The European Commission has for the first time imposed fines under the Digital Markets Act (DMA). What makes the proceedings against Meta particularly interesting is not just the size of the fine (€200 million), but also the data protection perspective involved. The basis for this is a breach of the DMA, specifically the obligation under Art. 5(2), first sentence, point (b) of the DMA, to give users genuine choice regarding the cross-service combination of their personal data.
This first fine decision highlights the enforcement of data protection principles through the competition law-related regulation of the DMA. At the same time, it points to the relevance of the debate surrounding 'Consent or Pay' models, which address fundamental user choice within the framework of the GDPR.
In-depth Analysis:
The European Commission justifies the imposed sanction on Meta by citing a breach of central obligations under the Digital Markets Act. At its core is the accusation that Meta disregards Art. 5(2), second sentence, point (b) of the DMA. This provision addresses the practice of data combination by gatekeepers and requires that end-users are offered an effective choice. Specifically, gatekeepers must ensure that users can freely decide whether their personal data from various core platform services of the gatekeeper (e.g., Facebook, Instagram, WhatsApp) are combined with data from third-party services.
The Commission criticises Meta for not complying with this obligation. It finds a lack of a sufficient option for users who wish to refuse the combination of their data. The DMA requires a less personalised, but equivalent alternative for this purpose, the use of which must not be conditional upon consent to data combination. In the Commission's view, the mechanisms implemented by Meta between May and November 2024 do not meet these requirements for freedom of choice.
This dispute takes place against the backdrop of a broader data protection debate, which has gained new impetus from Opinion 08/2024 of the European Data Protection Board (EDPB) on so-called 'Consent or Pay' models. Although the opinion does not specifically relate to this DMA case, it emphasises fundamental principles of the General Data Protection Regulation (GDPR). Central is the requirement that consent, according to Art. 4(11) GDPR, must be 'freely given'. The EDPB expresses concerns that voluntariness may be jeopardised if the only alternative offered to users for consenting to data processing (particularly for behavioural advertising purposes) is payment of a fee, without an equivalent free alternative being available that does not involve this type of data processing. The principles of choice and fairness discussed in the opinion are also relevant for assessing Meta's practices under the DMA. In this context, the EDPB also highlights the significance of the judgment of the Court of Justice of the European Union in Case C-252/21 (Bundeskartellamt v Meta Platforms et al.).
Meta is expected to challenge the decision: Meta argues that its pre-November 2024 'Subscription for No Ads' model already constituted a legally permissible consent option under EU law and met the requirements of Article 5(2) of the DMA. The choice between a paid subscription and free access with personalised advertising is a common business model. The solution introduced after November 2024 – which is under further investigation by the Commission – offers users even more choice with the option of less personalised advertising. Meta is convinced that its solutions comply with EU regulations, arguing that personalised advertising is the foundation of a free and inclusive internet. The design of the choice screens was developed in collaboration with European data protection authorities, taking into account requirements such as the GDPR and the ePrivacy Directive.
Outlook
This decision underscores the European Commission's determination to enforce the new rules of the DMA. Whether it will ultimately succeed will likely be decided by the CJEU. The case highlights the tension between innovative, data-driven business models and the protection of user autonomy and informational self-determination. Further developments, particularly potential legal challenges and the impact on the practices of other gatekeepers, will need to be closely monitored.
