Three reasons why the EDPB ‘consent or pay’ opinion lets Meta off the hook 

April, 2024 - Shoosmiths LLP

Do social media users have a fair choice between giving up their privacy and paying a subscription fee? The European Data Protection Board has given its opinion on what’s fair for large platforms in the latest shake up of personalised online advertising.

When it comes to justifying processing personal data for targeted advertising under EU data protection laws, Meta (along with other online platforms) has been feeling the squeeze.

Gone are the good old days when it could claim that behavioural advertising was a necessary part of its service that users signed up to, or rely on its own ‘legitimate interests’ as a lawful basis. So like a warming polar bear, it has hopped onto the final iceberg – user consent – as a legal foundation under the GDPR for carrying out user profiling. And, in order to create an alternative funding stream for users who don’t want to give up their data, it has asked European users to subscribe to ad-free services for up to €9.99 a month: the ‘consent or pay’ model.

This has stoked fury in some quarters. The central question is whether it counts as GDPR-quality ‘consent’ when users are (to quote an old phrase) choosing between rotten apples. In response to urgent requests from three European data protection authorities, the European Data Protection Board (EDPB) has just given its opinion on whether or not this type of model is lawful under the GDPR. Those wanting to see the collapse of paid-for Facebook services in Europe may have sniffed victory: the final summary of the opinion says: “in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice”.

However, a closer look at the detail reveals three key reasons for optimism for the big platforms – at least for now. Here’s why.

The Bundeskartellamt problem

The CJEU’s Bundeskartellamt decision of 4 July 2023 removed legitimate interests as a lawful basis for profiling. But in doing so, it opened the door to ‘consent or pay’ by saying that users refusing to give consent to profiling for ads must be offered an equivalent alternative service ‘if necessary for an appropriate fee”. By doing this the court (which has the final say, not the regulator) has made it difficult for the EDPB to reject the model out of hand. In its opinion, the regulator does its best to get past this problem – in particular with clever arguments about what ‘necessary’ means in different languages - but can’t really get rid of it. So fees must be ‘appropriate’, or used ‘where applicable’, but they are still very much in the frame. 


One ingenious argument against ‘consent or pay’ (used by Max Schrems’ rights group, NOYB) is based around the principle that under the GDPR, consent must be able to be withdrawn ‘without detriment’ to the data subject. Under ‘consent or pay’, the withdrawal of consent to data-driven services means that users have to pay instead, to their obvious detriment. Job done.

But the EDPB is reluctant to follow this line of argument. It says plenty about detriment, but follows a different logic – it looks at the consequences of ‘detriment’ from the perspective of loss of service: that is, the person who can no longer use Facebook to keep up with friends or know when the school play is. It insists that the act of withdrawing consent, and re-signing up to a service again on alternative terms, are separate actions and that loss of access to the utility of Facebook is the direct and immediate detriment contemplated by the GDPR. This is useful in establishing that when a user rejects one rotten apple,  platforms can’t automatically present users with the other. But the enforced separation suggests that the detriment of payment cannot be causally linked to the rejection of tracking, thereby cutting the NOYB argument off at the root. The detriment argument is an extremely powerful one, and perhaps too powerful: the prospect of threatening an end to free services – and annoying all those EU citizens who are quite happy to pay for services in data rather than euros - feels like a step too far for the regulator.

One case at a time

In true data protection style, the EDPB is at pains to stress that each platform and each circumstance is different, and makes very few generalised statements about anything. Even its loudest calls to action, like personal data not being ‘a tradeable commodity’, are not translated into absolutes in the fine detail. It suggests that provision of a contextual-ad only version of a service would be very nice, and will demonstrate data protection law compliance, but does not go so far as to say that such an option must be provided in every case. The EDPB also treads very carefully around anything which looks like market interference, saying that platforms have ‘no obligation’ to offer services free of charge. All this means that the big platforms have plenty of time to refine their models and marshal their arguments – and perhaps lower subscription fees to a regulator-friendly level – before anything bad happens.

Where is all this heading?

Although there’s plenty left unsaid, there are some takeaways. Firstly, using children’s data for targeted ads is going. We know that this is already doomed under the EU Digital Services Act, and this opinion puts the final nail into the coffin. Second, there will be changes to how platforms track us, which commentators are thinking through now (one for next time).

Third: we can see that the EDPB is desperately trying to steer the big platforms towards offering free services equivalent to the old, but relying on contextual advertising only, without risking withdrawal of services or the rise of expensive ‘premium’ offerings. It’s a game of high stakes poker and both sides hold potentially winning cards, but it looks as if they aren’t putting them all down on the table just yet.


Link to article


WSG Member: Please login to add your comment.