Background and context
At the request of the Dutch, Norwegian and German (Hamburg) supervisory authorities, the European Data Protection Board ("EDPB") has sought to provide clarity on the implementation of "consent or pay" models, considering Meta's business model. These models are particularly relevant for large online platforms such as Meta, which use behavioural advertising to offer personalised advertising. Such business models have been criticised as they may not meet the strict requirements of the GDPR, particularly in relation to voluntary consent.
Consent requirements under the GDPR and the role of the controller
The GDPR requires that user consent must be voluntary, specific, informed, and unambiguous. In the opinion of the EDPB, Meta and other controllers must implement these requirements stringently. The user must have a real choice and must not feel forced to give consent or face negative consequences. Data controllers are obliged to observe the principles of necessity, proportionality, purpose limitation, data minimisation and fairness.
Detailed version of alternative models
To meet the requirements of the GDPR, the EDPB believes that platforms such as Meta should offer a "truly equivalent alternative" to behavioural advertising services that does not charge a fee. If a fee is charged for access, an additional, fee-free alternative without behavioural advertising must be offered, which may process less or no personal data. This is the only way to ensure that users have a real choice and can give their consent under fair conditions.
Checkpoints for voluntary consent
Regarding voluntariness, the EDPB refers not least to the judgement of the Court of Justice in Case C-252/21, which underlines the need for consent to be voluntary without putting data subjects at a disadvantage. This is particularly relevant when platforms such as Meta make access to their services dependent on consent to data processing or alternatively charge a fee. The EDPB wants to determine whether consent is voluntary based on the following points:
- No disadvantage: No high fees that limit users' options.
- Power imbalance: Assessment of the market position of providers and the dependence of users on the services offered. This applies to services that were initially free to use and have built up a large user base as a result. In these cases, users may feel pressurised into consenting to the processing to continue using the service free of charge.
- Freedom from conditions: Consent must not be required for access to necessary services if the data processing is not necessary for this.
- Granularity: Users should be able to consent specifically for individual processing purposes without bundling multiple purposes.
Pressure also from the Commission
The European Commission has also launched investigations into major technology companies such as Apple and Meta to determine whether they have breached provisions of the Digital Markets Act ("DMA"). The focus there is also on Meta's new "consent or pay" model, which may be in breach of the DMA requirements as it requires users in the EU to give consent to the combination or overarching use of their personal data.
The DMA aims to regulate the power of large, dominant technology companies ("gatekeepers") in the digital market, particularly with regard to the handling of users' personal data:
- Recitals 36 and 37 of the DMA explain the obligations of gatekeepers when collecting and processing personal data. Gatekeepers may not combine or use personal data for other services without the specific consent of the user. Users must be offered a less personalised but qualitatively equivalent alternative without making the use of the main platform or certain functions dependent on it.
- Article 5 of the DMA explicitly prohibits gatekeepers from doing the following without the express consent of users:
  - processing personal data that is required for the provision of online advertising,
  - combining data from core platform services with data from other services, and
  - using personal data from core platform services in other, separate services.
What comes next?
The "consent or pay" models of platforms such as Meta need to be carefully reviewed and possibly adapted in order to fully comply with the requirements of the GDPR. Guidelines announced by the EDPB could be helpful in this regard, as could a judgement in Case C-446/21, since the Court of Justice will probably also deal with "consent or pay" in that case.