Barely two weeks after the obligations under the Digital Markets Act (DMA) kicked in, the European Commission has launched compliance investigations into several gatekeepers i.e. the large digital platforms that provide core platform services (including online advertising services). Amongst other things, the Commission is investigating whether Meta's “pay or consent” model complies with consent requirements under the DMA (and therefore by extension the GDPR).
Put simply, such models provide users with two choices – use the service for free (and consent to personalised advertising) or pay a subscription. See further here. The outstanding question is whether such models are compliant. The ICO and the European Data Protection Board (“EDPB”) are set to have their say on the lawfulness of these models and now it seems that the Commission will wade in with its view.
The Commission is investigating whether Meta’s proposed implementation of such a model complies with the DMA which requires gatekeepers to obtain consent from users when they intend to combine or cross-use their personal data across different core platform services. The Commission is particularly concerned that the binary choice imposed by Meta's “pay or consent” model may not provide a real alternative if users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers.
This investigation highlights the intersection between GDPR and the DMA and the respective roles of the Commission and EDPB. The DMA leverages definitions and concepts, such as consent from the GDPR. Traditionally, the EDPB has had sole competency to interpret the provisions, however, with respect to the DMA the Commission is entitled to take its own view. For the sake of clarity, let’s hope the Commission and EDPB will be aligned on their interpretation otherwise this might cause quite the headache for privacy lawyers!
In its Compliance Report, Meta notes that it has invested significantly” to comply with the DMA consent requirements by giving end users “a new choice” with respect to their personal data, while continuing to provide end users, “where possible, with a meaningful alternative experience.” Meta also suggests that its solution has been endorsed by the CJEU. Meta notes it has “carefully designed” the choice to ensure that end users provide valid consent by using what they say is a “recognisable format” which is “familiar and easy to understand, easily navigable and intelligible”.
It’s also interesting to note that the Commission is not investigating Google in relation to the same consent requirements. In its DMA Compliance Report Google states that, amongst other measures to ensure compliance, its EU user consent policy already required advertising partners to obtain consent on Google's behalf, and that to enhance this framework Google has introduced new requirements for advertising partners to send Google affirmative signals representing users' consent statuses. Therefore, presumably the Commission is satisfied that this approach is compliant.
The Commission intends to conclude the proceedings within 12 months.