Article 7(4) says that in evaluating whether consent is freely given, “utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract.”
Recital 34 is also illuminating: “In order to safeguard that consent has been freely-given, consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller . . . . Consent is presumed not to be freely given, if it does not allow separate consent to be given to different data processing operations despite it is appropriate in the individual case, or if the performance of a contract, including the provision of a service is made dependent on the consent despite this is not necessary for such performance.”
There’s a strong argument that the full range of personal data that free apps usually collect goes well beyond what’s necessary to perform the service. Take a free mobile phone game, for example. It may not be necessary to use any personal data to provide the game. Rather, the personal data is “needed” only for the game provider’s business model – to fund the free app, not to provide it in the technical sense.
Did the EU intend to kill free apps? We’ll soon see.