Since the first week of November, Meta has forced its European users to accept intrusive privacy practices or pay €156 per year to access Facebook and Instagram without tracking advertising. For the EU, this is a significant moment. Effective GDPR enforcement stands, together with the implementation of the
Digital Services Act (DSA) and
Digital Markets Act (DMA), as critical tests of the EU’s capacity to rein in Big Tech’s most abusive and socially damaging practices. Therefore, in responding to Meta’s latest challenge, the EU must focus on three things:
- Enforcement of the latest binding decision by the relevant European authority.
- Settle the validity of the legal ground on which Meta is basing its new model.
- Provide a comprehensive GDPR review to ensure more effective enforcement.
GDPR, why high hopes and so few results?When GDPR was passed in 2016, it was expected to rein in Big Tech’s ‘
surveillance capitalist’ model after a
host of scandals and guarantee data privacy in Europe. Now, just shy of the fifth anniversary of its implementation, it is clear that GDPR has unfortunately not delivered on its promise.
A significant problem has been a lack of enforcement. To reduce administrative burden, the regulation established a '
one-stop-shop mechanism' entrusting enforcement to national Data Protection Authorities (DPAs). However, what was initially meant to ensure swift enforcement quickly became a significant obstacle to effective privacy protection.
Most tech conglomerates such as Meta, Alphabet, Microsoft, and X (formerly known as Twitter) have European headquarters in Ireland for tax reasons. Therefore, the Irish Data Protection Commission has had the frontline job of ensuring that the GDPR rules are being complied with.
This has not always been a successful undertaking for the Dublin regulator. In the case of Facebook and Instagram, it has - despite several complaints – ostensibly held the position that Meta’s subsidiaries are essentially acting within EU law, a view forcefully challenged by other national regulators. Eventually, this led to a
damning overruling of the Irish DPA by the European Data Protection Board (EDPB) earlier this year.
In July, the Norwegian DPA,
Datatilsynet, went even further by using its
urgency powers under the GDPR to take action against Meta with a three-month ban against its behavioural advertising based on the profiling of users in Norway. It also
requested a binding decision from the EDPB for the EU. This request was ultimately upheld on 1 November in a
landmark judgment establishing that Meta is unlawfully processing data in Europe and instructing the Irish DPA to ban the company from data processing across the entire European Economic Area (EEA).
Past years have not only thoroughly exposed the Irish Data Protection Commission’s
critical shortcomings but also pointed to fault lines in the GDPR framework as a whole. These shortfalls have resulted in regulatory bottlenecks and have been aggravated by the lack of willingness and resources to enforce; Big Tech has repeatedly gotten away with non-compliance. Fines have been too few, too late and too weak. To put things into perspective, in 2020,
Meta paid €747 million in fines for its misdeeds, which amounted to little more than 0.6% of the $116.60 billion the company earned that same year.
Is Meta’s new ‘pay or okay’ model really okay?It seems that
Datatilsynet’s actions have finally prompted Zuckerberg’s company to rethink its data collection methods in Europe. However, instead of forsaking tracking advertising and profiling altogether, Meta has adopted a controversial ‘pay for your rights’ model previously pioneered by
media outlets. As of the first week of November, the company started selling European users a monthly subscription between €9.99 and €12.99 to experience ad-free products.
This development comes at a crucial time for Europe and the future of its digital policies and, therefore, has sparked some fundamental debates on both the legality and legitimacy of Meta’s action.
According to
noyb, the privacy advocacy group set up by activist Max Schrems, it seems that the question of legality of the situation appears to hinge on two loopholes. On the one hand, there is the
precedent set by media outlets that first implemented cookie paywalls to ask for support against strong competition from Big Tech. On the other hand, there is an
obiter dictum of just six words in an 18.548-word judgment by the Court of Justice of the European Union (CJEU). Specifically, for the Court, if a data user refuses to give their consent to particular data processing practices, companies may provide alternative “if necessary for an appropriate fee”.
Notwithstanding the legal doubts, what is sure is that its expensive subscription will not be within everyone's economic reach. Capitalising on this aspect, the company is ingeniously offering users the choice of a ‘free like before’ version of the platforms but at the cost of continuous personal data harvesting. This is clearly a discriminatory practice with great potential to feed into pre-existing digital inequalities and exacerbate the digital exclusion and marginalisation of already vulnerable subjects.
There can be no doubt that Meta has thrown down the gauntlet again to the EU as a champion of privacy rules, testing its determination and capacity to protect personal data from Meta’s and other internet giants’ profit-maximising strategies.
The EU’s reaction will have global ramifications given its role in international standard-setting, often known as the ‘
Brussels Effect’. Indeed, Meta itself has
revealed that Europe will serve as an experiment to see whether rolling out similar subscriptions to other countries is feasible and desirable.
The way forward?As a matter of priority, resolute action within the legal bounds offered by today’s framework is essential. History has shown that Meta's regulator, the Irish DPC, has repeatedly taken its task too lightly and accepted that the company could bypass GDPR. This can no longer be the case.
The EDPB has the authority to issue binding decisions to settle disputes between national supervisory authorities, which it has done in this case. Therefore, it is of utmost importance that the Irish DPC ensures that Meta fully complies with the EDPB’s urgent decision on processing personal data or is otherwise banned from performing it across the EEA. In doing so, the Irish regulator needs to recognise that Meta’s new subscription promotes a ‘blanket consensus’ approach that is not compatible with GDPR’s understanding of consent as “freely given, specific, informed and unambiguous”.
Second, given the uncertainty surrounding the CJEU’s stance on the fine print of the
Meta Platforms Inc. v. Bundeskartellamt case, it is important that Meta’s own ‘Pay or Okay’ model is formally challenged. It will then be up to the Court to clarify its position regarding the July ruling and bring legal certainty to the validity of the obiter dictum and Meta’s practices.
Thirdly, and lastly, it is imperative that the EU urgently reviews its GDPR enforcement framework to avoid the errors of the past repeating in the future. In July, the Commission tabled a
proposal for a regulation to harmonise cross-border cooperation among DPAs. However, this proposal falls short of addressing major GDPR shortcomings and will not solve the Commission’s agency, or lack thereof, in ensuring that member states comply with EU regulations. Thus, more substantial reform is needed, which might require reopening GDPR against the
DG JUST’s best wishes.
In all this, there is a hold-out chance that the GDPR can still be turned into a success story. But it very likely requires more significant reform than what is on the table while sending a strong signal that privacy is not for sale in Europe.
Giulia Torchio is a Programme Assistant in the Europe’s Political Economy Programme at the European Policy Centre.The support the European Policy Centre receives for its ongoing operations, or specifically for its publications, does not constitute an endorsement of their contents, which reflect the views of the authors only. Supporters and partners cannot be held responsible for any use that may be made of the information contained therein.
