The Latest Instalment in the Privacy Battle between Max Schrems and Meta Just Dropped

Last month we wrote about the latest development in a long-running saga to make Meta abide by the EU’s GDPR privacy law. It’s a vital battle for two reasons: first, because Meta is a huge company that impacts the lives of billions of people around the world, so it’s important that it not only follows the law, but is seen to do so. The second reason derives from this: the rules Meta abide by will also apply to every other major company operating in the EU. The outcome is also likely to determine the shape of the online privacy landscape globally, such is the influence of the GDPR.

Last month’s post detailed how the privacy expert and activist Max Schrems, and his noyb.eu organization, have filed a complaint against Meta with the Austrian data protection authority because of Meta’s new ad-free subscription scheme. The principal concern was that this was not “free consent” as required by the GDPR, and that Meta’s subscription fee to remove ads was far too high: €120 (about $130) a year on websites, or €156 (about $170) a year on iOS and Android apps. Schrems pointed out that this was a big problem, because industry numbers quoted by noyb.eu suggest that only 3% of people want to be tracked, but that more than 99% decide against a payment when faced with any kind of “privacy fee.” Setting the subscription level so high almost guarantees that few people will take that option – doubtless what Meta hopes. Noyb.eu’s latest complaint builds on the issue of expensive ad-free subscriptions.

Meta’s seriously flawed approach to free consent isn’t the only issue at hand. Once users have consented to being tracked, there’s no easy way to withdraw it at a later date. This is illegal. Despite Article 7 of the GDPR clearly stating that “it shall be as easy to withdraw as to give consent”, the only option to “withdraw” the (one-click) consent, is to buy a € 251.88 subscription. In addition, the complainant had to navigate through several windows and banners to find the page where he could actually revoke consent.

According to noyb.eu, GDPR rules mean withdrawing consent must be as easy as giving it. But paying €251.88 (about $275) – the annual amount required for a Facebook account together with a linked Instagram account – is clearly much more difficult than simply pressing an on-screen button to accept Meta’s tracking. As noyb.eu points out:

The European Data Protection Board (EDPB) [the top EU data protection body] even mention monetary costs as an example of a burden that is incompatible with the principle of Article 7 GDPR in its guidelines, making it clear that Meta is making the withdrawal of consent not nearly as easy as to give consent.

Noyb.eu has filed a complaint with the Austrian data protection authority (DSB) on behalf of one complainant. It requests that the DSB should order Meta to bring its processing operations in compliance with European data protection law and to provide users with an easy way to withdraw their consent – without having to pay a fee. In addition, noyb.eu wants the Austrian data protection authority to impose a fine on Meta “to prevent further violations of the GDPR.” Interestingly, the DSB has an FAQ about precisely the kind of “pay or okay” system that Meta introduced last year. In the opinion of the Austrian data protection authority, the following points must be observed by any company that adopts the “pay or okay” approach (translation by DeepL):

• full compliance with all data protection regulations (in particular the GDPR) for data processing that takes place on the basis of consent (“okay”)
• the requirements for the granularity of consent must nevertheless be taken into account
• no authorities or other public bodies are involved;
• no exclusivity with regard to the content or services offered, i.e. companies with an explicitly public (supply) mandate or universal service providers cannot use “pay or okay” permissibly;
• no monopoly or quasi-monopoly position of the company on the market;
• a reasonable and fair price for the payment alternative (“pay”), i.e. the payment alternative must not be offered pro forma at a completely unrealistically high price;
• if a user gains access to the website with the help of the payment alternative, no personal data may be processed for advertising purposes.

The DSB emphasizes that this is just its “current view” and that there is no case law from the EU’s top court, the Court of Justice of the European Union (CJEU) yet. Noyb.eu believe that the DSB will forward the case to the Irish Data Protection Commission (DPC), which is the “lead authority” for Meta in the EU. The tendency of the DPC to be supportive of Meta has been one reason why the Schrems versus Meta saga has dragged on for so long – since May 2018 – as we reported in December 2022.

It will be interesting to see whether the DPC takes Meta’s side again on this issue. Even if it does, the EDPB could once more overrule it. At stake is whether internet giants like Meta can bring in unreasonably expensive ad-free subscriptions that no one is willing to pay for, in order to game a key GDPR requirement for users to give “free consent” to being tracked online. Equally, if the DPC, the EDPB or the CJEU decide that Meta’s approach is illegal under the GDPR, it will set a new standard for companies operating in the EU, with knock-on effects around the world.

Featured image by noyb.eu.