New EU privacy laws could ‘destroy’ the predominant ‘free-to-user’ business models of internet organizations, according to Professor Lilian Edwards, an expert in Internet Law from the University of Strathclyde.

In a two-part interview with Indivigital (the second part can be read here) she also stated:

Free-to-user business models are “contributory to destroying privacy and creating profiling and discrimination”;

Attempts by organizations to reacquire consent prior to the GDPR were often “completely unnecessary” and an example of “lawyers going crazy about risks”;

That “the definition of personal data in the modern world is beginning to swallow everything”;

That she’s “fed up” with people thinking consent is the only lawful basis under which organizations can process data; and

That SMEs making “good faith efforts” to comply with the GDPR are unlikely to be on the radar of data protection authorities.

She also highlighted what she believes are the “two biggest issues going right now,” namely:

Google and Facebook, to some extent, “playing games” by claiming in some circumstances that they are only a data processor rather than joint controllers; and

Inferences around personal data i.e. organizations inferring personal characteristics based on users’ online activities.

The end of free-to-user business models?

Professor Edwards comments on free-to-user business models were made in the context of free content provided by news organizations (which often rely predominantly on advertising revenues to finance their operations) as well as stricter rules under the General Data Protection Regulation (GDPR) around “freely given consent”.

According to Article 7(4) of the EU’s General Data Protection Regulation (GDPR):

“When assessing whether consent is freely given, utmost account shall be taken of whether…the performance of a contract…is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.

Commenting on Article 7(4), Professor Edwards stated:

“The argument is that by asking people to consent to collection of data for marketing [or advertising] you’re asking them to consent to something that isn’t necessary for the provision of something like [a news service]”.

In other words, the litmus test will be whether it’s found that the collection of personal data is vital to the provision of a free-to-user service.

“At some point [free-to-user platforms] will argue very strenuously that it is [necessary for the provision of a service], otherwise they’ll go bust…this [argument] is waiting like a bomb to happen”, she said.

“If [it’s] accepted at the top-level as it were that you can’t freely give consent to advertising because they are holding the service to ransom [i.e. a service can’t be accessed without sacrificing personal data], then the free-to-user business model is destroyed. It’s possible that the whole thing [Web 2.0] is about to become illegal”.

Business models based on monetizing personal data are “destroying privacy”

While she doubts a court will go that far, she also believes it’s ample motivation for providers to commoditize their content i.e. provide subscription services rather than relying on users’ personal data for monetization.

“That’s a good thing,” she said.

“[Monetization of personal data] is destroying our world: it’s destroying privacy, it’s creating profiling and discrimination, and all the rest of it. And you know what: why not move to a subscription model? It’s worked for Spotify. It can work”.

Professor Edwards views subscription models – where users pay to access content or services – as less legally contentious under the GDPR as they will likely rely less on monetizing personal data, or tracking users’ activities, than services dependent on personalized advertisements for revenue.

Subscription services can also more clearly determine which audiences they’re targeting e.g. by only selling subscriptions to non-EU users.

Since the GDPR, many prominent internet platforms and news organizations have made accessing content or services conditional upon a user sacrificing personal data.

While several platforms now request user consent to serve personalized advertisements, it’s evident that some are sending user data to third parties prior to consent being granted.

Earlier this month Dom Blacklock, head of strategy at the 7stars, told Digiday:

“Data targeting and first-party retargeting was certainly affected [by GDPR], with audiences dropping by up to 50 percent, and spend proportionally…but this is going back to normal sizes as users consent to the new terms and conditions”.

However, Digiday also notes:

“Not all retargeting is likely to be compliant. Everyone in advertising is hedging their bets when it comes to the GDPR, and it remains to be seen how it will fully impact programmatic [advertising]”.