Search Results

ICLE Senior Scholar Lazar Radic was quoted in the French version of EurActiv in a story about the European Union’s Digital Markets Act and Digital Services Act. You can read the full piece here.

Les élections du Parlement européen de juin constituent une étape claire et définitive pour le DSA, incitant les décideurs politiques à agir rapidement, a expliqué à Euractiv Lazar Radic, chercheur principal en politique de la concurrence à l’International Center for Law & Economics et professeur adjoint de droit à l’IE University.

Il a toutefois prévenu que le DSA restait ambigu dans la définition de ce qui constitue de la désinformation.

« Il y a aussi la question de la censure et la menace que le DSA devienne un outil non pas pour éliminer […], mais pour perpétuer les préjugés ou la désinformation », a-t-il déclaré.

M. Radic a suggéré que les lignes directrices de la Commission sur les élections visent à clarifier ces définitions, notamment en ce qui concerne la désinformation avant les élections de juin.

…« Cela s’est produit immédiatement après l’atelier [qui] était censé favoriser la communication entre la Commission et les contrôleurs d’accès. D’autres personnes et moi-même nous sommes creusés la tête. Quel était le but de tout cela ? », a commenté M. Radic.

Selon lui, la Commission avait probablement planifié les enquêtes bien avant les ateliers. L’exécutif avait peut-être espéré que les contrôleurs d’accès aborderaient les problèmes identifiés lors des ateliers, mais les enquêtes ont pu être décidées indépendamment des résultats des ateliers.

M. Radic a ajouté qu’il pourrait également y avoir « un élément disciplinaire [dans les mesures]. La Commission veut montrer qu’elle est sérieuse ».

« La Commission ne cesse de répéter que le droit de la concurrence et le DMA sont deux choses totalement différentes. Mais nous avons ici un nouvel exemple de ce continuum entre les deux », a-t-il affirmé. « En effet, les deux sont déployés exactement au même moment».

M. Radic a ajouté que le DMA était présenté comme un règlement auto-applicatif, mais il a remis cela en question. « Comment est-il auto-applicatif si la Commission lance maintenant, [au] cours du premier mois, ces enquêtes ? »

Il s’est également interrogé sur la manière dont la Commission mesurerait l’adéquation des changements apportés par les contrôleurs d’accès pour atteindre les objectifs d’équité et de contestabilité du DMA.

Selon M. Radic, le « test final » de la réussite du DMA est de savoir si les parts de marché des concurrents augmenteront. C’est peut-être ce que la loi entend par « équité », a-t-il ajouté.

I thank the ICO for the opportunity to submit comments on “pay or consent.” My focus will be on the question of how to deal with consent to personal data processing needed to fund the provision of a service that does not fit the legal basis of contractual necessity.^[1]

Personalised Advertising: Contractual Necessity or Consent?

Under the GDPR, personal data may only be processed if one of the lawful bases from Article 6 applies. They include, in particular, consent, contractual necessity, and legitimate interests. When processing is necessary for the performance of a contract (Article 6(1)(b)), then that is the basis on which the controller should rely. One may think that if data processing (e.g., for targeting ads) is necessary to fund a free-of-charge service, that should count as contractual necessity. I am unaware of data protection authorities disputing this in principle, but there is a tendency to interpret contractual necessity narrowly.^[2] Notably, the EDPB decided in December 2022 that Facebook and Instagram shouldn’t have relied on that ground for personalisation of advertising.^[3] Subsequently, the EDPB decided that Meta should also not rely on the legitimate interests basis.^[4]

The adoption of a narrow interpretation of contractual necessity created an interpretative puzzle. If we set aside the legitimate interests basis under Article 6(1)(f)), in many commercial contexts, we are only left with consent as an option (Article 6(1)(a)). This is especially true where consent is required not due to the GDPR but under national laws implementing the ePrivacy Directive (Directive 2002/58/EC), including the UK Privacy and Electronic Communications Regulations (PECR). That is, for solutions like cookies or browser storage. Importantly, though, these are not always needed for personalised advertising. Perhaps the biggest puzzle is how to deal with consent to processing needed to fund the provision of a service that does not fit the narrow interpretation of contractual necessity.

Consent, as we know from Articles 4(11) and 7(4) GDPR, must be “freely given.” In addition, Recital 42 states that: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” The EDPB provided self-contradictory guidance by first saying that withdrawing consent should “not lead to any costs for the data subjects,” but soon after adding that the GDPR “does not preclude all incentives” for consenting.^[5]

Despite some differences, at least the Austrian, Danish, French, German (DSK), and Spanish data protection authorities generally acknowledge that paid alternatives to consent may be lawful.^[6] Notably, the Norwegian Privacy Board—in a Gridnr appeal—also explicitly allowed that possibility.^[7] I discuss below the conditions those authorities focus on in their assessment of “pay or consent” implementations.

The CJEU and ‘Necessity’ to Charge ‘An Appropriate Fee’

In its Meta decision from July 2023, the EU Court of Justice weighed in, though in the context of third-party-collected data, by saying that if that kind of data processing by Meta does not fall under contractual necessity, then:

(…) those users must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator, which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations.^[8]

Intentionally or not, the Court highlighted the interpretative problem stemming from a narrow interpretation of contractual necessity. The Court said that even if processing does not fall under contractual necessity, it may still be “necessary” to charge data subjects “an appropriate fee” if they refuse to consent. Disappointing some activists, the Court did not endorse the EDPB’s first comment I cited (that refusal to consent should not come with “any costs”).

Even though the Court did not explain this further, we can speculate that the Court was not willing to accept the view that all business models simply have to be adjusted to a maximally prohibitive interpretation of the GDPR. The Court may have attempted to save the GDPR from a likely political backlash to an attempt to use the GDPR to deny Europeans a choice of free-of-charge services funded by personalised advertising. Perhaps, the Court also noted that other EU laws rely on the GDPR’s definition of consent (e.g., the Digital Markets Act) and that this gives an additional reason to be very cautious in interpreting this concept in ways that are not in line with current expectations.

Remaining Questions

Several questions will likely be particularly important for future assessments of “pay or consent” implementations under the GDPR and ePrivacy/PECRs. The following list may not be exhaustive but aims to identify the main issues.

How Specific Should the Choice Be?

The extent to which service providers batch consent to processing for different purposes, especially if users cannot (in a “second step”) adjust consent more granularly, is likely to be questioned. This is problematic because giving users complete freedom to adjust their consent could also defeat the purpose of having a paid alternative.

In a different kind of bundling, service providers may make the paid alternative to consent more attractive by adding incentives like access to additional content or the absence of ads (including non-personalised ads). On the one hand, this means that service providers incentivise users not to consent, making consent less attractive. This could be seen as reducing the pressure to consent and making the choice more likely to be freely given. On the other hand, a more attractive paid option could be more costly for the service provider and thus require a higher price.

What Is an ‘Appropriate’ Price?

The pricing question is a potential landmine for data protection authorities, who are decidedly ill-suited to deal with it. Just to show one aspect of the complexity: setting as a benchmark the service’s historical average revenue per user (ARPU) from (personalised) advertising may be misleading. Users are not identical. Wealthier, less price-sensitive users, who may be more likely to pay for a no-ads option, are also worth more to advertisers. Hence, the loss of income from advertising may be higher than just “old ARPU multiplied by the number of users on a no-ads tier,” suggesting a need to charge the paying users more than historical ARPU merely to retain the same level of revenue. Crucially, the situation will likely be dynamic due to subscription “churn” (users canceling their subscriptions) and other market factors. The economic results of the “pay or consent” scheme may continue to change, and setting the price level will always involve business judgment based on predictions and intuition.

Some authorities may be tempted to approach the issue from the perspective of users’ willingness to pay, but this also raises many issues. First, the idea of price regulation by privacy authorities, capping prices at a level defined by the authorities’ view of what is acceptable to a user, may face jurisdictional scrutiny. Second, taking users’ willingness to pay as a benchmark implicitly assumes a legally protected entitlement to access the service for a price they like. In other words, to assume that users are entitled to specific private services, like social media services.^[9] This is not something that can be simply assumed; it would require a robust argument—and arguably constitute a legal change that is appropriate only for the political, legislative process.

Imbalance

Recital 43 of the GDPR explains that consent may not be free when there is “a clear imbalance between the data subject and the controller.” In the Meta decision, the EU Court of Justice admitted the possibility of such an imbalance between a business with a dominant position, as understood in competition law, and its customers.^[10] This, too, may be a difficult issue for data protection authorities to deal with, both for expertise and competence reasons.

The Scale of Processing and Impact on Users

Distinct from market power (dominance), though sometimes conflated with it, are the issues of the scale of processing and its impact on users. An online service provider, e.g., a newspaper publisher, may have relatively little market power but may be using a personalised advertising framework (e.g., an RTB scheme facilitated by third parties^[11]) that is very large in scale and with more potential for a negative impact on users than an advertising system internal to a large online platform. A large online platform can offer personalised advertising to its business customers (advertisers) while sharing little or no information about who the ads are being shown to. Large platforms have economic incentives to keep user data securely within the platform’s “walled garden,” not sharing it with outsiders. Smaller publishers participate in open advertising schemes (RTB), where user data is shared more widely with advertisers and other participants.

Given the integration of smaller publishers in such open advertising schemes, an attempt by data protection authorities to set a different standard for consent just for large platforms may fail as based on an arbitrary distinction. In other words, however attractive it may seem for the authorities to target Meta without targeting the more politically powerful legacy media, this may not be an option.

^[1] The comments below build on my ‘“Pay or consent:” Personalized ads, the rules and what’s next’ (IAPP, 20 November 2023) < https://iapp.org/news/a/pay-or-consent-personalized-ads-the-rules-and-whats-next/ >.

^[2] On this issue, I highly recommend the article by Professor Martin Nettesheim on ‘Data Protection in Contractual Relationships (Art. 6 (1) (b) GDPR)’ (May 2023) < https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4427134 >.

^[3] https://www.edpb.europa.eu/news/news/2023/facebook-and-instagram-decisions-important-impact-use-personal-data-behavioural_en

^[4] https://www.edpb.europa.eu/news/news/2023/edpb-urgent-binding-decision-processing-personal-data-behavioural-advertising-meta_en

^[5] https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf

^[6] David Pfau, ‘PUR models: Status quo on the European market’ (BVDW, October 2023) < https://iabeurope.eu/knowledge_hub/bvdws-comprehensive-market-overview-pur-models-in-europe-legal-framework-and-future-prospects-in-english/ >; for the view of the Spanish authority, see ??https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/aepd-actualiza-guia-cookies-para-adaptarla-a-nuevas-directrices-cepd

^[7] https://www.personvernnemnda.no/pvn-2022-22

^[8] https://curia.europa.eu/juris/document/document.jsf?mode=lst&pageIndex=1&docid=276478&part=1&doclang=EN&text=&dir=&occ=first&cid=163129

^[9] See also Peter Caddock, ‘Op-ed: “Pay or data” has its reasons – even if you disagree’, https://www.linkedin.com/pulse/op-ed-pay-data-has-its-reasons-even-you-disagree-peter-craddock

^[10] See para [149]. This is also referenced in the Joint EDPB-EDPS contribution to the public consultation on the draft template relating to the description of consumer profiling techniques (Art.15 DMA) (September 2023), page 14.

^[11] https://en.wikipedia.org/wiki/Real-time_bidding

Due to Meta’s adoption of a “pay or consent” model for Facebook and Instagram, the model became a key issue not only under EU privacy law but also under the new digital regulations: the Digital Services Act (DSA) and the Digital Markets Act (DMA). Given the barrage of pay or consent-related news in the past months, I thought it would be a good idea to take stock of where we are now.

Read the full piece here.

Through laudable competition on the merits, Google achieved a usage share of nearly 90% in “general search services.” About a decade later, the government alleged that Google had maintained its dominant share through exclusionary practices violating Section 2 of the Sherman Antitrust Act. The case was tried in U.S. District Court in Washington, D.C. last fall, and the parties made post-trial filings this year.

Read the full piece here.

The Federal Trade Commission’s (FTC) recent complaint challenging the proposed merger of the supermarkets Kroger Co. and Albertsons Companies Inc. has important implications for antitrust enforcement in labor markets. Central to the FTC’s case is how it chooses to define the relevant markets, and particularly the commission’s focus on unionized grocery workers. The complaint alleges that the combined firm would dominate these markets, substantially lessening competition for unionized labor.

Read the full piece here.

ICLE President Geoffrey A. Manne was quoted by StateScoop in a story about the proposed American Privacy Rights Act and how it could preempt state privacy laws. You can read the full piece here.

Geoffrey Manne, president and founder of the International Center for Law and Economics, said there’s an advantage to having a diversity of law. In a paper published last month by the American Enterprise Institute, he proposes preserving that diversity through a federal “choice of law” statute.

The “choice of law” statute, if added to APRA, would allow states to keep their privacy laws and prevent the federal law from preempting state authority. Businesses would be allowed their choice of which state’s privacy law they must follow.

“The idea was very much modeled on the state incorporation law, where the corporation picks the state in which it’s going to be incorporated, and it’s internal governance is governed by the laws of that state, no matter where it’s doing business, around the country,” Geoffrey Manne, an author of the paper and founder of the International Center for Law and Economics, told StateScoop.

An added benefit of the statute, Manne said, would be its encouragement of competition among states over their privacy statutes and among businesses over their privacy practices. This would also allow the more tailored privacy laws — such as the Illinois BIPA or the Washington My Health My Data Act — to make operating within certain states more appealing to the covered businesses.

Manne said he’s not in favor of undoing state efforts to regulate data privacy, but he’s skeptical of a federal privacy law that isn’t flexible enough to meet the varying needs of states.

“Neither all consumers nor all businesses have the same kind of privacy risks and preferences,” Manne said. “As a practical matter, it’s very hard to to prescribe rules that are optimal for 330 million people. And that’s true with all law. Instead, you could end up with a lot of different sort of much more tailored privacy regimes, and the opportunity for companies to kind of match their needs with privacy regimes being offered.”

Ayear after it was created by the Government of India’s Ministry of Corporate Affairs to examine the need for a separate law on competition in digital markets, India’s Committee on Digital Competition Law (CDCL) in February both published its report recommending adoption of such rules and submitted the draft Digital Competition Act (DCA), which is virtually identical to the European Union’s Digital Markets Act (DMA).

Read the full piece here.

ICLE Senior Scholar Lazar Radic was quoted by EurActiv in a story about the European Union’s Digital Markets Act and Digital Services Act. You can read the full piece here.

The June European Parliament elections serve as a clear and definitive milestone for the DSA, prompting swift action from policymakers, said Lazar Radic, a senior scholar for competition policy at the International Center for Law & Economics and adjunct professor of law at IE University, told Euractiv.

He warned, however, that there remains ambiguity in the DSA in defining what constitutes misinformation.

“There is also the question of censorship and the threat of the DSA becoming a tool for not suppressing misinformation but perpetuating biases or misinformation,” he said.

Radic suggested that the Commission’s guidelines on elections are intended to clarify these definitions, particularly regarding misinformation ahead of the June elections.

…“This was immediately after the workshop [which] was supposed to foster communication between the Commission and the gatekeepers. I and others have been scratching our heads. What was the point of this?” said Radic.

He said the Commission had likely had investigations planned way before the workshops. The Commission might have hoped the gatekeepers would address previously identified concerns during the workshops, but the probes may have been decided regardless of the workshop outcomes, the scholar said.

Radic added that there might also be “a disciplinary element to [the measures]. The Commission wants to signal that it’s serious.”

“The Commission keeps saying that competition law and DMA are completely different things. But here we have yet another example of that continuum between the two,” he said. “In fact, the two are deployed at the same exact time.”