Is there any merit in the argument "this data processing is required for my business model so it is strictly necessary in terms of data protection"?

Question

The company BlockAdblock has an argument that their anti-adblock script is compliant with EU data protection law. It is quite long and has many somewhat unrelated aspects, and I certainly do not want to get into the specifics of the case. There is one argument in particular that refers to the ePrivacy Directive’s “Cookie Law” exceptions that raises a question for me:

Number two explicitly states that the law does not apply when the storing of data is “strictly necessary” in order for the provider to provide the service.

Here in the real world of non-taxpayer funded entities, one typically counts the existential financial viability of a newspaper among its necessities. If without advertising revenue the “service” itself would cease to exist, then the defense of vital and life-sustaining revenue streams are clearly “necessary” to provide the service. So even if anti-adblock defenses did “store” and “access” locally stored information (which they do not), it would appear that the ePrivacy Directive would protect the right to store and access data when said actions are “necessary” to provide the service.

Is there any merit in this sort of argument? Does "data processing X is required for my business model" a valid argument that "data processing X is 'strictly necessary' in terms of EU data protection law"? It seems to me that it is always possible to construct a business model that requires any specified level of data processing. If the mere existence of such a business model makes the data collection legal then there is no protection at all.

Answer 1

"Article 5.3" here means the following from the ePrivacy Directive, 2002/58/EC, as amended amended by Directive 2009/136/EC.

Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

So we are talking here about whether local storage and access by anti-adblock technology is "strictly necessary" in order to provide the website experience.

In the context of cookies, there is authoritative guidance in an opinion, 00879/12/EN WP 194, of the "Data Protection Working Party". This is not binding as law, but national authorities responsible for administering the Directive are meant to follow the guidance. (The DPWP was given authority in this arena by Article 15(3) of the 2002 Directive. It has since been replaced by the European Data Protection Board, but the role here is the same.) According to that opinion, "strictly necessary" has a restricted meaning: it is about the technical functionality of the website, not the business model behind it. For cookies, the tests corresponding to the clause in 5(3) above are:

1. The information society service has been explicitly requested by the user: the user (or subscriber) did a positive action to request a service with a clearly defined perimeter.
2. The cookie is strictly needed to enable the information society service: if cookies are disabled, the service will not work.

In this vein, third-party advertising cookies are likely to fail the test, but other kinds of cookies used to remember user preferences or device video capabilities may be OK. (This is described in more detail in the document.) The extensive reasoning demonstrates that the business model of the website provider is not at issue for this clause: it it was, then all sorts of things would be exempted, just because a business is making money from them. The same reading of this phrase should carry across to other kinds of local storage or access within the scope of Article 5(3).

The other thing going on here is that anti-adblock technology, whether it involves access to local storage or not, is effectively functioning by forcing the service not to work, when it otherwise would. Does this render a cookie "strictly necessary"? This is the same territory as so-called "cookie walls". National authorities have differed in their approach and it is not possible to say definitively whether an anti-adblock wall is permissible. There is slow movement towards a new EU law, an "ePrivacy Regulation", which would cover this topic - but that has yet to happen at the time of writing.

Answer 2

No.

when storing/accessing is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service

(Sometimes known as 'CRITERION B', by the way.)

Meaning:

1. the subscriber or user did some positive action to request a service;

2. the storing/accessing is necessary to provide the service, either for legal compliance or because if cookies are disabled then the service will not work.

The UK's Information Commissioner's Office says of this:

It is important to remember that what is ‘strictly necessary’ should be assessed from the point of view of the user or subscriber, not your own [the service provider]. So, for example whilst you might regard advertising cookies as ‘strictly necessary’ because they bring in revenue that funds your service, they are not ‘strictly necessary’ from the user or subscriber’s perspective.

The advertising cookies are not related to a service or functionality explicitly requested by the subscriber or user, therefore they are not exempt under that criterion. They require consent from the subscriber or user.