Under the 1995 European General Data Protection Directive, ‘consent’ was usually considered the key solution, capable of putting marketers on the safe side with their commercial communication targeting prospective customers. Nowadays, after the coming into force of the General Data Protection Regulation (on May 25, 2018), the focus on ‘consent’ as the primary method for directing promotional messages to individuals is somewhat ‘fading’, as the GDPR considers it just one of the various grounds for legally processing personal information.
Although both national DPAs and the (then existing) Article 29 Working Party (nowadays replaced by the European Data Protection Board) had been keen to offer detailed guidelines on how to achieve an individual’s valid agreement to the processing of his/her personal data, consent has always been something of a ‘problem child’. This is because marketers tended to seek simple and easy ways to overcome the nuisance of giving proper notice about the purposes of collecting data and of obtaining consent for such processing. Hence, they are easily induced to read the guidelines with their minds focused on that goal (of obtaining consent in a quick, simple and non-intrusive way).
What proper consent should look like in the Regulators’ view.
In the light of the (then) upcoming GDPR, the Article 29 Working Party adopted – on November 28, 2017 – specific guidelines on consent under EU Regulation 2016/679. The WP’s successor (i.e. the European Data Protection Board – EDPB) revisited those guidelines on April 10, 2018.
According to that document, an individual’s ‘valid consent’ to the processing of his/her personal information needs to meet a range of essential requirements (which a controller must be capable of demonstrating to a supervisory authority).
Specifically, consent, to be considered as validly obtained, must be “.. freely given, specific, informed” and result in an “unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4 of the GDPR).
The guidelines then go on to detail all these elements by explaining that:
- ‘freely given’ means that a data subject must have a ‘real choice’, without any negative consequences in case of denial of consent and without bundling consent up “.. as a non-negotiable part of terms and conditions ..” (it is expressly noted that when consent is sought for “.. multiple processing operations for more than one purpose”, free choice implies that data subjects must be enabled to specify separately to which purpose of collection and processing they agree),
- consent is deemed to be ‘specific’, when data subjects, after having received a detailed in-advance notice about all purposes of the planned processing, can separately select each of the purposes they agree with,
- consent is considered ‘informed’, when data subjects – prior to the collection of consent – have been provided with adequate information about the data collector, the type of data to be used, the purpose of the processing (or the purposes in case of multiple processing), their right to withdraw consent, the potential risks of data transfers and the possible use of data for automated decision making,
- “consent requires a statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular processing”, where a ‘clear affirmative act’, implying valid consent, means that “the data subject must have taken a deliberate action to consent to the particular processing” and where such active determination may be collected “.. through a written or (a recorded) oral statement, including by electronic means”. While the guidelines concede that controllers benefit from broad liberty in developing consent mechanisms that suit their organizations best and – at the same time – fulfill the GDPR’s requirements, they also urge controllers to acknowledge – and to address efficiently – the phenomenon of ‘click fatigue’ (meaning that “.. when encountered too many times, the actual warning effect of consent mechanisms is diminishing”) and the – also not infrequent – situation “..where consent questions are no longer read”.
Finally, the guidelines recall that, aside from the requirements for ‘regular’ consent, ‘explicit’ consent is necessary any time a ‘serious data protection risk’ is likely to occur. The reference is intended to cover situations calling for a ‘high level of individual control’ over the personal data delivered (i.e. when special categories of data are processed, when data are transferred to third countries or international organizations, when automated individual decision making – such as ‘profiling’ – is performed).
The guidelines contain an interesting indication as to the relationship between consent requirements under the GDPR and those deriving from the provisions of the ePrivacy Directive (i.e. Directive 2002/58/EC, at the time of the guidelines’ publication – but also currently – under review). In the Regulator’s view, consent under the ePrivacy provisions is to be understood as identical to the consent requirements set, previously, by Directive 95/46 and, nowadays, by the GDPR. Hence, consent requirements “under the GDPR are not considered to be an ‘additional obligation’, but rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive”. Marketers will be well advised to give proper consideration to this indication when conceiving and executing their promotional campaigns.
Moving from theory to practice.
While these indications from the Article 29 WP (now the EDPB) are detailed and appear to be clear and specific, they have sometimes turned out to be ‘problematic’ when they need to be applied in daily life.
There is still room for some ‘interpretation’, which may give rise to conflicting results, as the following example attests.
A reading of the Italian Highest Instance Civil Court.
In July 2018, the First Chamber of the local Highest Instance Civil Court delivered a decision on a case dealing with a company’s marketing practices, which had been questioned – and sanctioned with a cease injunction – by the local DPA for lack of ‘freely given’ and ‘specific’ consent from the targeted individuals. Specifically, the DPA took issue with the fact that a company providing a newsletter service with information about financial, fiscal, legal and labor topics forced subscribers to that service to agree – by flagging a checkbox in the course of the initial registration – to the delivery of (third parties’) commercial communication. Without such acceptance, the registration process could not be completed, making the service unavailable to the potential subscribers.
As the company had successfully opposed the injunction before a First Instance Court, the DPA filed an appeal and the case ended up in front of the Highest Instance Civil Court. While the case presents no particular complexities, a few introductory comments on the legal background of the issue to be resolved appear appropriate.
In its version prior to the coming into force of the GDPR, the Italian Privacy Code required, as a general rule, valid consent to be freely given, specific (in relation to clearly identified processing), substantiated in writing and based on a detailed in-advance notice on the purposes of processing as well as on the uses of the collected data. Specifically, with respect to unsolicited promotional communications performed through automated calling systems or by e-mail, facsimile, MMS- or SMS-type messages or similar means, the Code provided for a strictly opt-in system.
The DPA’s Guidelines on Marketing and against Spam (as per July 2013) detailed that “consent obtained to send promotional communications must be free, informed, specific; it must relate to processing operations that should be set out clearly; there must be written proof of such consent ... Accordingly, consent is only valid if all the foregoing requirements are met”. In addition, the guidelines clarified that “a contracting party’s consent to promotional activities can be regarded as freely given if it does not represent the default setting or if it does not translate – even only factually or implicitly – into a precondition to obtain the product or service being offered by the data controller. For instance, consent is not free if a company makes signing up to its website and using the relevant services conditional upon giving one’s consent to processing for promotional purposes”. It was also made clear that “it is not acceptable that forms are made available where the consent checkbox is flagged by default ..” and that for multiple processing operations consent had to be sought – and achieved – “specifically for each purpose … and for each processing operation at issue ..”. Finally, in relation to commercial communication, the DPA explained that “the requirement of obtaining specific consent may be legitimately construed to entail – as regards the various marketing mechanisms - that two separate, specific consent statements be collected in respect of conventional marketing and marketing activities as per Section 130(1) and (2) of the Code, respectively; alternatively, a single consent statement may be obtained with regard to both types of marketing”. However, in such (latter) case, “the individual marketing mechanisms must be specified – i.e., it must be specified whether conventional marketing channels or the marketing methods mentioned in Section 130(1) and (2) are relied upon ..”, a requirement to be fulfilled through the information notice.
Based on such statute law and regulatory framework the DPA felt that the company’s marketing practices had failed to meet the requirements of ‘freely given’ and ‘specific’ consent, therefore serving the injunction in dispute.
On the contrary, the company argued that its consent-obtaining practices were absolutely in line with the (statute law) provisions of the Italian Privacy Code and that the DPA’s guidelines were not allowed to provide for ‘additional’ consent requirements. To this argument the Regulator objected that its guidelines had not introduced ‘additional obligations’ regarding consent but had only offered explanations about how to correctly apply the requirements laid down in the statute law provisions.
As mentioned earlier, the case is rather trivial. What is interesting (or, better, somehow peculiar) is the interpretation offered by the Court on the concept of ‘freely given’ and ‘specific’ consent. In its decision the Court felt it necessary to make a comprehensive effort to deliver its thoughts on the concept of ‘consent’, though such an exercise did not appear relevant to solving the specific case.
First, the Court explained that ‘consent’ under the privacy regulations had to be understood in a meaning significantly different from that pertaining to the concept of ‘acceptance/agreement’ in a contractual relationship; hence ‘defects of consent’ (and their potential conditioning impact on the free determination of the contracting parties) could not be transferred to the issue of invalidity of consent as construed under the provisions governing the protection of personal data.
Furthermore, the Court felt that the provision laid down in Article 7/4 of EU Regulation 2016/679, which sets out that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”, could not lead to the foregone conclusion that ANY condition for accessing a certain service is capable of rendering, per se, consent to data processing invalid because not ‘freely given’. On this premise, the Court argued that such an outcome occurred only when the ‘condition’ (in the specific case, the acceptance to receive promotional messages in order to be able to complete the registration process to the newsletter) had a real negative or detrimental impact on the data subject and related to a truly essential and irreplaceable service. Such an impact could certainly not be found in the case in dispute, where the information offered by the newsletter could be obtained – without any major sacrifice – by relying on one of the other, numerous resources available on the Internet.
Hence, it was not possible to stretch the privacy provisions (as the DPA had done in its questioned injunction) to a point where a provider of online information services would bear a general obligation to offer its services without making them conditional on the targeted individual’s acceptance to receive promotional messages.
A provider had to be free to offer or to refuse its services to potential subscribers and would logically expect remuneration when performing a service. Hence the Court’s conclusion that, in a case like the one at stake, a provider is entitled to make its services conditional on the acceptance of promotional material. What the provider cannot do is use the personal data collected during the subscription process to send commercial communication to an individual who has not made explicit that he intends to receive promotional messages.
After this enlightening reading of the concept of ‘freely given consent’ (a reading I find truly difficult to consider as in line with the wording of the privacy regulations in force), the Court focuses on the issue of whether in the case in dispute ‘specific’ consent had been obtained (a requirement, according to the Court, intrinsically connected to that of ‘freely given’ consent, to a point that consent may be considered as freely given only if combined with clear and extensive indications about the scope which the planned data collection refers to).
On this aspect the Court agreed with the DPA’s findings, as the questioned practice required a generic consent to the receipt of promotional messages (potentially originating also from third parties), without any indication about the sender of the commercial communication and without any specification of the goods/services the messages would refer to.
The lack of adequate in-advance notice about such details could not be overcome by the availability of a link on the provider’s homepage, which – if clicked – transferred visitors to a separate page, where a more detailed description of the purposes of the data collection could be found, as such a mechanism did not guarantee that the information notice was actually read.
Hence, in the case at stake, such lack of adequate – and immediately accessible – in-advance information meant that consent obtained through the mandatory flagging of an acceptance checkbox could not be considered ‘freely given’ and ‘specific’, and thus apt to allow the performed processing of personal data.
The impact of this decision.
In my opinion, this decision does not appear to be particularly helpful and capable of adding new elements to the complex topic of consent requirements for data handling in promotional campaigns. It does not offer the marketing industry an additional, general standard to rely on when construing a mechanism for the achievement of a ‘valid consent’. I also wonder whether in other cases the local Highest Instance Court will follow this precedent or will – eventually – choose a different path.
As to the DPA’s position, it has to be noted that in a recent injunction (issued on June 20th, 2019) the Regulator has ignored the above-mentioned High Court decision and has simply insisted on its previous point of view, confirming that also under the provisions of the EU Regulation 2016/679:
- consent must be freely given, specific and must be provided with respect to one or more specified processing purposes,
- consent collected through a single formula and meant to cover ‘mixed or multiple scopes’ (e.g. for data processing and for accepting certain contractual clauses or for marketing purposes) will not properly fulfil the requirements of the existing privacy provisions,
- consent will be deemed as ‘specific’ and ‘freely given’ only if unambiguously expressed in relation to all indicated purposes of the planned processing.
The absence of any reference to the decision of the local Highest Instance Court nowadays appears justified by recent case-law of the Court of Justice of the European Union. The national and international press has widely reported on the Grand Chamber decision of the CJEU (dated October 1st, 2019 in case C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände vs. Planet49 GmbH). The core findings of that decision may be summarized as follows:
- pre-ticked checkboxes cannot be held as validly achieved consent,
- when users are asked for consent, the expiration date of cookies and their sharing with third parties must be properly disclosed,
- seeking consent for bundled, different purposes is not allowed,
- consent, to be validly expressed, always requires an ‘active behavior’, i.e. it must result in a ‘freely given, specific, informed and unambiguous’ indication of the data subject’s wishes in the form of a statement or of a ‘clear affirmative action’ signifying agreement to the processing of the personal data relating to him or her,
- these requirements refer also to the consent necessary for placing cookies on a user’s device.
Consent requirements, still a problem child. Why?
Aside from the reading offered by the 2018 decision of the Italian Highest Instance Court, there are other examples revealing that proper fulfilment of the consent requirements remains a problematic topic for the marketing industry.
In Austria a newspaper offered free access to the online version on its website on condition that visitors agreed to cookie placement for advertising purposes. When consent was withdrawn, the website was no longer available. However, it was possible to subscribe to the online version against a fee, without becoming subject to tracking.
A complaint to the Austrian DPA was filed against such practice, which – in the complainant’s view – prevented visitors’ consent from being considered as freely given. The DPA dismissed the complaint[i], arguing that consent would be ‘involuntary’ or ‘forced’ only in cases where the adopted mechanism implied “a risk of deception, intimidation, coercion or significant adverse consequences”. According to the DPA, such a disadvantage was not present in the submitted case, as visitors’ tracking – when accepting cookie placement – appeared to be adequately balanced by the full access to the newspaper’s services.
Marketers will presumably feel less happy with the potential implications of a decision of the French Privacy Regulator CNIL[ii].
The case originated from an inspection performed by CNIL officials at the premises of a French adtech company, which had developed a software kit enabling the collection – for profiling purposes – of geolocation and tracking data of mobile phone users as well as technical information about the operating systems of their devices. The company had a user consent clause with standard wording in place (with the – common – three options: “Accept”, “Refuse”, “More details”), which listed among the processing purposes that of sharing the data collected with its business partners (i.e. publishers and vendors). When choosing option three, users had to specifically de-flag check boxes containing undesired uses, otherwise they agreed to all indicated purposes. Data sharing with business partners occurred through a Consent Management Platform (CMP) and by means of the “Transparency and Consent Framework (TCF)”, offered by the European branch of an international advertising association.
The CNIL took issue with such practice as it felt that the adopted mechanism was not able to provide for an ‘informed’ and ‘specific’ consent, resulting from an ‘affirmative action’.
So far, so good (and nothing particularly new). What’s more interesting is that the CNIL also objected to some aspects of the data sharing with third parties as performed on the Consent Management Platform and through the Transparency and Consent Framework. Specifically, the decision recalls that when data are passed along a chain (of business relations), it is not sufficient to rely on a contractual guarantee stating that data subjects’ consent had been originally/initially obtained in a correct way. According to Article 7/1 of Regulation 2016/679, when processing is based on consent, a controller bears a specific obligation to “be able to demonstrate that the data subject has consented to processing of his or her personal data” (basically meaning that a controller must be in a position to substantiate consent achievement over the entire processing route). Hence, such provision prevents the bundling – via a standard framework – of multiple uses under a single agreement mechanism.
If I read the CNIL’s decision correctly, it would follow that a system where ‘consent bundling’ (with subsequent partner processing) is performed via a contractual agreement is not compliant with the GDPR requirements.
The marketing industry will have to realize that we are far from having completely exploited the complexities of the GDPR.
[i] The decision is available – in local language - on the Austrian DPA’s website. Case reference number is DSB-D122.931/0003-DSB/2018.
[ii] The decision can be found – in French – on the CNIL’s website at the following URL: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000037594451&fastReqId=974682228&fastPos=2