Rarely has a European Data Protection Board plenary generated so much aggravation and heated opinions as what we are seeing this week.

The EDPB issued its opinion on the pay-or-consent models being deployed by large online platforms as a legal construct to support behavioral advertising. This follows a January 2023 decision by Ireland's Data Protection Commission invalidating contract as a legal basis for the processing of personal data carried out for behavioral advertising. The DPC issued Meta a 390 million euro fine and forced the company to rethink its practice.

Meta did so by deploying a subscription model across the European Union and European Economic Area, which in turn triggered requests by the Dutch, Norwegian and Hamburg data protection authorities for EDPB analysis. In its opinion this week, the EDPB concluded that, "In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee."

A lot has been and will be written on this thorny debate, including by the IAPP's very own editorial and research and insights teams. It does bundle immensely complicated notions of: interpretation of the legal basis under the EU General Data Protection Regulation and validity of consent; data subject's literacy in data privacy basics and balancing consumer interest between privacy rights and the convenience of accessing content quickly and "for free"; and a free and open internet vis-à-vis expectations that commercial entities be able to determine how they charge (or not) their customers.

All that and more is to be assessed against existing jurisprudence of the EU Court of Justice — for example, on valid consent — and newly introduced legislative obligations under the Digital Services Act and the Digital Markets Act, including regarding profiling based on special categories of data and gatekeepers' reliance on consent for online advertising services.

It is safe to say there may not even be a key to untangling that Gordian knot. What transpires of this evolution for me is somewhat a parallel to what we observed on data transfers over the last decade in Brussels. A theoretical design of how transfers could be done, clashing with different stakeholders' realities, leading to an erosion of options. Replace transfers with legal bases for processing and you catch a new tide.

When looking at the evolution of legal bases during the GDPR lifespan, that tide has caused erosion, as well, progressively cropping the options for consent to emerge ever more clearly as the only acceptable option in the eyes of European regulators. In that sense, behavioral advertising is to legal bases what the Privacy Shield was to data transfers: one of the most recent and visible waves, but part of a current that appears unstoppable.

Elsewhere:

  • On 18 April, the European Commission held its annual European Consumer Summit. Although a wide range of topics were discussed, many, at least in the digital field, were looking forward to hearing about the outcomes of the Cookie Pledge. The Cookie Pledge was introduced by the Commission in March 2023 to work with various stakeholders in the digital field to develop principles addressing "cookie fatigue." The EDPB reviewed the draft principles in late 2023 and expressed support for the initiative, while clarifying that companies' implementation of the principles would not equal compliance with the GDPR and e-Privacy Directive.
    The final version of the voluntary principles was targeted to be presented at this year's Consumer Summit, but the agenda of the event did not explicitly mention it. Hence, it is unclear where the Cookie Pledge stands now and what the initiative's future holds, but it might mean the future Commission will put new policy options on the table.
  • On 11 April, the Court of Justice of the European Union published Advocate General Priit Pikamäe's opinion regarding the obligation of a German data protection authority to act in response to a reported data breach. The opinion concerns a case in which a customer of a savings bank notified one of the German data protection authorities of a personal data breach, requiring action to be taken.
    While the DPA established the GDPR was indeed breached, no further measures were taken against the savings bank as it had already implemented disciplinary measures against the responsible person.
    The complainant was not satisfied with this outcome and sought a court order for the DPA to impose a fine against the savings bank. Pikamäe concluded that while the DPA is obliged to take action in case of a personal data breach, the DPA is not required to adopt the measures requested by the data subject, as such measures must be determined by the DPA itself, ensuring they are appropriate, proportionate and necessary.
  • Spain's data protection authority, the Agencia Española de Protección de Datos, released its annual report overviewing the state of privacy in 2023. The AEPD said 21,590 complaints were received in 2023, the largest to date at nearly twice the amount reported in 2022. Unsolicited advertising, video surveillance and issues related to internet services were among the issues surfacing the most in the complaints.