance, we usually think of supervisory authorities, courts and individual app developers. In practice, however, the picture is more complex. As Krämer explains: “The access to these apps is mediated by only two major actors: Apple and Google, through their app stores.” This is where tensions arise. Despite the existence of a strong European data protection framework, empirical research shows that non-compliance in the mobile ecosystem remains widespread. Tracking mechanisms continue to be deployed on a large scale, including in apps that process sensitive personal data.
Apple and Google determine the conditions under which apps are admitted, what information developers must provide, and which technical possibilities are available. In doing so, they influence how GDPR obligations are implemented in practice. According to Krämer, this is not a neutral role: platform-led initiatives do not automatically align with core GDPR principles, such as an actor-neutral allocation of tracking and the principle of data minimisation.
Transparency is not the same as protection
A central component of Krämer’s research is the analysis of so-called privacy labels in app stores. These are short disclosures in which developers indicate what data their app collects and with whom it is shared. The underlying idea is straightforward: if users know what happens to their data, they can make informed choices whether to download an app or not. However, transparency only works if the information is accurate and complete. As Krämer notes: “While these tools promise enhanced transparency and user control, the analysis demonstrates that they often fall short in practice.” Privacy labels are not systematically verified, and definitions of “tracking” may be narrow. As a result, an app may appear to collect limited data while certain forms of processing remain outside the scope of disclosure. Transparency, therefore, does not automatically amount to effective data protection.
Privacy is also shaped by infrastructure
The core message of the dissertation is that privacy is not merely a legal issue, but also a technical one. “If there is one thing I would like people to remember, it is that privacy and data protection are not shaped by law alone, it is also shaped by infrastructure.” By “infrastructure”, Krämer refers to the technical environment in which apps operate and get developed: the operating system, the app store, default settings, and available tools. If a platform permits or restricts certain tracking mechanisms, this immediately affects what developers can do. “My research shows that powerful private actors, such as Apple and Google, effectively set privacy standards through the design of app stores and operating systems. These infrastructural decisions can enable, reshape, or even undermine how data protection law works in practice.”
The ‘privacy champion’ reconsidered
Apple in particular presents itself as a privacy-friendly company. Yet Krämer cautions against an overly optimistic view. “My findings also suggest that claims by companies like Apple to be ‘privacy champions’ should be approached with caution.” Platforms may introduce privacy-enhancing tools that increase user control, while at the same time shaping the ecosystem in ways that also serve their own interests. As she argues: “That is why I argue in my dissertation that privacy can no longer be treated as a design feature or a marketing slogan by Apple and Google.” If mobile platforms have become essential infrastructure for participation in society, data protection must be treated as a structural responsibility rather than an optional add-on.
Combining law and data
What distinguishes the dissertation is its methodological approach. Krämer combined doctrinal legal analysis with large-scale empirical research. She developed a web scraper and over a period of three years, she collected data on approximately 2.5 million apps. “By complementing doctrinal (legal) analysis with large-scale observational data, it becomes possible to assess not only what the law demands, but how it operates in reality.” In a digital environment where millions of apps are active, such an approach is essential to uncover structural patterns rather than isolated incidents.
Who holds the gatekeeper accountable?
Krämer’s research demonstrates that effective data protection today requires more than clear legislation. It also requires attention to those who control digital infrastructure. Platforms are not merely intermediaries between developers and users; through design choices, disclosure formats and technical standards, they actively shape how the GDPR functions in practice. According to Krämer, policymakers and regulators must explicitly acknowledge this infrastructural power. Only then can it be assessed whether platform governance genuinely aligns with EU data protection principles. As she puts it: “If we want meaningful data protection, we need to look beyond formal rules and pay close attention to who controls the technical architecture through which those rules operate.”
Reflections and advice for new PhD researchers
With the completion of her dissertation, Krämer concludes an intensive yet rewarding period. She looks back particularly fondly on the international dimension of her field. “The most enjoyable moments of my PhD journey were undoubtedly the conference travels.” Presenting her work and engaging with other scholars gave her a strong sense of belonging to a broader academic community. Her PhD also taught her the importance of crossing disciplinary boundaries. Combining legal analysis with programming skills and large-scale data analysis required perseverance, but ultimately strengthened the research.
For those just beginning their PhD journey, she offers three pieces of advice: engage with your academic community early, invest in a strong literature management and note-taking system, and allow yourself to experience the process consciously. As she succinctly puts it: “Enjoy the ride!”
- PhD student
- More information
The dissertation can be read here. Krämer previously appeared on the podcast The Digital Period and authored a blog post published on The Digital Constitutionalist.
- Related content
