Facebook, Instagram, "pay or consent" and necessity to fund a service

Meta officially announced paid subscriptions for Facebook and Instagram. I explain what (arguably) went wrong in EU law to force Meta to do this.

Meta officially announced that Facebook and Instragram will offer a paid subscription service tier without any ads. The move was prompted by recent enforcement actions by European privacy authorities and a judgment by the EU’s highest court, the Court of Justice. I’ll dive deeper into those developments in future posts. I believe that much of this is both bad law and bad policy. Today, I start with an overview, aiming to provide a simplified explanation.

The GDPR and the Notion of ‘Contractual Necessity’

At the heart of this issue lies the EU’s General Data Protection Regulation (GDPR), which stipulates that personal data can only be processed if it falls under one of the GDPR’s “lawful bases.” User consent is one basis, but another is “contractual necessity.” This means that personal data processing can be justified if necessary for the performance of a contract between the service provider and the user.

Meta, like many other digital platforms, initially relied on “contractual necessity” to process user data for personalized advertising. They argued that this data processing was necessary to fund the provision of their services, as they are not obligated to offer them for free. This is where the controversy begins.

The original sin: funding a service rejected as being “necessary”

Critics have argued that Meta could sustain its services through non-personalized advertising alone. However, industry experts have cast doubt on the viability of this approach (Eric Seufert is excellent on this). Despite this, no privacy authority or court ever seriously attempted to show that non-personalized advertising could fully fund such services, but claims about such a theoretical possibility keep appearing in enforcement decisions.

A second argument against Meta’s use of “contractual necessity” asserts that it should only cover technical necessities for service provision, excluding economic or business necessities such as the need to generate revenue.

The Shift to User Consent

Relying on those two, I’d argue erroneous arguments, EU privacy authorities have been pushing Meta to abandon contractual necessity. In response to these challenges, Meta transitioned from relying on “contractual necessity” to other legal bases, initially adopting the “legitimate interest” basis. However, they ultimately chose to rely on user consent. Hence, I’ll skip straight to consent.

When a business relies on user consent, it must adhere to certain restrictions, such as allowing users to withdraw consent at any time and ensuring that consent is “freely given.” The GDPR even suggests that requiring consent as a condition for accessing a service may be problematic.

The “Pay or Consent” Dilemma

This problem would have been far more straightforward if there had been an acknowledgment that data processing can have a valid lawful basis when it is essential for financing a service. In such a scenario, platforms like Facebook would not be compelled to seek consent for data processing crucial to offering their services for free. Regrettably, this path remains unexplored, at least for the time being.

So, in a situation where funding a service does not fall under the umbrella of “contractual necessity,” and consent is the sole option, can businesses give users a choice between granting consent, such as for personalized advertising, or opting for a subscription fee?

The critical question is whether attaching a price to non-consenting users effectively coerces them into consenting. In cases where consent only pertains to non-essential add-ons, with contractual necessity covering essential aspects like funding the service, this argument carries some weight. However, by arguably misinterpreting the GDPR, EU authorities, including—to some extent—the Court of Justice, have cornered themselves. Will they argue that certain services cannot be offered entirely free of charge (if personalized advertising remains the sole viable funding option)? Or will they contend that some services must be provided below their economic cost?

The Court of Justice’s Solution

The solution that the Court of Justice seems to have adopted for now is to allow “pay or consent” (“if necessary for an appropriate fee”). As I said elsewhere:

What is the “appropriate fee” meant to be “necessary” for? Necessary for the service provider to be able to fund providing the service? How is that not a “contractual necessity”? This shows rather well the stilted formalism of the narrow interpretation of “contractual necessity.”

Implications for Meta and Beyond

Meta’s decision is bound to face pushback. Max Schrems, the activist, frames Meta’s move as requiring payment for fundamental rights, comparing it to payment for the right to vote or free speech. Even if the framing could be pushed so far as Schrems suggests, he seems to forget that despite a recognised right to adequate food, we pay for groceries.

Setting aside such strained attempts to make headlines, legal battles will likely be fought over the phrasing used by the Court of Justice (“if necessary for an appropriate fee”). First, some will likely still argue that the fee is not “necessary.” Second, what should count as an “appropriate fee”? Is average revenue per user the proper benchmark? Some may call for audited “cost+” schemes used in energy or telecom regulation. But even a cursory comparison between energy/telecoms markets and modern digital services shows the folly of going down that path.

What may complicate both “necessity” and “appropriate fee” questions is that Meta is giving the users a choice between (A) consent to personalized advertising and (B) no ads at all. Given that the second option means that Meta will not show even non-personalized advertising, some may argue that this makes the price higher than it would have been with non-personalized advertising.

Ultimately, the best way forward may be to recognize that funding a free service is indeed a “contractual necessity.” Privacy authorities and courts may not be the most suitable entities to rule on business models, especially in the dynamic landscape of digital services.

This is not just a “Meta” issue: given their strong market position, if anyone can shoulder what the regulators throw at them, Meta probably can. But as the analyst Ben Thomson points out, this way of interpreting the GDPR may make it impossible for future large-scale digital services to emerge because they will not be able to bootstrap by being “free of charge” and relying on personalized advertising.

In other words, this myopic, siloed approach to the GDPR puts privacy enforcement at odds with other goals that the EU is pursuing in its digital regulation - especially the EU Digital Markets Act. But this is a story for another day.