Lorna Woods, Professor of Internet Law, University of Essex
Last week’s CJEU ruling in Planet49
is an important Grand Chamber decision concerning the use of cookies and the
meaning of consent under the e-Privacy
Directive in the light of the Data
Protection Directive but also the General
Data Protection Regulation (Regulation 2016/679)(GDPR). The judgment is
therefore relevant for understanding the cookie obligations in the new regime
as well as the old.
Judgment
The case concerned an online
lottery. To participate, users had to enter their name and address and were
shown two checkboxes in relation to consent for data processing before they
could participate in the lottery. The
first consent pertained to users being contacted by third parties for
promotional offers. The second consent pertained to cookies being dropped on
users’ browsers in connection with participation in the online lottery. While
Planet49 sought consent for the third-party promotional offers through the use
of an unticked box, the box for the use of cookies was pre-ticked. Two questions were referred: whether the use
of pre-ticked boxes gave consent; and what information needed to be supplied to
provide clear and comprehensive information to the user.
The e-Privacy Directive provides
that users must consent to the use of cookies, and consent has
the same meaning as in the Data Protection Directive (Recital 17 and Article 2(f)
e-Privacy Directive) and now the GDPR.
The Data Protection Directive required an ‘indication’ of the user’s
consent which, as the Advocate General pointed out ([AG60], cited by the Court
[para 52]) requires the user to do something active to signal consent rather
than remain passive. Further, only active behaviour can satisfy the requirement
that consent must be unambiguous [para 54].
The Court also referred to the
‘legislative origins’ of the cookie provision (Article 5(3) e-Privacy
Directive), noting that before the provision’s amendment in 2009, the provision
gave the user the right to refuse cookies [para 56]. The Court concluded that
consent was not valid if pre-ticked boxes were used. If that was the case under the Data
Protection Directive, it remained so under the GDPR, given that its definition
of consent is more stringent than that under the Data Protection
Directive. The Court noted that:
according to
recital 32 [GDPR], giving consent could include ticking a box when visiting an
internet website. On the other hand, that recital expressly precludes ‘silence,
pre-ticked boxes or inactivity’ from constituting consent [para 62].
The Court noted that the
referring court did not ask the question as to whether making consent to such
processing a precondition for participation in the lottery satisfied the
requirement for consent to be ‘freely given’ and therefore the ECJ did not
answer that question.
Given that the e-Privacy
Directive is not just about personal data, the referring court asked if the
meaning of consent was the same should data other than personal data be in
issue. While it was accepted that the data in issue constituted personal data,
in line with the approach of the Advocate General and relying on Recital 24 of
the e-Privacy Directive, the Court commented:
that Article
5(3) of Directive 2002/58 refers to ‘the storing of information’ and ‘the
gaining of access to information already stored’, without characterising that
information or specifying that it must be personal data [para 68].
In response to the questions of
the referring court as to the nature of the information the user must be given
as to the duration of the use of cookies and whether or not third parties may
have access to those cookies, the Court referred to the general obligation that
the user be given ‘clear and comprehensive information’ [para 73]. The Data Protection Directive and now the
GDPR list certain information that must be given; this does not include
duration. The Court noted that these lists were not exhaustive and that a long
duration of operation for cookies would mean that a lot of data would be
collected. In support of the argument that information on duration should be
given, the Court noted that the GDPR requires the controller to provide
information about how long personal data will be stored.
Comment
The ruling will have significant
implications for those who obtain data relying on cookies, as the Court has
confirmed that ‘active consent’ is required. While this is clear on the face of
the GDPR it was less so under the Data Protection Directive. Given that the
Data Protection Directive has already been repealed and the GDPR is now in force
the consequences – save for those already legally embroiled on this point –
might be thought to be limited.
Nonetheless, this is a clear affirmation of the fact that the GDPR
definition of consent applies in the e-Privacy Directive.
Given that the Court interpreted
the meaning of consent through the lens of the GDPR as well as the Data
Protection Directive, it is also the first ruling on consent under the
GDPR. Further, the ruling might be seen
as part of a more general push-back against ‘surveillance capitalism’
techniques constituted by a number of investigations currently ongoing in
various Member States (and note the recent
guidance from the ICO on use of cookies).
As an aside, it is also worth
noting the broader scope of the e-Privacy Directive: it is not limited to
personal data but extends to the ‘private sphere of individuals’, that private sphere
encompassing users’ ‘terminal equipment’. This means that national rules should
not be less strict if no personal data is in issue. The Court reminds us also that the protection
in the e-Privacy Directive is not limited to cookies but extends to ‘hidden
identifiers and other similar devices’ [para 70]. Presumably then these techniques also require
active consent. Of course, this ruling
relates to the e-Privacy Directive; it remains to be seen what the position will
be should the proposed ePrivacy Regulation ever be agreed.
The final point to note is the
issue surrounding ‘freely given’. The German court did not raise the question
of whether requiring consent as a pre-condition for accessing the service would
be permissible and the Court did not answer it of its own volition. This
presumably will come before the Court another day.