The European Data Protection Board’s Opinion on “Pay or Okay” Models – Surveillance-based Advertising is on Borrowed Time

Since the General Data Protection Regulation (GDPR) came into effect in 2018, civil society has hoped—and industry has feared—that its enforcement would spell the end of surveillance-based advertising and the ubiquitous tracking it requires. The latest development in the saga came on 17 April, when the European Data Protection Board (EDPB) issued a nonbinding opinion following the creation of Meta’s subscription option – itself in response to a ruling of the Court of Justice of the European Union – which for a monthly fee allows users in the EU, EEA, and Switzerland to access an ad-free version of Facebook and Instagram. The scheme’s rollout prompted an outcry from both civil society organisations and representatives from the European Parliament that this binary choice is tantamount to making privacy a luxury. Noyb, the strategic-litigation group helmed by Max Schrems, notably filed a complaint alleging that the “Pay or Okay” model does not provide users a legitimate consent option under the General Data Protection Regulation (GDPR).

On 17 April, the EDPB weighed in, opining that, in most cases, it will not be possible for data controllers to meet the requirements of valid consent under the GDPR if they only give users a choice between consenting to processing of personal data for behavioural advertising purposes or paying a fee – and that “pay or okay” models should offer users a real choice.

The EDPB’s opinion, issued following a joint request by European data protection authorities (DPAs), is not legally binding but rather is intended to guide the consistent enforcement of GDPR by DPAs across Europe. The scope of the opinion is limited to “pay or okay” models (i) offered by large online platforms and (ii) in relation to behavioural advertising, defined as advertising that is based on the observation of individuals’ behaviour over time. In this context a “large online platform” is undefined, but is distinct from a “very large online platform” (VLOP) under the Digital Services Act (DSA). The opinion provides a series of factors to be considered in order to determine whether a platform is “large,” including the number of users, market position, and large data processing operations. Video programming services that offer both ad-supported and ad-free models are not affected, nor are services supported by privacy-respecting ads, such as contextual and self-directed ads.

The opinion itself is frustratingly open to interpretation: it concludes that a binary choice between free access to a service supported by behavioural advertising on the one hand, or a fee-paying service without such ads on the other, is unlikely to be GDPR-compliant – but it might be acceptable in unspecified limited circumstances.

Unsurprisingly, interpretations of the opinion have run the gamut. In particular, the statement that “in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee” has been read by industry as imposing a “quasi-mandatory” requirement that a free privacy-preserving alternative be made available for obtaining valid consent. Civil society organisations have welcomed the EDPB opinion as a first step towards outlawing the binary choice between pay or okay, and in one case as an indication that “pay or okay” models are illegal.

By using the qualifier “in most cases,” however, the EDPB seems to accept, at least in principle, that it is possible for large online platforms to lawfully charge for access to privacy-preserving models. In such cases, the EDPB advises data controllers – those determining the purposes and means of processing personal data – to consider what fee amount may be acceptable on a case-by-case basis, cautioning that too high a fee would inhibit data subjects from providing valid consent. This is the argument advanced by noyb in its complaint.

The EDPB’s assertion that binary choices will most likely flout EU privacy legislation is in tension with its implied concession that offering privacy-preserving options for a fee may be acceptable and begs the question: in what cases will it be acceptable for a large online platform to charge a fee? 

Whether consent to a behavioural advertising model is genuine depends on multiple factors. As the EDPB’s opinion re-states, the GDPR stipulates key factors to be considered when assessing the validity of consent:

• Degree of detriment – Measured by reference to the role played by the platform, namely if it is commonly and systematically used or is a key forum for public debate, and any network or lock-in effects. 

• Imbalance of power – Taken into account even if a platform is not “dominant” within the meaning of EU competition law. 

• Conditionality – Based on the individual option to opt out of data processing operations not strictly necessary for performing a contract, without refraining from using the platform altogether.
  
• Availability of an equivalent alternative version – Such a version need not be identical, but should be functionally equivalent to the version with behavioural advertising.

The EDPB opinion does not provide an example where all these factors would come together to make consent invalid. However, it is easy to imagine a situation where an online platform would be considered to be so ubiquitous and indispensable that the absence of an equivalent alternative free of charge may preclude valid consent.  

The EDPB opinion does not exclude the possibility that an equivalent service may be offered “if necessary, for an appropriate fee,” but notes “that certain circumstances should be present for a fee to be imposed,” and that controllers must ensure that the fee “does not hinder data subjects to withhold consent, nor make them feel compelled to consent.” There is no ceiling to the fee that can be charged, but that fee must at least be fair.

The current landscape in Europe

The European legal landscape is in flux. Since February this year, the DSA has been fully applicable, and among other provisions, it bans the presentation of ads to children based on profiling (Article 28(2)) and the presentation of ads to anyone based on profiling reliant on sensitive data (Article 26(3)). As the EDPB opinion acknowledges, profiling and behavioural advertising are intertwined, noting that the latter concept “necessarily pertains” to the former. 

There is some overlap here between the EDPB opinion and the DSA. The latter applies to “very large online platforms” (VLOPs) – defined as platforms that have more than 45 million users per month in the EU – which currently include Facebook, Instagram, Linkedin, Snapchat, and TikTok. These and other VLOPs will need to make changes to their platforms to comply with the DSA, free of charge, that will significantly limit behavioural advertising.

The DSA, however, does not prohibit behavioural advertising entirely. Yet the EDPB opinion has the potential to deter VLOPs from maintaining any level of behavioural advertising, as well as other online platforms which fall short of the definition of VLOP under the DSA, but nonetheless are likely to qualify as large online platforms under the opinion.

How online platforms will apply this nuanced opinion will largely depend on their tolerance of risk. The opinion lays down the groundwork to enable DPAs to make a finding of invalid consent when presented with a “pay or okay” model, and is therefore best interpreted as a call to action to DPAs and a signal to large online platforms that they may only have limited time before they are taken to task at national level. 

Conclusion 

This is the first opinion issued by the EDPB on “pay or okay” models, but it will not be its final positioning on the issue: the EDPB will be producing guidelines on these models with a broader scope. The timeline for this is unknown. However, the next battle on “pay or okay” may well take place at national level, as it remains to be seen whether DPAs will proactively take large online platforms to task in the absence of free-of-charge, privacy-preserving alternatives. Nonetheless, companies should proactively take steps to offer GDPR-compliant options to users, instead of waiting for a regulatory action that is now reasonably likely.