Wednesday 9 October 2019

The CJEU rules on consent to cookies under data protection law




Lorna Woods, Professor of Internet Law, University of Essex

Last week’s CJEU ruling in Planet49 is an important Grand Chamber decision concerning the use of cookies and the meaning of consent under the e-Privacy Directive, read in the light of the Data Protection Directive and also the General Data Protection Regulation (Regulation 2016/679) (GDPR). The judgment is therefore relevant for understanding the cookie obligations in the new regime as well as the old.

Judgment

The case concerned an online lottery. To participate, users had to enter their name and address and were shown two checkboxes relating to consent for data processing. The first consent pertained to users being contacted by third parties for promotional offers. The second consent pertained to cookies being dropped on users’ browsers in connection with participation in the online lottery. While Planet49 sought consent for the third-party promotional offers through the use of an unticked box, the box for the use of cookies was pre-ticked. Two questions were referred: whether the use of pre-ticked boxes gave consent; and what information needed to be supplied to provide clear and comprehensive information to the user.

The e-Privacy Directive provides that users must consent to the use of cookies, and consent has the same meaning as in the Data Protection Directive (Recital 17 and Article 2(f) e-Privacy Directive) and now the GDPR. The Data Protection Directive required an ‘indication’ of the user’s consent which, as the Advocate General pointed out ([AG60], cited by the Court [para 52]), requires the user to do something active to signal consent rather than remain passive. Further, only active behaviour can satisfy the requirement that consent must be unambiguous [para 54].

The Court also referred to the ‘legislative origins’ of the cookie provision (Article 5(3) e-Privacy Directive), noting that before the provision’s amendment in 2009, the provision gave the user the right to refuse cookies [para 56]. The Court concluded that consent was not valid if pre-ticked boxes were used.  If that was the case under the Data Protection Directive, it remained so under the GDPR, given that its definition of consent is more stringent than that under the Data Protection Directive.  The Court noted that:

according to recital 32 [GDPR], giving consent could include ticking a box when visiting an internet website. On the other hand, that recital expressly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting consent [para 62].

The Court noted that the referring court did not ask whether making consent to such processing a precondition for participation in the lottery satisfied the requirement for consent to be ‘freely given’, and therefore the ECJ did not answer that question.

Given that the e-Privacy Directive is not just about personal data, the referring court asked if the meaning of consent was the same should data other than personal data be in issue. While it was accepted that the data in issue constituted personal data, in line with the approach of the Advocate General and relying on Recital 24 of the e-Privacy Directive, the Court commented:

that Article 5(3) of Directive 2002/58 refers to ‘the storing of information’ and ‘the gaining of access to information already stored’, without characterising that information or specifying that it must be personal data [para 68].

In response to the referring court’s questions as to whether the information the user must be given includes the duration of the use of cookies and whether or not third parties may have access to those cookies, the Court referred to the general obligation that the user be given ‘clear and comprehensive information’ [para 73]. The Data Protection Directive and now the GDPR list certain information that must be given; this does not include duration. The Court noted that these lists were not exhaustive and that a long duration of operation for cookies would mean that a lot of data would be collected. In support of the argument that information on duration should be given, the Court noted that the GDPR requires the controller to provide information about how long personal data will be stored.

Comment

The ruling will have significant implications for those who obtain data relying on cookies, as the Court has confirmed that ‘active consent’ is required. While this is clear on the face of the GDPR it was less so under the Data Protection Directive. Given that the Data Protection Directive has already been repealed and the GDPR is now in force the consequences – save for those already legally embroiled on this point – might be thought to be limited.  Nonetheless, this is a clear affirmation of the fact that the GDPR definition of consent applies in the e-Privacy Directive.

Given that the Court interpreted the meaning of consent through the lens of the GDPR as well as the Data Protection Directive, it is also the first ruling on consent under the GDPR.  Further, the ruling might be seen as part of a more general push-back against ‘surveillance capitalism’ techniques constituted by a number of investigations currently ongoing in various Member States (and note the recent guidance from the ICO on use of cookies). 

As an aside, it is also worth noting the broader scope of the e-Privacy Directive: it is not limited to personal data but extends to the ‘private sphere of individuals’, that private sphere encompassing users’ ‘terminal equipment’. This means that national rules should not be less strict if no personal data is in issue. The Court reminds us also that the protection in the e-Privacy Directive is not limited to cookies but extends to ‘hidden identifiers and other similar devices’ [para 70]. Presumably then these techniques also require active consent. Of course, this ruling relates to the e-Privacy Directive; it remains to be seen what the position will be should the proposed ePrivacy Regulation ever be agreed.

The final point to note is the issue surrounding ‘freely given’. The German court did not raise the question of whether requiring consent as a pre-condition for accessing the service would be permissible and the Court did not answer it of its own volition. This presumably will come before the Court another day.

Photo credit: pcmag
