On 17 April 2024, the European Data Protection Board (EDPB) adopted an opinion following an Article 64(2) request under the General Data Protection Regulation (GDPR) by the Dutch, Norwegian & German Supervisory Data Protection Authorities.
The EDPB Opinion highlights the need for large online platforms to comply with all requirements under GDPR, and particularly the requirement to obtain valid consent. The EDPB notes that obtaining consent does not ‘absolve’ a controller from adhering to the principles outlined in Article 5 of the GDPR (namely the principles of accountability, necessity and proportionality, purpose limitation, data minimisation, and fairness) or any other GDPR obligation.
Ultimately, the EDPB believes that in most cases, it will not be possible for large online platforms to comply with the requirement to obtain valid consent if they confront users with a binary choice between consenting to processing of their personal data for behavioural advertising purposes or paying a fee. The EDPB further believes that large online platforms should consider offering a free equivalent alternative to their service that does not include behavioural advertising – noting that this is a particularly important factor in the assessment of valid consent.
What is a “Pay or OK” consent model?
“Pay or OK” consent models, also known as “consent or pay” models, can be described as models where a controller (e.g. a large online platform) offers data subjects (e.g., platform users) a choice between two options in order to gain access to the online platform service the controller provides. Under the system, the data subject can either consent to the processing of their personal data for a specified purpose in order to access the online platform or decide to pay a fee and gain access to the online platform without their personal data being processed for this specified purpose. The EDPB Opinion focuses on models in which the option relates to the processing of personal data for behavioural advertising purposes (i.e., targeted ads), and where the relevant controller is a large online platform.
Request for an Opinion
The EDPB’s main role is to ensure that there is a consistent application of the GDPR throughout the European Economic Area (EEA). As such, the GDPR provides a mechanism under Article 64(2) whereby any supervisory authority can request that a matter which has general application or would produce effects in more than one EEA Member State be examined by the EDPB and that an opinion be provided.
On 17 January of this year, the Dutch, Norwegian and German Supervisory Data Protection Authorities together requested the EDPB to issue an opinion pursuant to Article 64(2) in relation to ‘consent or pay’ models. In particular, the referring authorities questioned whether such models can satisfy the requirements for valid, freely given consent, and whether data subjects are able to exercise “a real choice”. The referring authorities also asked that these questions be considered in the light of the European Court of Justice’s judgment in Meta Platforms Inc. v Bundeskartellamt (C-252/21). In Bundeskartellamt, the Court of Justice had stated that while the dominant position of a provider of an online social network did not preclude the users of such networks from being able to validly consent to the processing of their personal data, the dominant position was an important factor in determining whether the consent was in fact valid and, in particular, freely given.
The Opinion
The EDPB Opinion, through an examination of the various requirements of the GDPR and in particular consent, concludes that consent collected by large online platforms in the context of “Pay or OK” consent models relating to behavioural advertising may only be considered valid to the extent that such platforms can demonstrate that all the requirements for valid consent are met.
Scope of the EDPB Opinion
Notably, the EDPB Opinion is limited in its scope to “Pay or OK” consent models relating to data processing for behavioural advertising, where the data controller is a ‘large online platform’ only. While an online platform is not defined within the GDPR, the EDPB noted that for the purposes of its opinion, the concept may cover, but is not limited to, the definition of an online platform under the EU’s newly introduced Digital Services Act (DSA). The DSA defines an online platform as a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public. The EDPB highlights a number of elements, which are non-exhaustive and to be assessed on a case-by-case basis, that point towards a data controller being considered as a large online platform:
- Whether the platform attracts a large number of data subjects as their users;
- The position of the company in the market;
- Whether the platform conducts ‘large scale’ processing; and
- Whether the controller is a ‘very large online platform’ for the purposes of the DSA or a ‘gatekeeper’ for the purposes of the Digital Markets Act (DMA).
As such, it is clear that the EDPB is taking a wider approach as to the definition of a large online platform, which is likely to encompass a number of platforms beyond the obvious social-media giants designated under the DSA or DMA.
Principles for Processing of Personal Data
The EDPB recalls that Article 5 sets out the principles for processing of personal data and notes that even where consent has been obtained from a data subject, this does not absolve a controller from adhering to the principles set out in Article 5 and elsewhere in the GDPR. As such, the EDPB outlines that:
- Even if processing is consent-based, this does not justify collecting personal data beyond what is necessary for the specified purpose or in a manner that is unfair to the data subjects;
- Processing should respect the principles of necessity and proportionality;
- Respecting the principles of purpose limitation and data minimisation is crucial. As such, controllers should verify whether the relevant purposes can be achieved by less intrusive means, or by processing less personal data; and
- Processing should respect the principles of fairness, accountability, transparency, data protection by design and default.
In the specific context of behavioural advertising, the EDPB made the following observations:
- Excessive tracking is harder to reconcile with the principle of data minimisation;
- Children benefit from special protection and as such should not be subject to behavioural advertising and therefore should not be confronted with ‘consent or pay’ models seeking consent for such processing; and
- Following the decision in Bundeskartellamt, “a controller must be able to demonstrate that the data subject’s consent was freely given in light of the circumstances of the processing situation, and that all other conditions for valid consent were met”.
Requirements for Valid Consent
The EDPB Opinion examines the cumulative requirements that make up consent under the GDPR in great detail and makes a number of observations in relation to ‘consent or pay’ models for behavioural advertising.
Freely Given Consent
The EDPB notes that controllers must ensure that data subjects have a real freedom of choice when asked for consent and should not limit data subjects’ autonomy by making it harder to refuse rather than to consent. As data subjects should enjoy a real and genuine freedom of choice, the EDPB Opinion found that the offering of only a paid alternative to a service which includes processing for behavioural advertising purposes should not be the default way forward for controllers. Should controllers decide to provide data subjects with an ‘equivalent alternative’ which involves the payment of a fee, controllers should also consider offering a further alternative free of charge model without behavioural advertising (which could rely on processing less or no personal data). This, the EDPB notes, would enhance users’ freedom of choice and be a particularly important factor to consider when assessing whether data subjects can exercise a real choice.
The EDPB Opinion outlines that the following criteria should be taken into account when determining whether consent is valid:
- Detriment: Data subjects need to have a genuine choice to refuse or withdraw their consent without detriment, that is, without experiencing harm or damage. Large online platforms should consider whether the decision not to consent would negatively affect a data subject’s ability to access a prominent service or their connections and professional network, or cause them to lose access to content or followers.
- Conditionality: The EDPB notes that a situation of conditionality, where consent is required in order to gain access to a service which is not objectively necessary for the contract, can lead to invalid consent. Therefore, data subjects opting to consent must be offered an equivalent alternative.
- Imbalance of Power: Where a clear imbalance exists, the EDPB notes that consent can only be used in ‘exceptional circumstances’ and where the controller, in line with the accountability principle, can prove that there are no ‘adverse consequences at all’ for the data subject if they do not consent. The EDPB notes that the offering of a free alternative without behavioural advertising could suffice in this context.
- Granularity: A data subject should be free to choose the individual purposes they accept, rather than having to consent to a bundle of processing purposes. The EDPB states that as behavioural advertising uses technically advanced infrastructure, controllers cannot present data subjects with blanket consent for a number of different purposes. Data subjects should be free to choose which purpose they accept, rather than being confronted with one consent request bundling several purposes.
Informed Consent
In order for consent to be valid under the GDPR, it must be informed consent. In the context of consent or pay models, the EDPB Opinion provides that large online platforms should provide information that is sufficiently granular, so that data subjects can understand the service they consent to while retaining the possibility not to consent to others. Similarly, the choices presented to data subjects need to align with the information they are provided with.
Unambiguous Indication of Wishes
The GDPR also requires that for consent to be valid, it must be an unambiguous indication of the data subject’s wishes. As such, the EDPB Opinion notes that in the context of ‘consent or pay’ models, controllers should ensure that users are not exposed to deceptive design patterns when consenting to processing of their data. The EDPB provides the example where consent is collected by wording such as ‘simply continue’ or ‘continue without payment’. Questions on payment should be asked in an accurate and transparent manner, and consent to processing of personal data should not be presented as just a method of avoiding paying a fee.
Specific Consent
The GDPR requires that consent must be given for one or more specific purposes. The EDPB Opinion provides that considering the complex system of data processing behind behavioural advertising, large online platforms should precisely define and delimit the purposes of their processing activities.
Conclusion
The EDPB concluded that in most cases, it will not be possible for large online platforms to comply with the requirement to obtain valid consent if they confront users with a binary choice between consenting to processing of their personal data for behavioural advertising purposes or paying a fee. The EDPB stated that personal data cannot be considered a tradeable commodity and large online platforms should bear in mind the need to prevent the fundamental right to data protection from being turned into a feature that individuals need to pay to enjoy. As such, the EDPB believes that large online platforms should consider offering a free equivalent alternative to their service that does not include behavioural advertising.
Ultimately, in response to the referral from the Dutch, Norwegian & German Supervisory Data Protection Authorities, the EDPB concluded that consent collected by large online platforms in the context of ‘pay-or-consent’ models relating to behavioural advertising “may only be considered as valid to the extent that such platforms can demonstrate, in line with the principle of accountability, that all the requirements for valid consent are met”.
Implications
The EDPB Opinion is welcome and essential guidance in an area of data protection law that has faced scrutiny and challenge for several years since the introduction of the GDPR. It highlights the need for large online platforms to ensure that the consent they are receiving from users is truly valid, and that they continue to meet all other obligations under the GDPR. In some situations, it may require online platforms to reassess their business models to ensure prioritisation of user privacy and data minimisation. Failure to adhere to GDPR obligations can lead to large administrative fines.
The EDPB Opinion can also be examined in the context of the European Union’s wider Digital Reform Package, which introduces a number of new frameworks to enhance individual privacy and protection online. For example, earlier this year, the European Union utilised the newly-applicable DSA to send a ‘Request for Information’ to Meta seeking details of how their ‘consent or pay’ model complied with its obligations in relation to advertising, recommender systems, and risk assessments.
Contributed by Róisín Culligan, Kevin White.