Data Protection Paternalism vs. Digital Autonomy: Recent Decisions by EU Privacy Watchdogs
The EU’s General Data Protection Regulation (GDPR) has long been considered a gold standard in privacy regulation by many. In it, legislators took a balanced approach towards a privacy framework that respects fundamental rights in all respects. Not only an individual’s right to privacy that is, but also their digital autonomy and freedom to contract for services involving data processing.
In recent months, however, the European Data Protection Board (EDPB) has issued a number of decisions, overruling the relevant national data protection authority and sometimes, questionably, instructing and directing that authority to commence new investigations. This direction has since been formally challenged multiple times in the European Courts.
To keen observers, these decisions signal a new wave of enforcement for the GDPR, where the EDPB calls the shots in pursuit of its own policies and objectives over those expressed by the legislator in the GDPR itself. But this new approach has not come without critique.
Professor Dr. Martin Nettesheim of the University of Tübingen published a thought-provoking article last month: “Critical Comments on the European Data Protection Board’s Understanding of Contracts as a Ground to Process Personal Data”. Nettesheim’s article, which is also available here, delves into recent EDPB decisions relating to Facebook and Instagram. It provides a useful reminder that the GDPR must be interpreted in light of EU fundamental rights, like that of contractual autonomy, and not as superior to those rights.
In these recent decisions, the EDPB ruled against the use of contracts to justify behavioural advertising for services where behavioural advertising actually is at the very core of the service being contracted. This clearly raises existential questions for many free services that consumers enjoy today. But as Professor Dr. Nettesheim points out, legal scholars should also be troubled to see that the EDPB appears to fill important legal gaps with flawed interpretations of the GDPR directed by the EDPB’s own preferences of what constitutes a “good” or “bad” contract and business model.
Headlines back in January focused on the EDPB’s conclusion that a contract does not constitute a lawful ground to process personal data for the purpose of behavioural advertising. In practice, this means that users cannot contract for free online services that are supported by behavioural ads.
An in-depth reading of the decisions, however, reveals that this outcome is based on an ideological approach to data protection, under which consent prompts would become the only way for companies to process personal data whenever the EDPB does not approve of their business models. In effect, the EDPB appears to elevate consent as the primary “highest order” legal basis for processing, and makes it impossible for certain companies to practically use any of the other bases originally established in the GDPR by EU lawmakers.
For example, the EDPB initially claims, and rightfully so, that there is no hierarchy between the legal bases found in Article 6 GDPR and recognised under Article 8 of the EU Charter of Fundamental Rights (CFR). Yet, it then proceeds to contradict its position and assume that data subjects must always have the right to exercise consent (or refuse consent), and any other grounds would then (logically) “deprive” them of at least some of their data protection rights.
The elevation of consent as the only legal ground to process data for behavioural advertising can also be seen in the EDPB’s superficial assessment of the contractual legal basis upon which Meta relied. As Professor Dr. Nettesheim’s article reveals, the EDPB failed to assess the actual subject matter of the contract between Meta and its users.
Indeed, at no point does the EDPB review the object or the content of the contract holistically to determine whether the processing is in fact necessary to fulfil the ultimate objective of the contract. Instead the EDPB distinguishes parts of the contracted service that are in its subjective view unworthy of data processing, regardless of how inextricable those parts are to the performance of the contract as a whole.
Finally, the EDPB’s decision reveals another significant deficit insofar as its analysis is confined to Article 8 of the CFR, failing to take into account all other requirements under EU primary law. The EDPB fails to evaluate other fundamental rights: the freedom to conduct a business under Article 16 of the CFR is simply overlooked – or considered irrelevant. The fundamental freedoms of the data subjects, which include the right to enter into contracts for services involving the processing of personal data, are also missing. Even with respect to Article 8 of the CFR, the EDPB never elaborates on what specific purposes, values, and protected interests are impacted by behavioural advertising.
The EDPB’s absolutist data-protection paternalism offers only a siloed and one-sided approach to assessing data processing under the GDPR, and conflicts with deeper and more fundamental rights related to individuals’ digital and contractual autonomy. None of this appears to serve the meaningful protection of personal data as codified by EU legislators in the GDPR. Worse, the accumulation of consent prompts for services – which in other contexts the EDPB has (rightfully) disapproved of – undermines the freedom of individuals to conclude transparent and fair contracts, as well as their practical ability to exercise digital autonomy.
Professor Dr. Nettesheim’s article is certainly thought provoking, calling into question the EDPB’s approach to GDPR enforcement and the EDPB’s apparent disregard for equally important fundamental rights, and behavioural advertising in general. It now remains for the European Courts to determine whether the EDPB has free reign to reinterpret the GDPR as a paternalistic instrument, or to stay true to the balanced approach to data protection and fundamental rights that EU legislators adopted when crafting the GDPR.