EU EDPB opinion on "pay or OK" and "large online platforms" (with Eric Seufert)
I joined Eric Seufert on his Mobile Dev Memo podcast (link) once again, this time to discuss the EU EDPB opinion on "pay or OK" and "large online platforms," which I speculated about in my “EU authorities on “pay or consent”: mid-April 2024 update.”
Some of the key points I made in this podcast interview:
The EDPB opinion on the "pay or OK" model used by large online platforms like Meta is vague, conditional, and seems like the result of an unhappy compromise between data protection authorities (DPAs) with differing views. The real fight will happen through enforcement actions taken by individual national DPAs.
The EDPB had to admit that the "pay or OK" model is lawful in principle, as they cannot contradict the EU Court of Justice. However, they buried this conclusion in a manifesto-like opinion that is extremely vague and conditional.
The EDPB's definition of "large online platforms" is poorly defined and could potentially apply to a wide range of companies, not just Meta (Facebook). There's no clear limiting principle that would exclude entities like large German newspaper publishers. That said, the EDPB's opinion seems to be an attempt to target big tech companies, especially Meta, without harming other businesses like German newspapers. The real fight will happen through the actions of individual DPAs.
The EDPB and some DPAs seem to have been strongly influenced by the privacy activist community, as some DPAs appear to have been captured by their narrow mission of protecting privacy without considering the broader consequences of their actions.
National DPAs will likely start making their own decisions on "pay or consent" cases, following their interpretations of the EDPB opinion. The more activist DPAs will attempt to use it to curb the practice as much as possible.
The "one-stop-shop" mechanism, which allowed businesses to have a single interlocutor authority under the GDPR, may be dead due to a recent EDPB opinion. This could lead to a free-for-all among the most activist DPAs in taking action against American big tech companies. (By the way, Max Schrems’ NOYB already relied on this in their new complaint against OpenAI lodged with the Austrian DPA).
In summary, while the opinion admits "pay or consent" can be lawful, it leaves the door open for activist DPAs to restrict it in practice through aggressive interpretation and enforcement. The imprecise scope means it could impact many companies beyond Meta.