“Pay or Okay”: A Timeline

26 Feb “Pay or Okay”: A Timeline

Posted at 11:53h in Privacy and Data Protection by ICTLC Italy

ICT-Insider-Pay-ok-okay-ICTLC

Authors: Martim Taborda Barata, Andrea Strippoli, Miriam Fadda

The “Pay or Okay” Notice

From the start of November of last year, readers will have noticed, upon loading the Facebook or Instagram apps on their devices, a new notice blocking their use of these services. This notice[1] prompted users to decide whether they wish to subscribe to these services, subject to a monthly payment, or continue to use them for free. The trade-off for choosing free use, as suggested by this notice, was that user information would be used to present personalised advertising[2] to the user (whereas subscribing users would not see advertisements on these platforms, nor have their information processed for personalised advertising)[3]. This has been colloquially called the “Pay or Okay” model.

Less attentive users will have been surprised by this notice. However, Meta had already anticipated this outcome as early as 1 August 2023, when they first announced their plans to base their processing of Meta service user data for behavioural advertising on user consent, under Regulation (EU) 2016/679 (i.e., the General Data Protection Regulation, or “GDPR”)[4]. This announcement actually marked a second shift in the GDPR legal basis used by Meta for these processing activities, after first moving from exclusively relying on the purported need for these activities to perform a contract with their users to also leveraging the pursuit of legitimate interests for a majority of their personalised advertising operations[5].

Out of the many questions that this notice may have sparked in user’s mind, one which presumably came up was: ‘Why am I seeing this?’. In this article, we will try to explain this by briefly describing the events leading up to this notice, and also update readers on events in the horizon which may further challenge Meta’s approach to behavioural advertising in Europe.

The “Pay or Okay” Timeline

Though the thread could be unravelled further, a relevant starting point for the events that lead to this notice is an initial set of decisions made by the Irish Data Protection Commission – i.e., the GDPR supervisory authority for Ireland – regarding personal data processing by Meta in connection with their Facebook and Instagram services. Following a complaint initially raised on 25 May 2018, alleging that Meta was breaching a number of GDPR and Charter of Fundamental Rights of the EU provisions, notably by allegedly relying on “forced consent” regarding the processing of personal data for online behavioural advertising^[6], the Commission (deemed competent to address the complaint under the GDPR) issued a preliminary draft decision on 14 May 2021, in which they disagreed with most of the points raised by the complaint. In particular, the Commission concluded that Meta was not relying on “forced consent” for these activities, but rather relying on their necessity for the performance of the contract with Facebook and Instagram users – which, in the Commission’s opinion, they could, in principle, do[7].

After sharing this decision with other European supervisory authorities, as required under the GDPR, the Commission was met with a number of objections (from 10 other EU authorities), which ultimately lead the matter to be referred to the European Data Protection Board[8]. After analysing the arguments presented not only by the differing authorities, but also by Meta itself, the Board concluded (among other conclusions) that Meta could not lawfully rely on the “contractual necessity” legal basis they had relied on thus far for behavioural advertising, and that Meta could be required to rely on user consent, at least in some cases[9].

Following this decision, the Commission revised its draft and, on 31 December 2022, found Meta to be in breach of the GDPR. The Commission’s final decision ordered Meta to bring its processing of personal data for behavioural advertising, regarding Facebook and Instagram, into compliance with GDPR legal basis requirements within 3 months[10]. This triggered Meta’s first legal basis shift announcement of 30 March 2023, mentioned above[11], according to which they would mostly replace the “contractual necessity” legal basis with another option afforded by the GDPR: “legitimate interests”. However, this change in approach was not met well by all European supervisory authorities – after learning of this, several asked the Commission for clarifications and expressed reservations as to whether this new legal basis would be appropriate[12].

In the meantime, the Court of Justice of the European Union was called to answer several questions related to the lawfulness of Meta’s behavioural advertising under EU law – in particular, whether these activities could lawfully be based on GDPR “contractual necessity” or “legitimate interests” – in the “Bundeskartellamt Case”[13]. Importantly, this decision focused primarily on behavioural advertising using data collected by Meta on its service users from their use of other Meta services (e.g., collecting data on Facebook users from their activity on Instagram), or from their visits to third-party websites or apps. The Court analysed the applicability of the “contractual necessity” and “legitimate interests” legal bases to this form of advertising, and – on 4 July 2023 – strongly suggested that Meta would not be in a position to lawfully leverage either one[14].

In the aftermath of this judgment, the Norwegian Datatilsynet – i.e., the GDPR supervisory authority for Norway – imposed a temporary ban on Meta’s behavioural advertising regarding Norway-based users, on 14 July 2023, given that it understood Meta as continuing to rely on “contractual necessity” and “legitimate interests” for these purposes[15]. Meta responded to the judgment and surrounding discussion by announcing its intention to shift legal bases once more, this time to “consent”, culminating in their previously mentioned announcement of 1 August 2023[16]. This announcement led to some friction between EU supervisory authorities, with the Commission maintaining that Meta should be allowed to show how it would implement consent lawfully before any further coercive measures were taken[17], while the Datatilsynet pushed for an immediate ban on Meta’s behavioural advertising without consent[18]. Called to decide on this, the Board, based on the Bundeskartellamt Case, its previous guidance on the matter[19], and input provided by several European supervisory authorities, took the Datatilsynet’s stance and validated an EEA-wide ban[20].

The final event in this timeline, to date, is the notice mentioned at the start of this article. Meta has now sought to implement “consent” as a legal basis for its behavioural advertising, allowing users to choose whether to accept it when using Meta services, or to pay a monthly fee.

What’s next?

Meta’s consent implementation has not been well received by everyone. Examples of reactions to these efforts include (1) the complaint filed by noyb, an Austrian non-profit organisation focused on European commercial privacy issues[21], with the GDPR supervisory authority for Austria, which claims, for example, that consent collected by Meta in this fashion is not freely given, specific or informed (and is, thus, invalid)[22], and (2) the joint request filed by the Datatilsynet and the GDPR supervisory authorities of the Netherlands and Hamburg, Germany for an opinion from the Board regarding lawfulness of Meta’s new consent mechanism[23].

Conclusions

It is not clear how the mentioned complaint will be processed, how the Board will ultimately decide, or whether any other challenges will come up in the future. One of the main issues seems to be the price point applied by Meta to subscription, in combination with its dominant position in the online social network market – the problem is not so much that a price is charged[24], but rather whether the amount they charge genuinely allows users to choose freely between subscribing or not. The issue of how to decide on a fair price which does not unduly pressure users into accepting behavioural advertising appears very difficult to resolve objectively. The Board’s future guidance on this is expected to help clarify this issue, and to represent a landmark decision regarding the lawfulness of social network behavioural advertising in Europe.

[1] An example can be seen, as of the date of this article, at: https://i.imgur.com/bGMbgxb.jpeg.

[2] ‘Personalised advertising’, often used interchangeably in the EU with ‘behavioural advertising’, refers, as suggested by EU supervisory authorities, to “(…) advertising that is based on the observation of the behaviour of individuals over time[, and that] seeks to study the characteristics of this behaviour through their actions (repeated site visits, interactions, keywords, online content) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their inferred interests” – see Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising (22 June 2010), available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp171_en.pdf (p. 4).

[3] Meta, Facebook and Instagram to Offer Subscription for No Ads in Europe (30 October 2023), available at: https://about.fb.com/news/2023/10/facebook-and-instagram-to-offer-subscription-for-no-ads-in-europe/.

[4] Meta, How Meta Uses Legal Bases for Processing Ads in the EU (4 January 2023), available at: https://about.fb.com/news/2023/01/how-meta-uses-legal-bases-for-processing-ads-in-the-eu/ (see 1 August 2023 update).

[5] Ibid. (see 30 March 2023 update). Note that, while Meta suggests they fully shifted to the “legitimate interests” legal basis in this announcement, EU supervisory authorities have considered that, at this stage, Meta was still relying on the “contractual necessity” legal basis for certain activities which qualify as “behavioural advertising” regardless – see European Data Protection Board, Urgent Binding Decision 01/2023 requested by the Norwegian SA for the ordering of final measures regarding Meta Platforms Ireland Ltd (Art. 66(2) GDPR) (27 October 2023), available at: edpb_urgentbindingdecision_202301_no_metaplatformsireland_en_0.pdf (europa.eu) (e.g., pp. 25-26, ¶97).

[6] European Data Protection Board, Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR) (5 December 2022), available at: https://edpb.europa.eu/system/files/2023-01/edpb_bindingdecision_202203_ie_sa_meta_facebookservice_redacted_en.pdf (p. 5, ¶3).

[7] Ibid. (p. 12, ¶32).

[8] Ibid. (pp. 6-7, ¶5).

[9] Ibid. (p. 117, ¶482 – 484, 485 – 487).

[10] European Data Protection Board, Urgent Binding Decision… (p. 4, ¶2-3).

[11] Meta, How Meta Uses… (see 30 March 2023 update).

[12] European Data Protection Board, Urgent Binding Decision… (pp. 4-8, ¶4-10).

[13] Judgment of the Court (Grand Chamber) of 4 July 2023, Case C-252/21, available at: https://curia.europa.eu/juris/documents.jsf?num=C-252/21.

[14] Ibid., ¶102-103, 117, 150-151.

[15] European Data Protection Board, Urgent Binding Decision… (p. 10, ¶24).

[16] Meta, How Meta Uses… (see 1 August 2023 update).

[17] European Data Protection Board, Urgent Binding Decision… (pp. 12-13, ¶38).

[18] Ibid. (pp. 13-14, ¶44).

[19] See, e.g., European Data Protection Board, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (8 October 2019), available at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf.

[20] European Data Protection Board, Urgent Binding Decision… (pp. 75-76, ¶296, 302-303).

[21] See noyb’s website, available at: https://noyb.eu/en.

[22] noyb, noyb files GDPR complaint against Meta over “Pay or Okay” (28 November 2023), available at: https://noyb.eu/en/noyb-files-gdpr-complaint-against-meta-over-pay-or-okay.

[23] Datatilsynet, Request for an EDPB opinion on “consent or pay” (26 January 2024), available at: https://www.datatilsynet.no/en/news/aktuelle-nyheter-2024/request-for-an-edpb-opinion-on-consent-or-pay/.

[24] It is worth pointing out that the Bundeskartellamt judgment suggested that it may be appropriate to charge users “an appropriate fee” for the provision of an equivalent service not accompanied by processing which is unnecessary for service provision (such as, in certain circumstances, is the case for behavioural advertising). See Judgment of the Court…, ¶150.

Tags:

behavioural advertising, contractual necessity, EU Commission, EU court of Justice, ICT Legal Consulting, ICTLC, lawfulness, legalbases, legitimate interest, meta, noyb, payorok, profiling

ICTLC Italy

[email protected]