By Decision of 11 November 2020 (C-61/19), the Court of Justice of the European Union (CJEU) specified the conditions applicable to obtain a GDPR compliant consent.
Indeed, the Court ruled that the data subjects’ consent to the processing of their personal data was not valid in the following cases:
- where the controller (i.e., Orange România) pre-ticked the consent box referring to a clause contained in a contract and stating that the customer has consented to the collection and storage of their personal data (in this case, their identity document); or
- where it was not clear as to whether individuals could refuse the processing operations without suffering any consequences on the possibility to conclude the service agreement; or
- where the individuals’ freedom of choice could be affected by requiring the individuals to complete an additional form to refuse the processing of personal data
The Court also recalls that :
- the data controller must demonstrate that the data subject has, by active behaviour, given his or her consent to the processing of his or her personal data; and
- it has provided beforehand information relating to all the circumstances surrounding that processing, in an intelligible and easily accessible form, using clear and plain language, so that the individual easily understands the consequences of that consent, so that it is given with full knowledge of the facts.
While the GDPR provides for most of the conditions set out above, the Court has set new standard whose contours are not always clear.
1. The Facts & Procedure
On 28 March 2018, the Romanian Data Protection Authority, imposed a fine on the company Orange RomâniaSA, a mobile telecommunication service provider in Romania, for collecting and storing copies of its customers’ ID documents without their express consent.
According to the Authority, between 1 and 26 March 2018, Orange România concluded mobile telecommunication service agreements with its customers containing a clause stating that customers have been informed of, and have consented to, the collection and storage of a copy of their identity documents for identification purposes.
However, Orange Romania pre-ticked the consent box relating to that clause before the customers signed the contract.
Also, where the customers did not want to consent to that data processing operations, Orange România required them to declare in writing that they did not consent to the collection and storage of a copy of their ID documents.
The Tribunal București (Regional Court, Bucharest, Romania) requested the Court of Justice to specify the conditions under which GDPR consent is valid.
2. The European Court Sets Its Standards For A Valid GDPR Consent
The Controller should provide sufficient information that allows the individuals to understand the consequences of their consent so that they have full knowledge of the facts
The European Court ruled that the controller must provide the individual with a prior-information relating to all the circumstances surrounding these processing operations (…) allowing that person easily to understand the consequences of that consent so that it is given with full knowledge of the facts.
However, the Court did not specify what”all the circumstances surrounding the processing operations” or “the consequences” of consent should mean and set its standard by requesting that the controller ensures the individuals have provided their consent with full knowledge of the facts.
Given the present case, the Court may have meant to cover the fact that the information should be clear on the fact that refusing the processing operations does not affect the possibility to conclude the service agreement. However, this is more a consequence of the individuals’ refusal than of their consent.
Therefore, without further details, this is difficult to be sure what the court meant in practice and it may create some uncertainty as to what information the controller should provide. The form and content of this information should be analysed on a case by case basis to ensure the individual is not misled.
Moreover, we may wonder if the Court would ask controllers to provide non-required information to meet its standard in certain circumstances (e.g., providing details of the data etc.).
Individiduals must not be misled as to the possibility to refuse the processing operations and still conclude the service agreement
According to the Court, consent is not valid if the terms of the contract are misleading regarding the possibility for the individuals to conclude the contract without consenting to the processing operations.
In practice, the data controller should make it clear that the consent to the processing operations is optional either by mentioning it or ensuring the layout of the document or the drafting of the clause is not misleading.
Pre-Ticked Consent Boxes Invalidates the GDPR Consent
The Court stresses that it is for Orange România, acting as the Data controller, to demonstrate that the data subject has, by active behaviour, given his or her consent to the processing of his or her personal data.
It results from the above that using pre-ticked boxes is not a valid way to obtain consent.
It is not surprising that the Court took this position insofar as the GDPR expressly states that pre-ticked box or silence are not valid consent.
The data controller should not unduly affect the individuals’ freedom of choice
In the present case, Orange România required its customers to declare in writing using an additional form that they refused the processing of their personal data.
The Court considers this step as unnecessary and as potentially affecting the freedom of choice of the individual.
This position strengthens the CNIL’s recommendation on cookies regarding the necessity to provide a “refuse all button” when obtaining users’ consent to the use of cookies (as opposed to providing an “accept all”, and “personalised your choice” button only).
Conclusion
The CJEU has strengthened the requirements for obtaining valid consent under the GDPR by:
- requiring individuals to be informed of the consequences of their consent so that they have full knowledge of the facts;
- requiring controller not to mislead the individuals on the possibility to refuse the processing operations and still conclude the service agreement; and
- preventing controllers from requiring their customers/individuals to take unnecessary steps when they choose to refuse the processing of their data.
