The seemingly narrow rejection of the consent-or-pay model for large online platforms relies on shoddy argumentation, spelling trouble for data subjects when it comes to smaller controllers
Erm. You say that there is no explicit requirement that consent needs to be as easy to reject as it is to grant. While it doesn't specifically say 'refuse' article 7(3) explicitly states: "3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent."
It seems a reasonable cognitive step to assert that if it needs to be as easy to withdraw as to grant, it should also be as easy to refuse consent in the first place.
Hi! Thank you for your comment. This is why I said GDPR doesn't require this explicitly. As far as I'm aware, we also don't have concrete case law from the CJEU confirming this interpretation (closest might be the non-binding AG Opinion in C-673/17, para. 66). I think it's poor wording by the legislator, which on the other hand did use "refuse or withdraw" in Recital 42.
The standard should really be that refusal should be at least as easy as consenting. More generally, there should also be a level playing field between the two options which also rules out tactics like consent badgering if you refuse. Can we make an interpretative jump from Article 7(3) to that as well or did the legislator intend to leave some extra room for controllers? I guess we don't really know (as far as I'm aware) and that's a less straight case to argue. Withdrawal should in my opinion be similarly/about/roughly/nearly as easy as giving consent because a choice was already expressed at that point and there's no need for measures like floating UI elements to follow you around the website when it could just be a link at the bottom of the page or similar.
My problem isn't so much that the EDPB said refusal must be at least as easy as consenting, I just would've liked a clearer explanation of how they got to that conclusion (given how much time they spent going in circles on other points) and what DPAs should point to when issuing decisions on the matter. My understanding is also that not all DPAs necessarily agree with all the above interpretations or similar questions (do we even have any guidance on consent badgering?) given some of the diverging opinions that were present inside the EDPB Cookie Task Force. Perhaps such processing could even be considered unfair given the potential deception/manipulation at play.
Article 7(3)*, in the absence of clear wording, at best implies (an intent by the legislator) that refusal should be on the same pedestal as giving consent. I think it might be easier to argue that making it harder to refuse consent would likely (but perhaps not in all situations where the data subject is determined to refuse consent) render it invalid because it would not be freely given due to a difference in consent rates compared to a scenario where consent and refusal were both presented in a neutral manner (which is also an avenue for combatting other dark patterns). Alternatively, one could argue that it's not freely given because of the (albeit minor) time and mental processing power detriment the data subject experiences if they don't consent, which conditions them to always click on 'Accept All' to get rid of the banner as quickly as possible. The EDPB didn't say any of that.
Curiously the DMA in Recital 37 does say in no uncertain terms that "Not giving consent should not be more difficult than giving consent." But then lawyers might argue that this requirement does not flow from GDPR (and even if it did, is it a valid post-facto interpretation of it, similar to the requirement to obtain consent for the use of personal data in ad targeting stemming from Recital 68 DSA?) but rather a consequence of the DMA's Article 13(4) and (6) anti-circumvention clauses. Maybe the legislator intended for the gatekeepers to be under more stringent consent requirements? I don't think they did but the text itself doesn't make that theory unfounded given how Recitals 36 and 37 DMA are written to quickly shoot down any attempts at neutering Article 5(2) DMA (which was initially a ban entirely) and GDPR lacks some of that wording.
Ultimately though, the DPAs or even the CJEU probably won't concern themselves with such technicalities anyway (unless specifically raised by a controller). Sorry for the long-winded answer :P
*I noticed the EDPB and consequently my blogpost actually incorrectly refer to Article 7(2) and have fixed that.