Showing 9 of 107 Publications in Data Security & Privacy

EU Authorities on ‘Pay or Consent’: Mid-April 2024 Update

Popular Media

Due to Meta’s adoption of a “pay or consent” model for Facebook and Instagram, the model became a key issue not only under EU privacy law but also under the new digital regulations: the Digital Services Act (DSA) and the Digital Markets Act (DMA). Given the barrage of pay or consent-related news in the past months, I thought it would be a good idea to take stock of where we are now.

Read the full piece here.


Does the DMA Let Gatekeepers Protect Data Privacy and Security?

TOTM

It’s been an eventful two weeks for those following the story of the European Union’s implementation of the Digital Markets Act. On April 18, the European Commission began a series of workshops with the companies designated as “gatekeepers” under the DMA: Apple, Meta, Alphabet, Amazon, ByteDance, and Microsoft. And even as those workshops were still ongoing, the Commission announced noncompliance investigations against Alphabet, Apple, and Meta. Finally, the European Parliament’s Internal Market and Consumer Protection Committee (IMCO) held its own session on DMA implementation.

Many aspects of those developments are worth commenting on, and you can expect more competition-related analysis on Truth on the Market soon. Here, I will focus on what these developments mean for data privacy and security.

Read the full piece here.


Consent for Everything? EDPB Guidelines on URL, Pixel, IP Tracking

Popular Media

You may know that the culprit behind cookie consent banners is not the GDPR but the older ePrivacy Directive, specifically its Article 5(3). The EDPB, a representative body of EU national data protection authorities, has just issued new Guidelines on this law. Setting aside that they arguably didn’t have the authority to issue the Guidelines, this new interpretation is very expansive. They would expect consent for e-mail pixel tracking, URL tracking, and IP tracking. In general, in their view, consent would be required for all Internet communication unless very limited exceptions apply (even more restrictive than under the GDPR).

Read the full piece here.


Netflix, Disney+, and Meta: What’s an ‘Appropriate Fee’ for a Subscription?

Popular Media

“What is an appropriate fee?” is among the key questions in the current conversation around Meta’s move to introduce paid subscription options with no ads on Facebook and Instagram. As I discussed previously, the EU’s highest court suggested that businesses may be allowed under the GDPR to offer their users a choice between (1) agreeing to personalised advertising and (2) “if necessary” paying “an appropriate fee” for an alternative service tier. In that text, I also raised some of the legal and economic difficulties in determining an appropriate fee. Eric Seufert followed with a thoughtful analysis. (By the way, don’t miss the next episode of Eric’s podcast in which we’ll discuss this and related issues.) Eric proposed two alternative “conditions for calculating whether a ‘pay-or-okay’ price point represents an ‘appropriate fee’”:

  1. The price achieves, at most, overall ARPU parity between the pre-subscription and post-subscription periods, and;
  2. The fee doesn’t materially exceed those charged by comparable services.

Read the full piece here.


Meta’s Paid Subscriptions: Are They Legal? What Will EU Authorities Do?

Popular Media

Meta gave European users of Facebook and Instagram a choice between paying for a no-ads experience or keeping the services free of charge and with ads. As I discussed previously (Facebook, Instagram, “pay or consent” and necessity to fund a service and EDPB: Meta violates GDPR by personalised advertising. A “ban” or not a “ban”?), the legal reality behind that choice is more complex. Users who continue without paying are asked to consent for their data to be processed for personalized advertising. In other words, this is a “pay or consent” framework for processing first-party data.

I was asked by IAPP, “the largest privacy association in the world and a leader in the privacy industry,” to discuss this. I also thought that the text I wrote for them could use some additional explanations for this substack’s audience. What follows is an expanded version of the text published by IAPP. (If this text is too long, I suggest reading just the next section).

Read the full piece here.


‘Pay or Consent:’ Personalized Ads, the Rules, and What’s Next

Popular Media

In a widely discussed move, Meta gave Facebook and Instagram users the choice between paying for an ad-free experience or keeping the services free of charge using ads. The legal reality behind that choice is more complex. Users who continue without paying are asked to consent to the processing of their data for personalized advertising. In other words, this is a “pay or consent” framework for the processing of first-party data. 

Read the full piece here.


EU’s Cybersecurity Draft Shifts Toward Hard Protectionism

TOTM

A year ago, we cautioned that the EU Cybersecurity Certification Scheme for Cloud Services (EUCS) threatened to embed ill-conceived economic protectionism into the EU’s cybersecurity rules. And, indeed, the European Commission, which has made clear its commitment to pursue “digital sovereignty” for the European Union, can claim some preliminary successes on that front.

A recent draft of EUCS shows that the European Union Agency for Cybersecurity (ENISA) heeded the Commission’s call, contrary to ENISA’s own prior recommendations. Most notably, the draft would preclude entities outside the EU and those under foreign ownership or control from receiving the highest level of cybersecurity certification.

Read the full piece here.


EDPB: Meta Violates GDPR by Personalised Advertising. A ‘Ban’ or Not a ‘ban’?

Popular Media

This is a big week for Meta-related EU privacy news. On Monday, Meta announced that it would allow users to pay for ad-free versions of Facebook and Instagram. I explained what arguably went wrong in EU law to force Meta to do this in a previous newsletter. Now, the European Data Protection Board (EDPB) has reportedly ruled that Meta broke EU privacy law by processing personal data for personalised advertising. See below for what I can tell so far about the new decision and for a brief overview of its background. More to follow once the EDPB decision is published.

Read the full piece here.


Facebook, Instagram, ‘Pay or Consent’ and Necessity to Fund a Service

Popular Media

Meta officially announced that Facebook and Instagram will offer a paid subscription service tier without any ads. The move was prompted by recent enforcement actions by European privacy authorities and a judgment by the EU’s highest court, the Court of Justice. I’ll dive deeper into those developments in future posts. I believe that much of this is both bad law and bad policy. Today, I start with an overview, aiming to provide a simplified explanation.

Read the full piece here.
