Sunday, 24 March 2019

Pre-ticked checkboxes NOT informed consent - AG Szpunar in Planet49 (C-673/17)

With the entry into force of the GDPR last year, the issues of data processing became more prominent. As many internet users are consumers (AG Szpunar also uses the average consumer notion for internet users in para. 113) and many issues of data processing correspond to issues of consumer law, we would like to draw our readers attention to the opinion of AG Szpunar from last Thursday in the case Planet49 (C-673/17). It elaborates on the notion of 'informed consent' and the requirements for it, which according to AG Szpunar are the same under the GDPR as under the previously binding Directive 95/46. Informed consent is a fundamental notion of both consumer and data processing law. It creates a presumption that as long as a weaker party had been provided with transparent information, a decision taken based on that information (such as giving consent to data processing) should be considered binding.

Internet users in Germany could have participated in an online, promotional lottery at the website www.dein-macbook.de. In order to play they had to fill in their personal details, such as their address and name. They could also not participate unless they agreed to various parties sponsoring the competition contacting them with their offers. In order to agree to this, they had to tick a corresponding checkbox. The promotional entry form came also with another, already pre-ticked, checkbox, which intended to convey the internet users consent to installing cookies by Planet49, which would track their online behaviour and provide them with targeted advertisements.

May a pre-ticked checkbox lead to informed consent?
AG Szpunar interprets provisions of Directive 95/46 as requiring active and separate consent. This follows, according to him, from Art. 2(h) referring to an "indication" of the data subject's preferences and from Art. 7(a) requiring 'unambiguous' consent (para. 60). An expectation of active consent precludes obtaining it through pre-formulated means (para. 61). Moreover, the provision of consent should be separated from the activity pursued on the internet, as provision of consent should not have an ancillary nature (para. 66). And the user should be informed whether he could pursue the activity, and to what extent, without providing his consent (para. 67). These requirements bind also under the GDPR, where they have been further elaborated on in the recitals 32 and 43 (paras. 72-74). The e-Privacy Directive has also been interpreted by Article 29 Data Protection Working Party as requiring such an active consent (para. 81). It has been argued in the scholarship on the topic that Art. 5(3) e-Privacy Directive requires opt-in consent rather than opt-out, which requirement, however, was not rigorously enforced to date in the Member States. The overlap in requirements related to active informed consent means that there is not much of a distinction between a consent for the use of cookies and for processing of personal data, pursuant to AG Szpunar.

Following the above-listed requirements for informed consent, a pre-ticked checkbox may clearly not be seen as satisfying them. Forcing internet users to untick a box to show that they do not consent,  does not allow to argue a contrario that they have consent by leaving the box pre-ticked as there is no way to prove their activity in providing consent (para. 88). Moreover, there is no separation between the provision of consent and the participation in lottery in the given case, as by clicking on the participation in the lottery button the user consents at the same time to the installation of cookies (para. 89). This is especially problematic as the provision of consent to the installation of cookies was not a pre-requirement for the participation in the lottery, but the users were not informed about this (para. 92).

What about checkboxes that were not pre-ticked? ... and prohibition of bundling
In cases of boxes that need to be ticked, there is no doubt that internet users were active in providing their consent. National courts still need to examine, however, whether the consent was given separately to engaging in the main online activity. AG Szpunar advises online traders who would want to avoid any ambiguity to provide two separate buttons that would need to be clicked, rather than just require a tick in a box (para. 96). National courts also have to consider whether the processing of personal data was necessary for the provision of service, pursuant to Art. 7(4) GDPR, which prohibits bundling. AG Szpunar indicates that it was indeed necessary for the participation in the lottery (para. 99). This last view could be (and is) contested, as it lessens the importance on the prohibition of bundling by creating a broad exception to bundling. Luckily, the CJEU was not asked to answer the question on this issue, and, therefore, remarks by AG Szpunar on this topic may remain non-binding.

Transparency about cookies' application
Final question pertained to the scope of an obligation to provide 'clear and comprehensive information' about cookies. AG Szpunar rightly points to evidence of the lack of knowledge of internet users about cookies and their operation (para. 114), which means that in order to make this information transparent detailed explanations need to be given to internet users, including on the duration of the operation of cookies and whether third parties, and who, are given access to cookies (para. 116).

This opinion could potentially increase the legal protection of internet users online, by widening the scope of interpretation of the transparency principle and narrowing down the situations, in which informed consent could be found. It is very much in line with the previously argued for interpretation of the provisions of e-Privacy Directive and Data Protection Directive. The drawback of this interpretation, if upheld by the CJEU, will be practical: it will lead to more boxes having to be ticked by consumers online, which is what they often find annoying.