Author: Dora
Publication date: 23.04.2024
The European Data Protection Board (EDPB) adopted an opinion on April 17, 2024, on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, in response to the Dutch, Norwegian, and German Supervisory Data Protection Authorities' requests under the General Data Protection Regulation (GDPR). The EDPB indicated, that such models are often not compliant with GDPR.
“Consent or Pay” model
“Consent or pay" models are models in which a controller gives data subjects two options for gaining access to the controller's online platform service. The system allows the data subject to either consent to the processing of their personal data for a specific purpose in order to have access to the online platform or to pay a fee and avoid having their data processed for this reason.
The role of EDPB
The EDPB's primary responsibility is to guarantee that the GDPR is consistently applied throughout the European Economic Area (EEA). As a result, Article 64(2) of the GDPR establishes a process via which any supervisory authority can request that the EDPB examine a matter with broad application or that would have implications in more than one EEA Member State and issue an opinion.
Request for an opinion of the Authorities
On January 17, this year, the Dutch, Norwegian, and German Supervisory Data Protection Authorities jointly sought the EDPB to offer an opinion under Article 64(2) regarding “consent or pay” arrangements. The referring authorities specifically questioned whether such models can meet the standards for valid, freely provided permission and whether data subjects have "a real option."
The opinion of the EDPB
The EDPB Opinion emphasizes the importance of large online platforms complying with all GDPR rules, including obtaining valid consent. According to the EDPB, getting consent does not 'absolve' a controller from following the criteria specified in Article 5 of the GDPR (namely accountability, necessity and proportionality, purpose limitation, data minimization, and fairness) or any other GDPR responsibility.
The EDPB considers that in most cases, large online platforms will be unable to comply with the requirement to obtain valid permission if they provide users with the option of either paying a fee or agreeing to process their personal data for behavioral advertising purposes. The EDPB also feels that large online platforms should consider providing a free, equal alternative to their service that does not involve behavioral advertising, as this is an important aspect in determining valid consent.
The EDPB ruled that personal data cannot be considered a tradeable commodity, and large online platforms should keep in mind the importance of preventing the fundamental right to data protection from becoming a feature that individuals must pay for. As a result, the EDPB believes that large internet platforms should consider providing a free alternative to their service that excludes behavioral advertising.
Responding to the requests of the German, Dutch, and Norwegian Supervisory Data Protection Authorities, the EDPB came to the conclusion that consent collected by large online platforms in the context of “pay or consent” models relating to behavioral advertising may only be considered valid to the extent that such platforms can demonstrate, in line with the principle of accountability, that all the requirements for valid consent are met.
Principles for Processing of Personal Data
The EDPB remembers that Article 5 establishes the principles for personal data processing and observes that even if consent is received from a data subject, this does not exempt a controller from adhering to the principles outlined in Article 5 and elsewhere in the GDPR. As such, the EDPB states that:
Even if processing is consent-based, this does not justify collecting personal data beyond what is necessary for the intended purpose or in an unfair way for the data subjects.
Processing should adhere to the criteria of necessity and proportionality.
Respecting the concepts of purpose limitation and data minimization is critical. As a result, controllers should assess whether the relevant purposes may be achieved by less invasive means or by processing less personal data.
Processing should adhere to the values of fairness, accountability, openness, and data protection by design.
Conclusion
The EDPB opinion provides necessary advice in an area of data protection law that has been scrutinized and challenged for several years since the GDPR's implementation. It emphasizes the importance for large online platforms to verify that the consent they receive from users is valid and that they continue to follow all other GDPR requirements. In some cases, internet platforms may need to reconsider their business models to prioritize user privacy and data minimization. Failure to comply with GDPR rules might result in significant administrative fines.
You can also read about: