Some European data protection authorities ask EDPB for a formal opinion on the model of “pay or okay”

16 Febbraio 2024

The Data Protection Authorities (“DPAs”) in Norway, the Netherlands, and Hamburg have requested the European Data Protection Board (the “EDPB”) to take a position on the “pay or okay” model (also known as “pay or consent” or “pay for data”) by issuing a formal opinion pursuant to Article 64(2) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

The “pay or consent” model is a proposed approach implemented by online platforms that has recently sparked debate. It offers users a choice between:

  • paying a subscription fee, granting access to the service without personalized advertising and limiting personal data collection;
  • consenting to personal data collection, allowing the service provider to use data subjects’ data for personalized advertising in exchange for free access.

In this regard, the Norwegian Data Protection Authority (Datatilsynet) has pointed out that several large internet services have recently started charging users who do not agree to their data being used for behavioural marketing. Indeed, recently, an increasing number of services (e.g., Meta and Instagram) are offering users a decision: either consent to being tracked and profiled for marketing purposes or opt to pay a fee. Failure to select either option may result in a user being prohibited from utilizing the service.

However, pursuant to Article 4(11) of the GDPR, the consent of the data subject must be freely given, specific, informed, and unambiguous. Therefore, when a data controller requests consent to utilize data subjects’ personal data, the choice must be entirely voluntary.

The question arises regarding the extent to which the approach of “pay or consent” meets the criteria of voluntariness.

According to the Guidelines 5/2020 on consent adopted by the EDPB, the requirement of the “free” consent established in Article 4(11) of the GDPR implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent, or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his/her consent without detriment.

When assessing whether consent is freely given, one should also take into account whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. However, since Article 7(4) of the GDPR contains the term “inter alia”, this means that there may be a range of other situations, which are caught by the Article. In general terms, any element of inappropriate pressure or influence upon the data subject, manifested in many different ways, which prevents a data subject from exercising their free will, shall render the consent invalid.

In light of the above, consent must be voluntary. Moreover, since this means that there must be no pressure to consent, and there must be no negative consequences if one refuses to consent, compulsion to agree with the use of personal data additional to what is strictly necessary limits data subjects’ choices and stands in the way of free consent. As data protection law aims at the protection of fundamental rights, an individual’s control over their personal data is essential, and there is a strong presumption that consent to the processing of personal data that is unnecessary cannot be seen as a mandatory remuneration in exchange for the performance of a contract or the provision of a service. Therefore, whenever the request for consent is linked to the performance of a contract by the data controller, a data subject who does not wish to make his/her personal data available for processing by the data controller bears the risk of being refused the services requested.

Considering the above, some data supervisory authorities in Europe have opened up the possibility of charging users who do not consent under certain circumstances, while others have not. The European Court of Justice (“CJEU”), with the judgment C-252/21, has also mentioned this type of solution, but without elaborating on when they are possibly legal. Specifically, the CJEU has established that a data user must be free to refuse individually, in the context of the contractual process, to give his/her consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator, which means that such a user is to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations. At the same time, the CJEU has also emphasized the importance of voluntary consent.

The dilemma of choosing between consenting or paying can pose challenges, especially with large, popular services boasting extensive user bases. Many individuals may perceive themselves reliant on such services due to factors like social circles, professional networks, or access to crucial information and popular content. A pertinent question arises regarding whether such circumstances exercise undue pressure on consent, particularly for those who cannot afford the payment.

The issue of online data protection holds significant implications, with varying enforcement practices across different countries. Recognizing this disparity and the need for uniform practice, the DPAs have jointly requested the EDPB to issue a formal opinion at the European level, in accordance with Article 64(2) of the GDPR. This opinion will serve as a guiding framework for future law enforcement throughout the European Economic Area.

As outlined by a representative of the Datatilsynet, the question to be clarified is, specifically, whether data protection is a universal human right or a privilege reserved for those who can afford to pay a fee.

The EDPB is mandated to issue an opinion on the matter submitted to it within eight weeks, with an extension of the period by a further six weeks, if necessary, extending the deadline to a total of fourteen weeks.

If approved, the EDPB’s opinion could also lead to a significant step forward in the round of investigations started by the Italian Data Protection Authority (Garante per la protezione dei dati personali) aimed at ascertaining the compliance with data protection regulations of a number of initiatives undertaken by several Italian online newspapers, websites, and TV companies operating on the Internet that have adopted cookie walls on their sites.

2024 - Morri Rossetti

I contenuti pubblicati nel presente sito sono protetti da diritto di autore, in base alle disposizioni nazionali e delle convenzioni internazionali, e sono di titolarità esclusiva di Morri Rossetti e Associati.
È vietato utilizzare qualsiasi tipo di tecnica di web scraping, estrazione di dati o qualsiasi altro mezzo automatizzato per raccogliere informazioni da questo sito senza il nostro esplicito consenso scritto.
Ogni comunicazione e diffusione al pubblico e ogni riproduzione parziale o integrale, se non effettuata a scopo meramente personale, dei contenuti presenti nel sito richiede la preventiva autorizzazione di Morri Rossetti e Associati.