GDPR vs Meta: EDPB Rejects Pay or Consent Model
Continuing a years-long saga, last week the European Data Protection Board (EDPB) issued its most recent verdict against tech giant Meta. As the most prominent corporate face behind the rise of social media and all the accompanying data privacy problems that followed, Meta has received fine after fine for its noncompliance with the EU’s landmark data privacy law, the GDPR.
In 2023 alone, Meta received the largest GDPR fine ever, €1.2 billion, as well as a second fine of €390 million. The reasons behind the fines? The continued transfer of data from European users across the Atlantic to the U.S., as well as non-compliance with general data processing principles.
On the latter front, Meta’s argued legal basis under the GDPR for data collection and processing had switched from consent to legitimate interests several years back after a first wave of legal trouble. Last year, even this came under fire, as the Norwegian Data Protection Authority challenged Meta’s legitimate interest basis after privacy activist group Noyb brought forth another challenge.
Meta responded to this by formulating a “pay or consent” model it would offer users within the EU, whereby individuals had a choice: pay a monthly fee for an experience on Meta’s platforms that does not collect/process your data, or consent to the company’s standard data processing practices.
Now, less than half a year after the tech giant floated that idea, the EDPB has outright rejected it.
The EDPB's decision on "Consent or Pay" primarily focuses on the application of a particular business model by "large online platforms." The term "large online platforms" is newly coined and borrows from terminology found in the Digital Markets Act (DMA) and the Digital Services Act (DSA), such as "gatekeeper" and "VLOP." The EDPB defines "large online platforms" broadly as platforms that attract a significant number of users who are data subjects.
While the discussion appears to target specific social media platforms, the vague nature of the concept raises numerous questions. For instance, do prominent national publishers also fit the definition of "large online platforms" due to their importance within a national market? In terms of sheer numbers, they might have a substantial user base within a particular Member State, reminiscent of the "large scale" concept in the GDPR. Therefore, if a Member State has a sizable population, does that automatically classify these publishers as "large online platforms"? Although the DSA provides a definition for an "online platform," the term "platform" lacks definition in the GDPR. Consequently, it remains uncertain whether regulators will apply this analysis exclusively to DSA-type platforms or extend it to include publishers as well.
The EDPB indicates that there is a significant challenge for large online platforms in obtaining genuinely free consent under a "pay or consent" model, where agreeing to "consent" means using a service version filled with personalized, targeted, or behavioral advertising.
Additionally, the concept of "no adverse consequences at all" is derived from a specific statement within the EDPB's guidelines on consent under GDPR (referenced in paragraph 22 of these guidelines). This stance is quite extreme and untested in legal contexts, raising numerous practical concerns. For example, does experiencing any form of disparity, such as seeing one or more ads—which might reduce the content visible compared to a paid subscription—constitute an adverse consequence? The use of such definitive language places an unfair and excessive burden on data controllers.
The lack of clarity in the EDPB's decision likely means the ruling will face scrutiny and pushback, but the fact that Meta's behavior prompted a regulator to come out so firmly against a Pay or Consent model so soon is telling in both the battle against the tech giant and the future of GDPR compliance.