On 27 April 2026 I lodged a formal complaint with the Information and Data Protection Commissioner of Malta against Anthropic PBC. The complaint, filed under Article 77 GDPR and the corresponding Maltese Data Protection Act, concerned the silent and ongoing installation of native messaging host manifests onto my device by the Claude.app desktop application, in eighteen distinct write events between 9 March and 27 April 2026, without prior consent and without any legitimate basis under Article 5(3) of Directive 2002/58/EC. The complaint was assigned reference CDP/COMP/245/2026 and acknowledged on 29 April.
I did not anticipate, when I filed it, that the more significant story would turn out to be the response of the supervisory authority itself. The complaint against Anthropic stands and is documented, in full, in the public record. This piece is about something different. It is about the fact that the Maltese supervisory authority has, in a series of emails which I will reproduce below, formally confirmed that no Maltese citizen has any protection under the ePrivacy Directive against any tech company that is not established in Malta, a complete failure by Malta to appropriately implement EU law.
This isn't just my opinion, it is the position the IDPC has taken in writing. I am going to walk through the correspondence, the legal framework that the position cannot survive contact with, and the precedent for what happens when a Member State adopts an inadequate transposition of the ePrivacy Directive. By the end of the piece the reader should be in no doubt that Malta is in breach of the EU Treaties, that Maltese citizens are wholly unprotected against any non-Maltese controller writing to their terminal equipment, and that the European Commission needs to open formal infringement proceedings.
What I filed
The substantive complaint is documented elsewhere on this blog and I will not regurgitate it here in full. The shape of it matters. Anthropic PBC distributes the macOS desktop application Claude.app under its Apple Developer ID Application certificate. On every launch, the application's bundled Chrome MCP server reaches into the per-browser NativeMessagingHosts directories of seven Chromium-based browsers on the user's device, including browsers Anthropic publicly states it does not support, and writes a JSON manifest registering an out-of-sandbox helper as a pre-authorised native messaging host for three Chrome extension identifiers. None of those extensions is installed on my device. No consent surface is presented at any point. The behaviour continued after I served Anthropic with a written cease-and-desist on 21 April 2026.
The legal qualification is straightforward. Article 5(3) of Directive 2002/58/EC requires prior consent for the storing of information on the terminal equipment of a user, regardless of whether that information is personal data. The Court of Justice of the European Union confirmed this in Planet49 (Case C-673/17) and the European Data Protection Board codified it in Guidelines 2/2023. Anthropic stores 411 bytes of JSON into seven separate browser configuration directories on my device, on every launch, without consent. Each write event is an independent and free-standing breach of Article 5(3), as transposed into Maltese law by Subsidiary Legislation 586.01.
That was the complaint. Two days later it was acknowledged. Six days after acknowledgement, the IDPC dropped it.
The IDPC's first move
On 5 May 2026 at 14:02 local time, a Senior Officer for Regulatory and Technical Affairs at the IDPC, sent the substantive triage response. Three short paragraphs. I will quote them in full because every word matters.
Reference is made to the complaint you lodged with this Office against Anthropic.
In accordance with the controller's privacy policy, the controller for individuals residing in the European Economic Area (EEA), the United Kingdom, or Switzerland is Anthropic Ireland Limited. Consequently, your complaint has been transferred in its entirety by this Office to the Irish Data Protection Commission.
This Office will update you upon receipt of confirmation from the Irish supervisory authority that it has accepted to act as the lead supervisory authority for this case.
In any event, this Office's competence under the ePrivacy Directive (S.L. 586.01) is limited to entities established in Malta, which restricts our ability to investigate the matter further.
There are two distinct moves in that email and the second is the dangerous one. The first paragraph applies the GDPR's one-stop-shop mechanism and transfers the GDPR limb of the complaint to the Irish Data Protection Commission, on the basis that Anthropic Ireland Limited is the EEA controller named in Anthropic's privacy policy. That is a procedurally normal move under Article 56 GDPR, even if the Irish DPC's track record with cross-border cases is its own scandal which I will not address here.
The second move is the load-bearing one. The IDPC asserts that its competence under the ePrivacy Directive, as transposed into Maltese law by Subsidiary Legislation 586.01, is "limited to entities established in Malta". Anthropic is not established in Malta. Therefore, on the IDPC's own reading, the IDPC will not investigate the ePrivacy limb of the complaint. The Article 5(3) breach, the storage of information on a Maltese citizen's terminal equipment located physically in Malta, has no Maltese supervisory authority that will look at it.
The one-stop-shop mechanism under the GDPR does not apply to the ePrivacy Directive. The ePrivacy Directive has no equivalent cooperation and consistency mechanism. The Irish Data Protection Commission does not, on the IDPC's own logic, become the supervisory authority for the Article 5(3) limb when the Maltese authority disclaims competence (and in fact the Irish DPC actively refuses to investigate ePrivacy violations unless the complainant is located in Ireland; I know this because I received such a response from the DPC several years ago on a different complaint). The ePrivacy limb is therefore orphaned. No supervisor in Malta. No mechanism to transfer it to anyone else. No remedy.
My reply
Eighteen minutes later, at 14:20, I sent the following reply to the IDPC. I am reproducing it in full because the legal argument it sets out is the heart of why the IDPC's position cannot survive scrutiny under EU law.
Hi [name redacted],
Would you mind explaining to me why you are only competent for companies established in Malta for Directive 2002/58/EC, the Directive does not provide for such a limitation and in fact Member States are legally obligated to investigate under Article 15(2) of the Directive which states:
"The provisions of Chapter III on judicial remedies, liability and sanctions of Directive 95/46/EC shall apply with regard to national provisions adopted pursuant to this Directive and with regard to the individual rights derived from this Directive."
Article 94 of the GDPR shifts that to Articles 79 and 80 of the GDPR and Case C-645/19 from the CJEU supports and binds that to Member States.
If you refuse to investigate it would likely constitute a breach of the Principle of Effectiveness and the Right to an Effective Remedy (Article 47 of the EU Charter of Fundamental Rights) and as such I would be forced to file a legal complaint with the European Commission under their TFEU infringement procedures and I am pretty sure that you don't want me to do that.
As such, I would request that you revisit this decision and come back to me with your final response by end of week (Friday) because as big as these stories are (and they have attracted half a million reads so far) they will pale in comparison to me writing an article about the competent supervisory authority refusing to do their job and leaving citizens in a legal vacuum.
Three legal points stacked into one short message. Article 15(2) of the ePrivacy Directive expressly imports the judicial remedies, liability and sanctions regime from Chapter III of Directive 95/46/EC. Article 94 of the GDPR substitutes the GDPR's equivalent provisions, namely Articles 79 and 80, for the now-repealed 95/46/EC references. C-645/19, the CJEU's judgment in Facebook Ireland Ltd v Gegevensbeschermingsautoriteit, is binding authority that Member State supervisory authorities retain enforcement powers in defined circumstances notwithstanding the GDPR's one-stop-shop mechanism.
The combined effect is this. Maltese law, when properly read against EU law, must provide an effective remedy for breaches of the rights derived from the ePrivacy Directive. That obligation does not disappear because the controller is established in another Member State. Article 47 of the Charter of Fundamental Rights of the European Union, which has the same legal value as the Treaties under Article 6(1) TEU, requires that everyone whose rights and freedoms guaranteed by Union law are violated has the right to an effective remedy before a tribunal. The Court of Justice has been consistent that the Principle of Effectiveness, applied through Article 47 and Article 19(1) TEU, prohibits national procedural rules from rendering the exercise of EU-conferred rights "practically impossible or excessively difficult".
A reading of Maltese ePrivacy transposition that leaves a Maltese user with no remedy against any non-Maltese controller writing onto their terminal equipment located in Malta does not render the exercise of Article 5(3) rights merely difficult. It abolishes them entirely. And it does so in respect of, in practice, every actor that matters: every American big tech company, every Chinese big tech company, every European big tech company that has chosen to establish in Ireland or Luxembourg or the Netherlands (or frankly anywhere else except this tiny little rock in the South Mediterranean called Malta).
The IDPC's strawman
Three days later, on 8 May 2026 at 09:49, the IDPC's "Complaints" mailbox returned its substantive answer. The previous officers had stepped back. The reply is signed only as "Case Officer". I will quote the load-bearing parts.
Firstly, in relation to your email dated the 5th May 2026, the e-Privacy Directive does not establish a "one-stop-shop" mechanism comparable to that provided under the GDPR. This has also been confirmed by the CJEU in C-645/19, which provides that:
"In that regard, the Court observes that the European Data Protection Board, in its Opinion 5/2019 of 12 March 2019 on the interplay between the [Directive on privacy and electronic communications] and the [General Data Protection Regulation], in particular regarding the competence, tasks and powers of data protection authorities, stated that storing and obtaining access to personal data by means of cookies fell within the scope of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), and not within the scope of the 'one-stop shop' mechanism".
The reader will note something rather striking about that opening. The IDPC presents itself as rebutting my position. But I never claimed that the one-stop-shop mechanism applies to the ePrivacy Directive. I do not believe it applies. I have written, repeatedly and publicly, that it does not apply. My original complaint takes the IDPC's competence over the ePrivacy limb as a premise, precisely because the one-stop-shop mechanism does not export that limb to Ireland the way it exports the GDPR limb.
What I argued, in my 5 May email, was something the IDPC's response does not address at all. I argued that Article 15(2) of the ePrivacy Directive imports the judicial-remedies regime from the predecessor data-protection directive, that Article 94 of the GDPR substitutes the GDPR's effective-remedy provisions for the now-repealed references, and that the resulting framework, read against Article 47 of the Charter, requires the IDPC to provide an effective remedy for the Article 5(3) breach. My citation of C-645/19 was for the proposition that Member State authorities retain enforcement competence in defined circumstances. The IDPC pulled a different paragraph from the same judgment, the paragraph confirming that the OSS does not apply to the ePrivacy Directive, and presented it as a refutation.
It refutes nothing. It establishes the very premise on which my argument depends. Precisely because the one-stop-shop does not apply to ePrivacy, the obligation to provide an effective remedy must be discharged by the national supervisory authority of the Member State in which the user's terminal equipment sits. And that authority, for a Maltese user in Malta, is the IDPC.
The reply continues.
Secondly, given that the e-Privacy Directive does not contain an express provision regulating its territorial scope of application, this Office refers, for interpretative purposes, to the Internal EDPB Document 04/2021, which is also being attached for your reference. The EDPB considers that supervisory authorities competent for the enforcement of article 5(3) of the e-Privacy Directive are entitled to exercise the powers conferred upon them under national law in the following circumstances:
the controller/service provider is established in their territorial jurisdiction;
the processing is carried out in the context of the activities of an establishment located in their territorial jurisdiction, even when exclusive responsibility for collecting and processing belongs, for the entire territory of the European Union, to an establishment situated in another Member State; or
in the absence of controller/service provider or establishment in their territorial jurisdiction, the national law provides another criterion for its enforcement.
Pause on point three. The EDPB has expressly contemplated the possibility, and the necessity, of a Member State providing "another criterion" for the enforcement of Article 5(3) where the controller is not established in that Member State. The Member State has a positive obligation under EU law to ensure that its citizens enjoy the rights the Directive confers on them. If the controller is not established in the territory and there is no establishment in the territory, the Member State must provide an alternative trigger that captures the conduct. The EDPB document the IDPC itself relies on flatly says so.
The IDPC then proceeds to confess, without seeing what it has confessed to, that Maltese law does not provide such a trigger.
Furthermore, regulation 3 of S.L. 586.01 provides that the regulations shall apply to the processing of personal data in connection with the provisions of publicly available electronic communications services in public communications in networks in Malta, and also Part II of S.L. 586.01 regulates the national authorities in Malta.
Accordingly, in the absence of a controller/service provider or establishment within the Maltese territorial jurisdiction, and where the national legislation transposing the e-Privacy Directive does not provide an alternative criterion for enforcement, the Commissioner could not investigate the alleged infringement of Anthropic Ireland Limited under S.L. 586.01. You are therefore kindly guided to directly lodge your complaint in relation to the alleged infringement of the e-Privacy Directive directly with the Irish supervisory authority, in view of the existence of an establishment in Ireland.
Read that paragraph again, carefully. The IDPC's position, in its own words and on its own analysis, is that Maltese transposing law for the ePrivacy Directive does not provide a competence trigger that captures a controller established outside Malta which performs storage events on terminal equipment located inside Malta. The IDPC is not arguing that S.L. 586.01 protects me. It is conceding that S.L. 586.01 does not. It also illustrates that Maltese law is in direct contradiction of Case C-673/17 from the Court of Justice of the European Union in its binding judgment in October 2019 that ePrivacy Directive applies to "any information" not just "personal data" - a point explicitly called out in the ruling - this puts Malta in direct breach of TFEU.
That concession is the smoking gun.
What this actually means in practice
The conjunction of the IDPC's two moves leaves Maltese citizens in a position of total non-protection against any non-Maltese controller, in respect of any conduct that engages the ePrivacy Directive. Let me state that in flat numbered terms because it is so absurd that the abstract description does not land.
If a Maltese user's terminal equipment, sitting on the Maltese user's desk in Malta, is written to without consent by a controller established in another Member State, the Maltese supervisory authority will not investigate. You have ZERO protection from unlawful adtech, spam, adware, cookies, profiling - all of the biggest risks to our privacy in a data driven world.
The one-stop-shop mechanism does not apply to the ePrivacy limb of the complaint, on the IDPC's own correct citation of C-645/19, so the Irish or German or Luxembourgish DPA does not become the lead authority for that limb the way it does for the GDPR limb.
The IDPC's referral of the user to the Irish supervisory authority is, on the IDPC's own analysis, a misdirection. Irish ePrivacy transposition (S.I. 336/2011) is, like the Maltese transposition, network-located rather than terminal-equipment-located. The Irish Data Protection Commission is, on its own published practice, no more likely than the IDPC to investigate an Article 5(3) breach occurring on a device sitting in Malta.
The user has no remedy in Malta for the breach. The user has no remedy in Ireland for the breach. The user therefore has no remedy at all under the ePrivacy Directive for a breach committed against the user, in the user's own home, on the user's own device.
That is the regulatory reality the IDPC has put in writing and the question that follows is whether that reality is compatible with EU law. It is not.
The Charter Article 7 dimension
Article 7 of the Charter of Fundamental Rights of the European Union reads:
"Everyone has the right to respect for his or her private and family life, home and communications."
The Charter has the same legal value as the Treaties. Member States are bound by it whenever they implement EU law. The transposition of the ePrivacy Directive is the implementation of EU law. The Member State's Article 7 obligations attach to the transposition itself, not merely to its enforcement.
Recital 24 of the ePrivacy Directive describes the terminal equipment of users as "part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms". The Court of Justice in Planet49 confirmed that the protection of Article 5(3) extends to any information stored on the user's terminal equipment, regardless of whether that information constitutes personal data, precisely because the regulated locus is the user's private sphere as such.
Article 5(3) of the ePrivacy Directive is, in other words, the operative provision through which Article 7 of the Charter is given practical content in respect of the user's device. It is the provision that makes the Charter right enforceable against the conduct that threatens it. Without Article 5(3), the Charter right is rhetorical. Without effective enforcement of Article 5(3), the Charter right is rhetorical. And without a supervisory authority willing to investigate Article 5(3) breaches against users in its territory, regardless of where the controller is established, there is no effective enforcement.
The IDPC has just told every Maltese citizen that, in respect of every controller not established in Malta, there is no effective enforcement. The Article 7 right of every Maltese citizen against every non-Maltese controller is, on the IDPC's own confession, rhetorical. Read that sentence again and understand what it means. In a country where almost every consumer-facing technology product is published by a vendor established outside Malta, the regulator responsible for enforcing the Charter right to private life in your home, on your device, has just confirmed that it will not act.
Article 47 and the Principle of Effectiveness
Article 47 of the Charter provides that everyone whose rights and freedoms guaranteed by EU law are violated has the right to an effective remedy. Article 19(1) of the Treaty on European Union obliges Member States to provide remedies sufficient to ensure effective judicial protection in the fields covered by EU law. The Principle of Effectiveness, established by the Court of Justice in Rewe-Zentralfinanz (Case 33/76) and consistently reaffirmed in subsequent case law, prohibits national procedural rules from rendering the exercise of EU-conferred rights practically impossible or excessively difficult.
A national transposition of the ePrivacy Directive that leaves the user with no remedy at all against any non-domestic controller does not render the exercise of Article 5(3) rights difficult. It abolishes them in the only practical context in which the right has bite. Maltese citizens are not facing a procedurally awkward path to enforcement. They are facing no path at all. The IDPC will not investigate. The OSS does not apply. The Irish DPC has no obvious competence over the storage event in Malta. The user is left with the option of private litigation in Malta against an Irish-established subsidiary of an American parent over a 411-byte JSON write event, an option that exists on paper and is meaningless in practice for any individual data subject.
The Principle of Effectiveness is breached on its face. Article 47 of the Charter is breached on its face. Article 19(1) TEU is breached on its face. The transposition of Directive 2002/58/EC into Maltese law is, in consequence, inadequate as a matter of EU law.
The Phorm precedent
This is not the first time that a Member State's inadequate transposition of Directive 2002/58/EC has resulted in formal action by the European Commission. The precedent matters and I have first-hand knowledge of it.
In 2007 and 2008, BT, the United Kingdom's incumbent telecommunications operator, secretly trialled the Phorm Webwise behavioural advertising system on tens of thousands of its customers, intercepting and analysing their web traffic without consent. When the trials came to light, the UK government's response was to refuse to act on the ground that the conduct was lawful under the UK's transposition of the ePrivacy Directive. Civil society, including the campaign in which I was personally involved, lodged complaints with the European Commission. The Commission agreed.
On 14 April 2009, upon my request, the Commission opened formal infringement proceedings against the United Kingdom under what was then Article 226 EC (now Article 258 TFEU), in respect of the UK's failure to properly transpose Directive 2002/58/EC and the predecessor Directive 95/46/EC. The Commission's complaint, set out in IP/09/570, identified principal failures including the absence of an independent national authority capable of supervising the interception of communications, the UK's restriction of criminal liability under RIPA to "intentional" interception while leaving the broader confidentiality obligation unimplemented, and a definition of consent that fell below the EU standard. The Commission proceeded through reasoned opinion in October 2009 (IP/09/1626) and on to referral to the Court of Justice in September 2010 (IP/10/1215). The United Kingdom was ultimately compelled to amend its law.
The principle established by that proceeding is directly applicable to Malta now. Where a Member State adopts a transposition of Directive 2002/58/EC that leaves citizens without an effective remedy against the conduct the Directive prohibits, the Member State is in breach of its Treaty obligations and the European Commission is empowered, and indeed obliged, to act.
The substantive failure here differs from the Phorm case. The UK's failure was a failure to define consent and to provide for a competent authority capable of supervising interception. Malta's failure is a failure to provide a competence trigger that captures conduct on terminal equipment in Maltese territory by controllers established outside Malta. The principle is the same. The transposition is inadequate as a matter of EU law. The Commission's powers under Article 258 TFEU are engaged.
Treaty breach
To set this out cleanly. Malta is in breach of the following provisions of EU primary and secondary law.
Article 5(3) of Directive 2002/58/EC, in conjunction with Article 15(2) of the same Directive, by reason of the failure of the Maltese transposition (S.L. 586.01) to provide a competence trigger that captures storage events on terminal equipment located in Malta perpetrated by controllers established outside Malta.
Article 94 of Regulation (EU) 2016/679, by reason of the consequent failure to make available the judicial-remedies, liability and sanctions framework that Article 15(2) of the ePrivacy Directive imports through GDPR Article 94 substitution.
Article 47 of the Charter of Fundamental Rights of the European Union, by reason of the consequent absence of an effective remedy for Maltese citizens whose Article 5(3) rights are breached by non-Maltese controllers.
Article 7 of the Charter of Fundamental Rights of the European Union, by reason of the rendering rhetorical of the Charter right to respect for private life, home and communications in respect of the user's terminal equipment, in the only practical context in which that right is meaningfully engaged in 2026, namely the operations of multinational technology vendors.
Article 19(1) TEU, by reason of the failure to provide remedies sufficient to ensure effective judicial protection in the field covered by EU law.
Article 4(3) TEU (the principle of sincere cooperation), by reason of the IDPC's adoption of a position that frustrates rather than facilitates the effective application of EU law.
What happens next
Now I am forced to lodge a formal complaint with the European Commission under Article 258 TFEU, requesting the opening of infringement proceedings against the Republic of Malta in respect of the inadequate transposition of Directive 2002/58/EC, and inviting the Commission to refer the matter to the Court of Justice if Malta does not amend the transposition within a reasonable period.
I will continue to publish updates on this blog as the matter progresses.
The substantive complaint against Anthropic remains live. The Article 7 Charter rights of every Maltese citizen, in their own homes, on their own devices, against the only category of actor that materially threatens those rights in 2026, are presently rhetorical. The IDPC has put that in writing. The Commission needs to act.
