Media companies

throughout Europe struggle with a difficult economic environment: Shrinking sales

figures for print products, the digitalisation and consumer demand force

publishers to offer their content also on the internet. However, generating

money for online publications is not quite easy as – at least in Austria – online

subscription against renumeration has not been well accepted by customers. This

partially has its root in the lack of suitable micropayment means in the past

and users thus getting acquainted to online information being offered for free.

Thus, publishers have instead focused on financing their platforms by online marketing

activities such as placement of banners. Nowadays such digital advertisement is

usually targeted to the specific user. For this purpose, cookies are stored on the

user's computer upon his first visit of the website, which then collect data

about his location, technical equipment used and online behaviour. This finally

allows to display specific, user targeted advertisements. However, such cookies

may cause issues with applicable consent requirements under the

telecommunication and data protection regulations:

Strict consent regime

Both the ePrivacy

Directive, implemented in Austria by the Telecommunications Act

("TKG"), as well as the GDPR set out a strict consent regime for the

setting of cookies respectively the subsequent data processing. In this light,

media companies struggled how to satisfy both, the legal requirements and their

need for funding of its online activities. It seemed that the media industry

all over Europe had more or less the same idea: On multiple platforms a banner

was installed which gave customers two options: Either to accept the setting of

cookies, which allows the company to proceed with targeted online marketing

based on the data collected on its basis, or to pay for a cookie and marketing

free online access by signing up for a paid-up subscription. But is such an

approach in line with the legal requirements? The Austrian Data Protection

Authority ("DPA") rendered a confirmatory decision

(DSB-D122.931/0003-DSB/2018 of 30.11.2018):

Decision of the DPA

In Austria, a user

filed a complaint against a quality newspaper which implemented such a "consent or pay banner". In case of

a subscription, the first month of cookie-free access was not charged, starting

from the second month 6 Euro were due. The user argued that any consent to

cookies and marketing activities must not be deemed freely given as it is

rendered to avoid the payment obligation, only and forces him to accept data

processing.

The DPA held that for

the specific case the consent requirements of the ePrivacy Directive respectively

Para 96 Sec 3 of the Austrian TKG implementing the provisions would prevail as

lex specialis (see Art. 95 GDPR and recital 173 GDPR). As the specific

regulations do not provide for the details on how the required consent may be

obtained, the general provisions of the GDPR do apply. According to Art 7 Sec 4

GDPR any performance of a contract, including the provision of a service, must

not be conditional on consent to the processing of personal data that is not

necessary for the performance of that contract. According to a detailed paper

of the former Art 29 Working Party, any consent is thus deemed to be involuntarily

if its refusal may generally cause severe disadvantages for the user (see Art

29 Working Party 2016/679, WP 259 and recital 42 GDPR).

The DPA held that in

the particular case the user may as an alternative chose the paid-up

subscription. This would allow the user to also access the content without

having to accept any cookies or targeted online marketing activities. The DPA further

held that the specific subscription price of EUR 6 would be reasonably,

adequate and fair. If the user would not like to accept the subscription, he could

still visit other websites as an alternative. In total, user's refusal to

accept cookies would thus not cause him significant disadvantages. To the

contrary, the user would be given a reasonable advantage in exchange for his

consent as both, the free and the paid access, do offer same content. Thus, the

"consent or pay" concept

would be in line with the TKG and GDPR requirements. Consequently, the DPA rejected

the complaint. There has been no information on a filing of an appeal, which is

no surprise as the complaint was made – as it actually happens quite often – on

an anonymous basis, only.

Crucial points

The decision was

received with great relieve by the Austrian media industry and may have quite

some cross-border impact. Taking the arguments of the authority into

consideration, the following issues are crucial for the establishment of a valid

"consent or pay" scheme:

of transparent information on the alternatives and a clear privacy notice;

must be set prior to user's decision;

adequate pricing for the alternative subscription;

targeted marketing activities under the alternative subscription;

content under the access against consent and paid up subscription.

Although being

non-binding in other jurisdictions, the decision of the DPA may at least be

employed as basis for an argumentation in similar cases abroad. Even if the

opinion of the DPA is not shared by other local authorities, it should at least

be reflected if it comes to the crucial question if and which fine shall be

imposed for the alleged infringement. Following a decision of a national data

protection authority, particularly one which has been and is still known for

its stringent approach, should at least help with arguing that there is only

slight negligence involved and that no or a small fine is due, only. Further,

industry associations may – as in Austria – use the decision as a basis for

initiating codes of conduct based on Art 40 GDPR to establish a joint market

standard.

Axel Anderl, Managing

Partner and Head of the IT, IP and Data Protection Practice at >DORDA Rechtsanwälte GmbH