The future of user consent: A discussion with Max Schrems
Published 10/15/2024 by Clara Verglas, 9 min read

Summary

On September 24th, our co-founder and CEO Romain Gauthier sat down with Max Schrems, renowned privacy lawyer and Chairperson at noyb, Peter Craddock, partner at Keller and Heckman, and Willy Mikalef, partner at Bird and Bird, to cover a breadth of topics about the current state of data privacy.

Keep reading for the main takeaways from the event, covering cookie banner guidelines from the EDPB, Pay or Consent, and artificial intelligence, or watch the recording on YouTube.

Exploring the updated EDPB cookie banner guidelines

The first topic of the event was the cookie banner taskforce that the European Data Protection Board created in January 2023, in reaction to noyb filing hundreds of complaints with 18 EU/EEA DPAs relating to the design of cookie banners.

This taskforce was a voluntary initiative to coordinate the response, and it issued a report focusing specifically on dark patterns, a type of deceptive practice aimed at tricking users by deliberately obscuring information, misleading, and deceiving them. You can learn more about the various types of dark patterns in our dedicated article.

The EDPB guidelines did not constitute guidance and were not comprehensive but merely informative, as rules regarding cookie consent and their application remain fragmented within the EU, with varying enforcement levels from one country to the next.

Willy Mikalef noted that the report highlighted several practices but did not provide clear, comprehensive instructions for organizations and that the EDPB failed to find a consensus on certain key issues:

“While there was hope from organizations that this document would harmonize regulators' expectations in terms of cookie banner design (...) the task force findings were rather general and often refer to a case by case approach.”

- Willy Mikalef, partner at Bird and Bird

As a result, cookie laws remain fragmented in the EU, and organizations must continuously monitor country rules and data protection authorities’ guidance to ensure compliance, with support from expert partners like Didomi or Bird and Bird.

To help organizations get a clearer picture of EU and national guidelines on dark patterns, noyb issued its own report on the topic. Max Schrems, as the Chairperson of the group, described the initial cases as motivated by a desire to harmonize the various rules surrounding cookies in the EU, and regretted that the EDPB report ended up illustrating the minimum threshold and not necessarily representing the reality at a country level:

“It's very hard to navigate because if you just read the report, you get the impression that a lot of stuff is kind of acceptable (...) it's quite unfortunate, to be honest.”

- Max Schrems, Chairperson at noyb

From a legal perspective, Peter Craddock, partner at Keller and Heckman, brought some perspective to the notion of dark patterns by arguing that what is sometimes considered a dark pattern (like the choice of colors for buttons in a consent banner) would merit further discussion and nuance:

“And I know I might be slightly controversial when I'm saying this, but basically, all interfaces that we're interacting with are misleading to some extent. Everyone wants to sell. So every supermarket you enter (...) The most expensive stuff is at eye level. That's normal. It's because they're trying to sell one particular version, ideally above something else. And so being able to promote certain options in a certain way isn't per se illegal.”

- Peter Craddock, partner at Keller and Heckman

After a back-and-forth between Peter Craddock and Max Schrems (check the recording for the full exchange), Romain Gauthier concluded that having a set of standardized principles would help everyone involved. 


Debating “Consent or Pay” models

The second part of the conversation was centered around “Consent or Pay” models, a topic we covered extensively at Didomi over the past year.

For context, the term came about in November 2023, when Meta introduced a paid subscription for Instagram and Facebook, allowing users to pay a fee in exchange for not being tracked on the platform. This model was challenged by noyb and others as not being legal under GDPR. The European Data Protection Board (EDPB) agreed, issuing an opinion earlier this year stating that simply offering users a binary choice between consenting to data processing for advertising or paying a fee is unlikely to meet the standards for valid consent.

As the conversation continues within the industry and more publishers start considering this type of business model, our conversation offered an interesting set of participants: Max Schrems, who founded noyb and is its Chairperson, and Peter Craddock, who frequently works with publishers in his role as a partner at Keller and Heckman.

Opening the conversation, Max Schrems gave his interpretation of why these models are so attractive:

“If you talk with newspapers, especially in the background, it's very largely an argument to say: ‘We still wanna actually make money with subscriptions, not with advertisement. Subscription is the one that we really want.’

And it's a good segue into subscription. You basically take a cookie banner and make it an advertisement space for subscriptions, by taking the reject button and basically making it a subscribe button.”


- Max Schrems, Chairperson at noyb 

Peter Craddock, on the other hand, introduced elements of nuance by arguing that organizations should be afforded the freedom to monetize their products and services:

“We see very often from the side of regulators and of some nonprofit organizations that this is about you selling your fundamental rights. (...) And I think that's a very unfair comparison, because it's like saying, well, I'm a bully, and I'm going to force you to pay.

Well, sorry, but services are commercial. (...) They need funding, and that funding can be through different means.”

- Peter Craddock, partner at Keller and Heckman

As the co-founder and CEO of Didomi, where our expertise lies in providing consent technologies to organizations, Romain Gauthier brought up the question of data: whether these strategies have an impact on opt-in rates, and the fact that data is often missing from the discussion:

“We do what we call consent analytics. It’s very interesting to notice that in every debate, something is missing, which is how many users are actually bouncing, leaving the website, which is another way to say no. (...) You can have a 99% consent rate, but, still, only 56% of people might have actually opted in because the rest has left the website for a long time.”

- Romain Gauthier, co-founder and CEO at Didomi

To access some of the data mentioned during the webinar, check out our 2024 consent collection benchmark, where we compiled valuable insights to paint a picture of consent performance around Europe.

As our panelists debated the legitimacy of Pay or Consent models, Willy Mikalef circled back to the EDPB opinion, highlighting the fact that the document from the European Data Protection Board has been considered by many as flawed in different areas:

“[The EDPB opinion] brings a lot of legal uncertainty, and most organizations, unfortunately, have to navigate through this uncertainty.”

- Willy Mikalef, partner at Bird and Bird

This section of the conversation on Consent or Pay was particularly enriching and packed with information. To enjoy the full scale of the discussion and the thought-provoking opinions from each side, we strongly recommend that you check the recording.

Considering the privacy implications of AI

The last part of the conversation revolved around artificial intelligence and data privacy, focusing specifically on the use of personal data for AI training, as explained by Peter Craddock:

“AI systems are based on training: You have to train an AI system in order to be able to lead it to work in a certain way.

And the discussion that we're having nowadays is what do we do with the training, in particular of LLMs, when it comes to the gathering of information? (...) Are we talking about personal data? Is personal data going into the training? Is then personal data being used within the machine itself? Is there personal data in the input that I'm providing? And is there personal data in the output?”

- Peter Craddock, partner at Keller and Heckman

Max Schrems introduced the work noyb has been conducting, challenging companies like Meta around the use of legitimate interest as a legal basis for collecting personal data for AI training. 

After some additional context and areas of reflection from Peter Craddock, Willy Mikalef added more information about the work done by the French Data Protection Authority (CNIL), which has been leading the way by providing a set of guidelines as a reference for AI data practices, and opening the topic on the use of legitimate interest across legislations:

“(...) With regard to the application of the GDPR to the different phases of the training of AI, of course, the key question is the legal basis. We all know that collecting consent in a GDPR-grade way is just not practicable.

We already see some national guidance saying that legitimate interest can be a possible legal basis, as the CNIL does, but the Dutch DPA says the contrary.

So it's very important that the discussion happens, in a very open manner, and that there are also public consultations, which follow a certain number of guiding principles, and we could look also at what our UK friends are doing with public consultation.”

- Willy Mikalef, partner at Bird and Bird

Following that point, Peter Craddock and Max Schrems brought the debate back to its inception, emphasizing the importance of determining first and foremost whether personal data is used in the training models of LLMs and other technologies.

To learn more, visit our blog post on balancing AI and data privacy, or jump to the specific section of the conversation.

The event was a real success, with hundreds of attendees and dozens of interactions in the chat, on top of the fascinating debate between our panelists. Make sure to stay tuned for future webinars and conversations with industry experts by signing up for our newsletter and following us on LinkedIn and X.