Privacy for sale, and the problem with regulating if we see ads
Keep your eyes on Europe later this month for a critical decision which could re-shape the Internet – and the protection of our privacy – for decades to come.
Described by Tobias Judin, Head of International at the Norwegian Data Protection Authority Datatilsynet, as the “now or never” decision, the European Data Protection Board (EDPB) is set to answer the question: if privacy is a fundamental human right, can companies force us to pay for it?
As a result, the legal basis for the surveillance ecosystem which underpins online behavioural advertising is about to be determined, and the stakes are high.
How did we get here?
Many digital platforms and online services depend on ads to generate revenue, and online advertising in turn depends (so some businesses claim) on tracking, profiling and targeting users on an individuated basis. But that business model is now under increasing regulatory, legislative and community scrutiny.
The commencement of the GDPR in May 2018 was a pivot point in this journey. The GDPR prohibits the processing of personal data unless it is lawfully authorised, under one of six grounds.
‘If the data subject has given consent’ is one of those six grounds. Pre-GDPR, ‘with consent’ was the basis on which many companies had claimed their authority to collect the personal information of millions of people around the world, collate that information into profiles, and then target those individuals with personalised advertising.
However, because the GDPR defined ‘consent’ as a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”, no longer could a valid consent be inferred via mandatory T&Cs, pre-ticked boxes, opt-out, silence or inactivity.
So on the eve of GDPR commencement, Facebook (now Meta) updated its terms of service, and switched to rely on a different ground: ‘contractual necessity’. Other companies sought to rely on a third ground: ‘legitimate interest’. (The other three grounds are not applicable.)
Privacy activist Max Schrems laid a complaint about Facebook, which has taken more than five years (and counting) to resolve. It has featured various twists and turns, including disagreement between the Irish and fellow European privacy regulators about whether ‘contractual necessity’ or ‘legitimate interest’ could be used to authorise the delivery of personalised advertising via Facebook and Instagram (or other platforms) to users.
In December 2023 the EDPB finally imposed a ban on Meta Ireland processing personal data for behavioural advertising purposes, because both ‘contractual necessity’ and ‘legitimate interest’ have now been rejected as grounds on which to base tracking, profiling and targeting activities of Meta’s users. This has put Meta in the position of now having to seek the ‘affirmative’ consent of data subjects in the EU.
In response, Meta has introduced a ‘choice’ for its users in Europe: either a paid subscription for €10-13 per month (that’s about $16-21 p/m in Aussie dollars), or a free ad-supported service. Meta argues that people who choose the ‘free’ service are thereby ‘consenting’ to online behavioural advertising.
But is it a valid consent, if the alternative will cost you cold hard cash? And if you do pay, will you actually get privacy, or will your data still be monetised anyway?
The EDPB discussed this question at their February 2024 meeting, and their decision is expected at the end of March.
Pay or OK – or no way: the false choice that could undermine the claim of ‘consent’
Offering consumers a choice between ‘pay or consent’ – i.e. a paid ad-free service, or a free (or discounted) ad-supported service – is not new; think Netflix or Spotify for example.
So what is different about Meta now offering a paid subscription alternative to their ad-supported model?
As Tobias Judin from the Norwegian DPA argued in a LinkedIn live chat hosted by the IAPP, for people whose lives or businesses are built on platforms like Facebook and Instagram, ‘no way’ (leaving the platform) doesn’t feel like an option – but nor can they necessarily afford to pay.
In other words, digital platforms like Facebook and Instagram are closer to essential services or public utilities than many other online businesses.
As a result, Meta has more profound market power than a service like Netflix, for example. (Netflix has plenty of streaming competitors, and Netflix is not a platform on which people or businesses rely in a meaningful sense, either for their livelihood or social connection.)
This raises the question about whether consent to online behavioural advertising can be described as ‘freely given’, if the alternatives are to pay, or leave an essential service.
Piling pressure on the EDPB, last week a coalition of eight consumer groups, representing multiple countries from Slovenia to Spain, lodged complaints with their national data protection authorities, alleging that Meta’s data collection practices are unlawful under the GDPR.
Describing the ‘pay or consent’ move by Meta as a “fake choice” and a “smokescreen”, the BEUC coalition argues that the switch to ‘pay or OK’ is simply an attempt “to cover up what is, at its core, the same old hoovering up of all kinds of sensitive information about people’s lives which it then monetises through its invasive advertising model”.
Putting a price on privacy
The GDPR states that “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”. So the EDPB’s decision this month may turn on whether it believes that asking users to pay a subscription fee, or leave a platform, poses a ‘detriment’.
For those seeking to avoid online surveillance, the choice to pay or leave is stark, and even leaving has its own cost.
These costs are not experienced equally. As Salinger Privacy alumnus and now Head of Policy at Digital Rights Watch Samantha Floreani has noted, some people depend on Facebook or Insta “to connect with community they may otherwise lose access to, such as fellow LGBTQ+ people, or family members from their home country”. A pay-for-privacy business model therefore “forces us to grapple with the relationship between privacy, privilege and power”.
So users will end up paying, no matter what they do. They will pay with cash, with their data, or with the loss of income or connections.
A pay-for-privacy model also raises concerns about further entrenching the commodification of data. As Judin has asked: “Is privacy a fundamental human right, or is it reserved essentially for the wealthy?”
The counter arguments
Nathalie Laneret, Vice President of Government Affairs and Public Policy at French AdTech business Criteo, put the counter arguments in the IAPP debate.
Online content and journalism is funded by publishers, who need to generate income (if not from subscribers, then from advertising); and the public benefit from free access to such content. This is true of course, but in my view this does not necessarily lead to the conclusion that the only way to deliver advertising revenue is via individuated tracking, profiling and targeting.
(Plus any claim from Meta in particular that its platform helps to support journalism or make news available for free must be met with scepticism, given its recent announcement that the reason it will no longer pay publishers for news content is that “users do not use Facebook for news or political content”: “news makes up less than 3 per cent of what people around the world see in their Facebook feed, and is a small part of the Facebook experience for the vast majority of people”.)
Laneret also argued that the ‘no detriment’ test in the GDPR should not be interpreted to mean ‘at no cost at all’, and challenged the idea that users are entitled to access a platform or particular online content, such that blocking access would create a detriment.
If Meta loses…
If Meta is told that ‘with consent’ is not available as a lawful ground for processing personal data for online behavioural advertising (if the alternative to that purported ‘consent’ is to pay or leave), what next for Meta?
It will have run out of GDPR options, so expect Meta to either quit the European market, force all users onto an ad-free paid subscription, or switch its advertising to the less-profitable (but also less-harmful) contextual ads model. Or, they might ignore the EDPB and wait for a court ruling, meanwhile lobbying furiously to water down the GDPR.
And will the decision affect other companies?
The EDPB may confine itself to consideration of Meta’s circumstances, or it may go for guidance with broader application.
If a market power analysis is first needed to consider whether a consent can be considered freely given, then privacy regulators will increasingly be looking at similar factors to competition regulators, such as whether monopoly power or locked-in content create an economic imbalance between service provider and data subject.
A decision based on market power won’t necessarily apply to all companies operating in the EU. For some businesses, ‘legitimate interest’ as a lawful ground may succeed, where Meta failed, on the proportionality component to that test.
If Meta wins…
Judin described this as a “point of no return for the internet”. If the outcome of the EDPB’s decision is that users must pay to have privacy when using online services, he predicts that “the GDPR would not survive such a development”.
In other words, this would be the case to crack open the GDPR, and have European legislators go back to the drawing board, to tighten their laws further.
Does paying actually guarantee privacy?
One of the concerns with the new choice being offered to users – pay to not see ads – is that the act of ‘seeing’ ads is not the only privacy harm from online behavioural advertising.
Meta has “declined to comment on whether subscribers’ data would be used for anything other than ads”, and as US law professor Stacy-Ann Elvy points out, personal information of paid subscribers could still be used by Meta to “improve products or train face recognition technology”.
Another problem with a ‘pay or OK’ model is that it doesn’t offer a lawful ground for processing the personal data of people who neither paid nor said ‘ok’. There will remain the question of lawful authority for all the data Meta holds on people who have never used Facebook or Instagram (including yours truly).
We know that Meta collates ‘shadow profiles’ of people who are not users of their services, based on information scraped from other people, over which we non-users have zero transparency or control. The scraping includes when non-users have been tagged in photos by other people, included in the ‘contacts’ lists of users accessible by Meta, or simply browsed a webpage containing a Meta tracking pixel.
As far back as 2011 I argued, with my co-author Steve Wilson, that such indirect collection practices would be unlawful without consent under Australian privacy law. I never consented to any of that. Yet here we are.
Implications for the Privacy Act review
There are lessons to be learned for the Australian Attorney-General as the Privacy Act reform Bill is being prepared.
Whether we go with a pay-for-privacy model, an opt-out model, or an opt-in model for online behavioural advertising, the focus on whether or not we see ads is just the tip of the iceberg.
The real problem is not the ads, but the intrusive data collection, tracking, sharing, profiling and re-use of data behind the scenes, which exists to support surveillance-based business models, including online behavioural advertising and data brokering.
It is surveillance-based business models which generate privacy and other online harms, including harms relating to children’s development, mental health, access to healthcare, justice, journalism, democracy, competitive markets and national security protections against foreign interference.
As the Electronic Frontier Foundation in the USA states, “the ills of today’s internet have a single thing in common: they are built on a system of corporate surveillance”.
It is surveillance as a business model which must be stopped. It’s now or never.
UPDATE 18 April 2024: The EDPB’s Opinion is now available. A media release states: “As regards ‘consent or pay’ models implemented by large online platforms, the EDPB considers that, in most cases, it will not be possible for them to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.”