Recently, prominent online service platforms, notably Meta, have introduced a "consent or pay" model, garnering significant attention. This model presents users with a choice: to consent to the collection and analysis of their personal data for advertising purposes or to opt for a fee-based service without advertisements. Absence of a decision may result in restricted access to the platform's services.
On January 26, 2024, the Norwegian Data Protection Authority, Datatilsynet, together with the Dutch Data Protection Authority, announced a collaborative effort with the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) to examine the implications of the "consent or pay" model in the context of personal data protection and targeted advertising. They seek guidance from the European Data Protection Board (EDPB) under Article 64(2) of the General Data Protection Regulation (GDPR) for a clearer interpretation of this model, aiming for more defined regulations or guidelines.
This initiative stems from varying approaches to the "consent or pay" model across Europe. While some jurisdictions permit its application, others, and notably the Court of Justice of the European Union (CJEU), have yet to delineate the legal boundaries of its application. Therefore, the establishment of a unified standard is deemed crucial for safeguarding the privacy of citizens throughout the European Union.
The EDPB is expected to issue a response within 8 weeks, providing critical guidance on the application of the GDPR concerning the "consent or pay" model across the European Economic Area. This decision will have a direct impact on stakeholders involved in personalized advertising using personal data.
Regulatory Perspective Simplified
In Europe, the "consent or pay" model is widely used in digital services, but there is not yet a single set of rules for it. Data protection authorities look at how much data is being used and how it affects people to decide on rules.
Take, for example, well-known newspapers like Spiegel, Zeit, and Bild, which let their readers choose between giving consent or paying. These cases have been reviewed by data protection authorities, which have been more forgiving with magazine services. On the other hand, big online companies like Facebook and Instagram, with their huge number of users and the big influence of ads targeted based on user data, have gotten more attention and concern from data protection authorities in many places.
Legal Controversy
- Compliance with "Free Consent" Requirement
The GDPR delineates clear protocols for the processing of personal data, placing the "consent or pay" model under scrutiny. A pivotal question is whether the consent obtained under this model constitutes a freely given, informed, and unambiguous indication of the user's wishes.
Article 6 of the GDPR enumerates the legal bases for processing personal data, including but not limited to the data subject's consent. Absent such bases, data processing may be deemed unlawful. Thus, the assessment of whether the "consent or pay" model aligns with GDPR hinges on the nature of consent as freely given.
The GDPR preamble highlights that consent should not be regarded as freely given if the data subject has no genuine or free choice, or is unable to refuse or withdraw consent without detriment. Consequently, for consent to be valid under the "consent or pay" model, it must be presented as a choice free from adverse consequences. However, requiring payment for refusal of consent complicates this premise, raising questions about the freedom of choice.
Despite these considerations, the EDPB has acknowledged that incentives for obtaining consent do not inherently violate the GDPR. Furthermore, the CJEU has indicated that companies may offer alternatives for a fee if consent for specific data processing is not granted, introducing a nuanced interpretation of GDPR compliance.
- Impact on Low-Income Users
The Norwegian Data Protection Authority's Tobias Judin has articulated concerns regarding whether data protection will remain a universal right or become a privilege for the affluent. This discourse is pivotal in shaping the future landscape of internet governance.
Although subscription fees for most services are deemed affordable, the core issue lies in the binary choice between service usage and privacy concession, potentially exacerbating digital inequality and undermining the rights of economically disadvantaged groups.
Privacy advocates, including Max Schrems of the organization NOYB, have criticized the potential discriminatory impact of the "consent or pay" model on low-income groups. Schrems's stance—that fundamental rights, including privacy, should not be commodified—underscores the ethical considerations at play. NOYB's complaint against Meta's implementation of the model, highlighting the prohibitive costs of preserving privacy across multiple applications, further accentuates the debate on whether privacy protection should entail significant financial expenditure.
Event Implications
As EU data protection authorities deliberate on the "consent or pay" model, and with legislative clarity still forthcoming, businesses are advised to proceed with caution. Ensuring compliance with the GDPR and keeping abreast of regulatory updates remain paramount.
The process of obtaining user consent is a cornerstone of lawful data processing under the GDPR, emphasizing the necessity for clear communication and genuine choice. Companies shall not only articulate the purposes and methods of data processing transparently but also ensure that consent can be freely given or withheld, maintaining the ability for users to withdraw consent effortlessly and without prejudice.
More Resources:
1. https://www.datatilsynet.no/en/news/aktuelle-nyheter-2024/request-for-an-edpb-opinion-on-consent-or-pay/
2. https://www.autoriteitpersoonsgegevens.nl/actueel/ap-privacy-is-een-grondrecht-niet-alleen-voor-rijke-mensen
3. https://datenschutz-hamburg.de/fileadmin/user_upload/HmbBfDI/Pressemitteilungen/2024/240129_PM_payment_models_EDPB_request_EN.pdf