Op-ed on what we know of the EDPB opinion on Pay or OK
April 17, 2024, 5:15 p.m. (Brussels)
Today, the EDPB plenary had a moment. It discussed an opinion on the Pay or OK models for social media. It was not its role, but it was likely trapped into doing so, as Art. 64(2) GDPR didn’t consider that national data protection authorities would sometimes use tactics similar to those of privacy activists to weaponize fundamental rights in a fight that has very little to do with privacy at its core. The discussion is much more about the Internet we want (or not).
“In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioral advertising purposes and paying a fee,” says the opinion (according to the leak from POLITICO).
Subject to reading more than one paragraph (as I anticipate the opinion to be more nuanced than what POLITICO and NOYB leaked this afternoon) and looking at the elements that the EDPB is providing to assess the criteria of valid consent (according to its press release), this outcome (potentially) contradicts not only a ruling from the Court of Justice of the European Union (C-252/21) in Meta Platforms Inc. v. Bundeskartellamt (that probably also went one step too far but here we are), but also the fundamental right to conduct a business. More fundamentally, it is unlikely that it even adequately protects users’ privacy, or that it will lead to an outcome that most users will find themselves supporting.
As much as “free” doesn’t exist, social media companies (but not only) helped come up with business models that attached value to personal data. It doesn’t have any moral hazards to it; everyone realizes it, users included. If this is a fundamental intrusion into privacy, it is up to policymakers to ban the practice completely. But they didn’t. To the contrary, boundaries on the models have been set in more recent market regulations, such as the DMA and the DSA. Profiling based on special categories of data (as defined under GDPR) is prohibited under the DSA, while in practice the DMA requires consent for gatekeepers’ online advertising services. It’s not a ban, you might not like it, but there it is.
Wave after wave, gatekeepers’ business models have been constantly under attack. Prior to the adoption and entry into force of the DMA and the DSA, privacy was used as a weapon at the core of the fight on the legal basis to process personal data. According to a cocktail of regulators and courts (but not policymakers), it cannot be performance of a contract (while in fact it is, as long as the necessity test is passed), it cannot be legitimate interest, it has to be consent … but with this opinion, it is now the regulators’ view that such consent will not “in most cases” (meaning that it might still be, opening the door for another try and fail?) be capable of being obtained because of a binary choice. But it is not binary. It is not Pay or OK; it is Pay and OK, two very different business models that work on different bases, with very different outcomes. If you choose to receive content based on your relevant interests (or the interests that your browsing patterns suggest, noting that nudging the system is fairly easy to do), then you will get that tailored content. It is, in that respect, very different from paywalls, as paywalls are there to monetize access to the exact same content (an article or some other form of content you have not chosen to be served to you but one you want to get access to). Guess what? Even if they are not popular, paywalls are not given the same level of attention by enforcers, probably because they are funding domestic publishers, rather than social media giants.
Access to social media is not a fundamental right (I know my teenagers might disagree), but what the opinion might lead to is depriving users of what they want: content that they are interested in. Max Schrems has been quoted in a statement today as saying that “Pay or Ok shifts consent rates from above 3pc to more than 99pc,” adding that it is “as far from freely given consent as North Korea is from a democracy.” I hate caricatures and I am not sure of the value of a statistic that existed in a world where pay models did not exist and consent was not sought, but where are we when individual actions disappear, and our fundamental rights are patronized by public authorities willing to step into what is right or wrong, or to direct business models for an industry?
I am worried that this opinion is the beginning of a new era. What comes next: guidelines for publishers? A challenge to the legal basis in loyalty programs? Who knows, but the Pandora’s box for regulators to act as policymakers has been opened. I hope that the upcoming GDPR reform will introduce a filter for Article 64(2) on the ground of merits, an idea that never crossed my mind before. Let’s not have privacy trapped in discussions that are not within its remit; data protection authorities, privacy professionals and privacy activists shouldn’t step into market and business models’ discussions. Brussels is even more crowded with antitrust professionals on both sides of the trenches than with privacy pros. Let’s have them embrace those topics unless policymakers want to step in and decide to ban targeted advertising completely (but this is not for now).