The news that Facebook and Instagram could become paid services sent shockwaves throughout the masses of influencers and other social media enthusiasts. Would they really have to pay a monthly fee starting at 12 euros for their daily fix of reels, posts and pictures? Fortunately for Europe’s young and trendy, the subscription model is not mandatory. This so-called pay-or-consent (or pay-or-ok) model depends on whether Meta collects and processes your data for the purpose of personalized advertising. For those who do pick the paid subscription, Facebook and Instagram would come without ads and without the use of their personal data (and without tracking? This remains unclear). So, we can all breathe easy, who cares about privacy anyway? Spoiler alert: it turns out many – or at least the European regulators – still do.
By Jasper van den Boom
The European Data Protection Board’s Opinion on Pay-or-ok
The question whether pay-or-consent models are allowed is being answered from two perspectives. On the one hand, we have the recent European Data Protection Board’s (EDPB) Opinion on the matter. On the other, we have the Commission’s investigation into Meta under Art. 5(2) DMA, aiming to answer the same question. On the 27th of May in a cosy meeting room in sunny Amsterdam, I joined a roundtable hosted by the Data-Driven Marketing Association (DDMA, coincidentally) where we discussed the question whether it is ok to ask a monthly fee of users who do not consent to have their data collected. In its Opinion, the EDPB debates whether and when asking a monthly fee in lieu of tracking is acceptable under the General Data Protection Regulation (GDPR). However, this Opinion pays a somewhat surprising amount of reverence to the Digital Markets Act and Digital Services Act in motivating its considerations. Consequently, we see a move towards some convergence between the different types of regulation for the digital sector, and gain some insights into what the findings of the Commission under the DMA may look like.
The EDPB’s Opinion arrived on 17 April 2024, after national data protection authorities had asked them to look into the pay-or-consent model introduced by Meta. With this new model, Meta would offer users two options related to their data processing. Under the first option, users would consent to have their data collected and used for personalized advertising. Under the second option, for those users who refuse tracking, a monthly subscription fee of 12 euros for the first platform and 4 euros for each subsequent platform is due (although the price has recently been halved to 6 euros for the first platform, possibly in an attempt to appease regulators). The EDPB – on the request of interested Data Protection Authorities (DPAs) – wondered whether – and under which conditions – ‘consent or pay’ models relating to behavioural advertising can be implemented by large online platforms in a way that constitutes valid, and in particular freely given, consent. The EDPB ruled – in short – that especially large platforms should offer a third option where they neither track nor ask for a subscription fee, but instead use contextual ads (as opposed to personalized ads) to fund their businesses. The long answer is, as expected, far more complicated.
Before diving into the depths of the Opinion, it should be noted that the DPAs asked the EDPB to look at this case particularly in light of the CJEU’s judgement in the Meta case, where Meta and the Bundeskartellamt litigated the question whether the bundling of data across platforms without users’ consent constitutes anti-competitive behaviour. The CJEU opened the door for the confluence of competition law and data protection by ruling that this could indeed constitute a competition law infringement. With this competition law case involved at the outset of the analysis, the framing of the question already invited some cross-referencing, which ultimately made the Opinion not only complex but also somewhat ambiguous. As one observer noted during the roundtable, it seems that the Opinion takes a firm stance, while also leaving room for almost every possibility. If true, a remarkable achievement! So what prompted this assertion, and is that what the Opinion really does?
The Opinion indeed has a paradoxical feel. On the one hand, it is incredibly clear about what it expects of companies like Meta in how they design their consent options. The EDPB even develops an alternative to pay or consent that it calls the third option. Users would then be able to choose to either pay (a monthly subscription fee), consent (to data collection), or not pay and not consent while receiving an equivalent alternative. This equivalent alternative would then rely on contextual advertising instead of targeted advertising. With this, the pay-or-consent-or-don’t model was born. Commentators however raised one problem with this new (and, from a user perspective, desirable) model: if users have access to the third option, they are not likely to choose the first two. If users do not select the first two, the company will make significantly less money from its contextual ads than it would from behavioural ads. While sympathy for the multinational may not be a societal priority at this time, the impact would likely be most devastating for smaller companies that cannot keep treading water with this new rule weighing them down. In a way, we had the same discussion that has haunted the GDPR since its inception: is increased data protection harming competition by raising barriers to entry for new start-ups?
But, as the Amsterdam-born Louis van Gaal might say, the soup is not eaten as hot as it is served. Meaning, small businesses may not have as much to fear from the Opinion as a reading of the third option might suggest. Despite the attention that is paid to the third option in the Opinion, it is not a hard rule, and it does not apply in the same way to every company. Instead, the EDPB’s Opinion has a very specific focus, with specific reference to the Meta judgement. The Opinion explains, at length, that this third option should be seriously considered, depending on a number of circumstances. Moreover, it should be considered especially by very large online platforms that engage in ‘large scale’ processing of personal data, for the purpose of online behavioural advertising. Particularly interesting, and discussed in-depth in the next section, is that the EDPB refers specifically to very large platforms as defined in the DSA, and gatekeepers as defined in the DMA, when clarifying who should be wary of introducing pay-or-consent models.
The question of free and informed consent
The EDPB’s Opinion sets out a number of conditions that invite reflection as to whether pay-or-ok is ok. This reflection starts by thinking whether the consent is freely given, meaning that the user was not pressured, coerced, or otherwise manipulated into giving anything other than free consent. Freely given consent does not refer specifically to free of charge, but to the question whether the decision to consent is an ‘unambiguous indication of the data subject’s wishes’. So, it may still be appropriate to ask for some kind of compensation. Whether or not asking for compensation is appropriate depends on many things: the size of the undertaking and the scale of its data processing, the existence of lock-in, network externalities, market concentration and (a lack of) competition, the imbalance of power, the dependence of the consumer on the platform, and the target group or audience that uses the platform.
This lengthy yet non-exhaustive list shows that there is a spectrum of what one can consent to freely. On one side of the spectrum is a (hypothetical) perfectly competitive market, where you and I have a choice between many equivalent platforms that offer similar services. If platform A asks me to pay-or-consent, I can move to platform B, which does not use the same consent model, or platform C, which offers the three options. There is no dependency and no detriment in refusing consent, so if I do decide to pay I am doing so by my own will. At the opposite end of the spectrum is the (equally hypothetical) unavoidable monopoly platform. If I depend on the platform to fulfil my daily activities (or survival, for the sake of hyperbole), I should not be excluded for refusing consent to processing my personal data. Here, introducing a pay-or-ok model would be unacceptable.
The Opinion is mindful of the controversial history of the GDPR in terms of its impact on competition and seems to say that as long as there is healthy competition, pay-or-ok is fine, but if there is monopoly it is not. This comes quite close to introducing a sort of special responsibility as we know from competition law, where dominant undertakings must ensure not to distort competition further. Now, similarly, dominant companies must be sure to respect the fundamental right to data protection and privacy more than others. This helps one to understand the viewpoint that the EDPB takes a firm stance while leaving the door completely open: it is clear in what you are not allowed to do and when you are not allowed to do it, but we have no idea as to how the DPAs will actually assess and enforce this. Does it suffice to say that an undertaking that is designated as a VLOP or a gatekeeper can never introduce a pay-or-consent model according to the EDPB? Perhaps, but there seems to be a broader spectrum considered by the EDPB than just regulated or unregulated entities, depending on their size. Hereunder, let’s dive more into the problem raised by this approach: how do we practically deal with such a convergence of laws and legal disciplines?
Fundamental rights and economics: a match made in…?
So, do fundamental rights and economic assessments mix? As mentioned multiple times during the DDMA roundtable, it is the duty of a DPA to protect the fundamental right to privacy first and foremost. They exist to protect the end-user, or data-subject, from possible infringements on their rights. Economic considerations should – especially on the side of the DPA – be a minor consideration in this equation. This does however not mean that the DPA does not need to balance the fundamental right to privacy on the one hand, and the fundamental right to conduct one’s business on the other. When raised by the investigated entity, the DPA should weigh the parties’ freedom of contract and whether the processing of certain data is necessary for commercial or public interests.
While this is no news, it seems exceptionally explicit in the recent pay-or-ok opinion. The study of concentration, market power, and competitive pressures is something that is generally considered the domain of the competition authority, not the DPA. The Meta judgement seems to have opened the door for convergence between the two, but does this work both ways? Proponents of the Opinion could argue that the EDPB has expertly avoided the problem of hindering competition that has (supposedly) plagued the GDPR. Opponents could however say that the Opinion introduces a complexity of assessment that will harm the enforcement of data protection laws in the long run. Will it now be required for DPAs to define product and geographic markets, assess market power, and declare dominance before they are able to decide on the pay-or-ok(-or-don’t) model, or will the assessment be a lot more intuitive? If the DPAs do not have the answer to these questions, then how could the business entity that is considering introducing such a model engage in self-reflection? This will – for better or worse – have to be made concrete through case-by-case assessments. However, there are some shortcuts that may help businesses in conducting their own assessment.
Something old, something new, something borrowed, something blue?
Are the DPAs and competition authorities (and thereby data protection and competition law) married to one another after this Opinion? Probably not, but it makes for a nice title and analogy, so we will act as if they are. For a good marriage, one must follow every cliché advice that is given at weddings. First and foremost, communication between the different authorities will be vital. Secondly, trust becomes increasingly important as the domains converge and the authority in one area may start to encroach on the competences of the other. Third, one should never go to bed angry (which does not work well for the sake of the analogy, but is common advice nonetheless).
In this particular case, one may also find some wisdom in superstition, in particular where it concerns the early stages of convergence, the matrimony. We have something old, namely competition law and data protection, two regimes that are well established and follow their own principles. We now also have something new, namely the DMA and the DSA and their specific rules for gatekeepers. In the Opinion, we find something borrowed, as the EDPB mentions the concepts of VLOPs and gatekeepers from the DSA and DMA explicitly. Now, we must make sure that this mixture of concepts does not leave us blue. There is, especially in relation to borrowing, a particular danger of things getting lost (just like when you start an analogy in a blog and it takes way too long to make your point).
During the DDMA roundtable, the data protection authority clarified on multiple occasions that – in principle – the Opinion discussed pay-or-ok with large online platforms such as Meta in mind, or more generally VLOPs as we find in the DSA. So, this would be platforms with 45 million monthly users or more. However, it also applied to entities that engage in large scale data processing, a term found in the GDPR. Besides this, it also applies specifically to gatekeepers, meaning that you need at least 45 million end-users, as well as 10,000 business users, have a market cap of over EUR 75 billion and EUR 7.5 billion in revenue, and that you must have been entrenched for at least 3 years. One may already wonder if the addition of gatekeepers in the Opinion was really necessary, or if this leads to confusion as to what the thresholds actually are.
What does this mean for the DMA investigation?
The EDPB’s opinion indicates that whether pay-or-consent should be an option depends largely on the size of the undertaking. Here, they seem to consider a wide spectrum of very small to very large. However, by making reference to the DSA and DMA, one may get the idea that the EDPB intended to set a clear threshold, namely that an undertaking is a VLOP according to the DSA or gatekeeper according to the DMA. The truth may however be more complex.
In light of coherence between different areas of EU law, one could argue in favour of establishing such a threshold. If the regulators would establish that VLOPs and gatekeepers are indeed not allowed to introduce a pay-or-consent model at all, this Opinion may already spoil the surprise of the outcome of the Commission’s investigation into Meta under Art. 5(2) DMA. However, the EDPB’s opinion does not clearly state that all gatekeepers and VLOPs are prohibited from using a pay-or-ok model, and it does not mean that the assessment under the DMA, competition law, and data protection law are fully aligned. As the EDPB still speaks of a spectrum of larger and smaller, and Meta is one of the largest and most prominent collectors and users of personal data, additional restrictions placed on a company the size of Meta do not necessarily apply to all other gatekeepers or VLOPs.
There may still be more room for serious consideration by VLOPs that barely pass the thresholds of 45 million end-users, or gatekeepers that operate only one core platform service, than there is for undertakings with expansive ecosystems of products like Meta. Moreover, the EDPB’s opinion is still just an opinion, to which the DPAs will likely give more concrete thresholds through case-by-case enforcement. Thus, there may still be quite some room for the European Commission to develop their own considerations and standards. However, in light of the EDPB’s Opinion, the interest of DPAs, and the Commission’s swiftness in opening the non-compliance investigation into Meta’s changes following Art. 5(2) DMA, it is likely wise that Meta already starts working on their plan B (or option three) just in case.
This ambiguity of the EDPB’s opinion invites some closing thoughts: while convergence between digital regulation can – and likely should – be welcomed, it is important to ensure that borrowed terms from one regulation are used consistently and remain easily interpretable. Reliance on the definition of VLOPs and gatekeepers as used under the DSA and DMA may set certain expectations, while the reality of the assessment by Data Protection Authorities – which relies on this undefined spectrum – is more complex. This, paired with the idea that there will be more of an economic assessment required by the DPAs, may stir some confusion amongst the regulators, regulated and other stakeholders. After all, DPAs are tasked with protecting personal data in light of one’s fundamental rights, not in light of the existence of complementary economic regulations. We will have to wait and see how much weight the Commission gives to the prerogatives of the data protection authorities in their decision on the basis of Art. 5(2) DMA, if at all. If not, the reverence paid to the Commission by the EDPB may prove to be a one-way street.