The Austrian Supreme Court has referred a case against Facebook to the Court of Justice of the European Union (CJEU). The case has been dubbed “Schrems III,” as it’s the third CJEU reference involving Facebook and campaigner Max Schrems.
If Facebook loses, the company’s entire business model could become unsustainable. But upcoming changes to EU privacy law might provide a solution—a paid version of Facebook.
First, we’ll look at the facts and arguments presented in this case. Then I’ll explain how it could, in theory, lead to a paid version of Facebook.
Bear with me. I promise this argument makes sense.
What’s the case about?
The Schrems III case is essentially about the GDPR’s “legal bases.”
Under the GDPR controller must establish a legal basis whenever processing personal data. There are six legal bases, and two are particularly relevant in this case: “contract” and “consent.”
The question at the heart of the Schrems III case is: Can a controller rely on the legal basis of “contract” to deliver targeted advertising using cookies?
Facebook relies on “contract” for ad-targeting purposes, which Schrems says “undermines the GDPR.”
But it’s important to note that Facebook hasn’t always relied on “contract” to deliver targeted ads. The company relied on “consent” until May 25, 2018—the day the GDPR came into force.
How did the GDPR affect Facebook’s legal basis for delivering targeted ads?
The GDPR brought several important changes to EU data protection law. One of the most significant was a new definition of “consent.”
The regulation requires controllers to obtain consent via a “clear, affirmative action.” Consent must also be easy to withdraw—and the data subject must not incur any detriment if they withdraw their consent.
Recital 43 of the GDPR also specifies that consent isn’t “freely given” if “the provision of a service… is dependent on the consent despite such consent not being necessary…”
Facebook previously requested its users’ consent for targeted advertising when they were signing up for an account. No consent? No Facebook account.
Whether this approach was lawful at the time is open to question. But in any case, it seems the company’s lawyers believed that Facebook’s existing consent request would be incompatible with the GDPR’s new rules.
So, on the day the GDPR came into effect, Facebook copied its consent request into its Terms of Service.
Et voila—Facebook was now relying on “contract” instead of “consent.”
What’s the case against Facebook?
Schrems argues that Facebook’s reliance on “contract” is unacceptable due to a combination of two laws—the GDPR and the ePrivacy Directive.
A controller can rely on “contract” when it needs to process personal data to perform its contractual obligations to the data subject.
For example, if you order a product from Amazon, Amazon needs your address to send the product to you. Therefore, the company can rely on “contract” to collect and use your address for this purpose.
Schrems says that this isn’t the case with Facebook.
Doesn’t Facebook “need” to provide personalized advertising?
Facebook says delivering targeted ads is “necessary” under its Terms of Service, which constitute a contract between the company and its users. Facebook claims these Terms of Service require the company to collect data about its users and serve them targeted ads.
Facebook says that this contract benefits its users because they get to use Facebook for free—and because targeted ads are supposedly more relevant than other types of ads.
But the contract also benefits Facebook because it supports the company’s business model. This argument is a core part of Facebook’s defense—no targeted ads, no Facebook.
That sounds reasonable?
Not according to the European Data Protection Board (EDPB).
The EDPB has a whole set of guidelines about providing online services on the legal basis of “contract.” The guidelines consider what types of activities are “necessary for the performance of a contract” under the GDPR.
The EDPB concludes that “activities (that) are not necessary for the individual services requested by the data subject, but rather necessary for the controller’s wider business model” don’t count as “necessary.”
But remember—EDPB guidelines aren’t binding. And in fact, the EDPB’s interpretation was rejected by the Viennese Superior Court at an earlier stage of this case.
Can’t Facebook rely on “legitimate interest” instead?
Rather than “consent” or “contract,” the GDPR allows controllers to rely on the legal basis of “legitimate interest” for certain marketing activities.
But relying on “legitimate interest” wouldn’t work for Facebook because it delivers targeted ads using cookies (and similar technologies).
Cookies aren’t really a GDPR thing—they’re covered by the ePrivacy Directive. And under Article 5 (3) of the ePrivacy Directive, online service providers must obtain consent for setting non-essential cookies.
Schrems says this ePrivacy Directive rule is another reason Facebook shouldn’t be relying on “contract” for setting cookies. “Consent,” Schrems claims, is the only appropriate option. But consent means giving users certain rights over their personal data—rights that Facebook would rather not provide.
What happens if Facebook loses the case?
If Facebook loses, the company will most likely need to start obtaining GDPR-valid consent from its European users. This would mean getting opt-in consent before setting non-essential cookies on its users’ devices—and offering an opt-out to existing users.
Facebook already offers users opt-outs for certain third-party ads. But it seems that providing users with this level of control across the board would devastate Facebook’s business.
However, a potential change in the law might enable Facebook to continue its European operations.
What’s this upcoming legal change?
The ePrivacy Directive gets a long-overdue overhaul soon, with the ePrivacy Regulation.
As mentioned, under the ePrivacy Directive, service providers like Facebook must obtain consent for non-essential cookies. And due to the GDPR’s definition of consent, Facebook can’t require users to consent as part of its signup process.
But the ePrivacy Regulation could change these rules.
The European Council’s favored version of the regulation, published in February, would allow companies like Facebook to force users to consent to cookies, as long as they provided an “equivalent offer… that does not involve consenting to data use.”
Wouldn’t this cause most users to opt for the “cookie-free” version of Facebook? Not necessarily.
Under the Council’s proposals, service providers could charge users who did not wish to consent to cookies. So if this part of the ePrivacy Regulation passes into law, it could lead to a paid version of Facebook.
A paid version of Facebook? That seems highly unlikely
Let’s be clear—this would be a bad outcome for Facebook. The company almost certainly does not want to charge any of its users a fee if it means getting less access to their data.
But remember when Facebook’s signup page said, “It’s free and always will be?” The company quietly ditched this slogan in 2019. Then in May, faced with Apple’s tracking prevention policy on iOS, Facebook also reminded iPhone users that tracking “helps keep Facebook free.”
But how many people would actually want to pay for Facebook? Most users, presumably, would simply tick the “I consent” box and opt for the “free” version.
So perhaps—if Facebook loses Schrems III, and if the ePrivacy Regulation allows it—providing a paid version of its platform might be Facebook’s least bad option.