It seems it isn’t just publishers and advertising companies that have interpreted the General Data Protection Regulation widely, but regulators too.
Media industry executives are becoming increasingly worried that the data protection authorities (DPAs) of the 28 European Union countries are interpreting and enforcing GDPR very differently. That could result in further uncertainty and confusion, and in higher costs for those businesses attempting to comply with multiple interpretations, according to privacy experts.
“It’s frustrating that DPAs across the EU have different interpretations of the same law,” said Matthias Matthiesen, director of privacy and public policy for the Interactive Advertising Bureau Europe. “The point of the GDPR is that the law is the same across the EU.”
Austrian publishers were recently thrown a bone by the country’s data protection authority when it dismissed a complaint against an online media publisher over its GDPR consent approach. The publisher, which wasn’t named fully in the DPA’s ruling, has created a paid-subscription offer of €6 ($7) per month for users who don’t want their data to be used for any advertising and tracking purposes. The publisher provides two other options: Users can browse all content for free in exchange for giving consent to being served personalized ads, or they can have partial access to content in return for giving consent.
The Austrian DPA deemed this approach totally fine and dismissed the complaint, citing the importance of publishers being able to maintain advertising revenue models. The regulator also stated that the €6 charge per month wasn’t regarded as high enough to be prohibitive for users. Other major Austrian publications including derStandard.at also use the paid model in return for no tracking.
In the U.K., however, the Information Commissioner’s Office has taken a stricter stance on the Washington Post’s consent strategy, which offers a $9 per month premium subscription option for users who don’t wish to be served personalized ads, and only partial access to content in exchange for consent.
The ICO hasn’t published an official ruling against the Washington Post but sent a letter informing the publication that the current approach is in breach of GDPR, according to the ICO. In its letter, the ICO stated: “The Washington Post has not offered a free alternative to accepting cookies on their website, and therefore in this case consent cannot be freely given and is invalid.”
The question of whether a publisher can block site access in return for consent, or give users a no-tracking option in exchange for a micropayment under GDPR, has been debated for some time. The GDPR states clearly that user consent must be freely given as well as specific, unambiguous and informed. The ICO has determined that in the Washington Post’s case, users shouldn’t have to pay not to be tracked.
In its letter, the ICO requested that the Washington Post improve its information rights practices and ensure its website users have the option to access all levels of subscription without having to accept cookies.
Although the two cases are subtly different (the Austrian publication does provide an option where users can have partial access in return for not giving consent, whereas the Washington Post has no free non-consent option), the different stances have concerned privacy experts. “This [Austrian] model looks very much comparable with what WashPost is offering, which means that the two DPA decisions refer to comparable cases with contradictory results,” said Oliver von Versch, Hamburg-based publisher consultant.
“The fundamental change within the EU is that they are defining privacy as a ‘human right,’ which means that the concept of using privacy as a form of currency is illegal,” said Thomas Baekdal, Denmark-based publisher consultant. In other words, site visitors should be allowed to read all the free content regardless of whether they have given consent or not. “It seems pretty clear that publishers can’t do ‘give up your privacy or pay us,’” added Baekdal.
The European Data Protection Board, formerly known as the Article 29 Working Party, comprises the 28 EU regulators and is intended to help ensure DPAs align. The aim of this group is to provide consistency and discuss country-specific DPA decisions such as those made by French regulator CNIL last November. If a company operates across multiple countries, each with a DPA that has taken a different interpretation, the EDPB’s “consistency mechanism” kicks in, according to Matthiesen. However, no official clarification has yet been issued by the EDPB on how to resolve any discrepancies in approach. Digiday contacted the EDPB and will update this story if it responds. The ICO didn’t want to comment on another regulator’s decision until it had time to examine it in full.
Ultimately, it’s the Court of Justice of the European Union that gets the final say on any DPA opinion and decision. However, that can be a very lengthy process that could take years to be finalized, according to Matthiesen.