Data Privacy & Security

Validity of consent coupled with free online services - Chair of EDPB opens a path


The Austrian Data Protection Authority, headed by the chair of the European Data Protection Board (EDPB), provided a clear way forward for advertising-based business models.

Following a complaint against an Austrian newspaper, the Austrian Data Protection Authority (DPA) decided that the prohibition on making the provision of a service conditional on consent (“coupling prohibition”; Article 7(4) GDPR) can effectively be circumvented by additionally offering a consent-free equivalent service for a reasonable remuneration (case no. DSB-D122.931/0003-DSB/2018; the decision is final).

In the case at hand, the newspaper offered its website only to users who either (i) consented to the use of cookies for personalized advertising or (ii) paid a subscription fee of 6 Euro per month. In its analysis, the DPA focused in particular on whether data subjects could refuse their consent “without detriment” (Recital 42 GDPR). The DPA considered that the consequence of not giving one’s consent was (i) having to pay 6 Euro per month to access the newspaper website without ads or (ii) having to use another online newspaper. Neither of these consequences was considered to be a “significant detriment” to the data subject. Thus, the consent was ruled valid by the DPA.

This decision is fully in line with the European Data Protection Board’s guideline on consent (WP259 rev.01). This guideline provides that consent is valid where data subjects are able to choose between:

  • a service that includes consenting to the use of personal data for additional purposes, and

  • an equivalent service offered by the same controller that does not involve consenting to data use for additional purposes.

According to the guideline, it is sufficient that the two services are “genuinely equivalent”. Notably, the guideline does not require that the second, consent-free alternative be offered free of charge – a “no further costs” requirement was conspicuously dropped when the draft 2017 guideline was finally adopted in April 2018.

In stark contrast to the Austrian DPA’s decision, the UK Information Commissioner's Office (ICO) examined essentially the same business model used by a US newspaper but reached a different conclusion. In an informal letter to the newspaper in November 2018, the ICO took the position that, for the user to have a genuine choice, a consent-free alternative would have to be offered free of charge. This illustrates how unpredictable GDPR enforcement outcomes still are.

However, given that the head of the Austrian DPA also serves as Chair of the European Data Protection Board until 2023, the Austrian landmark decision is likely to set an EU-wide standard.

While this decision does not close the door on other possibilities of getting around the coupling prohibition, it shows at least one clear way forward for advertising-based online business models, namely offering the online service in two versions:

  • in an advertising-financed version that requires the data subject’s consent to personalized advertising, and

  • in an ad-free version that requires the payment of an adequate remuneration.

This interpretation of the coupling prohibition recognizes the necessity of online services to generate revenue – either from advertisers paying for personalized advertising or from users paying for the online service. In doing so, it strikes the necessary balance between the fundamental right to data protection and the fundamental right to conduct a business (Article 16 of the Charter of Fundamental Rights in the EU).

This ruling also draws the GDPR closer in line with standards in other jurisdictions. For example, in the United States, the Federal Trade Commission generally permits the collection and use of consumer data for advertising purposes so long as suitable notice and choice options are provided, such as through mechanisms offered by the Digital Advertising Alliance ("DAA"). In addition, the emerging standards under the California Consumer Privacy Act ("CCPA") generally restrict a business from treating a consumer differently based on the consumer's privacy choices, except where a different price or level of service "is reasonably related to the value provided to the consumer by the consumer's data". These developments are perhaps hopeful signs of greater convergence in privacy regulation and interpretation that recognizes the fundamentals of how business is conducted online.