No such thing as a free lunch (or online service)

Would you prefer to be naked, pay to keep your clothes on, or settle on shorts and a T-shirt?

This might not seem like a dilemma for data lawyers to resolve, yet this was the question posed by the chair of the EDPB, Ana Talus, at IAPP’s annual Privacy Summit in Washington in April.

Ms Talus was referring to the paid subscription model Meta rolled out to EU users of Facebook and Instagram towards the end of last year. Under the new model, people in the EU, EEA and Switzerland can pay a monthly subscription to use Facebook and Instagram without seeing any ads (the so-called “fully clothed” option). Alternatively, they can continue using these services for free while seeing ads that are relevant to them. It’s this ad ‘personalisation’ that involves processing based on users’ platform activity. We assume that what this activity may reveal is what’s behind Ms Talus’s reference to a user being “naked”.

The move may have surprised some European users who have always been able to use Meta’s products for free. However, the new model did not arise out of thin air. Instead, it is the latest in a long-running legal saga in the EU surrounding what GDPR legal basis data controllers can rely on for personalised advertising.

As we covered last year, historically, Meta has relied on the ‘contractual necessity’ basis for personalised advertising, which forms part of its services “to provide [users] with personalised experiences across the Meta Products in accordance with [its] terms”. As the Irish Data Protection Commission has previously accepted, this is the fundamental bargain between users and platform providers: free use of services in exchange for the platform earning revenue through serving (personalised) third-party ads. However, the EDPB disagreed and instructed the IDPC to issue hefty GDPR fines to Meta in December 2022 for inappropriate reliance on the contractual necessity legal basis and an order to bring its advertising processing into compliance.

Since then, we saw a rare instance of the Norwegian data protection authority using Article 66 GDPR’s urgent procedure mechanism to bypass the one-stop-shop mechanism and issue a 3-month ban on Meta personalising ads to Norwegian users of Facebook and Instagram based on the contractual necessity legal basis and the legitimate interests legal basis. Subsequently, at the EDPB’s instruction, the IDPC extended that ban to users across the entire EEA on 10 November 2023. This essentially left consent as the only legal basis for Meta to rely on for serving personalised ads to users in the EEA.

This brings us, not so neatly, to Meta rolling out its pay-or-consent model in the EEA. This move was followed by complaints being filed by opponents of the business model (such as by the Austrian data rights organisation, noyb), the Dutch, Norwegian and Hamburg data protection authorities referring the matter to the EDPB and, last but not least, by the European Commission announcing that it is also investigating the model under the EU’s landmark new competition law, the Digital Markets Act.

This brings us up to date because on 17th April 2024, the EDPB published its opinion on such ‘pay-or-consent’ models, and, perhaps unsurprisingly, it does not believe that valid consent can be obtained by such models, at least not by a large online platform, such as Meta. Essentially, the EDPB requires that for consent to personalised advertising to be valid, as well as offering a paid, ad-free equivalent service, it should also offer a free-of-charge, equivalent service. The EDPB points out that personal data is not a commodity to be traded in exchange for money. One point that the EDPB doesn’t make, though, which would be interesting to hear, is how a large platform can fund any ‘free’ online service. Imposing unrealistic requirements identified by the EDPB pushes online services towards paid subscription models, thereby reducing consumer choice.

This article is part of our Data Protection Top 10 2024 publication.