In the past weeks, Meta and X set forth their intention to make their platforms ad-free in exchange for a monthly subscription of 10 euros and 16 dollars respectively. Initially, the announcements did not spark significant reactions among users. People compared the upcoming changes to the YouTube premium model, where users pay a monthly fee of 12.99 euros for an ad-free YouTube experience. This was not the case.
Last week, Facebook and Instagram users in the EU were greeted by a strange message from Meta: Pay a fee or your info will be used for ads.
This came as a great surprise, especially for users residing in the European Union, where personal data is strictly protected by the General Data Protection Regulation (GDPR), a reputable legislation. Previous examples, such as the ChatGPT and Google Bard releases, reveal the American companies’ general reluctance to introduce new features in the European market before confirming their compliance with the GDPR. On the contrary, Meta’s hasty decision to enforce this new model raises concerns about the company’s interpretation of the GDPR privacy requirements.
The “Pay or Okay” approach deployed by Meta was initiated by “Der Standard,” an Austrian liberal newspaper, which in 2018 introduced a monthly fee of initially 7 and now 8,90 euros for readers who did not wish for their personal data to be processed for advertising purposes.
Der Standard’s “PUR subscription” option resulted in big profits for the newspaper to the detriment of the right to privacy and soon other news media sites (SPIEGEL.de, Zeit.de, heise.de, FAZ.net, krone.at and t-online.de) followed suit. The wide implementation of the “Pay or Okay” model was vastly facilitated by an Austrian Data Protection Authority ruling in 2019 which failed to detect the model’s inconsistencies with the GDPR provisions. According to Max Schrems, the regulators’ leniency towards news media platforms in order to support journalism paved the way for big tech companies such as Meta to adopt similar systems.
In fact, the company allegedly based its new feature on a recent Court of Justice of the European Union (CJEU) judgment which primarily dealt with the legality of Meta’s use of personal data in the EU between 2018 and 2023 and although found it illegal, left subtle room for maneuver. In its lengthy judgment, the judicial body of the EU included an “obiter dictum,” a typically non-binding additional consideration, which stated that Meta should introduce an alternative to ads “if necessary for an appropriate fee.” This six-word sentence opened the door for Meta to launch its new paid version.
What is even more unsettling is the deafening silence from European Data Protection Authorities. Among the 45 authorities of the GDPR, only three commented on Meta’s new paid version, refraining from critically addressing the consequences of this ultimatum. Both Hamburg and Denmark stated that they are in a close dialogue with the Irish authority, while Norway moderately expressed its concerns and promised to further elaborate on the issue once it reaches a comprehensive conclusion.
For its part, just a few days before Meta’s announcement, the European Data Protection Board (EDPB) issued against Meta an urgent binding decision on personal data processing for behavioral advertising, calling the Irish DPA to “impose a ban on the processing of personal data for behavioral advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA)”.
Article 6 of the GDPR provides in an exhaustive list the legal bases for processing personal data. Following both the aforementioned CJEU judgment and the EDPB decision, Meta opted for the data subject’s consent as the legal basis for the processing, which according to article 7 of the regulation must be “freely given”, informed, explicit, clear and for a specific purpose.
In other words, Meta’s users should be in a position to make a genuine choice when it comes to the processing of their personal data without facing undue pressure or coercion. By conditioning the ads-free experience of its platforms on a monthly fee, Meta blatantly disregards the prerequisites of article 7.
By imposing what can be viewed as a blackmail, Meta does not offer much of a choice to users who have to either accept their data being sold or pay to protect it. Furthermore, there is limited information regarding the kind of data that is being collected. Meta receives data from third parties, among which information from apps that users might visit. Not providing specific clarifications about this data is highly problematic, since the latter could also contain sensitive information, such as sexual preferences when data is retrieved from dating apps like Tinder and Grindr.
In addition, pursuant to Recital 43 of the GDPR, consent cannot be considered freely given and thus constitute a legitimate basis for processing personal data when “there is a clear imbalance between the collector and the data subject.” In its 4th July judgment, the CJEU mentioned for the very first time the “dominant position” of Meta in the market, which should be taken into account when assessing if the users’ consent was freely given.
Although this dominant position does not essentially imply that consent was coerced, it may create a clear imbalance in favor of Meta, by allowing the company to impose particular data processing operations not necessary for the performance of the contract and thus giving users no choice but to adhere to its policies.
For a new or a business that does not have a dominant position in the market, the “pay or okay” solution may seem to be compliant with the GDPR, but when it comes to a tech giant like Meta and its influence as a powerful social media platform, the matter is entirely different.
First, Meta’s policy change is sudden and does not give the user any time to adapt. Users must either pay on the spot or accept to give away their personal information. Secondly, Facebook and Instagram are used by 400 million users in Europe alone, establishing an unarguably dominant position for Meta in the European digital landscape.
Meta’s platforms play a significant role in people’s everyday lives due to the widespread and prevalent use of their services, from communications to marketing and keeping up with the news and other pertinent updates. This leaves people with very few or no alternatives that would keep them connected to the world if they abandon platforms such as Instagram and Facebook. Lastly, the price tag for data protection seems much higher than necessary. The economic burden of a subscription cannot be borne by the most financially precarious users.
Meta’s new paid version raises major concerns about the company’s approach to basic human rights, such as the protection of personal data. It goes without saying that the EU authorities, such as the CJEU, the national DPAs or the EDPB, need to take a strong stance and commit to serious action against this new feature. Cornering people between paying or having their personal data exploited for advertising purposes cannot in any way be considered as a genuinely free choice.
From a human rights perspective, it is utterly unacceptable for people to be asked to pay for something that was theirs to begin with. Such a capitalistic approach will only lead to further monetization of inalienable human rights and will eventually establish a regime of egregious inequalities between people who can afford basic human rights and those who cannot. Associating the protection of human rights, such as the right to privacy and the protection of personal data, to one’s ability to pay for them renders the very concept of their protection null and void.
