"At the same time, only 1-7% of all users want to be tracked for online advertisement if asked openly. However, "pay or okay" gets 99.9% of users to agree to online tracking. If more than 90% of users do not get what they genuinely want, we have everything but a "genuine" choice."
If I got to the shop and don't want to buy the product I should just get it for free, because that is what I genuinely want? Genuine choice = I get to choose exactly what I want, always?
Edit, because people seem to miss the point:
Just because populist politicians want to legally restrict business from offering a choice does not mean that a "genuine" choice is not presented.
Paid access is okay, so is showing advertising, and even requiring that you pay to access a service (they don’t have to give it away for free). What isn’t okay is requiring either paying or selling your data (selling away privacy) for advertising.
So yes businesses are doing something okay by offering a paid version, but it doesn’t matter if they’re saying “pay or let us sell your data” as the latter is illegal.
There’s an obvious workaround - require the payment for everyone, and on the side offer to pay the customer $x (which coincidentally is the same as the payment needed) for personal information.
I don't think this trick would do anything - you're still conditioning a contract on consent (and it's no more necessary than before), so still don't have "freely given consent" if you wanted to rely on that basis for data processing.
> > Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
"The latter is illegal" has been a point of debate since the GDPR was inacted because it is certainly not obvious in the GDPR.
IMHO, decisions that have upheld that it is indeed illegal have tended to be "militant" and ignored that users had a genuine choice, and in fact 3 options: Accept cookies, etc or pay or leave. In practice we see that 99% of users choose to accept cookies/tracking, but this is not because the choice isn't genuine, it is because they don't care about cookies/tracking as long it means free access and that pisses off some people.
You cannot say that users as a whole accept cookies/tracking as it’s heavily region dependent. At a previous job we implemented a cookie consent banner and tracked statistics of accept/reject, and while some regions were very high (95+%), Germany was particularly low (70%), so it’s hard to paint a picture in a general way.
Regardless, I’m not sure if you’re right that it’s contentious about what is allowed with respect to GDPR here. My understanding is that it is illegal to do what’s here (not just in Austria but in the GDPR directly), and the companies that do this are doing it in bad faith (and/or following in the footsteps of Meta), and in reality what they’re doing is banking on the fact that going through the courts takes a long time. We wouldn’t even be having this discussion if these companies just put ads without tracking/selling user data, which, as mentioned, is fine.
I was taking data from the OP's quote: "However, "pay or okay" gets 99.9% of users to agree to online tracking.". Anyway that's nitpicking as whatever the exact number it is the vast majority.
> My understanding is that it is illegal to do what’s here (not just in Austria but in the GDPR directly),
That's exactly my point. The GDPR does not say that it is illegal. It says that people must have a genuine choice, "genuine" meaning free of coercion. Now, "accept or be fired", "accept or you can't have surgery" are obviously not genuine choices. But arguing that "accept or you need to pay to access this news website" is the same and not a genuine choice is almost pushing the interpretation ad absurdum (what are genuine choices, then?), hence my previous comment.
> We wouldn’t even be having this discussion if these companies just put ads without tracking/selling user data, which, as mentioned, is fine.
The real world never so simple. In the real world if they don't "just" do that it is probably because it isn't working commercially.
> That's exactly my point. The GDPR does not say that it is illegal. It says that people must have a genuine choice [...] arguing that "accept or you need to pay to access this news website" is the same and not a genuine choice is almost pushing the interpretation ad absurdum
"Genuine choice" alone isn't sufficient - from the GDPR:
> > Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
It seems difficult to argue that DerStandard's "pay or okay" approach satisfies this - and indeed the court found it did not.
My impression as a non-lawyer is that the "freely given consent" basis is intended to cover where users opt to give data truly of their own violition, but is instead being used as the "continue on selling data as we were" basis (funnel users into clicking a button, then use that as a carte blanche for effectively any processing).
> The real world never so simple. In the real world if they don't "just" do that it is probably because it isn't working commercially.
I feel the problem is that as soon as one party starts using invasive ads, other parties are at a relative disadvantage and will be paid less than before if they don't follow suit. Seems like the kind of game theory problem that the market is bad at, but regulation can resolve favorably.
> It seems difficult to argue that DerStandard's "pay or okay" approach satisfies this
Why not? Is it not necessary to pay for the service? As long as they are only processing what is necessary for the ads to work then I argue that it is necessary, and they are given a choice, too.
We're going in circle a bit... And always come back to my previous point that in general those decision interpret the GDPR in the most extreme way possible, ignoring real world scenarios and the whole range of circumstances, which I can only describe as a "militant" approach. Unfortunately this is quite common on most issues these days.
> I feel the problem is that as soon as one party starts using invasive ads
It's not invasive ads, it's targeted ads. Targeted ads are more valuable than non targeted ads because they work better. That's it. And, frankly, if I am going to see ads I might as well see targeted ones, which at least I have a chance of finding interesting (that's the whole point) rather than having to endure tampon ads while I am reading the news.
The whole thing is purely political, even ideological.
It doesn't seem to allow separate consent to different personal data processing operations to be given, for one.
> Is it not necessary to pay for the service?
That it is possible to pay instead implies that the processing of the data is not necessary (which is taken as being objectively necessary for the core functions of the contract, not financial convenience).
To my understanding the reason that "despite such consent not being necessary for such performance" wording is there in the first place is because necessity for performance of the contract is already its own basis. Their attempt to obtain freely given consent is because their purpose is not actually necessary, else they could use that on its own as the basis for the processing.
> always come back to my previous point that in general those decision interpret the GDPR in the most extreme way possible, ignoring real world scenarios, which I can only describe as a "militant" approach. Unfortunately this is quite common on most issues these days.
The idea that "it is necessary for our balance sheets to sell your data" would be sufficient for any and all processing seems the most extreme one to me.
> It's not invasive ads, it's targeted ads. [...] And, frankly, if I am going to see ads I might as well see targeted ones,
Ads targetted by building up a profile of where you live, who you interact with, what sites you browse, maybe even what you're susceptible to (FOMO, gambling), etc.
GDPR doesn't prevent you from opting to receive targeted ads if you really do freely give your consent (with no detriment if you were to decline).
> Targeted ads are more valuable than non targeted ads because they work better.
Invasive ads work better for gaining market share in the same way a JS bitcoin miner that uses more of website visitors' GPUs works better. The first sites to deploy it get paid more, but then when all sites are using it we're pretty much back where we started (because it's largely a zero-sum game) but with waste and harm disproportionate to benefits when allowed to go too far.
That's where I think it makes sense for regulation to impose a limit, to stop the downwards slide to a worse overall outcome that can happen when each party is acting in their own immediate interest.
> Their attempt to obtain freely given consent is because their purpose is not actually necessary, else they could use that on its own as the basis for the processing.
Why would the GDPR even describe consent and consent in relations to contract, then?
> The idea that "it is necessary for our balance sheets to sell your data" would be sufficient for any and all processing seems the most extreme one to me.
That's an obviously disingenuous interpretation of my point.
> GDPR doesn't prevent you from opting to receive targeted ads if you really do freely give your consent (with no detriment if you were to decline).
This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.
Again, this is all extreme and ideological. That's the big issue with both the GDPR and its interpretation. And we're right back to my initial point that the issue is in the hands of militants.
More broadly, this is a strange take in the EU: The same people that are happy to have to carry ID cards, to have "free speech" controlled, to have this, to have that, are up in arms at the thought of targeted ads. My hypothesis is that this is because, at the core, the issue is not "privacy" or targeted ads, but commercial companies making money, i.e. bad capitalists (c.f. previous paragraph), which is a political angle that we're seeing very often in Europe, along with the idea that people are allowed free will as long as they make the "right" choices...
> This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.
What do you mean the latter isn’t reasonable? It is perfectly reasonable to make your website only accessible to paying users.
> More broadly, this is a strange take in the EU: The same people that are happy to have to carry ID cards, to have "free speech" controlled, to have this, to have that, are up in arms at the thought of targeted ads.
Ignoring the obvious geopolitical spin to this: The EU considers privacy a right, i.e. something you can’t sell away in a contract, so I don’t see the issue with people being upset about their right to privacy being affected.
> Why would the GDPR even describe consent and consent in relations to contract, then?
Freely given consent is a lawful basis, allowing for processing even if it's not necessary for legal/contractual reasons that would qualify the processing for another basis (or a mix of necessary and unecessary).
But here they're clearly not meeting the "allow separate consent to be given to different personal data processing operations" requirement, and if they only met the second requirement by nature of all of their processing being necessary (which seems highly doubtful) then it seems like they would've already been covered by the "processing is necessary for the performance of a contract" basis.
> That's an obviously disingenuous interpretation of my point.
Necessity for the performance of a contract is a lawful basis for processing under the GDPR, and to my understanding you're suggesting "necessity for the performance of a contract" should be interpreted loosely to include a kind of "financial necessity" that permits selling personnal data to adtech companies.
To me it seems like that same justification could be used for any selling of personal of data (maybe I go too far by saying any processing, since it wouldn't necessarily justify non-commercial processing). If you don't think that's a consequence of your interpretation, I'd be interested to hear why.
> This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.
Websites can use most forms of monetization they always have - just not selling of personal data (unless the user freely gives consent). Regular ads, selling an ad-free version, upsell nags, all the badges/superchats/cosmetics/etc. are all still fine.
What you miss is that the EU has decided that your business can not depend on people selling their privacy. This is very far from crazy, we disallow many other types to businesses too.
Tracking is not payment nor is the company entitled to track people. Der Standard is free to ask for money. They are not free to make tracking condition of a service.
This is great but how can we disincentivize businesses from trying to play games like this with the law? Simply telling them to stop once someone had to go through a lengthy court case against them is not going to be enough.
At this point I think that this kind of tracking should be forbidden by law.
People should not have an option to accept "being spied at all times on their personal behavior". It is creepy, it is dangerous and it is inhuman.
The exceptions should be the ones that currently already exist in GDPR. Financial institutions can use data to track fraud, law enforcement can use data from ongoing criminal cases, etc.
To have an option "to be spied" is a dystopian result of the lawlessness and bad faith on the Internet.
I feel that's only really true in the way it is of a JS bitcoin miner. Locally appears to make something free (if ignoring time/energy) that wasn't before, but is overall a detriment to average affordability because it's a net loss of resources (mostly just a zero-sum game, with some small side benefits).
Absolutely crazy interpretation:
"At the same time, only 1-7% of all users want to be tracked for online advertisement if asked openly. However, "pay or okay" gets 99.9% of users to agree to online tracking. If more than 90% of users do not get what they genuinely want, we have everything but a "genuine" choice."
If I got to the shop and don't want to buy the product I should just get it for free, because that is what I genuinely want? Genuine choice = I get to choose exactly what I want, always?
Edit, because people seem to miss the point: Just because populist politicians want to legally restrict business from offering a choice does not mean that a "genuine" choice is not presented.
The law says that personal data is not a valid form of payment. Businesses have to adjust their business models accordingly.
Prostitution is legal here in austria (where derStandard is based) and germany
Why should selling your personal data be illegal?
Isn't offering paid access exactly that? Or what do you have in mind?
Paid access is okay, so is showing advertising, and even requiring that you pay to access a service (they don’t have to give it away for free). What isn’t okay is requiring either paying or selling your data (selling away privacy) for advertising.
So yes businesses are doing something okay by offering a paid version, but it doesn’t matter if they’re saying “pay or let us sell your data” as the latter is illegal.
There’s an obvious workaround - require the payment for everyone, and on the side offer to pay the customer $x (which coincidentally is the same as the payment needed) for personal information.
I don't think this trick would do anything - you're still conditioning a contract on consent (and it's no more necessary than before), so still don't have "freely given consent" if you wanted to rely on that basis for data processing.
You're repeating a claim that is widespread but that appears nowhere in the GDPR.
> > Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
That's not the same as your previous comment.
"The latter is illegal" has been a point of debate since the GDPR was inacted because it is certainly not obvious in the GDPR.
IMHO, decisions that have upheld that it is indeed illegal have tended to be "militant" and ignored that users had a genuine choice, and in fact 3 options: Accept cookies, etc or pay or leave. In practice we see that 99% of users choose to accept cookies/tracking, but this is not because the choice isn't genuine, it is because they don't care about cookies/tracking as long it means free access and that pisses off some people.
You cannot say that users as a whole accept cookies/tracking as it’s heavily region dependent. At a previous job we implemented a cookie consent banner and tracked statistics of accept/reject, and while some regions were very high (95+%), Germany was particularly low (70%), so it’s hard to paint a picture in a general way.
Regardless, I’m not sure if you’re right that it’s contentious about what is allowed with respect to GDPR here. My understanding is that it is illegal to do what’s here (not just in Austria but in the GDPR directly), and the companies that do this are doing it in bad faith (and/or following in the footsteps of Meta), and in reality what they’re doing is banking on the fact that going through the courts takes a long time. We wouldn’t even be having this discussion if these companies just put ads without tracking/selling user data, which, as mentioned, is fine.
I was taking data from the OP's quote: "However, "pay or okay" gets 99.9% of users to agree to online tracking.". Anyway that's nitpicking as whatever the exact number it is the vast majority.
> My understanding is that it is illegal to do what’s here (not just in Austria but in the GDPR directly),
That's exactly my point. The GDPR does not say that it is illegal. It says that people must have a genuine choice, "genuine" meaning free of coercion. Now, "accept or be fired", "accept or you can't have surgery" are obviously not genuine choices. But arguing that "accept or you need to pay to access this news website" is the same and not a genuine choice is almost pushing the interpretation ad absurdum (what are genuine choices, then?), hence my previous comment.
> We wouldn’t even be having this discussion if these companies just put ads without tracking/selling user data, which, as mentioned, is fine.
The real world never so simple. In the real world if they don't "just" do that it is probably because it isn't working commercially.
> That's exactly my point. The GDPR does not say that it is illegal. It says that people must have a genuine choice [...] arguing that "accept or you need to pay to access this news website" is the same and not a genuine choice is almost pushing the interpretation ad absurdum
"Genuine choice" alone isn't sufficient - from the GDPR:
> > Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
It seems difficult to argue that DerStandard's "pay or okay" approach satisfies this - and indeed the court found it did not.
My impression as a non-lawyer is that the "freely given consent" basis is intended to cover where users opt to give data truly of their own violition, but is instead being used as the "continue on selling data as we were" basis (funnel users into clicking a button, then use that as a carte blanche for effectively any processing).
> The real world never so simple. In the real world if they don't "just" do that it is probably because it isn't working commercially.
I feel the problem is that as soon as one party starts using invasive ads, other parties are at a relative disadvantage and will be paid less than before if they don't follow suit. Seems like the kind of game theory problem that the market is bad at, but regulation can resolve favorably.
> It seems difficult to argue that DerStandard's "pay or okay" approach satisfies this
Why not? Is it not necessary to pay for the service? As long as they are only processing what is necessary for the ads to work then I argue that it is necessary, and they are given a choice, too.
We're going in circle a bit... And always come back to my previous point that in general those decision interpret the GDPR in the most extreme way possible, ignoring real world scenarios and the whole range of circumstances, which I can only describe as a "militant" approach. Unfortunately this is quite common on most issues these days.
> I feel the problem is that as soon as one party starts using invasive ads
It's not invasive ads, it's targeted ads. Targeted ads are more valuable than non targeted ads because they work better. That's it. And, frankly, if I am going to see ads I might as well see targeted ones, which at least I have a chance of finding interesting (that's the whole point) rather than having to endure tampon ads while I am reading the news.
The whole thing is purely political, even ideological.
> Why not?
It doesn't seem to allow separate consent to different personal data processing operations to be given, for one.
> Is it not necessary to pay for the service?
That it is possible to pay instead implies that the processing of the data is not necessary (which is taken as being objectively necessary for the core functions of the contract, not financial convenience).
To my understanding the reason that "despite such consent not being necessary for such performance" wording is there in the first place is because necessity for performance of the contract is already its own basis. Their attempt to obtain freely given consent is because their purpose is not actually necessary, else they could use that on its own as the basis for the processing.
> always come back to my previous point that in general those decision interpret the GDPR in the most extreme way possible, ignoring real world scenarios, which I can only describe as a "militant" approach. Unfortunately this is quite common on most issues these days.
The idea that "it is necessary for our balance sheets to sell your data" would be sufficient for any and all processing seems the most extreme one to me.
> It's not invasive ads, it's targeted ads. [...] And, frankly, if I am going to see ads I might as well see targeted ones,
Ads targetted by building up a profile of where you live, who you interact with, what sites you browse, maybe even what you're susceptible to (FOMO, gambling), etc.
GDPR doesn't prevent you from opting to receive targeted ads if you really do freely give your consent (with no detriment if you were to decline).
> Targeted ads are more valuable than non targeted ads because they work better.
Invasive ads work better for gaining market share in the same way a JS bitcoin miner that uses more of website visitors' GPUs works better. The first sites to deploy it get paid more, but then when all sites are using it we're pretty much back where we started (because it's largely a zero-sum game) but with waste and harm disproportionate to benefits when allowed to go too far.
That's where I think it makes sense for regulation to impose a limit, to stop the downwards slide to a worse overall outcome that can happen when each party is acting in their own immediate interest.
> Their attempt to obtain freely given consent is because their purpose is not actually necessary, else they could use that on its own as the basis for the processing.
Why would the GDPR even describe consent and consent in relations to contract, then?
> The idea that "it is necessary for our balance sheets to sell your data" would be sufficient for any and all processing seems the most extreme one to me.
That's an obviously disingenuous interpretation of my point.
> GDPR doesn't prevent you from opting to receive targeted ads if you really do freely give your consent (with no detriment if you were to decline).
This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.
Again, this is all extreme and ideological. That's the big issue with both the GDPR and its interpretation. And we're right back to my initial point that the issue is in the hands of militants.
More broadly, this is a strange take in the EU: The same people that are happy to have to carry ID cards, to have "free speech" controlled, to have this, to have that, are up in arms at the thought of targeted ads. My hypothesis is that this is because, at the core, the issue is not "privacy" or targeted ads, but commercial companies making money, i.e. bad capitalists (c.f. previous paragraph), which is a political angle that we're seeing very often in Europe, along with the idea that people are allowed free will as long as they make the "right" choices...
> This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.
What do you mean the latter isn’t reasonable? It is perfectly reasonable to make your website only accessible to paying users.
> More broadly, this is a strange take in the EU: The same people that are happy to have to carry ID cards, to have "free speech" controlled, to have this, to have that, are up in arms at the thought of targeted ads.
Ignoring the obvious geopolitical spin to this: The EU considers privacy a right, i.e. something you can’t sell away in a contract, so I don’t see the issue with people being upset about their right to privacy being affected.
> Why would the GDPR even describe consent and consent in relations to contract, then?
Freely given consent is a lawful basis, allowing for processing even if it's not necessary for legal/contractual reasons that would qualify the processing for another basis (or a mix of necessary and unecessary).
But here they're clearly not meeting the "allow separate consent to be given to different personal data processing operations" requirement, and if they only met the second requirement by nature of all of their processing being necessary (which seems highly doubtful) then it seems like they would've already been covered by the "processing is necessary for the performance of a contract" basis.
> That's an obviously disingenuous interpretation of my point.
Necessity for the performance of a contract is a lawful basis for processing under the GDPR, and to my understanding you're suggesting "necessity for the performance of a contract" should be interpreted loosely to include a kind of "financial necessity" that permits selling personnal data to adtech companies.
To me it seems like that same justification could be used for any selling of personal of data (maybe I go too far by saying any processing, since it wouldn't necessarily justify non-commercial processing). If you don't think that's a consequence of your interpretation, I'd be interested to hear why.
> This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.
Websites can use most forms of monetization they always have - just not selling of personal data (unless the user freely gives consent). Regular ads, selling an ad-free version, upsell nags, all the badges/superchats/cosmetics/etc. are all still fine.
What you miss is that the EU has decided that your business can not depend on people selling their privacy. This is very far from crazy, we disallow many other types to businesses too.
Tracking is not payment nor is the company entitled to track people. Der Standard is free to ask for money. They are not free to make tracking condition of a service.
This is great but how can we disincentivize businesses from trying to play games like this with the law? Simply telling them to stop once someone had to go through a lengthy court case against them is not going to be enough.
At this point I think that this kind of tracking should be forbidden by law.
People should not have an option to accept "being spied at all times on their personal behavior". It is creepy, it is dangerous and it is inhuman.
The exceptions should be the ones that currently already exist in GDPR. Financial institutions can use data to track fraud, law enforcement can use data from ongoing criminal cases, etc.
To have an option "to be spied" is a dystopian result of the lawlessness and bad faith on the Internet.
This! What benefit does any of this current system provide us anyway?
Devil's Advocate? It pays for the services we use for free.
I feel that's only really true in the way it is of a JS bitcoin miner. Locally appears to make something free (if ignoring time/energy) that wasn't before, but is overall a detriment to average affordability because it's a net loss of resources (mostly just a zero-sum game, with some small side benefits).
From another noyb article: personalized ads account for < 10% of revenue for newspapers
"Free" services that are unable to pay for themselves distort the market. And eventually they price out honest and non tracking competition.