
Tuesday, 2 April 2024

Vouchers, an acceptable reimbursement? - CJEU in C-76/23 (Cobult)

On March 21, the CJEU published the most recent judgment interpreting provisions of Regulation 261/2004 on air passenger rights in the case Cobult (C-76/23) concerning the possibility of reimbursing a passenger's ticket cost through a voucher.

Many of our readers may have experienced a flight cancellation over the past couple of years, not limited to Covid-19-related causes. In case of a cancellation passengers may choose to have their cancelled flight rescheduled (re-routing) or have their ticket costs reimbursed, pursuant to Article 8 of Regulation 261/2004. Reimbursement could happen via various means, including via a voucher, but the latter only upon the passenger's "signed agreement", pursuant to Article 7(3). Thus the reimbursement by a travel voucher "is presented as a subsidiary means of reimbursement" (para 20).

In this case, TAP Air Portugal invited passengers to fill in an online form to claim reimbursement of ticket costs, which would lead to them being immediately compensated in travel vouchers. The online form included conditions of acceptance, with text clarifying that acceptance of a travel voucher precluded further reimbursement claims in other forms. An alternative way of reimbursement was available, if passengers contacted their customer service department and allowed them to examine case facts (paras 8-9).

The CJEU does not exclude a possibility that passengers could have provided a 'signed agreement' in an online reimbursement form. A 'signed' agreement does not need to include the consumer's signature on an online form they are submitting to the air carrier for reimbursement (para 34). However, certain conditions would need to be met. First, passengers need to be able to give their free and informed consent to reimbursement via a travel voucher (para 22). This will require air carriers to provide passengers with "clear and full information on the various means of reimbursement" of ticket costs (para 30). This condition will not be fulfilled if, e.g., the air carrier (para 32):

  • leaves any ambiguity on its website, 
  • presents partial information, 
  • writes information in a language that passengers may not be proficient in (e.g. information in this case was given only in English - would this be seen as compliant if many passengers were Portuguese-speaking?), or 
  • if the procedure for claiming monetary payment is unfair if compared to the procedure of claiming travel vouchers e.g. because it contains additional steps.

"(...) the addition of such supplementary steps is liable to render reimbursement by a sum of money more difficult to obtain, and thus to upset the relationship between the two means of reimbursement" (para 33) - this is an interesting conclusion by the CJEU, which follows recent developments in other areas of EU consumer law. For example, when assessing fairness of cancellation process of online subscriptions, we would also check whether there were additional steps included, which made the process more complex than when subscription was concluded.

Thursday, 24 November 2022

Can we seek compensation for a GDPR breach if it caused great upset or inner discomfort? The AG Opinion in C-300/21, Österreichische Post

According to Article 82(1) of the GDPR any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage. It turns out that the exercise of this right in practice raises some questions, especially if the damage caused by the infringement would consist of a "great upset" or a "loss of confidence". Recently, the Advocate General Campos Sánchez-Bordona commented on this issue (see: case C-300/21 Österreichische Post). 

Facts of the case
The case concerns the processing of personal data by an Austrian postal company (Österreichische Post AG). The company had been collecting personal data on the Austrian public's affinities for political parties since 2017. Information on political preferences was inferred based on various socio-demographic characteristics. Such processing did not please "UI" (that's how the data subject is called by the AG in the opinion). More specifically, he did not like the way the company classified him as a person sympathizing with one of Austria's political parties. UI therefore entered into a dispute with the company, pointing out, for instance, that he had not consented to the processing of his personal data. As we read in the opinion, UI „was upset by the storage of his party affinity data and angered and offended by the affinity specifically attributed to him by Österreichische Post” (para. 10). What is more, he claimed that such a „political affinity attributed to him is insulting and shameful, as well as extremely damaging to his reputation” (para. 11). Therefore he demanded compensation of EUR 1 000 in respect of non-material damage (inner discomfort).

Both the court of first instance and the appellate court rejected his claim. However, following an appeal to the Oberster Gerichtshof (Supreme Court, Austria), the court raised several doubts, referring the following questions to the Court of Justice for a preliminary ruling:

"1. Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?

2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?

3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?"


Opinion of the AG

The AG presented an interesting analysis of Article 82 of the GDPR, taking into account different types of interpretation (literal, historical, contextual and purposive). There are several important statements that deserve attention: 


1. Assuming that under Article 82 of the GDPR a data subject could be awarded compensation for a breach of the Regulation, despite the absence of any damage, would be inconsistent with the fundamental purpose of civil liability. This purpose is to compensate for the damage suffered by the data subject. If the damage could not be identified, the compensation then awarded would not fulfil the aforementioned function, but would be more like a punishment and a sanction for the infringer (paras 29-30). It is true that punitive damages may exist in both EU and national law, but the GDPR does not contain this type of reference (paras 39, 44, 49-50).


2. The AG's position is that a mere breach of the GDPR does not give rise to a presumption of automatic harm to the data subject (paras 56-59). As can be inferred from the Opinion, this is the presumption made by the parties to the proceedings, indicating that a breach leads to a loss of control over the data and thus causes harm to the data subject. However, the AG considers that not every loss of control over data necessarily leads to harm (para. 62) and, furthermore, that giving data subjects as much control over data as possible may not necessarily be derived from the GDPR provisions (para. 74). He states: „where a data subject does not consent to processing and processing is carried out without another legitimate legal basis, that is not a ground for the data subject to receive financial compensation on account of the loss of control over his or her data, as though that loss of control itself amounted to damage that is eligible for compensation” (para. 77).


3. The compensation for non-material damage regulated by Article 82 of the GDPR does not cover the mere upset that a person may feel due to a breach of Regulation 2016/679. It is up to the national courts to determine when, due to its characteristics, a subjective feeling of displeasure can be considered as a non-material damage in a given case (conclusion - para. 117).

Given the facts of the case, the AG's answers to the preliminary questions do not seem surprising. Nonetheless, some views are arguable, such as that „it is not straightforward to conclude from the GDPR that its objective is to grant data subjects control over their personal data as a right in itself” (para. 74). 

In my view, one of the primary objectives of the GDPR is precisely to give individuals control over their data, or even to 'restore' that control. This conclusion can also be drawn based on the provisions of other data flow regulations in the EU, such as the Data Governance Act* or the Data Act proposal**. It is clear that the opinion was given based on the GDPR provisions, but I guess they should not be interpreted without regard to the broader regulatory context. That said, we eagerly await the Court's final verdict.


* For instance, in recital 5 of the DGA it is stated that it "is necessary to increase trust in data sharing by establishing appropriate mechanisms for control by data subjects". A similar idea is expressed in recital 30 in the context of data intermediation services: "data intermediation services providers seek to enhance the agency of data subjects, and in particular individuals’ control over data relating to them". Maybe it is not directly indicated that the purpose of the DGA is to "grant control over data", but still this can be deduced from both the content and the particular objectives of the legal instruments adopted in the DGA. 
** See, for example, recital 78 of the proposal: "To foster further trust in the data, it is important that safeguards in relation to Union citizens, the public sector and businesses are implemented to the extent possible to ensure control over their data". Again, it is not stated expressly, but without ensuring control over data, the other objectives of the regulation will not be achieved. From this perspective, granting control over data may appear as one of the purposes. 

Friday, 21 January 2022

No ads in email services without prior consent: CJEU in C‑102/20, StWL Städtische Werke Lauf

Today we would like to recall one of the judgments delivered by the Court still in late 2021 - in case C-102/20 StWL Städtische Werke Lauf. Since many language versions of this judgment were not available until recently (including the English one), it may be helpful to summarise it quickly, while interested readers can now consult the full text of the Court's decision here. The case is noteworthy as it combines an interpretation of the e-Privacy Directive 2002/58/EC with that of Directive 2005/29/EC on unfair commercial practices (UCPD). 

 Facts of the case

The case involved two competing electricity suppliers in Germany, one of whom commissioned a marketing campaign consisting in displaying ads to the users of a free email service, T-Online. The advertisements appeared in private email inboxes of those users, inserted between the emails received. The entities differed from the incoming emails in three respects: (i) the date was replaced by the word ‘Anzeige’ (advertisement), (ii) no sender was mentioned and (iii) the text appeared against a grey background. The subject of the "message" was of promotional nature, and referred to advantageous prices for electricity and gas services. Upon clicking on it, the user was redirected to the advertiser's website. 

A competitor of the supplier engaged in this form of promotion considered the practice to be unlawful under German law. Among others, it was argued, the practice violated the provisions on unsolicited email marketing and persistent unwanted solicitation. Since both issues also fall under EU law, the German Supreme Court (BGH), hearing the appeal, decided to stay the proceedings and refer questions concerning the e-Privacy Directive and the UCPD to the Court of Justice.

Judgment of the Court

The CJEU focused on two issues: firstly, the concept of electronic mail, and use thereof, within the meaning of the e-Privacy Directive, and secondly, the reading of the per se prohibition set out in point 26 of the Annex to the UCPD. 

Unsolicited email marketing (e-Privacy Directive)

Pursuant to Article 13(1) of the e-Privacy Directive the use of, among others, electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent. What the Court had to analyse was, therefore, whether the factual situation in the case at hand qualified as the use of electronic mail covered by the Directive. 

The Court did not seem to have doubts about an affirmative answer to this question. First of all, the fact alone that commercial messages were communicated by means of email inbox was sufficient for the CJEU to conclude that the use of electronic mail referred to in Article 13(1) took place (para. 46). Moreover, the Court opted for a broad reading of direct marketing, whereby selection of recipient remains irrelevant to the qualification of commercial communications as addressed "directly and individually" to that recipient. In other words, the fact that respective communication is sent "on a mass, random basis to multiple recipients" does not disqualify it as direct marketing. A user who obtains access to his or her inbox only after having entered his or her registration data and password and sees commercial messages in that space counts as an individual recipient (para. 51).

Two extra points

While the response of the Court could be limited to these two points, two additional points are worth considering. Firstly, the Court expressly stated that the list of means of communication, referred to in Article 13(1) of the e-Privacy Directive, is not exhaustive, but instead should be given a broad interpretation, evolving from a technological perspective (paras. 38-39). This leaves it open what other ways of communicating messages via publicly available electronic communications services, similar to voice calls, fax, SMS/MMS and email, could fall under Article 13(1) - with the consequence that the use of such services for direct marketing would always require the user's prior consent. Messaging apps, such as Messenger or WhatsApp, certainly come to mind. Interestingly, Facebook reportedly intended to insert ads in WhatsApp, but abandoned the idea following public backlash. It now seems that legal reasons would also speak against it, especially in view of the broad reading of 'direct marketing' recalled above.

The second point, which the CJEU decided to address without being directly asked about it, concerns the corresponding consent of the user. Not surprisingly, the Court observed that consent must "be indicated, at least, in a manifestation of a free, specific and informed wish on the part of the person concerned", in line with the conditions which are now extensively defined in the General Data Protection Regulation (para. 57). What seems most interesting in this regard is the reading of "freely given" consent in the context of so-called bundling, i.e. whereby access to a service is conditioned on granting one's consent. While the judgment did not address this directly, the Court appears to pay attention that two versions of the email service were available to the user - a paid and an ad-supported one (para. 58). Arguably, this direction of reasoning can be accepted with regard to freely given consent, provided the conditions of the paid subscription are reasonable - a matter which the CJEU did not explore in the case at hand. Like in the previous case law, the Court devoted more attention to the informed nature of consent, specifying that users should be clearly and precisely informed about the means of adverts distribution, in particular the fact that advertising messages are displayed within the list of private emails (para. 59). While the lack of clear guidance on the freely given consent is somewhat disappointing, it is interesting that consent given to the email service provider is accepted as relevant for assessing the lawfulness of specific commercial messages communicated through this service. Advertisers making use of such services are thus advised to verify the consent mechanisms applied by their providers.

Persistent and unwanted solicitations (UCPD)

In the second part of the judgment the Court turned to consumer law stricto sensu, namely to Directive 2005/29/EC on unfair commercial practices. To recall, point 26 of the Annex to the UCPD establishes a per se prohibition of "making persistent and unwanted solicitations by telephone, fax, e-mail or other remote media except in circumstances and to the extent justified under national law to enforce a contractual obligation". A question was thus posed if activities considered in the case at issue fulfilled the above criteria.

As was to be expected, the Court found that advertising messages, such as those in the case at issue, constituted a solicitation of email service users within the meaning of point 26 of the UCPD black list (para. 71). What is surprising, however, is the limited guidance as regards the criteria of "persistent" and "unwanted" nature. As for the former, the focus remained on the messages from a particular advertiser and a broad reading of persistent solicitation was applied, whereby three ads within a period of approx. 1 month were deemed to be persistent (para. 73). The Court did not elaborate, however, if persistence may also refer to the commercial messages displayed in the email service as a whole. That question, arguably, remained outside the scope of the present dispute, but is definitely a practically relevant one.

As for the "unwanted" nature of solicitations, the Court connected it to the absence of consent of the user prior to the display of ads. However, what exactly is meant by such "consent prior to the display" is not elaborated. While a connection to the first part of the judgment would make sense at first glance, on a closer look some questions can be posed. If what we analyse are specific commercial messages inserted in the mailbox, can consent to the use of email service really be decisive? And if so, shouldn't that consent also specify the type of advertisements which the user does not wish to receive, or at least be conditional on the possibility of screening them subsequently? As a matter of fact, the Court mentioned the relevance of user's "opposition" to advertising practices, which was supposedly established in the main proceedings - this, nonetheless, is not apparent from the recalled facts of the case. Overall, the reading of the UCPD in case C‑102/20 disappoints and further guidance on the notion of persistent and unwanted solicitations will certainly be needed.

Wednesday, 22 December 2021

Invalid consent and illegal sharing of sensitive data - € 6.5 million fine imposed by the Norwegian DPA on Grindr LLC

It would seem that quite strict requirements have been indicated in the General Data Protection Regulation in relation to consent as a legal basis for personal data processing. But even clear-cut conditions (indeed - not always easy to meet) will not force or encourage data controllers to adopt fully compliant practices, especially when the commercial interests are at stake. This time under scrutiny was Grindr - the world’s largest dating app for LGBTQ+ community. Last week the Norwegian Data Protection Authority imposed approximately € 6.5 million fine for several GDPR breaches. 

The main problem concerned the consent mechanism employed in the application. Grindr implemented a model where a user was only asked to „Cancel” or „Accept” the privacy policy while registering. If the „Cancel” button was chosen, the data subject could not use the app. What is more, users were not asked separately if they wanted to consent to the sharing of their personal data with Grindr’s partners for marketing purposes. They were forced to accept the policy in its entirety in order to use the app - a classical "take it or leave it" situation. And besides, the length of the privacy policy and the variety of information contained therein made it even more difficult to get acquainted with all relevant issues and make a "freely given, specific, informed and unambiguous" agreement to the processing (see: Art. 4(11) of the GDPR). Therefore in the DPA’s view Grindr did not collect valid consent:


"Where the controller has several different purposes for processing personal data, and it does not allow for separate consents to be given, there is a lack of freedom and control for the data subject. If the data subject cannot identify and opt in to the processing purposes for which the data subject wishes to give his or her consent […] there is no genuine free choice or control." (See: pp. 17-18 of the decision).

The DPA also underlined that in the case at hand the provision of behavioural advertisement was not an essential part of the service, and definitely was not the reason why data subjects used the app. Therefore user’s consent cannot be regarded as „freely given”, even if - as Grindr argued - data subjects were informed how to opt-out from data sharing with third parties. However, according to the GDPR, consent should take the form of a statement or a clear affirmative action. There is no doubt that an opt-out model does not fulfill this condition.

Last but not least, in the EU it is generally forbidden to process special categories of data, so called „sensitive data”. Information on sexual orientation is considered as sensitive (as indicated in Article 9(1) of the GDPR) and as such it enjoys a higher standard of protection. In order to process sensitive data a controller must rely on one of the legal bases stipulated in Article 9(2) of the GDPR. Since Grindr did not collect the consents for processing lawfully, it could not lawfully share the data.

It is not the first and certainly not the last case where the consent mechanism turns out to be far from exemplary. Just for the record - the issue of consent validity in the context of cookies was examined, inter alia, by the Court of Justice in the Planet49 case (C-673/17; reported on this blog here). Despite clear rules referring to the consent as a legal basis for processing, many controllers still look for new ways to optimize the process of obtaining user consents. Some of them accept, consciously or not, to collect consents not necessarily in a manner consistent with the GDPR. Others try to mislead data subjects by showing in their privacy policies or cookie banners, usually in the first information layer, that there is no consent for processing of personal data by default, while in fact the processing takes place on the basis of the legitimate interests of the controller. What other practices will emerge in the future? We do not know yet, but will keep an eye on them.

Wednesday, 26 May 2021

Of unfair terms, novation agreements and other not so magical creatures - CJEU in C-19/20

Dear readers, 

as the spring advances (not really, for those of us in continental Europe, but we keep faith), we should catch up with some case-law developments from the past weeks. 

Hereby, thus, a quick overview of a somewhat convoluted case decided by the CJEU on 29 April - IW v Bank BPH SA. After Dziubak, it is no surprise that more cases would be pouring in from Poland on the subject of credit in Swiss francs. 

In the case under discussion, the referring court was of the opinion that the consumers had been sufficiently informed about the risks associated with the mortgage contract, so that the main indexation interest was not unfair; however, within this mechanism, the bank had included an indication that the final cost to the consumer would incorporate a resale margin for the bank which was not further elaborated upon in the contractual documents. This left the bank unconstrained in determining such margin and the consumer unaware of what factors may affect the bank's determination.

The blank resale margin clause was later amended by means of an agreement between the parties which, according to the Court, established a sufficiently clear mechanism - thus "fixing" the term. 

While the consumers did not agree with the referring court's assessment of the main indexation terms, ultimately the questions for the CJEU all concerned the situation with regard to the resale margin mechanisms. 

The first question concerned the effect of the agreement amending the resale margin clause on the unfairness assessment: must a court exert unfair terms control in spite of the agreement? According to the Court, in substance, the agreement prevails when the consumers have signed it in full awareness of the fact that they were waiving their rights to unfair terms control. Otherwise, the Court is supposed to assess the term and, where it finds it unfair, establish that the consumers are entitled to be put in the same position where they would have been without the agreement.

The second and third questions concerned the admissibility of a finding that only the resale margin term should be invalidated, while leaving the rest of the indexation mechanism in place. Would such approach go against the CJEU-sanctioned prohibition of court revision of unfair terms? The Court does not give a final answer to this question, but instructs the national court to establish whether the resale margin determination can be considered as a "contractual obligation distinguished from the other contractual terms, capable of being the subject of an individual examination of its unfairness" [para 71]. The removal should not, on the other hand, remove an unfair element within a term, altering "the substance" of such term [para 80]. This is an interesting question in fact: on the one hand, it is obvious that the combination of indexation and resale margin was, taken together, the mechanism through which the cost of credit was fixed. On the other hand, the clause determining the bank's resale margin could very well be separately set at zero, without - as the referring court observes - creating a gap. This sounds, at first appraisal, like a question that would be best addressed in legislation. While the referring court mentioned the existence of legislation dealing with the unfair term in the MS, this legislation, which was passed after the contract was entered into, is in essence irrelevant to the dispute according to the CJEU.

The fourth question is more straightforward and concerns the consequences of finding that the resale margin term was unfair: when should the contract be invalidated? According to established case-law by the CJEU, whether a contract should be held in place after a finding of unfairness depends on whether, under national law, it is capable of continuing to function - based on an objective assessment and thus not on the subjective position of one of the parties [90]. The referring court wondered whether the contract's invalidation had a sanctioning character and to what extent the consumer's preference played a role, to which the court replied by summarising its case-law to the effect that the judge must first determine the consequences of unfairness on the contract and then, when relevant, allow the consumer to decide whether they prefer invalidation of the contract or maintaining the unfair term.

The fifth and final question went into the referring court's role with respect to the consumer's choice between invalidation and preservation of the unfair term: should the court actively inform the consumer about their options and the implication of their choices, or could this function be entrusted to the consumer's legal representation when they have one? The CJEU's answer in this respect is very clear: since it is upon the court to make sure that the consumer's rights in the procedure are respected, and in particular that their decision in respect of the outcome of unfair terms control is the result of "free and informed consent", the court must also inform the consumer about their choices [95].

Nothing in this decision comes particularly as a surprise. The more difficult points, ultimately, go back to the referring court who needs to decide whether the consumer has in fact waived the term's invalidity via the novation agreement and, if not, must assess whether the resale margin mechanism can be severed from the overall indexation mechanism (and, if not, must decide on the future of the contract). Unlike in Dziubak, it is not obvious in this case that the consumers would gain from the contract's overall invalidation, which could or could not add to the case's complexity. Curious what the Polish colleagues in the blog team may have to say on this case!

Friday, 13 November 2020

Dark patterns and conditions for a valid consent to data processing - judgment of the CJEU in C‑61/19 Orange Romania

Earlier this week, the Court of Justice delivered a judgment in case C-61/19 Orange Romania, concerned with the conditions for a valid consent to the processing of personal data under EU data protection law (the Data Protection Directive 95/46/EC and the General Data Protection Regulation 2016/679, which remains in effect as of May 2018). The case follows up on the previous ruling in C-673/17 Planet49, on which we commented last year (see also: Planet49: Pre-Ticked Checkboxes Are Not Sufficient...). Aside from confirming the importance of an "active" consent, the Court elaborates on the requirement for consent to be informed, specific, unambiguous and freely given, building bridges to important categories known from consumer law, such as transparency and misleading practices.

Facts of the case

The dispute goes back to a fine imposed by the Romanian data protection authority on the provider of mobile telecommunications services, Orange România, for an allegedly unlawful storage of the copies of customers' identity documents. In particular, the authority argued, the data controller failed to demonstrate that the data subjects had given their valid consent to the contested processing. What makes the case interesting is that the storage of ID cards was, in fact, explicitly mentioned in the contracts which Orange concluded with its customers. Specifically, the following wording is cited:

"The customer states that: ... (ii) Orange România has provided the customer with all the necessary information to enable him or her to give his or her unvitiated, express, free and specific consent to the conclusion and express acceptance of the contract; (iii) he or she has been informed of, and has consented to [numerous types of processing, including the storage of copies of documents containing personal data for identification purposes]."

As seen from above, both the declaration of "consent" and the confirmation of having received the associated information were pre-formulated by the trader. At least in certain cases they were also already "pre-ticked". In fact, however, consent to the storage of the copies of ID cards was not necessary for entering into a contract and customers, who refused to consent, were not prevented from the contract conclusion. Data subjects who did not wish their ID cards to be copied, though, were asked to go through additional steps, most notably confirm their refusal in a specific form, which, like pre-ticked checkboxes, can be regarded as an example of dark patterns in action (or, in this case, "sludge").

Against this background, doubts have been raised, among others, as to whether the clauses on data processing were sufficiently distinct from the remaining parts of the documents, whether the data subjects were not misled about the possibility of refusing consent to the storage of ID cards and, if so, whether this could have an impact on the validity of their consent.

Legal provisions

Even though the contested fine was imposed on Orange România prior to the date of application of the GDPR, the Court of Justice decided to provide guidance on both Directive 95/46/EC and Regulation 2016/679. Key norms subject to the analysis were those laying down conditions for a valid consent. Focusing on the GDPR, attention should be drawn to its Article 6(1)(a), listing the data subject's consent among the grounds for the lawful processing of his or her personal data, and to Article 4(11), which defines "consent" as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Of relevance are further the associated information duties in Article 13 as well as (non-binding) clarification of the above in recitals 32 and 42.

Judgment of the Court

While the specific assessment of the case at hand has been left to the national court (in line with the nature of preliminary reference procedure), the judgment provides important guidance on the legal provisions to be applied. In particular:

  • The Court recalls that for consent to be validly expressed (by the data subject) and later demonstrated (by the controller), the corresponding wish of the data subject should be reflected in his or her active behaviour. In particular, unambiguous and informed consent cannot be inferred from the fact that the data subject did not deselect a pre-ticked checkbox (paras. 35-37, 45-46; on the burden of proof, see also paras. 42, 51).
  • The judgment goes on to discuss the definition of consent as a "specific" indication of data subject wishes, highlighting the requirements of Article 7(2) (presentation of the request for consent in a manner which is clearly distinguishable from the other matters) and recital 42 of the GDPR (presentation of pre-formulated declarations in an intelligible and easily accessible form, using clear and plain language). The latter is especially worth highlighting, as it directly refers to Directive 93/13/EEC on unfair terms in consumer contracts. Transparency of declarations is also considered relevant for establishing whether consent so expressed has been informed. What is more, corresponding information provided by the controller "must enable the data subject to be able to determine easily the consequences of any consent he or she might give", which again brings to mind the requirements for substantive transparency known from consumer law stricto sensu (paras. 38-40, 47-48). The latter may have significant implications for the validity of consent to the processing of personal data in the context of automated decision-making.
  • Finally, an important part of the judgment concerns the requirement for consent to be freely given (and again informed). In para. 41, the Court observes that "in order to ensure that the data subject enjoys genuine freedom of choice, the contractual terms must not mislead him or her as to the possibility of concluding the contract even if he or she refuses to consent to the processing of his or her data" (similarly para. 49). This brings to mind the notions of misleading actions and omissions, known from Articles 6 and 7 of Directive 2005/29/EC on unfair commercial practices (note that the Directive refers directly to the "freedom of choice" only in the subsequent provision on aggressive practices). At a later point of the judgment, the Court also questions the free nature of consent in the case at hand in view of the additional burden (sludge) imposed by the controller on the data subjects who wish to refuse consent (para. 50). As in the other instances, however, an assessment is ultimately left to the referring court.

Concluding thoughts

Overall, the judgment provides for a range of important reference points, which may help to increase the level of consumer and data protection in the EU. Worth noting are the recurring references to the requirement of an "informed" consent, which appears to complement and reinforce all other conditions. The judgment underlines the close connection between data protection and consumer law stricto sensu, which has long been observed in the literature. Recognition of the role of (substantive) transparency and of potentially misleading practices in assessing consent validity is also to be welcomed. Both seem especially relevant in the digital market, where the consequences of consent are often difficult to determine and where dark patterns remain prevalent.

Sunday, 2 February 2020

Data protection (violations) by default: stakeholder views and new developments in enforcement

The last weeks brought some interesting new developments in the implementation of the EU rules on data protection, such as the conditions for a valid consent to the processing of personal data and the principles of data protection by design and by default. As we have observed on numerous occasions on this blog, the developments in data protection are of direct relevance to consumer law and policy, considering that business practices in the digital economy are often connected to the processing of consumer data and, as such, can come within the purview of both fields.

One of the major topics in the ongoing data protection debate concerns default settings. As readers may recall, several months ago we reported on the judgment of the Court of Justice in case C-673/17 Planet49 (CJEU confirms stricter requirements for valid cookie consent...). The case confirmed that - just like in the GDPR - consent referred to in Articles 2(f) and 5(3) of the E-Privacy Directive cannot validly be obtained by way of a pre-ticked checkbox, which the user must deselect to refuse his or her consent.

Pre-ticked checkboxes and similar mechanisms of collecting consumers' "consent" by default are unfortunately still very present in the digital market. Furthermore, by applying the so-called dark patterns businesses can steer consumer behaviours in the direction they desire, even without the use of default settings (for an illustration see: Google tracks every step you take). Fortunately, practices of this kind not only attract attention of consumer organisations, but are also gradually engaged with by the law enforcers. Last week a higher regional court in Germany - Kammergericht Berlin - ruled on the case brought against Facebook by the national association of consumer organisations (vzbv). The case concerned a total of 26 alleged violations of consumer and data protection law, many of which were confirmed by the court. Default "consent" to location tracking, sharing a link to the users’ profile with search engines and the use of name and profile picture for commercial purposes have all been found to violate the applicable rules on data protection. By contrast, Facebook’s marketing claims that its services "are free and always will be" have not been considered misleading under national provisions implementing the UCPD.

On the latter point, one which turns around the question whether or not personal data constitutes a price, the emerging court practice is not entirely coherent. Just two weeks before the Berlin ruling, the Administrative Court in Lazio (Tribunale Amministrativo Regionale) partially upheld the decision of the Italian Competition and Market Authority (Autorità Garante della Concorrenza e del Mercato, AGCM) which considered an analogous slogan, directed at Italian users, to qualify as an unfair commercial practice. The AGCM has meanwhile launched proceedings against Facebook for the company's non-compliance with the prior decision.

All of this comes at a time of a broader discussion about the interplay of data protection law and consumer law and the application of the - often broadly framed - provisions of both the GDPR and the UCPD. A certain convergence of views appears to be forming between consumer organisations and data protection bodies, even if the relevant overlap is not always complete. It seems that consumer organisations are willing to accept the economic role of data whenever it is beneficial to consumers (like in the case of potentially misleading "free" claims). The European Data Protection Supervisor, however, has been arguing against any direct analogies between data and price, as illustrated by his position on the recent modernisation of the EU consumer rules (and previously on the digital content directive). When it comes to the data protection by design and by default the alignment between the two stakeholder groups seems even stronger. Last November the European Data Protection Board published Guidelines 4/2019 on Article 25 GDPR, which have largely been supported by the association of European consumer organisations - BEUC. The organisation welcomes the operationalisation of both principles, including through the proposed selection of performance indicators as well as the illustrative case studies. Nonetheless, the achievement of effective protection of consumer data in the digital economy has still a long way to go. Limited personal scope of Article 25 GDPR, which only imposes an obligation on controllers, and the lack of clarity on the role and responsibility of developers/processors have been mentioned as the major gaps to be filled.

Friday, 10 January 2020

No inertia selling in non-individually requested energy contracts - EVN Bulgaria Toplofikatsia and Toplofikatsia Sofia (joined cases C‑708/17 and C‑725/17)

Facts

Joined Cases C‑708/17 and C‑725/17 (delivered on the 5th of December 2019 and found here) deal with owners of apartments in a building in co-ownership. In both cases, there is a contract for the supply of thermal energy concluded between the majority of the owners of the building and an energy supplier (EVN Bulgaria Toplofikatsia and Toplofikatsia Sofia, respectively). Also in both cases, the energy companies sent to the individual co-owners (Ms Dimitrova and Mr Dimitrov, respectively) a bill for energy consumption costs. The co-owners in question alleged that there is no contractual obligation between them and the respective energy companies since they did not individually request the supply of thermal energy, according to the prohibition of inertia selling of Directive 2011/83/EU and of Directive 2005/29/EC. Moreover, Ms Dimitrova and Mr Dimitrov argued that the consumption reflected on the bills did not reflect their actual energy consumption, which would breach Article 13(2) of Directive 2006/32.

Legal issues

There are two relevant issues from an EU consumer contract law perspective: first, whether there is inertia selling in the case of lack of individual request of energy supply; second, whether the co-owners of a building are consumers. Moreover, from an EU consumer energy law perspective, the case determines whether the bills for the consumption of thermal energy can be calculated in proportion to the heated volume of each owner’s apartment. This case is also interesting because it addresses the relationship between EU consumer law and national contract law.

CJEU’s decision

The CJEU started by determining the applicability of the Consumer Rights Directive. In this case, there is a contract concluded between the thermal energy providers and, according to Bulgarian law, the owners of a building in co-ownership. The question was whether the owners of the building can be considered consumers. Following AG Saugmandsgaard Øe’s opinion, the CJEU answered this question in a brief and evident manner: as long as the owners are not involved in commercial or professional activities, they are consumers within the meaning of Article 2(1) of the Consumer Rights Directive.

Then, the CJEU dealt with inertia selling. Inertia selling has been defined in the CJEU’s case law as a ‘conduct whereby the trader demands payment from a consumer for a product or service which has been provided to that consumer without the consumer soliciting it’ (Wind Tre and Vodafone Italia, C‑54/17 and C‑55/17). Inertia selling is considered an unfair commercial practice under Article 5 and under point 29 of Annex I of the Unfair Commercial Practices Directive. In addition, inertia selling is prohibited by Article 27 of the Consumer Rights Directive. The notion of inertia selling revolves around the concept of solicitation as the act of asking for a service or a good to be provided to the consumer. Therefore, to discuss whether this is a case of inertia selling, the CJEU had to discuss the notion of consent. In fact, the question is whether Ms Dimitrova and Mr Dimitrov consented to the contract, considering that they did not individually agree to it, but that the majority of co-owners as a group decided it. In other words, when can we consider that a consumer ‘solicited’ a service?

The CJEU highlighted that aspects regarding consent and the formation of the contract are determined by national law, as is acknowledged by Recital 14 and Article 3(5) of the Consumer Rights Directive. Bulgarian energy law provides that the energy installations in a building in co-ownership follow from the written consent of (at least) two-thirds of the owners of the building. Therefore, the energy service appears to also have been solicited by the co-owners in question, since the rules on contractual consent are defined by national legislation. Article 27 of the Consumer Rights Directive states that ‘the absence of a response from the consumer following such an unsolicited supply or provision shall not constitute consent’. Taking Bulgarian law into account, the CJEU determined there was no unsolicited supply of thermal energy in the terms of Article 27 of the Consumer Rights Directive. It is noteworthy that, as the Court implied, the consent necessary to have a ‘solicited’ energy supply can be found in the co-owners’ agreement to be subject ‘to all (…) the decisions adopted by the general meeting of the owners of property in that building’. As a consequence, the CJEU concluded that the Consumer Rights Directive and the Unfair Commercial Practices Directive do not preclude a national law that requires co-owners to pay for energy bills regarding a contract that they did not individually request (and did not use). The take-home message is that the mere lack of individual consent for the supply of a service does not automatically mean that there will be inertia selling under EU consumer law.


Finally, the defendants claimed that to calculate the bills for consumption of thermal energy proportionally to the heated volume of the apartment instead of based on actual consumption goes against Directive 2006/32 and Directive 2012/27. However, both the AG and the CJEU concluded that a law that allows for such a method of bill calculation does not violate EU law, considering that the above-mentioned Directives give the Member States a wide discretion in what concerns the calculation method for billing for thermal energy consumption in buildings in co-ownership.

Wednesday, 2 October 2019

CJEU confirms stricter requirements for valid cookie consent - case C-673/17 Planet49

Yesterday the Court of Justice delivered its judgment in case C-673/17 Planet49, concerning the requirements for a valid consent to the storage of cookies. The judgment largely falls in line with the previous opinion of Advocate General Szpunar, on which we reported in an earlier post (see: Pre-ticked checkboxes NOT informed consent...).

Background of the case

To recall, the case involved a promotional lottery whose prospective participants were asked, among others, to provide personal details and agree to be contacted by various sponsors. Besides several items, to which users agreed by ticking corresponding boxes, the form included another, already pre-ticked checkbox, which concerned the placement of cookies by Planet49. German consumer organisation vzbv questioned the validity of such 'consent' under Directive 2002/58/EC on privacy and electronic communications. Following a 2009 amendment, Article 5(3) of that Directive required Member States to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

As readers may remember, Directive 95/46/EC was, in the meantime, repealed and replaced by the General Data Protection Regulation. The E-Privacy Directive was also supposed to be replaced with a regulation, with the aim to increase coherence with the GDPR. The respective proposal, however, got stuck in the legislative pipeline. The Court was not distracted by these facts and decided to interpret Directive 2002/58 in the light of both Directive 95/46 and Regulation 2016/679.

Judgment of the Court

First of all, the Court agreed with the Advocate General that consent referred to in Article 2(f) and in Article 5(3) of Directive 2002/58 cannot validly be obtained by way of a pre-ticked checkbox which the user must deselect to refuse his or her consent. To support this conclusion, the Court referred to the requirements for consent to be 'specific' and 'unambiguous' under Directive 2002/58 as well as the even more detailed wording of the GDPR.

Importantly, the Court did not elaborate on the requirement that consent must be ‘freely given’, arguing that a corresponding question had not been asked by the referring court. A response to such a question - one of major importance to the digital economy - would involve an assessment of whether the user’s consent to the processing of personal data for advertising purposes constituted a prerequisite to that user’s participation in a promotional lottery. As noted in our previous post, the Advocate General elaborated on this matter in a way that was subject to criticism. Against this background, the self-restraint shown by the Court is to be welcomed.

As regards the question whether the interpretation set out above should differ, depending on whether or not the information stored or accessed on user's terminal equipment qualifies as personal data, the Court responded with a clear 'no'. This remains in line with the rationale of Directive 2002/58 which aims to protect the user (including natural persons acting for business purposes) from interference with his or her private sphere, regardless of whether or not that interference involves personal data.

Finally, as regards the scope of information to be provided to the user before obtaining his or her consent, the Court opted for a broad reading of Article 5(3) of Directive 2002/58 in conjunction with Article 10(c) of Directive 95/46 and Article 13(1)(e) of the GDPR. In this respect, the Court, once again, sided with the Advocate General, stressing that "clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed" (para. 74). The Court considered that information on both the duration of the operation of cookies and whether or not third parties may have access to them had to be provided to the user.
 
Concluding thought

The judgment in Planet49 strengthens the protection of privacy in the digital sphere, not only of consumers stricto sensu, but of internet users more generally. Moreover, the Court confirmed that the standard of 'cookies protection' does not depend on whether or not user's personal data is involved. Privacy, according to this reading, concerns the very fact of placing pieces of software on user's 'terminal equipment'. This resembles the way in which some consumer authorities have read the notion of 'aggressive practices' under Directive 2005/29/EC on unfair commercial practices, also beyond the cookie context (see especially the Italian decision against Facebook). Whether or not such an approach to the UCPD will hold, and how it might be related to standards of disclosure, is still an open question (on the latter, see the judgment of the Court in Wind Tre, para. 45 et seq). When it comes to the E-Privacy Directive these questions do not emerge: here, without doubt, the duty to inform provides a further layer of protection to the one provided by the consent framework. The E-Privacy Directive, therefore, is quite remarkable: it combines high standards of consumer law and data protection law and applies them beyond their traditional scope. Hopefully, internet users will truly be able to benefit from it.

Tuesday, 30 July 2019

CJEU in Fashion ID (C-40/17): some consequences of embedding social plugins

Yesterday, the CJEU published its judgment in Fashion ID, a case concerning mainly the notion of "controller" under EU data protection law.

The facts of the case are relatively simple: Fashion ID had placed a "like" button on its website which was connected to Facebook. What Fashion ID's customers may not realise is that - even if they did not use it - the button's presence meant that information concerning them was being transmitted to Facebook. In the proceedings it was uncontested that this information qualified as personal data.

Verbraucherzentrale NRW, a consumer association, brought an injunction against Fashion ID demanding that it abandon such practice. The question whether Fashion ID has any obligations in connection with the data processing - including the duty to inform consumers that their data are being collected and/or require their consent - depends on whether the website is to be considered a data controller.

The referring court doubted whether this is the case since the website operator has no control over the processing of the data transmitted to the plugin provider (para 37).

The Court, in essence, answered that the operator of the website acts as a controller, and is thus responsible for informing the consumer or collecting their consent, insofar as the collection of information and transmission to Facebook is concerned. In particular concerning the collection of the user's consent, the Court highlighted that it would not be in line with efficient and timely protection of the subject's rights if the consent were given only to the second controller, which is involved at a later stage (para 102). Even more strongly, when a customer is not a Facebook user, their data will be processed by the social media operator without them having any direct connection to the latter, which makes the responsibility of the other provider all the greater (para 83).

However, the website operator is not responsible vis à vis the data subjects for any other uses that Facebook itself will make of the data, nor for collecting their consent in that respect (para 102).

While the website has no control on the use of the transmitted data, the purpose of such collection is in part related to the website's benefit as it allows better promotion of its products (para 77-81).

As concerns the collection of data without the subject's consent - i.e. data that is necessary for the pursuit of a legitimate interest - the Court importantly clarified that where both the website and the provider of the social plugin are controllers, they must both be pursuing a legitimate interest for the ground of processing to apply (para 96).

The decision interprets relevant provisions in the "old" Data Protection Directive, which has meanwhile been replaced by the GDPR - but the concepts that it deals with have been kept in the Regulation, so the decision can be transposed to the new rules.

Quite unsurprisingly, the Court rejected Fashion ID's claim that consumer associations would not be entitled to bring any claims under data protection rules - while Article 80(2) of the GDPR quite famously invites Member States to set collective enforcement mechanisms, nothing in the previous directive, which only contained general indications on enforcement, can be seen to stand in the way of Member States allowing consumer associations to bring such claims (see in particular paras 57-62).

The Court seems to be aware of the potentially high-profile nature of this case and has accompanied the publication of its decision with a press release.

Sunday, 24 March 2019

Pre-ticked checkboxes NOT informed consent - AG Szpunar in Planet49 (C-673/17)

With the entry into force of the GDPR last year, the issues of data processing became more prominent. As many internet users are consumers (AG Szpunar also uses the average consumer notion for internet users in para. 113) and many issues of data processing correspond to issues of consumer law, we would like to draw our readers' attention to the opinion of AG Szpunar from last Thursday in the case Planet49 (C-673/17). It elaborates on the notion of 'informed consent' and the requirements for it, which according to AG Szpunar are the same under the GDPR as under the previously binding Directive 95/46. Informed consent is a fundamental notion of both consumer and data processing law. It creates a presumption that as long as a weaker party had been provided with transparent information, a decision taken based on that information (such as giving consent to data processing) should be considered binding.

Internet users in Germany could have participated in an online, promotional lottery at the website www.dein-macbook.de. In order to play they had to fill in their personal details, such as their address and name. They could also not participate unless they agreed to various parties sponsoring the competition contacting them with their offers. In order to agree to this, they had to tick a corresponding checkbox. The promotional entry form came also with another, already pre-ticked, checkbox, which was intended to convey the internet users' consent to the installation of cookies by Planet49, which would track their online behaviour and provide them with targeted advertisements.

May a pre-ticked checkbox lead to informed consent?
AG Szpunar interprets provisions of Directive 95/46 as requiring active and separate consent. This follows, according to him, from Art. 2(h) referring to an "indication" of the data subject's preferences and from Art. 7(a) requiring 'unambiguous' consent (para. 60). An expectation of active consent precludes obtaining it through pre-formulated means (para. 61). Moreover, the provision of consent should be separated from the activity pursued on the internet, as provision of consent should not have an ancillary nature (para. 66). And the user should be informed whether he could pursue the activity, and to what extent, without providing his consent (para. 67). These requirements bind also under the GDPR, where they have been further elaborated on in the recitals 32 and 43 (paras. 72-74). The e-Privacy Directive has also been interpreted by Article 29 Data Protection Working Party as requiring such an active consent (para. 81). It has been argued in the scholarship on the topic that Art. 5(3) e-Privacy Directive requires opt-in consent rather than opt-out, which requirement, however, was not rigorously enforced to date in the Member States. The overlap in requirements related to active informed consent means that there is not much of a distinction between a consent for the use of cookies and for processing of personal data, pursuant to AG Szpunar.

Following the above-listed requirements for informed consent, a pre-ticked checkbox may clearly not be seen as satisfying them. Forcing internet users to untick a box to show that they do not consent does not allow one to argue a contrario that they have consented by leaving the box pre-ticked, as there is no way to prove their activity in providing consent (para. 88). Moreover, there is no separation between the provision of consent and the participation in the lottery in the given case, as by clicking on the participation in the lottery button the user consents at the same time to the installation of cookies (para. 89). This is especially problematic as the provision of consent to the installation of cookies was not a pre-requirement for the participation in the lottery, but the users were not informed about this (para. 92).

What about checkboxes that were not pre-ticked? ... and prohibition of bundling
In cases of boxes that need to be ticked, there is no doubt that internet users were active in providing their consent. National courts still need to examine, however, whether the consent was given separately to engaging in the main online activity. AG Szpunar advises online traders who would want to avoid any ambiguity to provide two separate buttons that would need to be clicked, rather than just require a tick in a box (para. 96). National courts also have to consider whether the processing of personal data was necessary for the provision of service, pursuant to Art. 7(4) GDPR, which prohibits bundling. AG Szpunar indicates that it was indeed necessary for the participation in the lottery (para. 99). This last view could be (and is) contested, as it lessens the importance of the prohibition of bundling by creating a broad exception to it. Luckily, the CJEU was not asked to answer the question on this issue, and, therefore, remarks by AG Szpunar on this topic may remain non-binding.

Transparency about cookies' application
The final question pertained to the scope of an obligation to provide 'clear and comprehensive information' about cookies. AG Szpunar rightly points to evidence of the lack of knowledge of internet users about cookies and their operation (para. 114), which means that in order to make this information transparent detailed explanations need to be given to internet users, including on the duration of the operation of cookies and whether third parties, and who, are given access to cookies (para. 116).

This opinion could potentially increase the legal protection of internet users online, by widening the scope of interpretation of the transparency principle and narrowing down the situations, in which informed consent could be found. It is very much in line with the previously argued for interpretation of the provisions of e-Privacy Directive and Data Protection Directive. The drawback of this interpretation, if upheld by the CJEU, will be practical: it will lead to more boxes having to be ticked by consumers online, which is what they often find annoying.

Thursday, 14 February 2019

German regulator restricts Facebook data sharing

On 07.02.2019, Bundeskartellamt, the German competition regulator, issued a decision against Facebook restricting its processing of user data. 

The Bundeskartellamt points out that Facebook is in a dominant position with a market share of 95%. The closure of Google+, one of the competitors of Facebook, has intensified its dominance. Other companies, such as Twitter or LinkedIn, are considered to only operate in part of Facebook's market.

The decision states that the way Facebook collects, merges and uses data between its subsidiaries amounts to abuse of a dominant position under competition law. One of the most troubling practices employed by Facebook is that it collects third-party data on users in an almost unlimited way and attaches all of these data to the users' Facebook accounts. Data is being collected not only by other Facebook-owned services, but by any website that has an embedded Facebook button. It is worth noting that the data of the users was collected even if they would not interact with the Facebook buttons (even if they didn't 'like' a page).

What is even more concerning is that data is collected even if there is no kind of Facebook sign on the page, when the website is using Facebook analytics. This widespread collection of data allows Facebook to form very detailed profiles of its users.

With its decision, the Bundeskartellamt forbids this practice. Facebook, Instagram and WhatsApp will still be able to collect data on their users. However, Facebook will be prevented from assigning this data to a single Facebook account, unless they have the voluntary consent of the users. However, the consent of the users is already required for third-party websites. The decision requires Facebook to make changes to its terms of service and data processing. The processing of data from third parties without the consent of users needs to be substantially limited. Facebook will have to come up with proposals on how to achieve that.

This decision comes after the publication of the first reports on the Code of practice against disinformation, signed by Facebook and other large online companies such as Google, Twitter and Mozilla. Facebook has to strengthen its commitments to empower consumers and boost cooperation with fact-checkers. However, if Facebook is serious about making their platform a fertile ground for those who seek to spread disinformation, it should first and foremost protect its users and their data from those who want to abuse them.

The decision is not yet final, as Facebook will have one month to appeal in German courts. It remains to be seen whether Facebook will challenge the decision. This decision serves to point out the increasing intersections between consumer law, data protection law and competition law. The Bundeskartellamt points out that their investigation required close cooperation with data protection authorities.

This is the dawn of a new age where the traditional compartmentalisations of law may not serve us as well as in the past. Consumer law will also have to adapt in order to address challenges arising from novel business models, and especially in relation to data protection.