Data protection in focus
A new legal dispute is shaking up the German data protection landscape. The Austrian data protection organization Noyb has sued the data protection authorities in Hesse and North Rhine-Westphalia. The reason? Their alleged inaction in relation to complaints about the controversial "pay-or-consent" models of publishing sites on the Internet. What is behind these models and why is the reaction of the data protection authorities so important?
What are "pay-or-consent" models?
The "pay-or-consent" models, also known as "pure subscription", present users with a choice: either they allow their personal data to be processed and passed on for advertising purposes, or they take out a paid subscription. This practice has caused quite a stir in recent years as it directly conflicts with the General Data Protection Regulation (GDPR), which requires voluntary consent to data processing.
Noyb, a data protection organization, filed complaints against such models on various German news portals back in August 2021. Including against heise.de, faz.net and t-online.de. However, the responsible data protection authorities in Hesse and North Rhine-Westphalia have not yet made any decisions, which has led to the current complaint.
Inactivity of the data protection authorities
Noyb sharply criticizes the delays of the data protection authorities. The complaint to the NRW data protection authority had been lost for over a year, while the Hessian supervisory authority referred to the complexity of the case and the ongoing development of new guidelines. Jonas Breyer, the complainant's lawyer, described the delay as "extremely regrettable" and wondered "what the authorities are actually doing with taxpayers' money".
In 2023, the Federal and State Data Protection Conference declared that "pure subscription approaches" are generally permissible as long as all requirements for informed and effective consent under the GDPR are met. However, reality shows that the implementation of these requirements often leaves a lot to be desired.
And the authorities: What is being done?
A spokesperson for NRW Data Protection Commissioner Bettina Gayk told the authorities that the company had "by no means been inactive". There had been intensive discussions about the data protection compliance of t-online.de and improvements had been achieved. Users are now no longer tracked as soon as they access the website and have the option of rejecting some processing purposes on a second cookie banner level.
Nevertheless, the proceedings have not yet been concluded, as data protection issues remain. Gayk has informed both the website operator and Noyb that it reserves the right to take further action, particularly in light of current case law.
Slow response from the authorities is unacceptable
The situation is symptomatic of the challenges in data protection and shows that there is still a lot to be done to effectively enforce the protection of user privacy. It is alarming that despite the clear requirements of the GDPR, many companies continue to find ways to circumvent or enforce user consent. The authorities must act faster and more decisively to stop such practices. Privacy must not come at a price - an omission that could cost us all dearly. A wake-up call that will hopefully be heard!
