Showing posts with label compliance by design. Show all posts
Showing posts with label compliance by design. Show all posts

Tuesday, October 29, 2024

Pay or okay under the DMA and much more by other Speakers (even DMA "compliance by design")

Centre for a Digital Society, Video here.  

These are my very rough talking points on pay or okay in full length (more than I actually had the chance to say)

As we all know, contestability is one of the DMA’s two primary objectives, the other being fairness. The recitals that specifically refer to the obligations under Article 5(2) expressly address the goal of contestability. The General Court in its recent decision Bytedance ruling dismissing ByteDance’s action seeking the annulment of the European Commission’s designation decision of its TikTok service defines the objective of ensuring the contestability of markets as the ability of undertakings to effectively overcome barriers to entry and expansion and challenge the gatekeeper on the merits of their products and services. Importantly the Court also pointed out that the purpose of the DMA is to ensure the contestability of the position of gatekeepers not only by other gatekeepers but also, or even especially, by other operators which are not gatekeepers for a given CPS. contestability’ relates above all to the ability of undertakings which are not gatekeepers for a given CPS to challenge those gatekeepers on the basis of the merits of their products and services. What this provision aims to address are the advantages in terms of data accumulation, thereby raising barriers to entry, from which gatekeepers benefit. Thus, it aims to ensure that gatekeepers do not unfairly undermine the contestability of core platform services. 

Meta presented the pay or okay model as its compliance solution with Article 5(2) to the Commission. The issue before us is not so much whether the solution for compliance with Article 5(2) abstractly conforms to the objective of ensuring contestability, this is not how the DMA is supposed to work, but whether it is directly compliant with the obligations set forth in Article 5(2). Therefore, we must look to the letter and spirit of the obligation. The pay or consent model presents users with a binary choice. Either users subscribe for a monthly fee to an ads-free version of these social networks or to a free-of charge access to a version of these social networks with personalised ad. Users who do not consent if they want to continue using the service have to pay a monthly fee. 

This is clearly in breach of the DMA In terms of legislative history of the DMA it should be remembered that the elements laying down the requirements for consent under the DMA reveal that the legislators were very well aware of the shortcomings surrounding consent. As a matter of fact, the rapporteur proposed to remove the option of consent, arguing that informed consent is “virtually unachievable” and instead opt for an outright prohibition. Recital 36 emphasizes the necessity for gatekeepers to enable end users to freely choose to opt-in to data processing by offering a less personalized but equivalent alternative. This is the condition specified by the DMA to ensure that the user is able to choose freely. 

In order to be compliant what should Meta do then? First, users who do not consent should have access to a less personalized service. It should be noted that in this case, "less personalized" refers to the personalization of advertising – meaning a service that uses less data. Second, users who do not consent should have access to those social networking services are free. Otherwise this wouldn’t be equivalent to Meta’s social networking services which are also free. A paid subscription is not a valid equivalent to free access. Commission officials noted that Meta could still offer a subscription option, but any paid choice would need to be an additional offer (i.e. a third choice) on top of a free equivalent that does not demand users consent to being tracked. 

I think the DMA is clear and that Meta's pay or okay is in breach of the letter of the DMA. I find it quite surprising that this was proposed as a compliance solution, and the Commission must conclude the proceedings by reaching an infringement decision. Therefore, if users do not have access to a less personalized but equivalent alternative, there isn't a true choice, and it cannot be said that users are able to freely choose. The pay or okay model is thus non-compliant because it does not allow users to exercise their right to freely consent to the combination of their personal data. Consequently, citizens aren't able to take control of their data. 

Obviously, Meta claims that it is compliant with the DMA. They also argue that their pay or okay model was legitimized by the Court of Justice in the Meta ruling. This preliminary ruling, as I believe we all know here, stems from the German Facebook saga, which the Bundeskartellamt has recently managed to conclude. The judges stated in that ruling that a paid version of a service may be offered as an alternative to tracking ads, provided that the fee is appropriate and only if necessary - le cas écheant  (cumulative conditions). In the DMA context, the gatekeeper would therefore have to argue why a fee falls into "le cas échéant."  But is that fee truly really meets le cas échéant? In reality, Meta could offer an alternative service with ads that do not rely on any personal data for targeting — such as contextual advertising. Meta has never explained why it has not offered users a free, contextual ads option. 

Is the pay or consent model a complex case under the DMA that requires numerous panels? I would not say so, and the Commission is right to proceed swiftly to an infringement decision. This obligation is clear enough to be self-executing.

 This does not mean dealing a fatal blow to targeted advertising. No, because those users who prefer it can choose it, but those who do not want it can also make a choice. It's not that a paid option cannot be offered, but there must also be an equivalent and free option available. At this point, this offering could be supported in another way, such as through contextual advertising. Users who are also allergic to contextual advertising can choose to pay for an ad-free option. A model like the pay or okay, which is likely in breach of data protection laws, consumer protection laws, and the DMA, and could potentially also be an abuse of a dominant position, cannot be tolerated. Additionally, the Commission has issued a Request for Information (RFI) under the DSA, asking Meta to provide additional information on the measures it has taken to comply with its obligations concerning Facebook and Instagram's advertising practices, recommender systems, and risk assessments related to the introduction of that subscription option. 

Some final considerations.

The EU legislator, through the DMA, has taken seriously the need to ensure that consent is freely expressed, even when dealing with a gatekeeper, and has provided gatekeepers with the opportunity to adapt. In some ways, the Court of Justice's ruling in Meta reflects some concepts of the DMA. Of course, the reference to an appropriate payment if necessary ("le cas échéant") must be interpreted restrictively because it involves a fundamental right whose exercise should not become a privilege for the few. 

Here, data protection, consumer protection, and the DMA are aligned, which is also a sign that various enforcers can in some cases cooperate well with each other. This pay or ok model must be abandoned, and the sooner an enforcer achieves this ultimate goal, the better. The EDPB expansively interprets the GDPR to introduce an additional requirement, namely the requirement to provide a “free alternative without behavioural advertising”. This would in effect be a quasi-mandatory condition for obtaining valid consent. Meta will therefore need to truly comply and adopt a different solution. The alternatives must be compliant not only with the DMA but also with the GDPR and consumer protection laws, of course. 

The Meta ruling was significant, but the DMA had already anticipated many of the points made by the judges, including the topic of forward-looking collaboration among enforcers. A prime example of this is the High Level Group. From the outside, it already appears to be a very important institution in the DMA regulatory framework. From the perspective of civil society, we would appreciate greater transparency of its workings and, perhaps exceptionally, an invitation to participate 

The German Facebook saga has recently concluded. Long live Article 5(2) DMA? 

Certainly, but also long live Section 19(a) of the GWB. It would be better if other national authorities adopted similar provisions to alleviate the burden on Article 102 concerning the abuse of a dominant position. We'll see if the announced Draft Guidelines can somehow make this article more manageable, but at the moment, there may be many reasons to doubt it. In concluding the Facebook proceeding, the Bundeskartellamt clearly stated that not taking enforcement action based on its February 2019 decision does not imply Meta's behavior is fully compliant with obligations under competition, data protection, consumer protection laws, and the DMA. It suggested that other authorities could use their powers to further improve Meta's service offerings, turning the situation into a relay where the Bundeskartellamt's conclusion serves as a launch point for further enforcement by others. This indicates that improvements might also come from applying GDPR principles such as data minimization. 

Final reflection: it’s not about praising the DMA as such, but this specific provision is well-crafted and highly targeted. It anticipated developments that we later saw concerning the GDPR and complements consumer protection effectively. Other provisions may be less so. The synergy with Section 19a of the GWB is particularly promising, and it's unfortunate that authorities in other Member States are not equipped with similar measures in their own legislations.