As we’ve discussed previously, the GDPR significantly limits user consent as a basis for processing personal data. One interesting question is whether the new rules on consent will kill free apps in Europe. Free apps typically involve the offer of a service (the app) in exchange for access to personal data (whatever data the app siphons off from my phone, for example, per the terms of use that I probably didn’t bother reading). Under the GDPR, that may not be a bargain that I, as a consumer, am allowed to make.
Article 7(4) says that in evaluating whether consent is freely given, “utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract.”
Recital 34 is also illuminating: “In order to safeguard that consent has been freely-given, consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller . . . . Consent is presumed not to be freely given, if it does not allow separate consent to be given to different data processing operations despite it is appropriate in the individual case, or if the performance of a contract, including the provision of a service is made dependent on the consent despite this is not necessary for such performance.”
There’s a strong argument that the full range of personal data that free apps usually collect goes well beyond what’s necessary to perform the service. Take a free mobile phone game, for example. It may not be necessary to use any personal data to provide the game. Rather, the personal data is “needed” only for the game provider’s business model – to fund the free app, not to provide it in the technical sense.
Did the EU intend to kill free apps? We’ll soon see.