The Monopoly Report – Episode 47

The Datatilsynet's Tobias Judin on Consent
Host: Alan Chapell
Guest: Tobias Judin, Head of the International Section, Norwegian Data Protection Authority
Date: September 17, 2025

Overview

This episode dives into the complex landscape of cookies, consent, “pay or consent” models, and the evolving nature of digital advertising regulation in Europe. Alan Chapell talks to Tobias Judin of Norway’s Datatilsynet, a key voice within the European Data Protection Board (EDPB) about practical, legal, and philosophical challenges around data protection, user consent, and online ad business models. The conversation explores whether existing approaches are working, the risks and ambiguities of emerging solutions, and what innovation or regulatory course-correction may be warranted.

Key Discussion Points & Insights

1. The Role of Datatilsynet and the EDPB

Timestamps: [03:11]–[04:26]

• Datatilsynet’s role: Norway's authority on enforcing GDPR and providing compliance guidance, closely cooperating with other European regulators.
• EDPB's purpose: Harmonizes GDPR interpretation across Europe, produces guidance, and coordinates cross-border enforcement.
  • Quote – Judin:
    “Our job is essentially to ensure that we all interpret the GDPR in the same manner...so you can trust that the authorities will enforce the law in the way that it is interpreted in those guidelines.” [04:26]

2. Data Protection as Competitive Advantage

Timestamps: [05:57]–[09:01]

• Judin discusses the emerging understanding among consumers that data protection is a differentiator and can build brand trust.

• Companies observing increased customer attrition after breaches see the value of robust data handling.

  • Quote – Judin:
    “If you really do things by the book and earn people’s trust, then you can actually make more money off of your ads.” [08:23]

• The dominance of a few large companies in digital advertising sets unfavorable standards for everyone, creating ‘feudal’ dynamics.

3. Consent in Practice: Problems & Nuances

Timestamps: [09:01]–[13:17]

• While consent is a legal cornerstone, in practice the industry struggles:
  • Manipulative “dark patterns” and deceptive designs are widespread.
  • Consent is treated as a regulatory box-tick, leading to widespread “consent fatigue”—consumers indiscriminately click pop-ups rather than make informed choices.
  • Legitimate interest is discussed as a valid but underused alternative to consent for some types of data processing.
  • Quote – Judin:
    “No one has time to read all that information, just click a button, hope for the best. It’s quite complex.” [12:22]

4. Proportionality & Fairness in Data Use

Timestamps: [13:17]–[15:43]

• The problem: Similar consent is required for both intrusive (behavioral) and non-intrusive (contextual) ad targeting.
• Judin calls attention to the need for maintaining “fairness,” noting that large-scale data sharing (especially with third parties/foreign entities) could contravene GDPR’s fairness principle.
  • Quote – Judin:
    “Is this form of advertising the way it’s been carried out today...really consistent with the fairness principle? Is it really lawful under the GDPR? I’m not so sure.” [14:48]

5. Cookie Banners, Consent Fatigue, and Industry Resistance

Timestamps: [15:43]–[19:55]

• Chapell notes that “reflexive clicking” to dismiss cookie banners isn’t genuine data protection.
• Judin raises the possibility of outright bans on behavioral advertising, noting that the flood of pop-ups and user data exploitation is a direct consequence of the demand for behavioral ads.
  • Quote – Judin:
    “All of this recklessness is driven by the idea that we absolutely need to do behavioral advertisement and...collect as much data as possible.” [18:41]

6. Experimenting with Contextual-Only Ads

Timestamps: [19:55]–[21:23]

• Chapell voices support for Norway experimenting with a ban/limitation on behavioral ads, even if the results are uncertain.
• Both acknowledge risks: Norway’s small market size makes industry-wide effects uncertain, and publishers’ business futures are at stake.
  • Quote – Chapell:
    "If everything is contextual...and overall CPMs rise and you don’t have as much costs associated with data, then that’s a really interesting and worthwhile experiment to have.” [20:34]

7. "Pay or Consent" Models: Economic and Ethical Tensions

Timestamps: [22:08]–[26:56]

• The “pay or consent” debate arises from publishers’ struggle with shrinking ad revenues and tech platform dominance.

• Judin: Enabling “pay or consent” everywhere could harm data protection—if every site asks for payment to avoid tracking, meaningful consent disappears.

  • Quote – Judin:
    “If everyone can have consent or pay...what kind of data protection rights are you left with right, if you always need to accept, because you’re not going to pay €5 for every website, what’s left of your data collection?” [25:32]

• The challenge for regulators: If you allow large, “worthy” publishers to do it, how do you justify prohibiting smaller publishers?

8. The Intersection of Competition and Data Protection

Timestamps: [26:56]–[29:54]

• Chapell observes that privacy and competition are now inextricably linked, especially given big tech’s market power.
• Judin replies that data protection regulators are not equipped (or permitted) to make economic/policy judgments on business models or which publishers “should” survive.
• GDPR only allows regulators to judge whether consent is “freely given.”

9. Scale, Risk, and Enforcement Priorities

Timestamps: [32:14]–[35:06]

• Enforcement is risk-based, prioritizing data quantity, data sensitivity, and the vulnerability of data subjects.
• Asymmetrical regulation (e.g., DMA, DSA) is emerging, focusing attention on the largest players due to their outsized impact.
  • Quote – Judin:
    "We have these companies that are so powerful in part because they have so much data. So then it makes sense for us to actually focus our efforts towards them.” [35:27]

Notable Quotes & Memorable Moments

• On consent fatigue and the failure of the current model:

  “The idea that consumers...are just now reflexively hitting a button to get the pop up to stop is not data protection. I don’t know what it is, but it certainly isn’t data protection.”
  — Alan Chapell [16:45]

• On the industry’s “recklessness” with user data:

  “All of this recklessness is driven by the idea that we absolutely need to do behavioral advertisement and we need to collect as much data as possible and...do so without any limitation.”
  — Tobias Judin [18:41]

• On whether “pay or consent” actually saves publishing:

  “I do question whether online behavioral advertising is a long term sustainable income model. And that is because the big tech players will continue to take a larger and larger proportion of the revenue. So it doesn’t really save you.”
  — Tobias Judin [24:01]

• On regulators’ limits:

  “We don’t want to be the ones speaking about what kind of business model you should have...That is not regulated by the gdpr, it’s completely beyond our remit.”
  — Tobias Judin [30:09]

• On scale and enforcement:

  “Do you have a lot of data? But also what is the nature of the data? Is it special category data, is it sensitive? Is it location financial data? Okay, we’re going to be more interested in that.”
  — Tobias Judin [33:23]

Key Timestamps

• 03:11 – What is Datatilsynet?
• 04:26 – The European Data Protection Board explained
• 06:17 – Data protection as competitive advantage
• 10:22 – Consent’s challenges in practice
• 13:17 – Fairness, proportionality & difficulties with the status quo
• 17:41 – Industry’s failure to address rising risks in data sharing
• 19:55 – Should Norway experiment with banning behavioral ads?
• 22:08 – The “pay or consent” dilemma for publishers and regulators
• 26:56 – The interplay of privacy, competition, and economic sustainability
• 32:14 – How size and risk inform enforcement priorities under GDPR
• 35:06 – Asymmetrical regulation and its implications

Summary Takeaways

• Both guest and host agree: The current consent-driven model in EU digital advertising is deeply flawed and unsustainable, fostering “consent fatigue” and undermining real data protection.
• Regulation is caught between supporting publisher survival and maintaining robust privacy standards; no silver bullet exists.
• “Pay or consent” models may simply delay inevitable publisher contraction rather than provide long-term relief.
• There is cautious optimism for regulatory experimentation, with the caveat that any solution must avoid being co-opted or exacerbating inequalities.
• Data protection authorities prioritize enforcement where impact is highest—large data holders, sensitive data, and vulnerable populations.
• Ongoing developments, such as new EDPB guidance and changes to competition law (e.g., DMA), could soon reshape digital advertising and privacy practices.

For further episodes and analysis, subscribe at monopolyreportpod.com.