Privacy advocate sues Hamburg DPA over 'Pay or OK' consent banner decision

On August 1, 2024, just two days ago, privacy advocacy group noyb (None of Your Business) announced it has filed a lawsuit against the Hamburg Data Protection Authority (DPA) in the Hamburg Administrative Court. The lawsuit challenges the DPA's decision to approve the controversial 'Pay or OK' consent banner system used by the German news magazine DER SPIEGEL on its website. This legal action marks a significant escalation in the ongoing debate over online privacy practices and the interpretation of consent under the General Data Protection Regulation (GDPR).

The case stems from a complaint originally filed by noyb in the summer of 2021, which questioned the legality of DER SPIEGEL's 'Pay or OK' system. This system presented website visitors with a choice: either consent to the use of their personal data for tracking and advertising purposes or pay for a subscription to access content. After nearly three years of deliberation, the Hamburg DPA recently ruled that this practice was permissible under GDPR guidelines.

According to noyb, the DPA's decision-making process and ultimate ruling raise serious concerns about the authority's impartiality and thoroughness in investigating GDPR complaints. The privacy group alleges that the DPA engaged in improper communication with DER SPIEGEL during the investigation, potentially compromising its ability to make an unbiased decision.

One of the key issues highlighted by noyb is the DPA's apparent failure to consider critical data regarding user behavior when confronted with 'Pay or OK' banners. The privacy group claims that studies show over 99.9% of users agree to tracking when presented with such systems, despite only 3-10% of users actually desiring personalized advertising. This discrepancy, noyb argues, calls into question whether the consent obtained through these banners can truly be considered voluntary and informed, as required by the GDPR.

Max Schrems, Honorary Chairman of noyb, expressed strong criticism of the DPA's decision, comparing the high consent rates achieved through 'Pay or OK' systems to levels of compliance seen in authoritarian regimes. He argued that such high rates of agreement clearly indicate a lack of genuine choice for users.

The lawsuit also raises concerns about the Hamburg DPA's conduct during the investigation. noyb alleges that the authority engaged in multiple meetings with DER SPIEGEL representatives, provided feedback on proposed changes to the consent system, and even invited company officials to its premises. This level of involvement, the privacy group contends, goes beyond the DPA's mandate to sensitize companies to data protection issues and instead veers into the territory of active legal consultation.

Adding to the controversy, noyb claims that the Hamburg DPA charged DER SPIEGEL only €6,140 for the administrative costs of the procedure. The privacy group suggests that this fee is significantly lower than what a law firm would typically charge for comparable legal advice, potentially creating a conflict of interest for the authority.

Perhaps most troublingly, noyb asserts that the complainant who initially brought the issue to the DPA's attention was not given an opportunity to be heard during the proceedings. The privacy group claims that the majority of the complainant's messages to the authority went unanswered, raising questions about the fairness and thoroughness of the investigation.

The case has broader implications for the digital media landscape in Europe. 'Pay or OK' systems have become increasingly common as publishers seek ways to monetize their content while complying with GDPR requirements. However, critics argue that these systems create a false choice for users, effectively coercing them into giving up their privacy rights to access information.

The European Commission has previously expressed doubts about the legality of 'Pay or OK' models, suggesting that the issue remains contentious at the highest levels of EU governance. This lawsuit could potentially lead to a clearer legal interpretation of what constitutes valid consent under the GDPR, with significant ramifications for online publishers and users alike.

Dr. Raphael Rohrmoser, the lawyer representing the complainant, criticized the Hamburg DPA's approach, suggesting that it had essentially provided DER SPIEGEL with discounted legal advice rather than conducting an impartial investigation. This dual role of advisor and adjudicator, he argued, compromises the authority's ability to make unbiased decisions in the future.

The lawsuit seeks to have the DPA's decision overturned, which would require the authority to reconsider the original 2021 complaint. If successful, this legal action could set a precedent for how data protection authorities handle similar cases in the future, potentially leading to stricter enforcement of GDPR consent requirements.

This case highlights the complex challenges facing data protection authorities as they attempt to balance the needs of businesses with the privacy rights of individuals in the digital age. It also underscores the important role that privacy advocacy groups play in holding both companies and regulatory bodies accountable for their actions.

As the lawsuit progresses, it will likely draw attention from privacy experts, legal scholars, and digital publishers across Europe. The outcome could have far-reaching implications for how consent is obtained and verified in online environments, potentially reshaping the relationship between websites and their users.

In October 2023, Meta, the parent company of Facebook and Instagram, introduced a new subscription model for users in the European Union, European Economic Area, and Switzerland. This move, which came in response to evolving European regulations, offers users the option to pay a monthly fee to use these platforms without advertisements. Meta stated that subscribers' information would not be used for advertising purposes, although they would retain access to all platform features.

This development is particularly relevant to the 'Pay or OK' debate, as it represents a major tech company's attempt to provide users with a clear choice between paid, ad-free service and free, ad-supported service. However, critics might argue that this approach still presents users with a dilemma: pay for privacy or accept data collection and targeted advertising.

Key facts about the noyb lawsuit against the Hamburg DPA

Filed on August 1, 2024, in the Hamburg Administrative Court

Challenges the DPA's approval of DER SPIEGEL's 'Pay or OK' consent banner

Original complaint filed by noyb in summer 2021

DPA took nearly three years to reach a decision

noyb alleges the DPA failed to consider critical data on user behavior

Claims over 99.9% of users agree to tracking when presented with 'Pay or OK' systems

Accuses the DPA of improper communication with DER SPIEGEL during the investigation

Alleges the complainant was not given an opportunity to be heard

Seeks to have the DPA's decision overturned

Outcome could set a precedent for GDPR consent requirements enforcement