Given the background of the GDPR and its tie-in ban, the Austrian Data Protection Authority presumed as voluntary and therefore valid an individual's consent to accepting advertising cookies in order to use an online news platform for free.

In order to be valid, consent to the processing of personal data must be given voluntarily for the specific case, in an informed manner and unambiguously by way of a statement or other clear affirmative action. In judging the voluntariness, the GDPR insists that maximum consideration be given to whether, i.a., performance of a contract, including the processing of a service, depends on consenting to the processing of such personal data as are not required for performing the contract. This limitation to the use of consenting under data protection law is known as a tie-in ban.

A complaint to the Data Protection Authority was based on the following situation: the appellee runs an online community on her website on which she publishes daily, among other things, various journalistic articles. When first opened, the website displays a window that offers the choice to consent to the use of cookies for web analysis and advertising purposes or, alternatively, to use the website without cookies and adverts by entering into a paying online subscription. The appellant argued that the consent cannot be given voluntarily in line with the GDPR principles. On 30 November 2018 (DSB-D122.931/0003-DSB/2018), the Data Protection Authority rejected the complaint (which decision has since become final and binding).

The Authority found that there was first of all the need to examine the legal grounds for setting cookies under Section 96 of the Telecommunications Act (TKG) of 2003: since this law refers to consent-giving, the concept of consent needs to be judged in line with the GDPR when systematically interpreted, since the TKG 2003 does not have an appropriate definition.

As to the voluntariness criterion, the Data Protection Authority, in addition to the tie-in ban, noted that the risk of considerable negative consequences precludes voluntary action; the individual must not suffer any substantial disadvantage when he or she does not consent. In the specific case, the refusal to consent opens the choice to enter a paying online subscription free of advertising, data tracking, and cookies, at a not disproportionate (in the view of the Authority) cost. Moreover, the user can avail him or herself of alternative sources of information. Moreover, in connection with the unlimited access to the website opened up by the consent it needs to be considered that an action may be voluntary when a certain processing step clearly benefits the individual taking such step. This was the case here and the consent therefore needs to be judged to have been voluntarily given.

The ruling of the Data Protection Authority is highly welcome given the discussion of whether the business model of (supposedly) free online services can be continued after the GDPR has become effective: in the Authority's view, the tie-in ban does not per se contradict an obligatory consent to the setting of cookies or the processing of personal data for advertising or analytical purposes without which a service cannot be economically offered. This appears to confirm the widespread opinion that a tie-in is permissible when the provider of the (supposedly) free service itself offers equivalent alternatives (even against payment) without the need to consent.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.