Hard setback for meta. The European Data Protection Board (CEPD) has found that Mark Zuckerberg’s company cannot apply its data protection regulations “Pay or accept” strategy that the company proposes on its platforms because it does not comply in line with EU data protection regulations.
«Online platforms must offer users real choice when using “pay or accept” models. Today’s models often require all data to be released or payment to be made. As a result, most users consent to processing in order to use a service and are not clear about the full impact of their decisions.he claimed Ana Talus, President of the CEPD. The European Committee points out that users are forced to accept cookies without making it clear or explaining the consequences.
Faced with this situation, the European organization has stated: “Simply offering a payment alternative should not be the default route«. Therefore, it is determined that they “Consider offering users an equivalent alternative that doesn’t incur a fee«. This free option must be free of behavioral advertising. The third way required by the EDPB cannot be based on behavioral advertising, which is based on cookies and the use of each user to provide personalized advertising. In this context he issued a warning: “is an important factor in obtaining valid consent according to GDPR«.
The EDPB emphasizes that obtaining consent does not release the controller from complying with all the principles described in Article 5 of the GDPR, such as purpose limitation, data minimization and fairness. In addition, also large online platforms must take into account compliance with the principles of necessity and proportionalityand are responsible for demonstrating that their processing is fundamentally in accordance with the GDPR.
Regarding the need for free consent:The following criteria must be taken into account: conditionality, disadvantage, power imbalance and granularity«. In this sense, the CEPD has indicated that charging a fee cannot make people feel obliged to give their consent: “Those responsible must assess on a case-by-case basis whether a fee is appropriate and what amount is appropriate under the circumstances.«.
In addition, large online platforms must also consider whether the decision not to provide consent may have negative consequences for the data subject, such as exclusion from a service offered, lack of access to professional networks or risk, content or connections to lose. The EDPB has highlighted that negative consequences are likely to arise if large online platforms use a “pay or accept” model to obtain consent for processing.
In this sense, those responsible must also assess on a case-by-case basis: whether there is an imbalance of power between the individual and the person in charge. Factors that should be evaluated include the position of the major online platforms in the market, the person’s level of trust in the service, and the service’s main target audience. In addition, the CEPD provides elements to assess the criteria for informed, specific and unambiguous consent that large online platforms must take into account when applying these models.
«Those responsible must always ensure that the fundamental right to data protection does not become a paid service feature. People need to be fully aware of the value and consequences of their decisions“, added Ana Talus.