As the DMA’s enforcement is in full swing, the complexities of its specific provisions and questions regarding their interpretation are beginning to surface. On 25 March 2024, the European Commission launched formal proceedings to investigate Meta’s ‘pay-or-consent’ model, introduced in November 2023 for Facebook and Instagram, sparking a significant discussion on the interpretation of Article 5(2) DMA. This provision permits gatekeepers to process and combine certain types of personal data, provided users are presented with a genuine choice and provide valid consent. Recital 36 of the DMA further clarifies that, to ensure contestability, ‘gatekeepers should enable end users to freely choose to opt-in to such data processing … by offering a less personalised but equivalent alternative’ (emphasis added). According to the preliminary findings of the Commission’s ongoing investigation, Meta’s model – offering users a binary choice between free access to Facebook and Instagram without personalised ads and a paid, ads-free version of these services – violates Article 5(2) DMA. This is because this model fails to provide users with the option to use a service that processes less of their personal data and restricts their ability to freely give consent.
The Commission’s investigation is noteworthy not only for the reason of ensuring compliance with the DMA, but also for bringing to the fore a fundamental issue: the relationship between economic power and individual freedom. Can individuals have agency and freely consent to data processing when interacting with powerful entities like gatekeepers or dominant firms? And can granting users more freedom shift the balance of power, potentially fostering pro-competitive outcomes and market contestability?
Although understanding the interplay between power and freedom is crucial from the perspectives of the DMA, competition law, and the GDPR, this relationship has yet to be thoroughly explored. So far, discussions under the GDPR about power imbalances and their impact on free consent have largely focused on employment relationships or interactions with public bodies, for example. The question about imbalances caused by economic power more specifically arose in the legal saga initiated by the Bundeskartellamt’s Facebook decision issued in 2019, which concluded recently with Meta implementing a set of measures, and it was central to the CJEU’s 2023 ruling in Meta and Others v Bundeskartellamt. Even though the judgment offered some clarifications, the arrival of the DMA provides a timely and necessary impetus for a deeper reflection on this issue – a reflection that would benefit not only the DMA but also the enforcement of competition law and the GDPR.
How, then, does the DMA – particularly Article 5(2) – articulate and address the relationship between power and freedom? And is the DMA’s interpretation of this relationship aligned with the GDPR? Ensuring compatibility is essential, as Article 5(2) DMA explicitly references the GDPR’s concept of consent. While this explicit reference to the GDPR is a welcome step towards coherence between the DMA and the GDPR, a unified approach from the relevant enforcement authorities throughout enforcement remains crucial for providing legal clarity and predictability. To assess the coherence between the DMA and the GDPR, the remainder of this contribution will compare the DMA’s approach to the requirement of free consent with that of the GDPR, as interpreted in the recent opinion by the European Data Protection Board (EDPB) on the pay-or-consent model and the 2023 Meta judgment mentioned earlier. Although the Meta case examined the interactions between the GDPR and practices by undertakings with a dominant position, rather than those with a gatekeeper status, it offers valuable insights into the GDPR’s perspective on the relationship between economic power and individual freedom.
The basic premise: consent can be free when given to a powerful undertaking
The fundamental premise of Article 5(2) DMA is that consent can – at least in theory – be freely given to a gatekeeper. The DMA indeed permits certain forms of data processing and data accumulation, provided users give valid consent, which, according to Article 4(11) GDPR, must be free, specific, informed, and unambiguous. Interestingly, during the drafting of the DMA, policymakers considered introducing in Article 5(2) DMA an outright ban on personal data accumulation by a gatekeeper, but ultimately deemed this disproportionate. Instead, they opted to give users control, assuming that agency – and therefore freedom – can still be exercised despite the clear power imbalance between individuals and gatekeepers. In the Meta case, the CJEU expressed a similar view, stating that dominance, hence a power asymmetry, ‘does not, as such, prevent the users (…) from validly giving their consent’ (para. 147). Both the DMA and the GDPR can thus be interpreted as operating on the assumption that consent can be freely given to a powerful undertaking.
‘Equivalent alternative’ as a mechanism for correcting power imbalance
However, both the DMA and the GDPR, impose certain conditions. According to recital 36 of the DMA’s, to ensure contestability, ‘gatekeepers should enable end users to freely choose […] by offering a less personalised but equivalent alternative’. Providing such an equivalent alternative appears to be one of the primary – if not the primary – mechanisms the DMA envisions to correct the power imbalance between gatekeepers and individuals, thereby ensuring that the free consent requirement is satisfied. This is underscored by the Commission’s investigation into Meta, which demonstrates that the requirement to offer an alternative is taken seriously.
In Meta, the CJEU articulated a similar view, noting that while dominance does not outright prevent individuals from freely consenting, it can still affect their freedom of choice, as they ‘might be unable to refuse or withdraw consent without detriment’ (para. 148). The Court further remarked that a dominant position ‘may create a clear imbalance […] favouring, inter alia, the imposition of conditions that are not strictly necessary for the performance of the contract’ (para. 149). In such situations, individuals should not be ‘obliged to refrain entirely from using the service’ and should be offered ‘an equivalent alternative’ that does not involve such data processing operations (para. 150). Like the DMA, the GDPR, as interpreted by the CJEU, also appears to recognize the provision of an alternative, less personalised service as a mechanism to address the imbalance of power.
Both the DMA and the GDPR seem to therefore assume that consumers are likely to suffer detriment when denied access to a powerful undertaking, whether it be a gatekeeper or a dominant firm. In its Opinion on the consent-or-pay model, the EDPB outlines examples of individual detriment, which can occur when individuals are unable to use a service that is integral to their daily lives and has a prominent role. Based on the EDPB’s interpretation of detriment and the conditions under which it arises, it is challenging to envision situations in which individuals would not experience detriment when denied access to a powerful undertaking.
Interestingly, the EDPB’s 2020 Guidelines on consent – which the DMA seems to be aligned with – assert that consent cannot be considered free if a data controller claims that there are choices available in the market, for example an alternative equivalent service provided by another undertaking. This is due to the fact that freedom of choice and free consent cannot depend on the actions of other firms. Therefore, the solution to ensure free consent in contexts characterised by power imbalances is to provide an equivalent, less personalised alternative.
What about charging a fee for an equivalent alternative?
But can such an equivalent alternative be offered for a fee? The DMA does not explicitly prohibit the imposition of a fee. However, the Commission’s investigation suggests a restrictive interpretation of Article 5(2) DMA, favouring the provision of a free alternative.
Is this restrictive interpretation consistent with the GDPR’s approach to fees? In the Meta judgment, the Court allows for the possibility of offering an equivalent alternative ‘if necessary for an appropriate fee’ (para. 150, emphasis added). Unfortunately, the Court does not clarify when a fee might be considered necessary. One interpretation could be that a fee is necessary when the alternative service is entirely free from advertising. However, the Court’s statement can also be interpreted as meaning that a fee might also be justified in other circumstances, even if companies pursue an ad-based business model.
It is also worth highlighting that in Meta, the CJEU mentions the need for dominant companies to offer an alternative service – if necessary for a fee – when they bundle consent with contract, imposing data processing conditions that are not necessary for the contract’s performance. This raises the question: in situations where consent and contract are not bundled, would it still be necessary to provide an equivalent alternative? While it seems reasonable to conclude that this would indeed be the case, the Court’s ruling does not provide complete clarity on this point.
Regarding the EDPB’s position on the necessity of a fee, it emphasizes that a dual choice – pay or consent – should not be the default for large online undertakings. Instead, firms should also provide a third option: a less personalised or non-personalised, free service. At the same time, the EDPB acknowledges that the necessity of a fee is to be assessed on a case-by-case basis, leaving room for scenarios where pay-or-consent models could be legal – even though such scenarios are likely to be rare.
Interestingly, the DMA, by requiring the alternative service to be provided free of charge, adopts a stricter stance on the interpretation of freedom of consent than the GDPR, which does not impose an absolute prohibition on pay-or-consent models. One possible explanation for the DMA’s stricter approach is its broader objective of ensuring market contestability. While pay-or-consent models offered by large undertakings might not always violate individual freedom (even though in most circumstances they would due to significant power imbalances), such models are problematic from a contestability perspective. If users are presented only with a dual choice, there may not be a sufficiently large group of individuals opting for the paid alternative. Empirical evidence shows that when faced with such dual choices, nearly all users choose the free option. This raises a substantial risk that if the pay-or-consent remains legal for gatekeepers, the status quo will remain unchanged, preventing contestability from being realized. From the standpoint of coherence between data protection law and the DMA, the latter’s more stringent approach does not create any conflict with the GDPR. On the contrary, by replacing pay-or-consent models with models offering a genuine choice, individuals’ freedom is expected to be enhanced.
Data minimisation: preventing the clash between the DMA and the GDPR
While the DMA and the GDPR seem generally aligned in their approach to the relationship between economic power and individual freedom, a potential conflict between the two regulations exists in relation to the principle of data minimisation. Enshrined in Article 5(1)(c) GDPR, this principle requires that data be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. At the same time, Article 5(2) DMA appears to be granting the permission to accumulate various types of data for personalised advertising, provided valid consent is obtained. It is important to note that even if gatekeepers secure valid consent, they must still comply with other data protection rules, including the data minimisation principle.
On 4 October 2024, the CJEU issued a judgment in Schrems v Meta, addressing, among other things, data minimisation in the context of targeted advertising. The Court highlighted that Meta’s collection of personal data concerning Facebook users’ activities both on an outside the social network ‘is particularly extensive as it related to potentially unlimited data and has a significant impact on the user’ (para. 62). The Court further noted that ‘the indiscriminate use of all the personal data held by a social network platform for advertising purposes’ (para. 64) constitutes a serious interference with individuals’ fundamental rights and ‘does not […] appear to be reasonably justified in light of the objective consisting in enabling the dissemination of targeted advertising’ (para. 63).
This is a significant finding, also for the DMA enforcers. Article 5(2) cannot be interpreted to mean that, as long as valid consent is obtained, a gatekeeper is free to engage in unrestricted data accumulation and processing. The interpretation of the DMA should therefore take into account the GDPR and the CJEU’s case law. This issue should be clarified within the framework of the High-Level Group envisaged by the DMA or through bilateral discussions with data protection authorities.
________________________
To make sure you do not miss out on regular updates from the Kluwer Competition Law Blog, please subscribe here.
Kluwer Competition Law
The 2022 Future Ready Lawyer survey showed that 79% of lawyers are coping with increased volume & complexity of information. Kluwer Competition Law enables you to make more informed decisions, more quickly from every preferred location. Are you, as a competition lawyer, ready for the future?
Learn how Kluwer Competition Law can support you.