18 December 2023

Dime and punishment: Is charging for privacy a fair game?

Tom Kench

elevenM’s Tom Kench unpacks Meta’s proposal to introduce a subscription model to address privacy regulation in the EU and asks ‘can Meta require users to pay for their right to privacy?’

Meta has announced plans to introduce a subscription model to Facebook and Instagram users in Europe. For a monthly fee, subscribers can use the platforms without being subjected to personalised advertising or tracking. Users unwilling or unable to pay the subscription fee will still be able to use the platforms for free whilst being tracked and profiled for targeting advertising and other purposes.

Prima facie, this might be seen as a reasonable business model that reduces Facebook’s reliance on advertising (97% of their revenue) by offering consumers a paid alternative. On the other hand, many are viewing this as Meta’s latest attempt to skirt European privacy laws by obtaining questionable consent from customers and based on non-binding court commentary.

The question is: can Meta require users to pay for their right to privacy?

Why is Meta doing this?

It was only as recently as mid-2019 that Facebook’s landing page proudly claimed: “Facebook is free and always will be.” Meta often touted the benefits of an ad-supported internet to ensure all users receive the same service.

Mid-2019 Facebook’s reputation was suffering on the back of the Cambridge Analytica scandal, in which 87 million Facebook users’ data was sent to the data analysis firm as part of their work on the 2016 US election. In response to the scandal, Chief Operating Officer Sheryl Sandberg first referenced the subscription idea. Sandberg stated “We don’t have an opt-out at the highest level. That would be a paid product.” Fast forward half a decade, amidst ongoing privacy litigation, controversies and court rulings in the EU, the model has arrived.

These persistent controversies have backed Meta into a corner where there is no longer a valid contractual right nor legitimate interest to track and profile users for targeted advertisements. In January, the Irish Data Protection Commission confirmed that contractual necessity is not an appropriate basis for processing personal data for behavioural ads, meaning Meta would require consent to do so. Meta’s subsequent argument of a legitimate interest for tracking and profiling users was rejected by the European Court of Justice in July. In the same month, the Norwegian privacy regulator decreed Meta’s approach to behavioural advertising as illegal and began fining the company $100,000 a day.

Consequently, Meta needs to obtain freely given consents from users to be able to continue these activities in accordance with European data protection legislation. Meta’s approach to ‘freely given consent’ is ‘pay us with money or your privacy’. Users unwilling or unable to pay the monthly fee would have to accept Meta tracking and profiling their activity to create personalised ads.

According to the pricing for an iOS or Android account, your privacy on the site is worth $21 AUD a month. Company spokesperson Al Tolan announced, “we are confident that our product solution is compliant with evolving legal requirements in the EU.”

Naturally the concept of paying for a human right will attract the ire of privacy advocates and regulators (on top of the individuals using these services). Max Schrems, the privacy advocate who famously sued Meta for privacy violations under the GDPR in the wake of the Snowden scandal, commented:

Fundamental rights cannot be for sale. Are we going to pay for the right to vote or the right to free speech next? This would mean that only the rich can enjoy these rights, at a time when many people are struggling to make ends meet. Introducing this idea in the area of your right to data protection is a major shift. We would fight this up and down the courts.

Tobias Judin from the Norwegian Data Protection Authority views this as Meta’s latest attempt to resist the real change necessary to comply European privacy law, an attempt that “essentially amounts to extortion”, in part due to Meta’s market dominance leading to a lack of reasonable/comparable/substitutable alternatives.

The basis for doing it

Meta is relying on wording in a recent CJEU judgment (Meta v Bundeskartellamt) to facilitate this service, as follows:

Thus, those users must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely form using the service offered by the online social network operator, which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations

“If necessary for an appropriate fee” are the words Meta are seeking to rely upon. Alternatively, users can consent to the free, ad-supported service. However, this excerpt is from the obiter of the judgment, rendering it non-binding commentary that is likely to be challenged by regulators, advocates and courts. As to whether the fee is appropriate, Meta have noted the pricing is in line with services such as YouTube, Spotify, Twitch and Netflix, which contain subscription models endorsed by the EU Court of Justice.

Not-for-profit European privacy rights group, None of Your Business (NOYB), of which Max Schrems is founder and honorary chairman, has already signalled their intent to take Meta to the courts if they opt to proceed based on case law that NOYB views as unstable. In the past 2 years, NOYB has filed complaints with data protection authorities against news websites adopting similar practices through the use of cookie paywalls, termed “pay or okay”.

However, data protection authorities have shown a willingness to allow news websites to adopt these approaches as commercial entities producing their own content, in part to support journalism, and in part due to the rise of big tech in online news.

This sits in contrast to Meta effectively pay-walling user generated content. Meta gets content for free, which raises questions as to why it is ‘necessary for an appropriate fee.’ There is definitely an argument that Meta is creating a fallacy by providing users with this choice in bad faith in order to maintain a privacy invasive business model reliant on surveillance.

Additionally, the ‘pay for privacy’ debate was considered in America in 2015, as AT&T sparked controversy by providing customers with a $29 monthly discount in exchange for permission to use their web browsing data for personalised advertisements. Critics pointed to the ramifications of turning privacy into a luxury product and the harm to economically disadvantaged persons. As Schrems stated in relation to the present plans: “If Europe accepts Meta’s new model, that would imply privacy is only a commercial right that only the top 10 percent can afford. Everybody else is just going to have to strip down and give their data.”

Conversely, supporters such as Thomas Lenard of the Technology Policy Institute states these models help lower-income consumers, by giving them the “option of paying for a service with money or with data…a pay-for-privacy plan offers a discount in exchange for data.”

The case against

GDPR commentary

Article 4(11) of the GDPR states that consent must be freely given, specific, informed and unambiguous as well as given via a statement or a clear affirmative action. Article 7 of the GDPR prescribes the conditions for consent. Article 7(3) gives the right to withdraw consent, noting that it should be as easy to withdraw consent as it is to give it, and 7(4) notes that an assessment of freely given consent involves considering whether the provision of a service is conditional on consent to data processing that is not necessary in providing the service.

Recitals 42 and 43 state that consent should not be considered valid if there is a clear power imbalance and is not freely given if refusing or withdrawing consent would lead to a detriment. Based on these GDPR excerpts, the validity of Meta’s approach to consent is questionable at best. NOYB data protection lawyer Felix Mikolasch said in a statement: “EU law requires that consent is the genuine free will of the user. Contrary to this law, Meta charges a ‘privacy fee’ of up to 250 euros per year if anyone dares to exercise their fundamental right to data protection.”

However, it seems as though the Courts may need to clarify GDPR interpretation surrounding freely given consent.

EDPB commentary

The European Data Protection Board (EPDB) issues guidelines and recommendations and identifies best practices in relation to GDPR interpretation and application. The below commentary is a non-binding (albeit authoritative) interpretation of the GDPR by the board in relation to best practice in consent withdrawal and validity.

Section 3.1.4 of the EPDB Guidelines 05/2020 states that controllers need to demonstrate that withdrawing consent does not lead to any costs or clear disadvantage for data subjects who do so. Controllers should be able to prove that the data subject had a free or genuine choice about whether to consent and that it was possible to withdraw consent without detriment. This section also states that the GDPR does not preclude all incentives, but the onus is on controllers to demonstrates that consent was still freely given. This guidance could be interpreted as either facilitating or blocking the model, as to whether it provides an incentive or imposes a detriment and is thus limited in use.

Other considerations

At the moment, there is no information on whether Meta will use paid subscriber data for other purposes such as product development, AI training or modelling purposes. This is a significant gap in the overall picture and may impact both the regulatory response and individuals’ perspectives on the model.

What’s Next

Two complaints have been lodged at the time of writing. The European Consumer Organisation (BEUC), the largest consumer group in Europe, view the service as an unfair commercial practice imposing an “unfair choice for users.” A complaint with consumer protection authorities has been submitted on the bases of GDPR breaches and misleading information from Meta. BEUC Deputy Director General Ursula Pachl said in a statement:

Meta is breaching EU consumer law by using unfair, deceptive and aggressive practices, including partially blocking consumers from using the services to force them to take a decision quickly, and providing misleading and incomplete information in the process.

NOYB has filed a complaint with the Austrian privacy regulator, making good on Schrems’ promise to fight it “up and down the courts.” Meta’s competitors will be keeping a close eye on whether the subscription model is permissible, noting TikTok have been testing an ad-free subscription version of its service outside of the US. If the CEJU obiter is upheld, or a decision is made that not subscribing constitutes opting into data harvesting, this could lead to a domino effect across the apps industry.

NOYB’s submission noted the average person has 35 applications on their phone, and it would cost $14,446 AUD as an annual privacy fee if each of these applications followed Meta’s model.

In conclusion

An ad-supported internet has enabled users to access largely the same services and funded the internet as we know it today. We have accepted incursions into our online privacy as part of this trade-off, although regulators and legislators are now seeking to reign this back. Meta’s response, charging for their product at a rate commensurate with competitors such as YouTube, Netflix and Spotify, allows for a shift away from advertising and tracking whilst giving users choice in a (potentially) GDPR compliant way. This response is somewhat borne out of necessity, following European regulator and court commentary that cuts to the core of their ad-supported business model and their ability to supply the platforms for free.

However, the matter of the questionable consumer and privacy law footing that Meta seeks to rely upon remains. This case study also represents the growing cross-over between these branches of law, visible in Australia through proposed changes to the Privacy Act such as the ‘fair and reasonable test’ and ongoing ACCC inquiries into data collection and competition harms stemming from big tech.

In the digital age, Facebook and Instagram are key to our social lives. They are also monopolies in an industry with high barries to entry and could increase the subscription fee in future. Perhaps this is more of a competition issue than a privacy one, and BEUC’s complaint is more appropriate than NOYB’s.

Maintaining your privacy online is demanding, requiring time and expertise that many people don’t have. This proposal from Meta signals a concerning possibility that it may soon also require money, becoming a luxury of the few rather than a right of the many.

Contact us

If you’re interested in learning more about privacy management, contact us at hello@elevenM.com.au or on 1300 003 922.