A Brussels think tank published a careful, well-sourced paper this February diagnosing a genuine failure in European data policy. The diagnosis is largely accurate. The remedy the paper proposes would, in practice, make privacy fully available only to those who can pay for it.
A diagnosis most people agree with
In February 2026, economists Paul Heidhues, Nick Jacobson, Giorgio Monti, and Fiona Scott Morton published a Bruegel working paper titled “Europeans Should Be Allowed to Trade Personal Data.” Bruegel is an established Brussels economic think tank with direct influence over EU policy formation. The authors are credentialed: Scott Morton is a former Chief Economist of the US Department of Justice Antitrust Division; Monti is a professor at the European University Institute’s Robert Schuman Centre.
Their starting point is accurate. European platforms — primarily the advertising arms of Google and Meta — extract substantial economic value from personal data while offering users neither meaningful consent nor direct compensation. The current system is not equitable, and it is not, in the EDPB’s consistent view, genuinely GDPR-compliant. The policy debate, the authors argue correctly, has become trapped between two unworkable positions: privacy advocates demanding the effective end of personalised advertising, and platforms demanding unfettered data access. A regulated middle ground is needed.
Their solution is a three-tier menu. Regulators would require platforms to offer: a zero-fee option with minimal data processing; a subsidised option in which users accept intensive tracking in exchange for a benefit; and a paid option with no data collection at all. The paper cites a 2025 policy discussion paper by Monti and co-authors for the concrete model design.
The proposal is coherent. It is also, on close examination, a framework for converting a fundamental right into a product line.
Three options, three income brackets
The three tiers are presented as expanded choice architecture — users select the privacy level that suits them. Mapped against economic reality, they describe three access conditions stratified by income.
In the first tier, users pay nothing and accept minimal data processing. The paper is explicit about a structural consequence of this default: “when a default allows users to access a platform’s free service in a more private way, the platform will have a financial incentive to encourage more data sharing.” The proposal contains no regulatory floor on the quality of this tier. The platform need not actively degrade it — product investment simply flows elsewhere. Features improve in Tier 2; Tier 1 does not keep pace. A default that the platform is structurally incentivised to make comparatively less attractive is not a protected privacy option. It is the starting position in a negotiation in which one party holds all the cards.
In the second tier, users accept intensive tracking in exchange for a subsidised service. The paper describes this as compensation. But what is being exchanged is the legal right to privacy under Article 8 of the Charter of Fundamental Rights of the European Union and under the GDPR. The user does not receive cash. They receive a reduced bill, denominated in euros, on a service they previously accessed for free. The economic value generated by that tracking — the advertising revenue those data flows produce — remains with the platform. The user gets a discount; the platform keeps the margin. This is the tier designed for users who find Tier 3 too expensive and Tier 1 too degraded to accept. In income terms, it is the tier for those who cannot afford to say no.
In the third tier, users pay a subscription fee to access the service without data collection. The paper describes this as something platforms “may also offer” — not a mandatory element of the menu, but an optional addition at the platform’s discretion. Full privacy is therefore not only priced; it is contingent on the platform choosing to offer it.
| Tier | Cost to user | Privacy outcome | Who uses this tier | What it produces |
|---|---|---|---|---|
| Zero-fee | Degraded service utility; no monetary outlay | Minimal tracking | Privacy-conscious users and those priced out of Tier 3; structurally incentivised to migrate upward | A floor the platform has no regulatory obligation to maintain |
| Subsidised | The fundamental right to privacy, exchanged for a service discount | Intensive tracking | Users priced out of Tier 3 who need more than a degraded Tier 1 offers | Surveillance institutionalised as the working compromise for those who cannot afford the alternative |
| Paid | Monthly subscription fee; offered at platform discretion — not required by the proposal | No tracking | Users for whom the fee is an affordable discretionary cost | Privacy as a premium product — a right already conferred by law, available here at a price |
The three-tier model achieves the income stratification of a fundamental right. The framing is user autonomy. The structural outcome is that surveillance becomes the default condition for users who cannot afford to avoid it.
The labour analogy and where it breaks
The paper’s central intellectual move is an analogy with the labour market. Europeans have a fundamental right to freedom of movement. Employment contracts restrict that freedom. Yet employment is not treated as a violation of fundamental rights, because the restriction is voluntary, regulated, and compensated. The authors argue the same logic applies to personal data: trading a right for compensation in a regulated market is not inherently a violation.
The analogy holds up to a point. It does not reach as far as the paper implies.
A worker who accepts an employment contract gives up freedom of movement and receives wages. Wages are cash — fungible, transferable, spendable on anything, including other exercises of freedom. The worker gains genuine economic independence from the transaction.
A Tier 2 user who accepts intensive tracking receives a discount on the service that is tracking them. The compensation is non-fungible: it cannot be transferred, saved, or spent outside the platform extracting the value. The surplus generated by the data sharing stays within the platform’s advertising system. What the user gains is a reduced invoice on something that, under the previous arrangement, cost them nothing.
More fundamentally: labour law governs a negotiation for compensation that workers did not previously hold by right. GDPR already confers the right to privacy. The question is not whether an employment contract can attach conditions to labour — it can, within limits. The question is whether a regulatory framework can be designed that starts from an existing legal entitlement and creates a market structure that erodes it unless the rightsholder pays to maintain it. That is not the same mechanism. It is closer to a toll on a right the law has already declared.
The labour analogy would hold if Tier 2 users received cash. The paper does not propose cash.
What regulators have already concluded
The regulatory framework has already addressed the core question directly — in documents the paper cites.
The European Data Protection Board’s Opinion 08/2024, published in April 2024, is listed in the Bruegel paper’s bibliography. The paper references it in a footnote as having “conveyed mixed messages,” focusing on an element that appeared to permit platforms to charge a reasonable fee for an ad-free alternative. What the paper does not quote is the opinion’s central finding on consent: “In most cases, it will not be possible for them to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.” The EDPB Chair stated the underlying principle plainly: “Controllers should take care at all times to avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy.”
That sentence describes the outcome the three-tier model produces. It is in the paper’s own bibliography.
The European Commission’s DMA enforcement decision against Meta, issued on April 23, 2025 and also cited in the paper, imposed a €200 million fine. The specific finding: Meta’s model did not give users a genuine third option — a free, reduced-tracking version of the service equivalent in quality to the full product. That requirement — a real free option with no service degradation — is precisely what Tier 1 is supposed to be. The Bruegel proposal creates no regulatory mechanism to make that option real.
Meta challenged the EDPB opinion in the General Court of the EU (Case T-319/24). The Court dismissed the challenge on April 29, 2025, leaving the EDPB’s substantive position intact. Meta has since appealed to the Court of Justice (Case C-454/25 P, filed July 2025). The platform’s litigation posture indicates exactly how much is at stake in the question the Bruegel paper is attempting to resolve through market design.
The personal data currently in circulation about you exists independent of how the regulatory debate resolves. A Mirror investigation maps what is already findable, attributed, and cross-referenced — under the rights framework that still stands.
Talk to an AnalystThe Digital Omnibus: the architecture is already moving
The paper references the European Commission’s Digital Omnibus — the November 2025 simplification package — and notes it falls short of the comprehensive data market framework the authors advocate. What the paper does not examine is what the Omnibus is already doing to the underlying architecture.
Three elements are directly relevant.
First, the Omnibus proposes to narrow the legal definition of personal data. Under the proposed amendment, data is no longer “personal” if the entity holding it does not have “means reasonably likely to be used to identify” the individual — regardless of whether another party could re-identify the person from the same dataset. Pseudonymised records, which currently carry GDPR protections, begin to fall outside the regulation’s scope at the moment of transfer. The boundary of what requires consent before processing is contracted by definition.
Second, the Omnibus introduces Article 88c, creating an explicit legitimate interest basis for processing personal data to develop and operate AI systems. Commercial processing of personal data for AI development no longer requires a user’s consent — it requires a balancing exercise and a right to object that users must actively invoke. The default shifts from protected to permitted, and the burden of maintaining the right moves from the platform to the individual.
Third, the Omnibus repeals the Data Governance Act entirely and folds its provisions into the Data Act. The DGA was structured around data governance and user rights. The Data Act is structured around market access and commercial data flows. Legal analysis of the consolidation has described the shift as moving away from “a governance- and rights-centred paradigm toward a pro-industry regulatory model.” The framing is administrative simplification. The effect is architectural.
These changes narrow the definition of what requires protection, lower the threshold for commercial processing without consent, and restructure the institutional framework toward market priorities. The Bruegel paper and the Digital Omnibus are reading from the same brief — the paper says the Omnibus does not go far enough. That position makes more sense once the Omnibus’s own direction is named plainly.
Who are “Europeans” in the title?
The paper’s title — “Europeans Should Be Allowed to Trade Personal Data” — contains an ambiguity worth naming.
The paper’s own figures indicate that Google and Meta combined generated €149 billion in net income in 2024, with an estimated €30 to €45 billion earned in Europe. This is cited as evidence that data has substantial value, and that users should share in it through a regulated market.
Under the three-tier model as designed, the distribution of that value is as follows. Tier 1 users receive a free service on a quality trajectory the platform has no obligation to maintain. Tier 2 users receive a discount on a service they previously accessed for free, funded by advertising revenue that remains within the platform’s system. Tier 3 users pay a subscription that, where offered at all, represents an additional revenue line for the platform.
The surplus is not redistributed. It is formalised. The platform retains the advertising inventory, the data infrastructure, and the margin generated by users who migrate from Tier 1 to Tier 2. What individual European users gain is a structured choice between three access conditions — two of which leave the platform’s economic position unchanged, and one of which requires paying to maintain a right EU law already confers.
“Europeans” in the title are, in practice, primarily the European-registered legal entities of the platforms that would gain a regulatory framework legitimising their advertising model. Individual European citizens — the subjects of the fundamental rights the GDPR was designed to protect — gain a menu in a market designed by and for the parties with the most to gain from its existence.
The gap between diagnosis and remedy
The paper’s diagnosis is accurate: current data markets extract value from users without genuine consent or compensation, and the regulatory framework has produced no functioning alternative. The authors are correct that a total ban on personalised advertising would eliminate real value without achieving the redistribution it implies.
The gap between that diagnosis and the proposed remedy is structural. Genuine redistribution of value from platforms to users would require cash payments, not service discounts. It would require a regulatory floor preventing the degradation of privacy-protective tiers. It would require no bundling of consent with service access at all. Each of these conditions would require platforms to restructure business models that currently generate the profits the paper treats as evidence of data’s value.
Market design that does not address the underlying power asymmetry reproduces the asymmetry with more orderly documentation. The EDPB said it plainly, in a document the paper cites: controllers must take care not to transform the fundamental right to data protection into a feature that individuals have to pay to enjoy. The Bruegel proposal creates a regulated market in which that transformation is the intended outcome.
Sources
- Heidhues, P., N. Jacobson, G. Monti and F. Scott Morton (2026) “Europeans should be allowed to trade personal data,” Working Paper 02/2026, Bruegel. doi.org/10.64153/QHXP9557
- EDPB Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, April 2024. edpb.europa.eu
- European Commission, “Commission finds Apple and Meta in breach of the Digital Markets Act,” 23 April 2025. ec.europa.eu/commission/presscorner
- General Court of the EU, Case T-319/24, Meta Platforms Ireland v EDPB, dismissed 29 April 2025.
- Court of Justice of the EU, Case C-454/25 P, Meta appeal against T-319/24, filed July 2025.
- European Commission, Digital Omnibus Package, 19 November 2025. digital-strategy.ec.europa.eu
- Taylor Wessing, “The EC’s Digital Omnibus proposal — re-writing the EU’s digital rulebook,” November 2025. taylorwessing.com
- MediaLaws, “The Data Omnibus: The Good, the Bad, and The Ugly Behind the DGA and Data Act Rewrite.” medialaws.eu