As of now, the parent company of Instagram and Facebook, Meta, sells European users a monthly subscription between €9.99 and €12.99 to experience ad-free services (Photo: Kyra Preston)
Since last week, Mark Zuckerberg’s Meta corporation is forcing its European users to either accept their intrusive privacy practices — or pay €156 per year to access Facebook and Instagram without tracking advertising.
For the EU, it is yet another test of the General Data Protection Regulation (GDPR)’s credibility. To respond, the EU must focus on three things: swift enforcement of binding rulings, settling the validity of the legal ground for Meta’s new model, and comprehensive GDPR review to ensure more effective enforcement.
But it also raises questions about the GDPR — why were their such high hopes, and so few results?
GDPR was passed in 2016 with the expectation that it would rein in Big Tech’s ‘surveillance capitalist’ model and guarantee data privacy in Europe after a host of scandals.
Now, just shy of its fifth birthday, GDPR has not delivered on its promise.
A significant problem has been the lack of enforcement caused by the so-called ‘one-stop-shop mechanism’ — that entrusts the bulk of work to national Data Protection Authorities (DPAs).
As most tech conglomerates have European headquarters in Ireland for tax reasons, it is the Irish Data Protection Commission (DPC) that has the frontline job of ensuring that they comply with GDPR rules.
This has been a task the Dublin regulator has not always willingly carried out.
In the case of Facebook and Instagram, it has ostensibly held the position that Meta’s subsidiaries are essentially acting within EU law, despite opposite views by other national regulators. Eventually, this led to a damning overruling of the Irish DPC by the European Data Protection Board (EDPB) and to a landmark decision prompted by the Norwegian DPA’s temporary ban under urgent GDPR enforcement.
Thanks to the Irish DPC’s ‘business friendly’ attitude and fault lines in the GDPR framework, Big Tech has repeatedly gotten away with non-compliance. Fines have been too few, too late and too weak. For example, in 2020, Meta paid €747m in fines for its misdeeds, which amounted to little more than 0.6 percent of the $116.60bn the company earned that same year.
Is Meta’s new ‘pay or okay’ model really okay?
Recent actions seem to have finally prompted Zuckerberg’s company to rethink its data collection methods in Europe. However, instead of choosing the path of compliance, Meta has adopted a controversial ‘pay for your rights’ model. As of a few weeks ago, the company sells European users a monthly subscription between €9.99 and €12.99 to experience ad-free services.
This development comes at a crucial time for Europe and the future of its digital policies and has sparked fundamental debates on both the legality and legitimacy of Meta’s action.
According to noyb, Max Schrems’s privacy advocacy NGO, the question of legality stands on the interpretation of two loopholes. The first is a judgement regarding media outlets pioneering cookie paywalls. The second loophole is an ‘obiter dictum’ [something said in passing by a judge] of just six words by the Court of Justice of the European Union (ECJ) establishing that, in case of refused consent to particular data processing practices, companies may provide alternative “if necessary for an appropriate fee.”
Sign up for EUobserver’s daily newsletter
All the stories we publish, sent at 7.30 AM.
What is sure, however, is that the expensive subscription is not within everyone’s economic reach.
Capitalising on this aspect, Meta is ingeniously offering users a ‘free like before’ option that comes at the cost of continuous personal data harvesting. This is clearly a discriminatory practice with great potential to feed into pre-existing digital inequalities.
There can be no doubt that Meta has yet again thrown down the gauntlet to the EU, and this time, the way the EU reacts will have global ramifications. Indeed, Meta itself has revealed that Europe will serve as an experiment to see whether rolling out similar subscriptions to other countries is feasible and desirable.
This is a significant moment for Europe. Effective GDPR enforcement stands, together with the implementation of the Digital Services Act and Digital Markets Act, as critical tests of the EU’s capacity to rein in Big Tech’s most abusive and socially damaging practices.
Therefore, resolute action is essential. History has shown that the Irish DPC has repeatedly taken its task too lightly and accepted that Meta could bypass GDPR. This can no longer be the case.
It is of utmost importance that the Irish DPC ensures that Meta fully complies with the EDPB’s urgent binding decision or is otherwise banned from collecting data across the EEA. Additionally, the regulator needs to recognise that the new subscription model promotes a ‘blanket consensus’ approach that is not compatible with GDPR’s understanding of consent as “freely given, specific, informed and unambiguous.”
Then, the CJEU needs to clarify its stance on the fine print of the Meta Platforms Inc. v. Bundeskartellamt case. Schrems has already filed his first complaint against Meta, but it is up to the court to clarify its position regarding the July ruling and bring legal certainty to the validity of the obiter dictum.
Meanwhile, the European Consumer Organisation (BEUC) also filed a group complaint against Meta’s “unfair pay-or-consent model” with the network of consumer protection authorities on Thursday (30 November).
Lastly, it is imperative that the EU reviews GDPR.
In July, the EU Commission tabled a proposal to streamline enforcement. However, this initiative falls short of addressing major GDPR fault lines, among which is the commission’s own lack of enforcement. Thus, against DG JUST’s best wishes, it seems to be time to reopen GDPR.
In doing so, there is a hold-out chance that the regulation can be turned into a success story. However, it requires more significant reform than what is on the table and a clear signal that privacy is not for sale in Europe.