Freedom, Power and Contestability: Interactions between Article 5(2) DMA & GDPR

As DMA enforcement moves forward, questions about the interpretation of the DMA’s specific provisions are starting to arise. The European Commission initiated formal proceedings on 25 March 2024 to investigate Meta’s “pay-or consent” model, introduced for Facebook and Instagram in November 2023. This sparked a significant debate about the interpretation of Article 5.(2) DMA. This provision allows gatekeepers the right to combine and process certain types of personal information, as long as users are given a choice and valid consent. To ensure contestability, the DMA’s Recital 36 clarifies that “gatekeepers” should allow end users to freely opt-in to this data processing by offering them a less personalized but equivalent alternative. According to preliminary findings from the ongoing investigation by the Commission, Meta’s model, which offers users a binary option between free access to Facebook or Instagram without personalised advertisements and a paid version of these services, violates Article 5(2) DMA. This is because the model does not give users the option to choose a service which processes less personal data, and it restricts their freedom to consent. Can individuals freely consent to the processing of their data when dealing with powerful entities such as gatekeepers or dominant companies? And can granting users more freedom shift the balance of power, potentially fostering pro-competitive outcomes and market contestability?

Although understanding the interplay between power and freedom is crucial from the perspectives of the DMA, competition law, and the GDPR, this relationship has yet to be thoroughly explored. Discussions under the GDPR on power imbalances and how they impact free consent have mostly focused on employment or interactions with public authorities. The question about imbalances caused by economic power more specifically arose in the legal saga initiated by the Bundeskartellamt’s Facebook decision

issued in 2019, which concluded recently with Meta implementing a set of measures, and it was central to the CJEU’s 2023 ruling in Meta and Others v Bundeskartellamt. The judgment provided some clarifications but the arrival of DMA is a timely and needed impetus to a deeper reflection. This would benefit the DMA, as well as the enforcement of competition laws and the GDPR. Is the DMA’s interpretation in line with the GDPR, and how does it relate to power? It is important to ensure compatibility, as the GDPR’s concept consent is explicitly referenced in Article 5(2) of the DMA. This explicit reference to GDPR is a positive step towards coherence, but a unified enforcement approach by the relevant enforcement authorities remains crucial for legal clarity and predictability. The remainder of this article will compare the DMA’s approach to the requirement for free consent with the GDPR’s, as interpreted by the recent opinion of the European Data Protection Board on the pay or consent model and the 2023 Meta judgement mentioned earlier. The Meta case, which examined the interactions between GDPR and practices of undertakings in a dominant position rather than those who have a gatekeeper role, offers valuable insight into the GDPR perspective on the relationship between individual freedom and economic power. The DMA does allow certain forms of data collection and processing, as long as users consent. According to Article 4(11), GDPR, this consent must be valid, free, specific, informed and unambiguous. In an interesting twist, when drafting the DMA, policymakers initially considered prohibiting gatekeepers from accumulating personal data, but ultimately decided that this was disproportionate. They chose to give the users control, assuming agency – and thus freedom – could still be exercised in spite of the clear power imbalance between individuals, gatekeepers, and other parties. In the Meta case the CJEU held a similar opinion, stating that dominance and therefore a power imbalance “doesn’t, as such prevent the users (…) validly giving consent” (para. 147). Both the DMA and the GDPR can thus be interpreted as operating on the assumption that consent can be freely given to a powerful undertaking.

‘Equivalent alternative’ as a mechanism for correcting power imbalance

However, both the DMA and the GDPR, impose certain conditions. To ensure contestability, according to the DMA’s recital 36, “gatekeepers must allow end users to freely select

a less personalized but equivalent alternative” to ensure contestability. The DMA believes that providing an equivalent alternative is one of the most important – if it is not the most important – ways to correct the power imbalances between gatekeepers, and individuals. This will ensure that the free consent requirement has been met. The investigation by the Commission into Meta shows that the requirement to provide an alternative is taken very seriously. 148). The Court also noted that a dominant situation “may create a clearly imbalance

favoring, inter alia the imposition conditions that aren’t strictly necessary for performance of the contract” (para. 149). In such cases, individuals should not “be obliged to refrain completely from using the service” and should be given a “equivalent alternative” that does not involve data processing operations. 150). Both the DMA and GDPR appear to assume that consumers will suffer if they are denied access to a powerful undertaking. This could be a gatekeeper, or a dominant company. In its opinion on the consent or pay model, the EDPB outlines some examples of individual harm that can occur when people are unable use a service which is integral to their everyday lives and plays a prominent role. Based on the EDPB’s interpretation of detriment and the conditions under which it arises, it is challenging to envision situations in which individuals would not experience detriment when denied access to a powerful undertaking.

Interestingly, the EDPB’s 2020 Guidelines on consent

– which the DMA seems to be aligned with – assert that consent cannot be considered free if a data controller claims that there are choices available in the market, for example an alternative equivalent service provided by another undertaking. Freedom of choice and consent cannot be dependent on the actions of another firm. Therefore, the solution to ensure free consent in contexts characterised by power imbalances is to provide an equivalent, less personalised alternative.

[…]What about charging a fee for an equivalent alternative?

But can such an equivalent alternative be offered for a fee? The DMA doesn’t explicitly prohibit the imposition a fee. However, the Commission’s investigation suggests a restrictive interpretation of Article 5(2) DMA, favouring the provision of a free alternative.[…]Is this restrictive interpretation consistent with the GDPR’s approach to fees? In the Meta judgement, the Court allows the possibility of offering a similar alternative “if necessary for a fee appropriate” (para. The emphasis is on 150. Unfortunately, the Court doesn’t clarify when a charge might be necessary. The Court’s statement can also be interpreted as meaning that a fee could be justified in other circumstances, even if companies pursue an ad-based business model. The Court’s statement could also be interpreted to mean that a charge might be justified in other situations, even if businesses pursue an ad based business model. This raises the following question: In situations where consent and contract is not bundled, will it still be necessary for an equivalent alternative to be provided? While it seems reasonable to conclude that this would indeed be the case, the Court’s ruling does not provide complete clarity on this point.

Regarding the EDPB’s position on the necessity of a fee, it emphasizes that a dual choice – pay or consent – should not be the default for large online undertakings. The EDPB recommends that firms offer a third, less-personalised or nonpersonalised, free option. At the same time, the EDPB acknowledges that the necessity of a fee is to be assessed on a case-by-case basis, leaving room for scenarios where pay-or-consent models could be legal – even though such scenarios are likely to be rare.

Interestingly, the DMA, by requiring the alternative service to be provided free of charge, adopts a stricter stance on the interpretation of freedom of consent than the GDPR, which does not impose an absolute prohibition on pay-or-consent models. The DMA’s more strict approach could be explained by its goal to ensure market contestability. Although pay-or consent models offered by large enterprises might not always violate the individual’s freedom (even though they would in most circumstances due to significant power differences), such models are problematic for contestability. When users are only given a choice between two options, it is possible that a small number of people will choose the paid option. When faced with dual choices, empirical evidence indicates that nearly all users opt for the free option. This poses a significant risk that, if pay-or consent remains legal for gatekeepers and the status quo is maintained, contestability will not be realized. The GDPR and the DMA are in harmony from the perspective of coherence. The DMA’s stricter approach is not in conflict with the GDPR. Data minimisation: preventing a clash between the DMA & GDPR

While the DMA & GDPR appear to have a similar approach to the relationship between individual freedom and economic power, there is a potential conflict in relation to the data minimisation principle. This principle is enshrined at Article 5(1)(c), GDPR. It requires that data are ‘adequate, pertinent and limited to what’s necessary for the purposes they’re processed’. Article 5(2) DMA seems to grant permission to collect various types of data to personalise advertising, if valid consent is obtained. The CJEU’s Schrems V Meta

judgment, issued on 4 October 2024, addressed, among other things the data minimisation concept in the context targeted advertising. The CJEU highlighted that Meta’s collection and use of data about Facebook users outside the social network was ‘particularly extensive’ as it involved potentially unlimited data. 62). The Court also noted that “the indiscriminate usage of all personal data held by social network platforms for advertising purposes” (para. The Court found that the use of personal data for advertising purposes by social networks is a serious violation of fundamental rights. This is a significant conclusion, not only for DMA enforcers. Article 5(2) can’t be interpreted as meaning that a gatekeeper may collect and process data without restriction as long as he has valid consent. The interpretation of DMA should take into account GDPR and CJEU case law. This issue should either be clarified by the High-Level Group envisaged in the DMA, or through bilateral discussions between data protection authorities.