The Court of Justice of the European Union (CJEU) recently issued its ruling in the Case C-61/19 Orange România SA v Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP). The case was a preliminary reference to the CJEU by a Romanian court in relation to the interpretation of provisions relating to consent contained within the Data Protection Directive (Directive 95/46/EC) and the General Data Protection Regulation (GDPR). Ultimately, the CJEU held that a data subject’s consent must be freely given, specific, informed and unambiguous, and consent is not valid where a checkbox granting consent is pre-ticked by the data controller.

Background

Orange România SA (data processor) is the provider of mobile telecommunication services. In March 2018, it was discovered that the company had issued contracts to customers (data subjects) stating that the customers had been informed and consented to the collection and storage of copies of their identity documents. However, the relevant clause within the contract had already been ticked by the company prior to it being signed by the customer. After investigation, the Romanian data protection authority fined Orange România.

The company brought proceedings before the court in an action against the fine. The matter was then referred to the CJEU on several points, including whether ‘free’ and ‘informed’ consent was given by the customers despite the contractual clause already being ticked by the company.

Preliminary reference

As set out in Directive 95/46, data processing may only take place if one of the six criteria applies. As identified by the CJEU, for the purposes of Orange România, the criterion which applied was the existence of unambiguous consent of the data subject. As such, the company could process data where there was unambiguous consent from the data subject. The CJEU then had to decide whether this provision correctly applied by determining whether valid consent was given by the customers.

The CJEU found that the data subject’s consent must be ‘freely given, specific, informed, unambiguous’, and had to be given through their ‘active behaviour.’ The court ruled that the consent clause contained within the contract which stated that customers consented to the collection of storage of their identity documents does not mean that the customer has validly consented, particularly when the box referring to the specific clause had been pre-ticked.

The court also went on to highlight other instances in which valid consent would not be obtained by data controllers. This includes where the customer is misled about whether they can conclude the contract if they refuse to consent to the processing of their data or where the ability to object to the processing of their data is affected by the requirement to complete an additional form setting out the refusal.

The ruling has been sent down to the national court to decide how to move forward with proceedings.

Lessons to learn

In effect, Orange România’s contract misled customers into thinking that consent was a prerequisite to concluding the contract and the company failed to allow customers to actively consent to the processing of their data. Moreover, instead of ensuring that the customer took active steps to provide consent, the company made customers take active steps to withdraw consent by requiring them to declare their objection in writing which, the CJEU felt, unduly affected the freedom to choose to object.

Many lessons can be taken from this case for organisations processing data. Firstly, if organisations are relying on data subjects providing consent, they need to ensure that the consent is freely given, specific, informed and unambiguous. This can be done by ensuring that data subjects are aware of all the relevant information and are not misled as to the consequences of a failure to consent. Secondly, organisations should ensure there is active behaviour on the part of the data subject, whether it is signing or ticking a box confirming that they consent to their data being processed. Finally, organisations need to ensure that there is an opt-out mechanism for data subjects, and this process should be as simple as possible to avoid unduly affecting a data subject’s freedom to object to the processing of their data.

In summary, if relying on consent:

  • Ensure you receive freely given, specific, informed, unambiguous consent
  • Ensure consent is given through the data subject’s active behaviour
  • Ensure there is a simple opt-out mechanism

How can we help?

For further information on consent requirements and potential liabilities under data protection law, please get in touch with our specialist GDPR & Cyber Security team.

This article was co-written by Haris Saleem, Trainee Solicitor.