On the nature of the right to privacy

 November 28, 2023

In the last month, Meta has started to give their European users a choice between an account for their services paid in data or one paid in Euros. Today, noyb has filed a GDPR complaint against Meta over this behavior. Noyb has very good points to sustain their filing, but I don’t want to delve too much into those since those are very well explained in their press release. I think there is a deeper problem that they quickly touch but do not address directly, which is the interpretation of the kind of right that privacy is.

When I think about rights, I divide them based on the ability to waive them into the following five categories:

• Rights that need an action to be exercised: those rights are often knowingly or unknowingly waived since the right holder needs to do something specific to exercise their right. An example is the right to collect prizes as a consequence of collecting points.
• Rights that need a “simple” action to be waived: those rights are knowingly waived, but not always being aware of the value of what is being waived. An example would be the EULAs and all the other “I Accept” boxes that we are often prompted to accept daily.
• Rights that need a “clear” action to be waived: those rights are knowingly waived, and the user is fully aware of what is being waived but might be in a state of mind that is unfit for the decision. An example of this would be a financial transaction where the person sells something (i.e., waives their ownership right).
• Rights that need a “complex” action to be waived: those rights are knowingly waived, and the user is fully aware of what is being waived, is in the correct state of mind to understand the decision, and is acting in their free will. Examples of this happen every time a sanctioned individual is needed to be present (e.g., judges, notaries, doctors).
• Rights that can not be waived: those rights can not be waived even if the right holder wants to. Examples may vary based on the specific legal systems, and the most common one is usually the right to live.

Even though I divide rights into those five categories, people might divide them in different ways since this is a continuum, so every discrete categorization is (mostly) arbitral.

To understand how to place Meta’s rights waive request, we need to consider a few things:

• The user is prompted with the following options:
  • pay with data, whose value is hard to quantify for a user.
  • pay with money, whose value is easy to quantify for a user and similar to services like Spotify (or higher if the user uses multiple Meta services).
  • stop using the Meta services.
• The user is forced to decide immediately. There is no “ask me again in a few days”; therefore, the user is not allowed to think about it.
• The “pay with data” option is indicated as “your current experience”.
• The use of colors, words, etc., makes it more natural to opt for the “pay with data” option.
• Very limited (and only after clicking on a link) information on the differences between the options.
• There is an (obvious) power disparity between the user and Meta.
• Meta has already provided their services to the user in a way that is not compliant with the EU legal framework, and the user is probably unaware of this.

Due to all those reasons, I think Meta behaves as if privacy is a right of the second kind (waivable with a “simple” action).

Personally, I think this is not aligned with what the GDPR stands for since the GDPR specifies multiple times that the user needs to be clearly informed about the privacy implications, and the user needs to make their decision out of free will. I think there is a need for a more clearly defined set of characteristics that a lawful waive of privacy request should have, and I think the set should be something like this:

• The user is clearly informed about the various options and their implications.
• The user is able to postpone the decision for a (reasonable) amount of time.
• The decision should be “confirmed” with multiple actions of the user.
• The tradeoffs need to be “similar” in value for the requestor.
• In case of power disparity between the requestor and the requestee, a third party should at least review the waive request form.

Those considerations are not against noyb’s action since I think they have great points as well, just an additional point that they have not listed, probably due to the nature of their action (a data protection authority filling) that has certain rules that they have to stick with.