Meta's controversial 'approve' or payment option for users in the EU is facing questions from the European Commission. The bloc said today that it has sent the owner of Facebook and Instagram a formal request for information (RFI) under the Digital Services Act (DSA), asking it to provide more details about the “ad-free subscription options” it provides to regional users of its two main companies. social networks.
“In particular, Meta must provide additional information about the measures it has taken to comply with its obligations regarding Facebook and Instagram’s advertising practices, recommendation systems and risk assessments related to the introduction of this opt-in,” the commission wrote in a press release.
Meta has been contacted to respond to the committee's information request. But spokesman Matthew Pollard told us he had no comment at this time.
Meta made the controversial switch to a so-called “consent or pay” business model in the European Union last fall, after challenges to two other legal bases that it claimed processed user data to target ads forced it to rethink its approach.
Meta's ad-free subscription is controversial because under EU data protection law consent must be informed, specific, and free if it is to be valid. But the choice made by Meta requires users to either pay monthly subscriptions to it (starting at €9.99 per month) in order to access ad-free versions of the social networks – or else they must agree to be tracked and profiled depending on their goals. Advertising.
There is currently no way for EU users to access Facebook or Instagram for free without being tracked.
Privacy and consumer rights groups quickly took issue with Meta's self-serving tactic, and a host of complaints have since been filed under EU data and consumer protection law — violations of which can result in fines of up to 4% of global annual turnover. (See: here, here, here, here).
Now the EU itself is stepping in by requesting information under the DSA, the bloc's recently updated e-commerce rulebook.
This separate pan-EU regulation has – since last August – applied a set of algorithmic accountability and transparency rules to larger online platforms (also known as VLOPs), including Facebook and Instagram.
The DSA is very relevant because it states that larger platforms must get people's consent to use their data for advertising; This consent must comply with the bloc's data protection rules and be as easy to withdraw as it is to provide.
The regulation also strictly prohibits the use of sensitive data or data of minors for advertising – and it is not clear how Meta prevents sensitive data from being processed by its ad targeting engines given how – for example – people's political views can be inferred by tracking their behavior and the agents used to target ads in categories Sensitive. (The company claimed, in 2021, that it removed advertisers' ability to target sensitive groups. But constant tracking and profiling of users creates opportunities for advertisers to target agents.)
It's also not clear how successful (or otherwise) Meta is at blocking minors from accessing Facebook and Instagram. Obviously, children won't be able to sign up and pay for a monthly subscription to access ad-free versions of these services – so minors may have to accept being tracked, despite the DSA's ban on using minors' data for ads.
While data protection complaints against Meta are usually directed back to the Irish Data Protection Commission (DPC), which oversees Meta's compliance with the General Data Protection Regulation (GDPR) – but has yet to offer a view on the extent of legality. For Meta's 'approval or pay' model – the Commission itself is responsible for enforcing a subset of the DSA's additional rules for VLOPs. Penalties for per diem law violations can be up to 6% of total global annual sales.
In the first six months of its enforcement role, the EU has sent a raft of information requests to the platforms – including several previous requests on Meta (related to disinformation, child protection and election security) – as well as opening two formal investigative actions (on X and Tech tok). But the Commission appears to have paid less attention to compliance issues related to approving the declaration – until now.
Last November, MEPs Kim van Sparentack and Paul Tang submitted written questions to the Commission seeking its views on the legality of Meta's 'consent or pay' offer under EU data protection law and under data protection law – noting that ' Alternatives to tracking, such as contextual advertising are available and possible.
In its response, dated almost two months later (January 30), the Commission wrote that “the processing of personal data for personalized advertising must comply with [GDPR]It said it was “currently monitoring and evaluating the compliance of VLOPs, including Facebook and Instagram, with their DSA obligations.” But the EU avoided providing a specific answer.
In follow-up questions last month, MEPs criticized Internal Market Commissioner Thierry Breton for what they described as “inadequate answers” – reiterating their request for a clear ruling on Meta’s “pay or consent” model. These new questions have been put forward as “priority questions” – increasing pressure on the committee to respond quickly.
One week later, Meta has now received an information request from the committee asking about an ad-free subscription. The EU gave Meta until March 22 to provide the requested information.
“After putting written questions several times to the European Commission, and asking it to act on Meta’s highly questionable ‘pay or consent’ model, I am pleased that the Commission is finally following through,” MEP Paul Tang told TechCrunch today, after we highlighted the issue. RFI for commission on ad-free Meta subscription. “It is time for Meta to face the music and provide the answers we have all been demanding.”
In parallel with the DSA's interest in Meta's consent or payment model, three data protection authorities recently asked the European Data Protection Board, a guideline for the GDPR, to draft an opinion on the legality of consent or payment – which is still pending but could arrive in As soon as later this month. (The board's view may help shape how the GDPR applies to the meta mechanism. So it will also be a view worth monitoring.)
We've also reached out to the Irish DPC for an update on its review of Meta's consent or payment model – which has been ongoing for about six months. A spokesperson for the commission told us: “The DPC’s assessment on this matter is ongoing and therefore we can say no further at this stage.”
More orders
The information request the Commission sent to Meta today contains some additional requests – relating to several topics that were already included in previous formal information requests under the DSA.
“Previous information requests have covered issues such as terrorist content, risk management related to civil discourse and electoral processes, and the protection of minors,” the EU wrote. “The current RFI builds on Meta's previous responses and requests additional information regarding the methodology underlying Meta's reports for risk assessment and mitigation measures, protection of minors, and manipulated elections and media. The RFI also requests Meta to provide information regarding the practice of so-called shadow bans and launch Threads.
Meta has until March 15 to provide the European Union with responses to these requests.
It is not yet clear whether the bloc will open a formal investigation into Meta under the DSA, although all of these information requests indicate that there are several compliance issues that it feels require more careful scrutiny. The committee wrote in its press release today that it will evaluate Meta's responses to determine its next steps. So we may know more in a few weeks.
In addition to potentially opening a formal investigation, as the EU has already done in the case of X's and TikTok's compliance with the DSA, the EU could issue further information requests if it still feels it needs more information from Meta. It also has powers to impose fines for incorrect, incomplete or misleading information in response to such requests.
