On 11 November 2020, the Court of Justice of the European Union (CJEU) in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) delivered its preliminary ruling on the issue of valid consent under the General Data Protection Regulation 2016/679/EU (GDPR) and Directive 95/46/EC. You can read the judgment here.
The CJEU held that a printed contract for mobile telecommunication services containing a clause stating that the customer has consented to the collection and storage of their identity documents does not constitute valid consent where the box referring to that clause has been pre-ticked by the data controller before the contract was signed.
The case follows up on the previous ruling in Planet49 (Case C-673/17) on which we commented last year here and here.
In March 2018, ANSPDCP imposed a fine on Orange România SA (Orange România) for collecting and storing copies of its customers’ identity documents without their express consent. Orange România concluded paper-based contracts with customers and annexed copies of their identity documents. The contracts included a pre-ticked box stating that the customer had been informed of and given his consent to the collection and storage of his identity documents. ANSPDCP determined that Orange România had failed to prove that their customers had given a legally valid consent.
In this context, the Regional Court of Bucharest, Romania, ultimately requested the CJEU to specify the conditions in which the customers’ consent to the processing of personal data may be considered valid.
The judgment provides important guidance on what constitutes valid consent and what this means for controllers:
- The CJEU reiterated that the GDPR already provides a list of cases in which the processing of personal data is lawful. In particular, the CJEU emphasised that the customers’ consent must be freely given, specific, informed and unambiguous. Consent is not validly given in the case of silence, pre-ticked boxes or inactivity.
- The key part of the judgment focused on the requirement for the consent to be freely given and informed. The CJEU emphasised that the customer must enjoy “genuine freedom of choice” and the contractual terms must not mislead the customer towards the existence of consent as a prerequisite for the conclusion of a contract. Requiring a customer to state in handwritten form that they do not consent to the collection and storage of their personal data affects the customers’ freedom to object to it, it said.
- Transparency of declarations was also considered to be a relevant factor when determining whether consent has been informed. The CJEU stated that the information provided by the controller must easily enable the customer to determine the consequences of any consent he or she might give.
- The requirement to prove valid consent falls on the controller. This includes demonstrating that customers have actively given their consent to the processing of their personal data and that they were informed, in an intelligible and easily accessible form, and in clear and plain language of the consequences of their consent.
The CJEU has followed the Advocate General’s opinion, issued earlier this year, and concluded that consent given through a pre-ticked box in a customer contract was not “freely given”, as the customers did not indicate their consent through an affirmative action.
The judgment will have an impact on any service providers who rely on standardised and pre-formulated clauses to obtain consent. Every service provider must be able to demonstrate that its customers have freely given their consent, and that they have not used misleading practices in obtaining a valid consent. The CJEU’s emphasis on freely given and informed consent builds the important connection between data protection and consumer law as the judgment recognises the role of transparency and the potential for misleading practices when seeking consent.