In november 2023 introduceerde Meta haar “ Pay or Ok model”, naar aanleiding van een arrest van het Europees Hof van Justitie in juli van dat jaar tussen Meta en de Duitse mededingingswaakhond. Kort gezegd oordeelde het Hof dat Meta gepersonaliseerde advertenties alleen op basis van toestemming mag verwerken. En dat Meta aan gebruikers die geen toestemming geven, een gelijkwaardige dienst moet bieden - zonodig tegen een redelijke vergoeding. Sinds die introductie is er veel over het Pay or OK model te doen. Zo kwam een groep Europarlementariërs in verzet, oordeelde de European Data Protection Group dat het model niet conform de AVG is, diende Max Schrems via zijn NOYB vehikel klachten tegen Meta in, en kwam de Europese Commissie tot een voorlopig standpunt dat het model ook de Digital Markets Act schendt. In een - deze keer Engelstalige - blog, gaat Menno Weij nader op deze ontwikkelingen in.
As I am sure you know, Meta introduced its Pay-or-OK model at the end of last year. Users of Facebook and Instagram received notifications in which they were presented with a choice between the following two options:
- a paid subscription without ads to use your Facebook and Instagram accounts; or
- a free subscription with personalized ads.
Actually, if you ask me, users have three options. Since you may also choose not to use Facebook or Insta, but use an alternative instead.
Meta introduced its Pay-or-OK model after the Meta decision of the European Court of Justice dated 4 July 2023. Meta is leaning on the following, important consideration (number 150) of the ECJ:
“Thus, those users must be free to refuse (…) to give their consent (…), without being obliged to refrain entirely from using the service (…), which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations.”
Important to know: the ECJ explicitly takes into account the market power of Meta and states that users should be able to refuse, without being forced to completely give up the use of the social media service.
The Pay-or-OK model has lead and still leads to considerable discussion. I’ll explain below.
Firstly, on 15 March this year, 39 members of the EU Parliament sent a letter to Sir Nick Clegg, President Global Affairs of Meta, urging Meta to scrap the 'pay or okay' model. I’ll quote the part where the MEPs deal with the pay-or-OK model:
“Privacy must not become a luxury. (…) The cost of your subscription appears both unjust and inappropriate, since it does not seem to account for any alleged profit losses resulting from the inability to personalise advertisements, as compared to non-personalised ones. We believe that any such potential loss would be, at most, marginal—a tiny fraction of the fee you are charging. The European Court of Justice has allowed you to charge non-consenting users only if a fee is “necessary”, but no such fee is needed to fund your services.”
To me, the MEPs are missing the point. If a business model is based upon paying with your data in return for a free service, you bet one will lose profits if you can refuse to pay with your data, but you still need to offer a similar service.
Privacy activist Max Schrems has already filed two complaints against Meta via his None Of Your Business vehicle (“NOYB”).
On 28 November 2023, NOYB filed the first complaint against Meta with the Austrian data protection authority. According to NOYB:
“EU law requires that consent is the genuine free will of the user. Contrary to this law, Meta charges a “privacy fee” of up to €250 per year if anyone dares to exercise their fundamental right to data protection.”
The second complaint was filed on 11 January this year and concerns the withdrawal of consent. In NYOB’s own words:
“while one (free) click is enough to consent to being tracked, users can only withdraw their consent by going through the complicated process of switching to a paid subscription. This is illegal, as the GDPR clearly states that withdrawing your consent must be “as easy as” giving it.”
The European Data Protection Board (“EDPB”) was asked to issue this opinion under Art. 64(2) GDPR to address the validity of consent in the context of ‘consent or pay’ models deployed by large online platforms, when consent is sought to process personal data for the purposes of behavioural advertising, in view of the earlier mentioned Court of Justice judgment (C-252/21).
The EDPB considers that offering only a paid alternative to services which involve the processing of personal data for behavioural advertising purposes, “should not be the default way forward for controllers”.
When developing alternatives, large online platforms should consider providing individuals with an ‘equivalent alternative’ that does not entail the payment of a fee. According to the EDPB, if controllers do opt to charge a fee for access to the ‘equivalent alternative’, they should give significant consideration to offering an additional alternative. This free alternative should be without behavioural advertising, e.g. with a form of advertising involving the processing of less or no personal data.
Hence, the EDPB advocates two alternative options. The EDPB's free alternative, which processes less data, shows that it clearly has no understanding of the advertising industry. Advertisers have no confidence in this alternative. There is even great uncertainty about whether an equivalent alternative exists at all. In short, the market does not embrace the EDPB's proposal.
Furthermore, in my view, the Opinion of the EDPB does not hold water. Why should offering only a paid alternative not be the norm? Is this mentioned anywhere in the GDPR? The answer is no.
The argument for a "free" alternative also goes directly against the ECJ's ruling. The ECJ explicitly allows for a "reasonable fee" for the alternative that does not process any data.
Finally, the EDPB seems to suggest that privacy is an absolute right. "The fundamental right to data protection must not be turned into a feature for which users have to pay." This is upside-down logic, in my view. The GDPR explicitly states in the 4th recital that it respects all fundamental rights and freedoms and observes the principles recognized in the Charter as enshrined in the Treaties, in particular the right to the protection of personal data and the freedom to conduct a business.
Fortunately, the EDPB's Opinion is not binding, and the ECJ still has the final say.
On top of this all, the European Commission (“EC”) recently published its preliminary view that Meta's “pay or consent” advertising model is not compliant with the Digital Markets Act (“DMA”).
According to the EC, Meta’s model does not meet the necessary requirements set out under Article 5(2) DMA. In particular, Meta's model:
does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the “personalised ads” based service; and
does not allow users to exercise their right to freely consent to the combination of their personal data
Hence, the EC advocates that gatekeepers must seek users' consent for combining their personal data between designated core platform services and other services. According to the EC, users who do not consent should still get access to an equivalent service which uses less of their personal data - in this case for the personalisation of advertising - to ensure compliance with the DMA.
Article 5(2) DMA states the following:
“The gatekeeper shall not do any of the following:
process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper;
combine personal data from the relevant core platform service with personal data from any further core platform services or from any other services provided by the gatekeeper or with personal data from third-party services;
cross-use personal data from the relevant core platform service in other services provided separately by the gatekeeper, including other core platform services, and vice versa; and
sign in end users to other services of the gatekeeper in order to combine personal data,
unless the end user has been presented with the specific choice and has given consent within the meaning of Article 4, point (11), and Article 7 of Regulation (EU) 2016/679.”
It will be interesting to learn from the EC in its final findings, how it will substantiate its view. For instance, Article 5(2) DMA does literally not refer to any “equivalent”. Moreover, it does explicitly refer to the GDPR and the requirements for consent under the GDPR. And that brings me back again to the ECJ, which explicitly opened the door for requesting a fee if necessary, where users do not provide consent.
It seems to EU institutions like the EDPB and EC are going in circles.
As the title states, the Pay or OK saga will continue, that’s for sure. But I hope and expect that the force may be with Meta with the principle as such. That would only leave the discussion about the whether the price itself is fair. But to mee, that’s not a GDPR question nor should it be.
