Pulsantiera di navigazione Home Page
Pagina Facebook Pagina Linkedin Canale Youtube Italian version
News
Legal news

DATA PROTECTION

Austria: Federal Administrative Court Confirms the Unlawfulness of the “Pay or Okay” Model under the GDPR.

In a recently published ruling, the Austrian Federal Administrative Court (BVwG) upheld the earlier decision of the Austrian Data Protection Authority (DSB), which had found that the newspaper DerStandard violated the GDPR by introducing the consent mechanism known as “Pay or Okay.”

Background

DerStandard was the first Austrian online news outlet to adopt this model when the GDPR entered into force, offering users a binary alternative:

  • consent to tracking for advertising purposes by hundreds of third parties; or

  • pay a monthly subscription of €9.90.

According to the evidence presented, while only 1–7% of users would normally consent to tracking when asked transparently, the “Pay or Okay” system induced approximately 99.9% of users to provide consent.

Decisions of the Authority and the Court

The DSB had already held the model unlawful, noting that DerStandard only permitted a global consent or refusal, whereas EU law requires the possibility of giving specific and selective consent for each processing purpose (so-called “granularity of consent”).
The BVwG has now confirmed this conclusion, declaring the consent obtained invalid and dismissing the newspaper’s appeal.

At the same time, the Court allowed an appeal to the Supreme Administrative Court (VwGH), as the issue is novel and has not yet been adjudicated by higher courts. It is highly likely that the matter will subsequently be referred to the Court of Justice of the European Union (CJEU).

Key Legal Points

  • Consent not freely given: Consent rates close to 100% demonstrate, according to the authorities, the absence of a genuinely free choice, contrary to Articles 4(11) and 7 GDPR.

  • Granularity required: Consent must relate to specific categories of processing and cannot be imposed on an “all-or-nothing” basis.

  • Political dimension: The DSB was initially perceived as reluctant to challenge the media sector. Nevertheless, both the Authority and the Court confirmed the GDPR violation.

  • Model actions and standing of NGOs: The Court rejected DerStandard’s reliance on an isolated Belgian decision alleging abuse of law by NGOs. In line with Austrian and German case law, the Court confirmed the admissibility and legality of such “model cases.”

Conclusion

The DerStandard case highlights the restrictive stance of Austrian case law on the validity of consent in the digital environment. The “Pay or Okay” model appears incompatible with the GDPR framework, as it effectively conditions the exercise of a fundamental right on the payment of a fee.
The forthcoming ruling of the Supreme Administrative Court – and potentially of the CJEU – will be decisive for the future of data monetization strategies and business models based on “alternatives to consent.”

Stampa la pagina