In a recent case, the Austrian Data Protection Authority (ADPA) decided for the first time on the permissibility of a consent for the use of cookies, as well as the concept of freely given consent under the GDPR. The case involves the cookie consent on the website of an Austrian newspaper. In this decision, the ADPA has seen a hybrid cookie wall / paywall solution as permissible, but has failed to address several important issues potentially arising in such cases.
Facts of the case
As many other providers of free online content, the Austrian newspaper relies on advertisement in order to be able to provide a free online version of its newspaper. After the GDPR entered into force, the Austrian newspaper implemented a hybrid solution, whereby users could either consent to the use of cookies for analytic and advertisement purposes, or choose a paid subscription model, which allowed access to the website cleared of cookies in exchange for a fee (€1 for the first month and € 6 for subsequent months). The consent to the use of cookies could either be expressed by clicking on the corresponding “OK” button, but also by simply clicking anywhere else on the screen, as the notice stated that the continued use of the site is considered to be a consent to the use of cookies for the abovementioned purposes. The solution does not allow the user to grant consent only for one of the purposes.
This solution was subject to a complaint by a user, which the ADPA has recently decided upon. The Austrian newspaper has reported about the complaint and the decision of the ADPA on their website last week. As the decision of the ADPA is not final yet, it was not officially published, but rather only reported on by the Austrian newspaper. However, due to the great interest by the public, the ADPA has in the meantime officially published an anonymised decision of 30 November 2018 regarding an unknown newspaper, which is presumably, based on the similarities of the case and the legal assessment, the same decision.
The decision
Following the wording of the complaint, the ADPA has mainly addressed the question whether or not the consent in the case at hand was freely given. The ADPA has firstly briefly assessed the relationship between the GDPR and the (Austrian implementation of) the ePrivacy Directive, seeing the Directive as a lex specialis but ultimately concluding that the requirements for consent under the GDPR have to be observed as well, since the ePrivacy legislation does not contain an autonomous definition of “consent” but rather refers to the data privacy legislation.
As the core question, the ADPA has focused on the issue of freely given consent. In its reasoning, the ADPA applied the Article 29 Working Party (Art29WP) Guidelines on consent (WP 259), pointing out in particular that a consent is not freely given if significant negative consequences are to be expected in lack of consent.
In the specific case, the ADPA argues that no material disadvantage and no considerable negative consequences are apparent, as the decision to give consent is deliberate, the data use is described in a sufficiently transparent manner, and the main consequence of not giving consent is that the user may subscribe for the service, which was considered as not disproportionately expensive. The ADPA supported its view further by referring to its own case law from 2006, which states that consent may be considered to be freely given if the processing leads to an obvious advantage of the data subject. The argument is concluded with the statement that, if neither of the two options represents a viable option for the users, they are still free to use other online newspapers as a source of information.
As a result, the ADPA has dismissed the complaint and confirmed that in their view the solution as used by the Austrian newspaper is in line with the GDPR and the consent was freely given.
Commentary
While ADPA’s reasoning points out some important aspects and consideration, in our opinion some issues were not, or were only superficially, considered.
First and foremost, while the ADPA mentions Art 7 Para 4 GDPR as applicable, it does not specifically assess in further detail whether the approach in the case at hand constitutes a prohibited conditional consent. While pointing out that a consent is not freely given if the data subject is confronted with significant negative consequences (quoting also the WP 259), the ADPA did not consider the question whether and to what extent conditionality pursuant to Art 7 Para 4 is a distinct situation where a stricter assessment is necessary. It was in particular not considered whether Art 7 Para 4 outright prohibits using data as “mandatory consideration for the performance of a contract” where data use is unnecessary for the contract, regardless of the existence of other options to obtain the service, as seems strongly implied in the WP 259.
Another argument which was used in this respect was a possibility of the users to obtain alternative services, which the ADPA used as one of the two main arguments that the consequences of not giving consent are not material (the other being the proportionality of the subscription fees). This argumentation clearly contravenes the opinion of the Art29WP, which clearly states that consent cannot be considered as freely given if a choice must be made between consenting to unnecessary data processing and obtaining an equivalent service elsewhere. While in the case at hand this argument is used together with the alternative provided by the Austrian newspaper themselves (namely the subscription model), it is still surprising that no in-depth assessment as to why this view of the Art29WP does not apply in the case at hand was not provided.
Further, the ADPA has not addressed in any way the fact that the consent is given for two somewhat distinct purposes (“web analysis” and “digital marketing”), whereby the consent can only be given for both or neither. This lack of granularity of the consent could itself contravene the requirements for a consent under the GDPR (see WP 259, Item 3.1.3, wherein granularity of purposes is explicitly required).
The ADPA has further not assessed the technical functionality of the website, which recognizes any click on the website as consent to data processing via cookies and even states explicitly that continuing to use the website equals consent. Such implied consent might be considered to not be in line with the GDPR, which (Art 4 No. 11) requires a “specific indication” and a “clear affirmative action”. The validity of this implied consent appears doubtful also in the light of criteria that were developed by the Art29WP (WP 208) on obtaining consent for cookies, wherein an active choice that is an unambiguous and an active indication of the users’ wishes was required.
Finally, looking forward, the European Data Protection Board has already stated in its Statement on the revision of the ePrivacy Regulation that cookie walls are not compatible with consent as defined under GDPR. While the EDPB does not explicitly address “hybrid” cookie wall / paywall solutions, it could be plausibly argued that such hybrid solutions could be just as incompatible with the concept of freely given consent as defined in GDPR.
Outlook
This decision of the ADPA is certainly a boon for the business models of various content providers which provide advert-financed free online content. Nevertheless, if appeal procedures are pursued in this case, the question remains whether the decision and the reasoning of the ADPA will be confirmed by administrative courts or the ECJ. In our opinion, the courts will at the very least have to make considerable additional considerations and assessments, which may well lead to a different outcome in the final decision.
For further information please contact Miroslav Jakúbek (Associate, Austria) or Stefan Panic (Senior Associate, Austria).