On the 17th April 2024, the EU Data Protection Board (“EDPB”) adopted Opinion 08/2024 on the lawfulness of “consent or pay” models by large online platforms under the General Data Protection Regulation (“GDPR”). The EDPB opined that in most cases, it will not be possible for large online platforms to comply with the GDPR’s requirements for a “valid consent”, if they confront their users with a choice only between consenting to the processing of personal data for behavioural advertising purposes and paying a fee to access the respective service.
The issuance of the Opinion by the EDPB followed a request by the Dutch, Norwegian and German (Hamburg) data protection supervisory authorities, which had requested the EDPB to opine on the question of under which circumstances and conditions “consent or pay” models relating to behavioural advertising can be implemented by large online platforms in a way that constitutes a valid consent in terms of “GDPR”, and particularly “freely given” consent, taking into account the judgement C-252/21 of the European Court of Justice.
“Consent or pay” models are such models where a data controller offers data subjects a choice between at least 2 options in order to gain access to an online service which the controller provides, namely a model whereby a data subject (user) can either (1) consent to the processing of their personal data for a specified purpose (in this case, behavioural advertising) or (2) decide to a pay a fee and gain access to the respective online service without their personal data being processed for such purpose.
In opining on the matter, the EDPB recalled that the term “large online platforms” is not defined in terms of the GDPR and notes that the Opinion is limited to “consent or pay” models implemented by such large online platforms. The EDPB thus felt it was appropriate to specify the meaning of the concept, and in doing so, it stated that for the purposes of this concept, the term (large) “online platforms” may cover, but is not limited to, the definition of “online platforms” under the Digital Services Act (Regulation EU 2022/2065, the “DSA”), namely:
“a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation.”
The EDPB also highlights that certain elements need to be assessed on a case-by-case basis, and notes that account needs to be taken of certain elements which may be more relevant for certain controllers than for others. A non-exhaustive lists of such elements is indicated including that “large online platforms” are platforms that attract a large number of data subjects as their users.
The position of the company in the market is another element that may be relevant to assess whether the controller can be considered as a “large online platform” as is whether it conducts “large scale processing”. Elements to consider would include for instance, the number of data subjects concerned, the volume of data and the geographical extent of the processing activity.
Further, the definition may also cover entities designated as “gatekeepers” pursuant to the Digital Markets Act (Regulation EU 2022/1925).
In providing its Opinion, the EDPB recalled that personal data cannot be considered as a “tradable commodity”, and large online platforms should bear in mind the need of preventing the fundamental right to data protection from being transformed into a feature that data subjects have to pay to enjoy.
Should controllers decide to provide data subjects with an “equivalent alternative” which involves the payment of a fee, in order to ensure a genuine choice and avoid presenting users with only a choice between paying a fee and consenting to processing for behavioural advertising, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, e.g. with a form of advertising involving the processing of less (or no) personal data. Such alternative would be an important factor in the assessment of certain criteria for valid consent under the GDPR and would in most cases have a substantial impact on the assessment of the validity of consent, in particular with regard to the detriment aspect.
In considering whether consent is deemed “freely given”, the EDPB also opined on the concepts of consequences for not consenting or withdrawing consent, imbalance of power between the user and the platform, equivalent alternative, and whether any fee imposed is such as to inhibit data subjects from making a genuine choice or nudge them towards providing their consent. The EDPB also notes that under the GDPR, for consent to be valid, it has to be informed, an unambiguous indication of wishes, and specific. Further, the obtainment of consent does not absolve large online platforms from complying with other rules and principles of the GDPR.
For more information or assistance on Data Protection & Privacy please contact Dr Ian Gauci and Dr Terence Cassar.