by Dr. Alexander Golland //
Although it has always been discussed in jurisprudential literature, the so-called “prohibition of coupling” – making the provision of a service conditional on the user’s consent – has been lurking in the shadows under the former German Federal Data Protection Act. A change is foreseeable with the General Data Protection Regulation (GDPR): Art. 7 para. 4 GDPR clarifies that the provision of services may not be made dependent on the granting of consent. Nevertheless, this apparent novelty of data protection law raises many questions. While representatives of business practice in particular reject the application of the prohibition of coupling in numerous constellations, its apologists warn of the end of all data-driven services. This article proposes a solution that is equally suited to the protection of the privacy of data subjects and the economic interests of service providers.
1.Legal basis for personalised advertising
Many services on the internet are offered “for free”, but the service providers take advantage of the personal data obtained from the user by targeting them with personalised advertisements. Bearing in mind that providing data in exchange for service as a contractual condition between the controller and the data subject is considered to be invalid, Art. 6 para. 1 lit. b GDPR cannot serve as a legal basis for personalised advertisements making the service profitable.i However, as legal basis for data processing for the purposes of personalised advertisements and similar data processing operations, Art. 6 para. 1 lit. f GDPR may be taken into account. In principle, the placement of advertising can also be justified by weighing up interests, as can the evaluation of profile data and other data for such purposes, as long as the data subject has deliberately published this data. If the user provides personal data about himself and deliberately makes them accessible to the public, Art. 9 para. 2 lit. e GDPR implies that the interests of the controller prevail.
However, the vast majority of data processed in Web 2.0 services are not made publicly accessible. This applies, among other things, to the content of messages and the data generated during the service usage. In these cases, the interests and freedoms of the data subject outweighs. Consent is therefore the only way for using personal data to create interest profiles in order to target users.
Typically, the use of Web 2.0 service providers ask for consent to the data processing already at the moment of the users’ registration. In cases where the provision of the service depends on the granting of consent, the prohibition of coupling applies. Otherwise, if the service provider were to obtain consent without making the service’s use conditional on consent, the user would have no incentive to consent, which would create significant difficulties for the service provider to obtain a valid consent to rely its data processing operations on at all. The placement of impersonalised advertising or advertising personalised only on the basis of public data would remain possible, but such advertising generates far less profit. Users most likely click on advertisements that best match their interests and expectations.
2.The Concept of “Paid Alternative Access”
Nevertheless, there is a solution to this problem. Recital 42 Sentence 5 complements Art. 7 para. 4 GDPR by stating that genuine and free choice and the possibility of refusing consent without suffering disadvantages must be guaranteed. It is advisable for the service provider to provide at least two accesses to the services it offers which are equivalent in scope of service and of which at least one is independent of the consent given for the processing of usage data for commercial purposes.
For example, the operator could offer an access where the user does not pay any money but has to consent to the processing of personal data for the purpose of personalised advertising. An additional option would offer access to the service depending on the payment of a one-off or regular fee, but no consent for advertising purposes has to be given. Not relying on the users’ consent, the alternative access does not cause problems regarding the prohibition of coupling service and consent. The first, advertising-financed access makes the service dependent on consent, but does not violate Art. 7 para. 4 GDPR, because the users are granted equivalent access to the same service for a fee.
3.Pricing the “Paid Alternative Access”
The next question that arises is how high the access fee may be. There are concerns that monetization could lead to a “two-tier data society”. Only the wealthiest would be able to refuse such data exchange, making data protection an instrument that only the rich could afford. ii
However, such a danger does not threaten, because the charging of excessive fees for the granting of data protection consent would not be compatible with a “genuine and free choice”, as required by Recital 42 Sentence 5. The service provider must ensure that the paid alternative access provided is a genuine alternative from the perspective of the market counterparty. In this regard, the prohibition of price and condition abuse as it is presumed in the context of Art. 102 of the Treaty on the Functioning of the European Union can be used for the interpretation of Art. 7 para. 4 GDPR: prices are unreasonable if they are disproportionate to the economic value of the goods or services.iii Determining the market value is difficult, because Web 2.0 services are often not subject to effective competition and the platform is usually the only provider of the service. It is thus reasonable to form a hypothetical market based on the standard compensation received. This reciprocal action is the consent to the utilization of personal data for personalised advertisements. The starting point therefore is the achievable market value of the data, which can be utilised and which is provided in exchange for “free” usage.
The service provider would voluntarily refrain from using the data for personalised advertisements if received a monetary compensation for doing so, which is (at least) equivalent to the economic benefits of exploiting the data. The fee must therefore correspond economically to the consent. Nevertheless, the value of the utilization of personal data for advertising purposes stands and falls in particular with the quantity and quality of data provided by the individual user, the duration of individual usage and the usage frequency, which could lead to a wider spread of dynamic prices in the future. Furthermore, the market value of the consent obtained would have to be reduced by the profit generated even without the processing of personal data for which consent is required, e.g. by placing impersonalised advertising or by acquiring additional features for a fee.
As a result, the price of alternative access is likely to be relatively low. This is consistent with studies stating that users attribute a low monetary value to their privacy.iv Therefore, there is no threat of a “two-tier data society”.
Relatively clear is that for the purposes of personalised advertising and other processing, which primarily serve the profit of the service provider, it is allowed to use data that has been deliberately made public. Apart from that, the controller has to rely on the data subjects’ consent. That consent must be freely given, meaning that the controller is not allowed to couple the provision of the service and the user’s consent.
At a first glance, this may be a threat to data-driven businesses, as there are no incentives for the users to consent. A solution of the resulting monetarization dilemma is to offer an equivalent alternative access for a fee. The user then has the legally required free choice between consent to data processing and paid use of the service. This could also have the positive side effect of creating (better) awareness among users of the value of their data. As outlined, there are still some difficulties in calculating the users’ fee equivalent to his individual consent to the utilization of personal data.
To this date, many online platforms of newspapers are offering a “Paid alternative access” to their users.v Since the Austrian Data Protection Authority acknowledged that paid alternative accesses are a legal way to circumvent the prohibition of coupling, it is likely that this business model will spread even more.
// Dr. Alexander Golland is an attorney-at-law and part of PwC Legal’s IP, IT & Data Protection practice group, where he advises enterprises on data protection law with a special focus on innovative technologies. Furthermore, he is editor of the journal “Datenschutz-Berater” and author of numerous scientific publications on data protection law, including a commentary on the GDPR published by Taeger/Gabel.
The article is based on MMR 2018, pp. 130-135. It represents the author’s own opinions exclusively.
i European Data Protection Board, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, S. 8 f.; Article 29 Working Party, Guidelines on consent under Regulation 2016/679, S. 9; Federal Cartel Office of Germany, Decision of 6.2.2019 – B6-22/16, para. 671.
ii E.g. Härting, CR 2016, 648; Schulz, in: Gola (Ed.), DS-GVO, 2. Ed. 2018, Art. 7 para. 30.
iii ECJ, Slg. 1975, 1367 (1379) – „General Motors Continental“; ECJ, Slg. 1978, S. 207 (305) – „United Brands“; ECJ, Slg. 1986, 3263 (3304) – „British Leyland“.
iv Acquisti/John/Loewenstein, J. Legal Stud. 42 (2013), 249, 260 ff.; ENISA, Study on monetising privacy, S. 28 ff., Hess/Schreiner, DuD 2012, 105 (109).
v For example, see the website of the Washington Post, https://www.washingtonpost.com.