
Indeed, I overlooked that the ICO took a different stance. I have to admit that I did not research this myself, I just took the word of the (top-tier) law firm back then.

> The decision that you link also seems very much at-odds with the text of the GDPR (in both the German and English versions):

>> (42) Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

I don't see why they should be at odds with the decision? Quoting:

"If a data subject does not give consent, the first consequence is that they can take out an O* subscription. This O* subscription is, as established, free of advertising, free of data tracking and free of the setting of third-party cookies. At a price of 6 euros per month from the second month onward, the O* subscription is also not a disproportionately expensive alternative."

It's obviously without question that one can charge something for a service rendered -- the newspaper does not have to offer this for free.

And in the above text, the authority then opined that charging 6 Euro for a monthly subscription to read a newspaper is not unreasonable, hence the decision to opt into tracking is a free one, because the alternative is simply to pay 6 Euro for a month's access.



Indeed, that is what they decided. However, I still find the interpretation very surprising.

The GDPR reads as if its authors had a different understanding. For example, the 'data minimisation' principle indicates that you should not be collecting personal data unless doing so would prevent the desired activity; serving an article, or even serving an article with adverts, can both be achieved without this data. There's also a question over whether the services are the same: a subscription appears to be materially different to one-shot access to an article, a question which is entirely overlooked in their analysis.

Beyond the weakening of 'detriment' to 'significant detriment' by reference to their pre-GDPR decisions, I also find the result unusual. The practical interpretation is that, if a user wishes to read 100 articles from 100 service providers all using this scheme, the cost of privacy is a significant detriment at €600. I am not confident that other data protection authorities will be as eager to jump to this same weakened interpretation.

There is probably a safer middle ground: giving the user the option to pay for either the article or the subscription, and allowing for either direct payment or payment by proxy through an advertising broker. In the latter context, the user's relationship and data-flow is controlled by the advertising broker, and the service provider needs no data relationship with the user. Of course, this shifts the controller liability into the advertisers -- something that they would probably prefer to avoid -- and I'm not aware of any services offering this or concrete decision on it yet.


> The GDPR reads as if its authors had a different understanding. For example, the 'data minimisation' principle indicates that you should not be collecting personal data unless doing so would prevent the desired activity

Indeed. It could reasonably be assumed that this is the main reason why the paid version does not use any tracking.

> There's also a question over whether the services are the same: a subscription appears to be materially different to one-shot access to an article, a question which is entirely overlooked in their analysis.

Well, the service is being offered on a monthly basis alone. The customer may only desire a one-shot access, but that offer is simply not on the table.

I may only be interested in one-shot access to [some-Netflix-movie], but the smallest access unit Netflix is willing to sell me is a month. Same goes for certain gym memberships, etc.

> The practical interpretation is that, if a user wishes to read 100 articles from 100 service providers all using this scheme, the cost of privacy is a significant detriment at €600.

Accessing 100 different service providers is on the customer, though?

Same example as above. Say the customer wants to watch just one movie on Netflix, Disney+, and 98 other providers, all charging $10/month. $1000 per month sounds a lot but that's entirely on the customer; they could also just spend only $10 and watch 100 movies on Netflix.



