According to Advocate General Szpunar, even the provision of an ostensibly free service for advertising purposes can constitute a form of direct marketing under Article 13 of the ePrivacy Directive. As a result, newsletters may be sent without prior consent if the conditions of Article 13(2) of the ePrivacy Directive (2002/58/EC) are met. The Advocate General further argues that in such a case, there is no need to rely on Article 6 GDPR.
What happened? A website offered limited free access to online content. Additional content was unlocked upon registration with an email address, while full access was only available behind a paywall. The user registered but did not subscribe to the paid plan. The provider then sent the user a newsletter highlighting new articles on the website.
Key legal questions:
1. Does the newsletter qualify as direct marketing under the ePrivacy Directive? - Yes, according to the Advocate General, the provision of a free service primarily for advertising purposes can fall under the definition of direct marketing.
2. Does sending the newsletter require prior consent under the ePrivacy Directive? - Generally, yes. However, Article 13(2) of the ePrivacy Directive provides an exception: if the newsletter relates to a previous sale of a product or service and the user is given a simple opt-out mechanism, prior consent is not required. The Advocate General appears to consider this exception applicable in this case.
3. Is a separate legal basis under the GDPR required for sending the newsletter? - No, the Advocate General argues that where Article 13(2) of the ePrivacy Directive applies, there is no need to rely on Article 6 GDPR as a separate legal basis.
The Advocate General concludes that the newsletter qualifies as direct marketing. The underlying business model is based on a so-called soft paywall. The commercial objective is to encourage recipients to quickly exhaust their quota of free articles and thereby persuade them to subscribe to a paid service.
Furthermore, the Advocate General finds that the email address was obtained in connection with the sale of a product or service within the meaning of Article 13(2) of the ePrivacy Directive. This applies even when a free service is offered for advertising purposes, as its costs are factored into the price of the advertised products or services. Additionally, it may be sufficient that the user provides their personal data instead of a financial payment in exchange for a service they consider valuable.
Notably, the Advocate General asserts that Article 13(2) of the ePrivacy Directive is exhaustive, meaning that no additional legal basis under Article 6(1) GDPR is required. This contradicts the widely held view that an additional legal basis under the GDPR is necessary. The German legislator, for instance, bases this interpretation on Recital 10 and Article 1(2) of the ePrivacy Directive, which suggest that the GDPR applies regarding the obligations of data controllers and the rights of individuals (see BT-Drs. 19/27441, 33).
Moreover, the GDPR and the ePrivacy Directive are based on different fundamental rights: the right to respect for communications (Article 7 CFR) and the right to the protection of personal data (Article 8 CFR). As a result, their parallel application arises from their distinct scopes of protection. The question of precedence under Article 95 GDPR only becomes relevant when both legal frameworks impose competing obligations on a data controller. The aim is not to exclude the applicability of the GDPR but rather to prevent an undue burden on controllers.
Obiter dictum, the Advocate General also notes that when imposing a fine, an authority is not required to provide a detailed analysis of every single criterion listed in Article 83(2)(a) to (k) GDPR. Instead, what matters is that the affected party can understand the reasoning behind the measure imposed on them.
What are the practical implications of this Opinion?
Although the Advocate General’s assessment - particularly regarding the relationship between Article 13 of the ePrivacy Directive and Article 6 GDPR - deviates from the prevailing opinion, especially that of data protection authorities, its practical impact may be less significant than it initially appears.
The most notable relief for businesses would likely be the stronger argument that the scope of Article 13(2) of the ePrivacy Directive also applies to ostensibly free offerings - whether because the costs of the free service are factored into the price of other services or because users provide their data in exchange for access.
However, the additional requirements for the exemption from the consent requirement must not be overlooked. Companies must particularly ensure compliance with the following conditions:
- The newsletter may only be used for direct marketing of the company’s own similar products or services.
- Users must be clearly and explicitly informed at the time of email collection that they can object to its use for marketing purposes.
- Additionally, every message sent must provide users with a simple and free-of-charge option to opt out, unless they have already objected beforehand.
This means that companies must adhere to these additional requirements both when collecting email addresses and when sending newsletters.
If the CJEU follows the Advocate General’s opinion and declares Article 6 GDPR inapplicable in this context, the practical impact is likely to be limited. This is because it has already been widely assumed that where an exception under Article 13(2) of the ePrivacy Directive applies, the processing of personal data is generally justified by the company’s legitimate interest under Article 6(1)(f) GDPR - meaning that separate consent under the GDPR would not have been required anyway.
An interesting question is whether the precedence of Article 13(2) of the ePrivacy Directive over the GDPR would also extend to Article 13(1), making it an exhaustive regulation of the consent requirement. If consent under Article 6(1)(a) GDPR were not required, this would be a relief for businesses, as it would mean that the GDPR’s substantive requirements for consent would not apply in addition to those under the ePrivacy Directive - potentially lowering the overall threshold for valid consent.
What the present case does not address: Newsletters often contain tracking functions, for which consent under Article 5(3) of the ePrivacy Directive is required. Article 5(3) of the ePrivacy Directive explicitly refers to the consent conditions under the previous Data Protection Directive. Systematically, it is not clear why, in this regard, the consent provisions in Article 13 of the ePrivacy Directive should be considered exhaustive.
What was the background?
Inteligo Media SA, the operator of the Romanian legal information portal avocatnet.ro, introduced a freemium model. Users could read six articles for free on the portal; for more access, a free account (“Serviciu Premium”) was required. During account creation, the email address was collected. The account provided two additional free articles per month and a daily email newsletter (“Personal Update”), unless the user actively selected an opt-out option during registration (“I do not wish to receive ...”). The newsletter contained summaries of new laws with links to articles on the website.
The Romanian Data Protection Authority (ANSPDCP) imposed a fine of approximately 9,000 EUR, as Inteligo processed the emails for the newsletter without explicit consent under Article 6 GDPR. After several appeals, the Bucharest Court of Appeal referred questions to the CJEU regarding the interpretation of Article 13 of the ePrivacy Directive and its relationship with the GDPR, specifically whether the email collection qualifies as “in connection with a sale” and whether the newsletter constitutes “direct marketing”.
