Pay or consent offering and the legal challenge of free and genuine choice

#inadequate data processing #lawfulness of processing #consent #personalised advertising #digital platforms #competition #dma 

spiral staircase, hamburg, stairwell-8503799.jpg2023 had a significant privacy weight for Meta. Regulators from different European countries penalised the Californian technology conglomerate for inadequate data processing practices. The lawfulness of combining data across Meta’s suite of social platforms for personalised advertising purposes, dubbed as super-profiling, was at the core of privacy and competition actions ultimately decided upon by the Court of Justice of the EU (CJEU) in its landmark Decision C-252/21. 

 

In its ruling, CJEU appreciated that the controller’s dominant position on the market creates the presumption of a clear imbalance between its users and the controller. This circumstance might amount to insidiously pressurising individuals into providing their consent to processing activities to which otherwise, they would not consent. The controller has the burden of proving otherwise. 


That is to say that, for the processing at hand, as with regards to the applicability of Article 6 of the GDPR, all lawful bases other than consent, have been ruled out by the CJEU. In other words, CJEU decided that “consent is the only appropriate lawful basis for the tracking and profiling driven ‘personalized’ content and behavioural advertising that Meta monetizes.” 


CJEU decision was appreciated as giving the authorities a leverage in prohibiting personalised advertising by large digital service providers, like Meta, unless a valid consent is obtained under the auspices of Article 7 of the GDPR

Most importantly, the CJEU judgement underscores the premises that the market power should play a role in the assessment of the validity of (i.e., freely given) consent. 

By the moment of the ruling, Meta, forced by the circumstances outlined at the beginning of this text, changed its data processing lawful basis from contractual necessity to legitimate interest and finally, in the aftermath of CJEU Decision C-252/21, to consent. Nevertheless, Meta’s consent proposition is energetically contested by activists and data privacy pundits who have been quick to note that it requires users to pay monthly subscriptions to access advertising free versions of Meta’s products. It is worthwhile mentioning that the subscriptions fee is quite consistent while no breakdown of the costs is available, let alone that users are asked to subscribe for each Meta account they own (i.e., Facebook, Instagram). 


Meta’s ad-free subscription for regional users has an initial cost of €9.99/month on web or €12.99/month on iOS or Android per linked Facebook and Instagram accounts in a user’s Accounts Centre (with an additional fee of €6/month on web and €8/month on iOS or Android set to apply for each additional account listed in a user’s Account Centre from March next year. 


From a legal standpoint, there are multiple issues vis-à-vis what Meta interprets to be “a subscription service as part of a model to obtain valid consent.” 


Recital 43 of the GDPR provides that: “In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all circumstances of that specific situation.” 


Regarding the latter, in its Guidelines 05/2020 on consent under Regulation 2016/679, version 1.0, adopted on 4 May 2020, paragraph 21, the European Data Protection Board, clarifies that: “Imbalances of power are not limited to public authorities and employers, they may also occur in other situations. As highlighted by the WP29 in several Opinions, consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion, or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure, or inability to exercise free will.” 

 

The problem of freely given consent. 

Article 7(4) of teh GDPR provides that: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” 

It seems difficult to reconcile this requirement with a take-it-or-leave-it approach that forces individuals to consent to their data being combined across Meta’s suite of social platforms for personalised advertising purposes, or otherwise leave the services. 

Nevertheless, individuals who leave the services, lose their contacts and interactions, often built up over years. This is even more problematic when users do not have a real choice among different providers for similar services. 
 

The problem of real choice.  

According to Article 7(3) of the GDPR: It shall be easy to withdraw as to give consent”. Or, in the case at hand withdrawing consent requires users to sign up for a monthly subscription, needles to point out that this model does not fit the easiness of consent withdrawal codified by the regulator. 


Plus, according to guidelines provided by the French Data Protection Authority (Commission nationale de l’informatique et des libertés or CNIL): “This monetary compensation must not, however, be such as to deprive internet users of a real choice: we can therefore speak of a reasonable price.” 


Or, in a recent complaint submitted to the Austrian Data Protection Authority (Datenschutz behorde – DSB) an individual shows that Meta’s fee in exchange for his right to opt-out is not affordable to him, citing a financially difficult situation, where he must choose between his right to privacy and basics for his survival. 


The same CNIL shows that: “The publisher who wishes to implement a paywall must be able to justify the reasonableness of the monetary compensation proposed. For greater transparency towards Internet users, the CNIL encourages publishers to publish their analysis.” 


On the cost of the subscription, Meta’s spokesperson declared that pricing is in line with other ad-free premium subs offered by streaming services such as YouTube Premium, Spotify Premium, Netflix Standard and Twitch Turbo.


However, privacy advocates notice that these rivals don’t always offer blanket pricing across the EU, making comparisons challenging. Additionally, in the case of Spotify and Netflix, both are services that stream professional licensed content, making them a very poor comparison with Meta’s products. 

 

Clear imbalance.

The element of imbalance of power is relevant in monopolised markets as well as in markets in which consumer choice is undermined, through strong network effects or lock-ins. In other words, this is the case where the user has only few or no alternatives to the service, and thus has no real choice as to the usage of cookies for instance in case of service providers in dominant positions whose services they feel that are indispensable to them. As proved above, the GDPR contains provisions which could render consent invalid when: 
 
  • the data controller is dominant, and users do not have alternatives on the market and 
  • the data controller does not give users a choice but to accept its terms if they want to use its service. Nonetheless, so far market domination has not played a role in the assessment of the validity of consent by different Data Protection Authorities. 

The new EU digital legislation could mark a turning point in this respect. 

Marking the turning point. 

On 6th of September 2023, the European Commission has designated Meta, as gatekeeper under the Digital Markets Act (DMA). Meta has until 06th of March 2024 to ensure full compliance with the DMA obligations for each of their designated core platform services.
 
According to Recital 36 of the Digital Markets Act: “To ensure that gatekeepers do not unfairly undermine the contestability of core platform services, gatekeepers should enable end users to freely choose to opt-in to such data processing and sign-in practices by offering a less personalised but equivalent alternative, and without making the use of the core platform service or certain functionalities thereof conditional upon the end user’s consent.” 
 
Given that the DMA is designed, among other things, to regulate the behaviour of gatekeepers like Meta which can unilaterally impose terms on users, the definition of gatekeeper is useful for GDPR purposes as well. The high threshold to reach a gatekeeping status means that Meta can be considered dominant for the purposes of GDPR enforcement. 
 
Meta  falls under the definitions of competition law and the DMA and, by using these definitions, the Data Protection Authorities have a solid ground on which to determine whether market power impedes consent from being given freely. When doing so, the Data Protection Authorities can follow guidance used by competition authorities when assessing dominance and make use of the increased collaborations taking place with competition authorities. 
 

Sources: 

1. Meta faces another EU privacy challenge over ‘pay for privacy’ consent choice 

https://techcrunch.com/2024/01/10/meta-pay-or-okay-noyb-complaint-2/?guccounter=1

2. CJEU ruling on Meta referral could close the chapter on surveillance capitalism

 https://techcrunch.com/2023/07/04/cjeu-meta-superprofiling-decision/ 

3. Cookie walls : la CNIL publie des premiers critères d’évaluation

https://www.cnil.fr/fr/cookie-walls-la-cnil-publie-des-premiers-criteres-devaluation 

4. Market Power and the GDPR: Can consent given to dominant companies ever be freely given?

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4492347 

5. Meta’s EU ad-free subscription faces early privacy challenge 

 https://techcrunch.com/2023/11/28/meta-ad-free-sub-noyb-complaint/

6. Digital Markets Act 

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925

7. Is Meta’s ad-free service just another way to make people pay for privacy?

https://www.theguardian.com/technology/2023/dec/05/is-metas-ad-free-service-just-another-way-to-make-people-pay-for-privacy 

Author:

Petruta Pirvan, Founder and Legal Counsel Data Privacy and Digital Law at EU Digital Partners