18 April 2024
At the request of the Dutch, Norwegian and German (Hamburg) supervisory authorities to the European Data Protection Board ("EDPB"), the EDPB has addressed the issue of providing clarity on the implementation of "consent or pay" models considering Meta's business model. These models are particularly relevant for large online platforms such as Meta, which use behavioural advertising to offer personalised advertising. Such business models have been criticised as they may not meet the strict requirements of the GDPR, particularly in relation to voluntary consent.
The GDPR requires that user consent must be voluntary, specific, informed, and unambiguous. In the opinion of the EDPB, Meta and other controllers must implement these requirements stringently. The user must have a real choice and must not feel forced to give consent or face negative consequences. Data controllers are obliged to observe the principles of necessity, proportionality, purpose limitation, data minimisation and fairness.
To meet the requirements of the GDPR, the EDPB believes that platforms such as Meta should offer a "truly equivalent alternative" to behavioural advertising services that does not charge a fee. If a fee is charged for access, an additional, fee-free alternative without behavioural advertising must be offered, which may process less or no personal data. This is the only way to ensure that users have a real choice and can give their consent under fair conditions.
About voluntariness, the EDPB refers not least to the judgement of the Court of Justice in Case C-252/21, which underlines the need for consent to be voluntary without putting data subjects at a disadvantage. This is particularly relevant when platforms such as Meta make access to their services dependent on consent to data processing or alternatively charge a fee. The EDPB wants to determine whether consent is voluntary based on the following points:
The European Commission has also launched investigations into major technology companies such as Apple and Meta to determine whether they have breached provisions of the Digital Markets Act ("DMA"). The focus there is also on Meta's new "consent or pay" model, which may be in breach of the DMA requirements as it requires users in the EU to give consent to the combination or overarching use of their personal data.
The DMA aims to regulate the power of large, dominant technology companies ("gatekeepers") in the digital market, particularly with regard to the handling of users' personal data:
The "consent or pay" models of platforms such as Meta need to be carefully reviewed and possibly adapted in order to fully comply with the requirements of the GDPR. Guidelines announced by the EDPB could be helpful in this regard. As could a judgement in case C-446/21, as the Court of Justice will probably also deal with the "consent or pay" in this case.
by multiple authors
by Dr. Nicolai Wiegand, LL.M. (NYU) and Alexander Schmalenberger, LL.B.
Paul Voigt and Alexander Schmalenberger look at Germany's progress on NIS2 implementation.
by Dr. Paul Voigt, Lic. en Derecho, CIPP/E and Alexander Schmalenberger, LL.B.