A coalition of more than two dozen digital and democratic rights groups, NGOs and not-for-profits, including noyb and Wikimedia Europe, have written to the European Union’s regulatory body for data protection urging it to reject a tactic that’s been controversially seized upon by Meta in its latest bid to circumvent the bloc’s privacy laws.
If the European Data Protection Board (EDPB) fails to move against so-called “consent or pay” approaches to processing citizens’ personal data it will create a fatal loophole in the bloc’s flagship data protection regime that could gut people’s privacy rights and reshape the web for the worse, the organizations warn. (See the base of this post for a full list of the signatories to the letter.)
Last year in the EU Meta switched to claiming it would gather regional users’ consent to track and profile them to run its microtargeting ads business — following successful challenges, under the bloc’s General Data Protection Regulation (GDPR), against the legal bases it had previously claimed for the same purpose (first performance of a contract; then legitimate interest). But Meta’s version of consent offers users a Hobson’s choice — of paying at least €9.99/month for an ad-free subscription (per each account they have on Facebook and Instagram); or agreeing to its tracking.
No other choices are available, despite the GDPR stipulating that for consent to be a valid legal basis for processing people’s information it must be freely given. (Meta seems to be playing on ‘free’ in a monetary sense here; but the law actually requires that users feel free to consent or not consent… which is basically the opposite of the costly scenario the adtech giant has concocted that puts a literal premium on privacy.)
The NGOs are dubbing this tactic “pay or okay”. And the concerns they’re raising with the EDPB have been aired by noyb for several years, including — most recently — in two GDPR complaints filed with data protection authorities (DPAs) last year which are challenging Meta’s approach as unlawful.
The privacy rights group has actually been fighting consent or pay (or pay or okay) for years — bringing a raft of earlier challenges against a number of European news publishers which devised the tactic to extract consent from their own users by putting their journalism behind a cookie paywall that demands readers accept tracking or cough up for a subscription. And, in some cases, news publishers have gained, if not full-throated approval from their local data protection authorities, then the equivalent of a wink and a nod and been allowed to carry on. So more of these cookie paywalls have been popping up on news sites around the region.
However Meta is not in the journalism business. Indeed, it typically denies it’s a publisher — saying it’s just an intermediary (platform) connecting users. Yet it’s now appropriating the same tactic as the publishers. (And, indeed, it may not be the only adtech giant to sniff the chance of a privacy-crushing tracking victory here — see, for example, TikTok’s international test of an ad-free subscription last year. )
The coalition of democratic and digital rights — and pro-access-to-information — groups are getting involved in this now because, earlier this month, a trio of DPAs (Norway’s, the Netherlands and the Hamburg authority) wrote to the EDPB asking for it to weigh in on the controversial tactic. (Possibly as a strategy to avoid Ireland’s DPA setting the de facto weather here as, under the GDPR’s one-stop-shop, it’s Meta’s lead oversight authority and has been reviewing its consent mechanism since last summer but has yet to pronounce a view on whether or not it complies with the law.)
The Board’s role in this regulatory patchwork is to work towards harmonizing (as much as possible) the application of the GDPR by the DPAs, including by producing opinions and guidance on how the law should be interpreted. Given that steering body function, one may argue the EDPB should have been rather more proactive in responding to the rise (and creep) of ‘pay or okay’. But, in the event, its hand has finally been forced by the three members’ request this month to opine on whether ‘pay or okay’ is okay (or nay).
Blogging about the request earlier this month, the Norwegian DPA warned the issue is a “huge fork in the road” for privacy rights in Europe. “Is data protection a fundamental right for everyone, or is it a luxury reserved for the wealthy? The answer will shape the internet for years to come,” wrote Tobias Judin, the authority’s international head.
Asked about this last week, a spokeswoman for the EDPB told TechCrunch: “We can confirm that we have received a request for an Art. 64 (2) Opinion on the topic of Consent or Pay. This will be an opinion on a matter of general application, in line with the requirements set out in Art. 64 GDPR.”
She added that the opinion would “look into the general concept of Consent or Pay”; and “will not look into any specific companies” — but declined to provide any further information, noting: “We cannot comment on the progress of ongoing files.”
The EDPB has eight weeks to adopt an opinion — starting from January 25 (when it received the DPAs’ request). But as the Norwegian authority notes this deadline may be extended by a further six weeks (“if necessary”). Which means the Board should be weighing in with a view on how the law on consent applies in this context either by late March or early May at the latest. So there’s a relatively short window before guidance on a very contentious issue drops that could significantly impact companies with surveillance business models like Meta’s — and the regional internet.
“We are highly concerned about this vote and we urge the EDPB to issue a decision on the subject that aligns with the Fundamental Right to Data Protection,” write the NGOs in their letter to the Board. “When ‘pay or okay’ is permitted, data subjects typically lose the ‘genuine or free choice’ to accept or reject the processing of their personal data, which was a cornerstone of the GDPR reform and repeatedly upheld by the CJEU, also in C-252/21 Bundeskartellamt [aka Germany’s Federal Cartel Office’s (FCO) case against Meta’s ‘exploitative abuse’ of users’ data].
“With ‘pay or okay’ any website, app, or other consumer-facing company can simply put a price tag on any ‘reject’ option, ensuring that the vast majority of data subjects must accept the use, sharing, or selling of personal data – or pay a fee that can be more than 100x more expensive than the revenue generated by the use of personal data.”
In the letter the NGOs also argue that ‘pay or okay’ has failed to sustain the business models of the struggling news industry which first deployed it — suggesting: “The profits stay with large advertising networks and big tech platforms that heavily rely on a surveillance business model.”
“If ‘pay or okay’ is permitted, it will not be limited to news pages or social networks but will be employed by any industry sector with an ability to monetise personal data via consent,” they go on to warn. “The GDPR does not provide for a different treatment per industry sector. In practice, this would successfully undermine the GDPR, the high European data protection standard and wash away all realistic protections against surveillance capitalism.”
The letter also raises allegations that Meta has been lobbying individual DPAs to support pay or okay in votes that will inform the Board’s opinion.
A vote of Board members will be taken to determine the position adopted in the opinion, with each EU Member State getting one vote via a representative DPA on the body. The EDPB aims for consensus in its official positions but only a simple majority is needed. And it’s not clear whether most member DPAs oppose — or indeed support — ‘pay or okay’. So it’s hard to predict which way the vote will go, hence the NGOs’ concern. (We’ve previously delved into some of the views DPAs have themselves published on consent or pay here.)
“We… urge the EDPB and all SAs [supervisory authorities] to firmly oppose ‘pay or okay’ to prevent creating a substantial loophole in the GDPR,” the organizations write. “The EDPB’s opinion will shape the future of data protection and the internet for years to come. It is of utmost importance that the opinion truly ensures data subjects a ‘genuine and free choice’ regarding the processing of their personal data.”
While the Board’s guidance will be important in steering how the GDPR is applied in this area in the coming months it may not be the final world on the legal bounds of consent. Rather the EU’s top court, the Court of Justice (CJEU), is likely to be asked to weigh in to set definitive limits on the issue.
The Court has already tossed the proverbial cat among the pigeons on consent or pay after — last summer — it made passing mention in a referral related to the aforementioned German FCO’s case challenging Meta’s collection of data that allowed for the possibility, “if necessary”, of an “appropriate fee” being charged for access to an equivalent alternative service that lacks tracking and profiling.
“Necessary” and “appropriate” are major caveats but Meta quickly seized on the line to justify its ‘consent or pay’ rollout. Whereas noyb dismissed the mention as a mere orbiter dictum — and continues to suggest a future referral asking the CJEU to determine exactly where (and how) the consent line lies will be the final word here.
However, any referral to the bloc’s top court is likely to take years to deliver a verdict. And the Board’s opinion will stand on its own in the meanwhile — shaping developments on a contentious and impactful issue, for both web users (wanting privacy) and adtech giants (wanting people’s data), for the foreseeable future. So, again, that’s why rights watchers are nervous.
The stakes are certainly high: For Europeans’ privacy rights; for the prospect of the bloc showing it can — finally — enforce its own laws and defend fundamental rights from privacy-hostile Big Tech business models; and for tech giants like Meta trying to force their mass surveillance microtargeting ad businesses onto unwilling users by making the only alternative an unobtainable luxury and framing a ‘choice’ where they always win.
As a spokesman for noyb suggests, an EDPB opinion “in favor of Big Tech” could allow the controversial ‘pay or okay’ model to spread further and get entrenched, shuttering the possibility of better — pro-user and pro-information — business models taking the place of the data industrial tracking complex that lurks behind so much of today’s antisocial media and online toxicity.
The letter also warns Board approval for consent or pay could see it creep into other industries — where it would further impact web users’ ability to freely access information without having their activity and interests watched and recorded, and their attention sliced, stickered and sold for commercial gain.
If the last five+ years of GDPR enforcement have demonstrated anything it’s that trying to unpick online wrongs once they’re baked in is a battle that’s almost impossible to win. All eyes will therefore be on the EDPB’s move. The opinion it produces in the coming weeks could cement all these past failings — and lead to the champagne corks popping in Meta’s Dublin HQ. Or — just possibly — it could lay a path out of years of privacy rights stalemate.
Here’s the full list of NGOs signing the letter to the EDPB:
ApTI – Association for Technology and Internet, RomaniaBits of FreedomCorporate Europe Observatory (CEO)The Daphne Caruana Galizia FoundationDefend DemocracyDFRI – Föreningen för digitala fri- och rättigheterDigital Rights IrelandDržavljan D / Citizen DDeutsche Vereinigung für DatenschutzElectronic Frontier NorwayEkōThe Electronic Privacy Information Center (EPIC)European Federation of Public Services (EPSU)epicenter.works – for digital rightsEticas FoundationForbrugerrådet Tænk/The Danish Consumer CounselForbrukerrådet (Norwegian Consumer Council)Hermes CenterHomo DigitalisIrish Council for Civil LibertiesIT-Pol Denmark#jesuislànoyb – European Center for Digital RightsPanoptykon FoundationResource Center for Public ParticipationStichting Onderzoek MarktinformatieWikimedia EuropeXnet, Institute for Democratic Digitalisation