Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Privacy and competition walk into a bar, but they don't use the same door. Where do they meet?

For the last year, privacy regulators have looked at pay-or-consent models, with the European Data Protection Board issuing its opinion 058/2024 in April 2024 on "Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms."

Meanwhile, the European Commission's competition team has been conducting its own investigation into Meta's pay-or-consent model. The directorate-general for competition opened proceedings almost one year ago on Meta's approach under Article 5(3) of the Digital Markets Act, which requires gatekeepers to obtain consent from users when they intend to combine or cross-use their personal data.

The Commission issued preliminary findings in July 2024 establishing that the binary choice of the pay-or-consent model "forces users to consent to the combination of their personal data and fails to provide them a less personalized but equivalent version of Meta's social networks."

In its 6 March DMA compliance report, Meta pushed back. It stated that offering a choice between a paid subscription and free access to a service funded by personalized ads is a "well-established business model and a valid legal consent choice under EU law."

The company added that it "remains fully convinced that its Subscription for No Ads compliance solution for Article 5(2) is fully compliant with the requirements of the DMA."

Despite "concerted efforts to comply with EU regulation," Meta said it "continued to receive additional demands that go beyond what is written in the law," prompting the company to add new options for EU users in November 2024.

The European Commission's final decision is expected by 25 March to meet the 12-month deadline laid out in the DMA.

As an example of how conversations are progressing in member states, France's data protection authority, the Commission nationale de l'informatique et des libertés, published the conclusion of a study entrusted to the former president of the competition authority, the Autorité de la Concurrence, which looks at the nature of the interplay between competition and data protection. The report makes 15 proposals to deepen convergence between the two regulatory frameworks, from the perspective of data protection, and to deepen authorities' cooperation and coordination.

Among the proposals, the report suggests: the CNIL should experiment with the concept of "data power" as a doctrinal insight when assessing the relationship between data subject and data controller, when this concept would be more appropriate than existing competitive concepts of dominance or market power; develop within the CNIL's practice the consideration of competitive unlawfulness under Article 5.1(a) of the GDPR; initiate a specific joint reflection on the right to portability of personal data, and its consequences in terms of personal data protection and competition; and better proportion sanctions to the company's behavior by making it, where applicable, an aggravating factor, for example by increasing the penalty based on benefits derived from the breach, the severity of harm to individuals, and the possible negative ecosystemic effects.

Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.