The Court of Justice of the European Union: The provision of pre-ticked checkboxes in contracts regarding the personal data processing is not an actively expressed consent. What can we learn?

On November 11^th, 2020 the Court of Justice of the European Union (hereinafter – “CJEU”) has ruled a decision in a case regarding a Romanian telecommunications company’s “Orange România” actions on collecting and processing the personal data of its customers.

According to the information gathered for this case, during the period from March 1^st to March 26^th   “Orange România” has been contracting remote contracts with new costumers that included a clause stating that the costumers are informed and that they agreed to the collection and processing of their personal identification documents in the company for customer identification basis. However, a pre-ticked box has been added to this clause to indicate that the person agrees to this clause. Finally, in order for the customer to object to the processing and collecting of such data, “Orange România” required the customer concerned to declare in writing that he did not consent to the collection or storage of copies of his identity document.

While analyzing the circumstances, the CJEU noted that, in accordance with recital (32) of the General Data Protection Regulation (hereinafter “GDPR“), consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her. Such actions could be performed by checking a checkbox for example in a contract or other act which makes it clear that the data subject consents to the proposed processing of his or her personal data. The CJEU also stated, in accordance with the provisions of recital (42) of the GDPR, that consent should not be considered to have been given voluntarily if the data subject does not in fact have a free choice or cannot refuse consent or withdraw consent without harm.

Thus, the CJEU ruled that “Orange România” actions in obtaining consents for the processing of their customers’ data were unlawful because:

– “Orange România” as data controller, ticked the checkbox before the signing of the contract;

– such a clause a the contract misleads the customer, as a data subject, as to the possibility of concluding the contract in question, even if he refuses to give his consent to the processing of his data;

– “Orange România” unreasonably restricts the free choice to object to the collection and storage of such personal data by requiring the customer, in order to refuse consent, to provide additional written confirmation of such refusal.

What can we learn?

Before collecting personal data, we would suggest to assess the legal basis for the processing of such data. Article 6 (1) of the GDPR sets out 6 basis for the lawfulness of data processing, however, consent should be used as a legal basis in cases where it is not possible to apply other basis for the processing of personal data.

Article 4(11) of the GDPR stipulates that  the consent of the data subject “means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or he”.

European Data Protection Board (hereinafter – “EDPB”) in its guidelines No. 05/2020 specifies that the consent should meet the criteria below:

– the consent should be freely given;

– the consent should be specific;

– the consent should be informed;

– the consent should be an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Also, EDPB identifies the following cases as inappropriate forms of consent:

– silence or inactivity;

– pre-ticked checkboxes;

– an indication that consent is given when the data subject is continuing to browse the website.

Thus, we would recommend that when the data controller is assessing the form and content of the data subject’s consent follow, he should follow the criteria set out in the EDPB guidelines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances

Prepared by ECOVIS ProventusLaw attorney at law Loreta Andziulytė and ECOVIS ProventusLaw associate Andrius Karmonas