The GDPR has put in place information obligations on those responsible for processing user data as well as various constraints. One of these constraints is the obligation to obtain the consent of the person concerned by the use of the data. But how should this consent be obtained?
The judgment of the CJEU on the matter of November 11, 2020
On November 11, 2020, the CJEU rendered a judgment in which it clarified the terms and conditions to be observed when collecting consent under the GDPR.
In this case, the telecommunications service provider Orange România brought an appeal against a decision of the Romanian data protection authority pronounced on March 28, 2018. By this decision, the supervisory body sanctioned the company Orange for having kept copies of the identity documents of its new customers following the conclusion of new contracts for mobile telecommunications services, without having obtained the consent of said customers. These contracts were concluded prior to the enactment of the GDPR.
The contracts contained clauses according to which the customer was informed and gave his consent to the retention of official documents containing personal data for identification purposes as well as to the processing of his personal data. The client made this declaration of consent by means of a checkbox. However, according to the findings of the Bucharest court, some contracts already contained a cross in the checkbox, while in others the cross was missing.
In view of these elements, the national courts have been led to put two preliminary questions to the Court of Justice of the European Union.
The issues of the judgment
The first question which arises is: “Within the meaning of Article  (h) of Directive 95/46, what are the conditions which must be fulfilled in order to be able to consider that a manifestation of will is specific and informed?”
Next, the judges asked: “Within the meaning of Article 2 (h) of Directive 95/46, what are the conditions which must be fulfilled in order to be able to consider that a manifestation of will is freely expressed?”
The two questions were examined jointly by the Court. More simply, the national judges ask on what criteria they should rely to determine that the manifestation of will is the expression of a consent given in a free and informed manner by the customers, with regard to the GDPR.
First, the European judges recall the context in which the decision was rendered: the Romanian data protection authority issued its decision prior to the entry into force of the GDPR. The Romanian data protection authority not only fined Orange România but also ordered it to destroy the copies of the identity documents in question. The CJEU considered that the GDPR was applicable in the present case.
Then, concerning the methods of collecting consent in European law, the European judges first looked at the interpretation of the GDPR. They recalled that Directive 95/46 defines consent as “any free, specific and informed manifestation of will by which the data subject accepts that personal data concerning him / her may be processed” (Article 2, point h). And in accordance with Article 7 (a), the person must have “unambiguously given consent”. From these two concepts, it emerges that the data subject must take an active approach in manifesting consent for it to qualify as such within the meaning of the GDPR.
The limits of the GDPR
The GDPR was reformed by a regulation of April 27, 2016, and the concept of consent was taken even further. Indeed, the wording of Article 4 (11) of that regulation, which defines “consent of the data subject”, appears even stricter than that of Article 2 (h) of Directive 95/46, in that it requires a “free, specific, informed and unambiguous expression of will by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him / her may be processed”. This required positive act must mark the data subject’s acceptance of the processing of their personal data.
Thus, the GDPR in force today expressly provides for active behavior in the issuance of consent. On this notion of active behavior, the European judges consider that it cannot be given “in the event of silence, boxes checked by default or inactivity”. The Court reiterates that the burden of proof of the granting of consent rests on the controller. In this case, it is the responsibility of Orange România to demonstrate that their co-contractors have consented to the processing and storage of their data.
But in the present case, the Court considers that the clients do not seem to have been able to manifest their consent through active behavior because the box which had to be checked to externalize the consent was already checked. Consequently, there is nothing to establish that customers are aware of the methods of use of their personal data. It emerges from this judgment that the request for consent concerning the processing of user data must be presented “in a form which clearly distinguishes it from other contractual clauses” when it is requested in the context of a written declaration which concerns questions other than that of data processing. It is up to the trial judges to decide whether expressing consent through a checkbox can be considered specific consent.
Finally, one of the fundamental concepts mentioned in this judgment is the “free” nature of consent: by checking the box which, originally, was intended to allow consent to be expressed, the Orange România company requires of its customers a written declaration in which they oppose the collection of their data. For the European judges, “the free choice to oppose this collection and this conservation is unduly affected by this person in charge, by requiring that the person concerned, in order to refuse to give his consent, fill out an additional form stating this refusal.”
In addition, customers are not informed of the consequences that refusing the collection and retention of copies of their identity documents has on the conclusion of a contract with Orange România. Thus, “the contractual provisions of said contract are likely to mislead the data subject as to the possibility of concluding the contract in question even if he refuses to consent to the processing of his data”.
The issues of the Orange România judgment in relation to the GDPR
As a result, with this judgment, the CJEU has strengthened the requirements for obtaining valid consent under the GDPR by specifying three points. First, it requires that people be informed of the consequences of their consent and how the data will be processed. Then, it requires data controllers not to mislead the persons concerned by the data processing on the possibility of refusing the processing operations while concluding the service agreement. Finally, it prohibits data controllers from requiring that individuals fill out forms or take any other specific measure to be able to refuse the processing of their data.
It emerges from this solution that the essential condition for being able to collect and process clients’ identity documents is the collection of their consent. The GDPR provides for an exhaustive list of cases in which data processing can be considered lawful. For example, the processing of personal data is lawful when it “is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the latter’s request”. Couldn’t the Orange România data controller have relied on this contractual necessity to collect the identity documents? Or could he not have demonstrated a legitimate interest in collecting the data? The judges provide no response on this point: the judgment remains silent on the other conditions allowing data controllers to lawfully collect user data.
A continuing case law in the field of IT
What are the consequences of these decisions for German websites? Platform managers must ensure that users of the platform have full access to information relating to cookies. Then, it is necessary to ensure that the user behaves actively in expressing his consent to his data being disclosed; for example, checking a box or pressing a cookie validation button may meet this criterion. Finally, a company should never access a user’s personal information without first ensuring that the user has consented to its disclosure.
Following this first judgment, on May 4, 2020 the European Data Protection Board published guidelines on consent within the meaning of the GDPR in which it confirms the orientation of the CJEU. It clarifies what is valid consent and confirms that it is illegal to use a “cookie wall” as a means of obtaining consent. What is valid consent under the EDPB guidelines? The authority sets four criteria for consent to be considered valid: it must be freely given, specific, informed and unambiguous. It is now necessary to define more precisely what these four criteria consist of.
A different solution in Swiss law
European law differs fundamentally from the Swiss system which provides, by the Federal Data Protection Act of 19 June 1992, that telecommunications service providers must, in the context of mobile communication services, verify “the identity of the user by means of a passport, an identity card or a residence permit” when the means of access are given or the service is activated for the first time. In addition to this verification, Swiss regulations establish a legal obligation to retain customer information: “A legible copy of the identity document must be kept.”
Nevertheless, there are many similarities between Swiss law and European law. Indeed, as in European law, Swiss law places the concepts of “freedom” and “information” at the heart of the definition of consent by considering that “the person concerned validly consents only if they express their will freely and after having been duly informed”. Consent is a way of overcoming the legal prohibition on data disclosure: through the free and informed will of the data subject, it is possible to communicate personal data. Swiss regulations provide an additional clarification regarding “sensitive data”: “his consent must also be explicit”. European regulations are much less precise: “This regulation also leaves Member States a margin of maneuver to specify its rules, including with regard to the processing of special categories of personal data (hereinafter referred to as “sensitive data”)”. It is therefore necessary to examine the regulations of each state to know how this data can be used.
Eternoscorp remains at your disposal to assist you in processing your users’ data in accordance with applicable regulations.