As the proceedings concerned an order to refrain from future behavior, the Court decided to take into consideration both the pre-GDPR Directive 95/463 (along with "ePrivacy Directive" 2002/584 and "Cookie Directive" 2009/1365) and the GDPR.
1. Active consent (opt-in vs. opt-out)
When considering whether valid consent could be given using a pre-checked box, the Court conducted a thorough analysis of the wording and legislative context of Article 5(3) of the ePrivacy Directive. This provision provides that the user must have "given his or her consent." According to the CJEU, this wording alone implies that an affirmative action is required by the consumer.
Moreover, the Court found that the legislative history of Article 5(3) supports the notion that consent must be the result of an actively expressed decision by the user. Article 5(3) originally gave the user a "right to refuse." The Cookie Directive amended this right to require that the user "giv[e] his or her consent," which suggests that the user must take an affirmative action to express their consent. In this regard, the Court referred to Recital 17 of the ePrivacy Directive, which states that a user's consent can be given "by any appropriate method" enabling a "freely given [...] indication of the user's wishes, including by ticking a box when visiting an Internet website."
The Court also considered the definition of consent in Directive 95/46 (to which Recital 17 refers), describing the data subject's consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."6 The CJEU held that an "indication" of the consumer's wishes requires active, rather than passive behavior. In particular, the Court argued that – absent active user behavior – it would be practically impossible to ascertain whether the non-removal of the pre-checked box shows actual consent, or whether the user had simply not noticed or ignored the checkbox and the related information. According to Art. 7 of Directive 95/46, however, legitimate consent must be "unambiguously given," a condition that would not be fulfilled in this instance.
Referring to the GDPR which replaced Directive 95/46 as of May 25, 2018, the Court held that its interpretation applies a fortiori under the new law. Consent is defined even more stringently in Article 4(11) GDPR than it was in Directive 95/46, requiring that it must take the form of a "freely given, specific, informed and unambiguous" statement or other "clear affirmative action."
Consequently, only opt-in cookie notices, where the user has to actively agree to the collection and use of their information, meet the legal standard.
2. Informed consent
3. No "personal data" requirement
4. Adequacy of Germany's national implementation of the ePrivacy Directive
Separately from the main point of discussion, Advocate General Szpunar in his March 21, 2019 opinion8 seemed to indicate that Section 15(3) of the German Telemedia Act (TMG) falls short of European legal requirements and may not actually be an adequate implementation of Art. 5(3) of the ePrivacy Directive.9 Where Article 5(3) of the ePrivacy Directive requires consent, Section 15(3) TMG allows a service provider to create user profiles using pseudonymized data10 and to employ such data for marketing purposes, provided the user does not object – i.e., without the actively given indication of the user's wishes which the CJEU now regarded as necessary to constitute valid consent.
Thus far the German government considered Sections 12 and 15 TMG, in combination, to sufficiently implement Article (5)3 of the ePrivacy Directive11. However, the Conference of German Data Protection Authorities (DSK)12 disagrees and emphasizes, in particular, that the creation of user profiles under Section 15(3) TMG may involve the use of stored data such as cookies, so that Article 5(3) of the ePrivacy Directive applies – with the consequence that user consent would be required. 13 The mere possibility to object would be insufficient to voice such consent (as the CJEU now confirmed). While the Court itself did not further elaborate on that particular point of implementation, the Advocate General appears to agree with the DSK that Section 15(3) TMG does not "fully transpose" Article 5(3) of the ePrivacy Directive into German law.14
While the CJEU has encouragingly clarified that consent requires an active opt-in (a position that has been the prevailing view in Germany for years), open issues remain. In particular, tying consent to the provision of a service (here: participation in the lottery) raises further questions. The CJEU only touched upon the issue of compatibility of such a coupling mechanism with the requirement that consent has to be freely given, but refrained from commenting on this dimension of the case since it was not part of the questions presented to it. The Advocate General in his opinion pointed to Article 7(4) GDPR, which requires that, when assessing whether consent is freely given, "utmost account" should be taken of whether the provision of a service is conditional on consent to the processing of data which is not necessary for the provision of such service. The Advocate General left this question to the competent courts but held that, as the purpose of participation in the lottery is the selling of personal data to sponsors, in his view, the provision of such personal data appears necessary for participation in the lottery.
In light of the Advocate General's view on the current shortcomings of Art. 15(3) TMG in agreement with the DSK, it remains to be seen whether further legislative activity will address these concerns in the future.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,
4 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
5 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending, inter alia, Directive 2002/58/EC.
6 Art. 2(h) Directive 95/46/EC.
7 Art. 5(3) ePrivacy Directive also allows, without the user's consent, "technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".
8 Advocates General are members of the CJEU who assist the Court by providing impartial opinions on the Court's cases. They do not take part in the decision-making and their opinions are not binding on the CJEU, but are generally understood to carry considerable weight. As a matter of principle, the opinion of an Advocate General is sought whenever a case concerns a new point of law.
9 Verbraucherzentrale Bundesverband v. Planet49 (Case C-673/17), opinion of Advocate General Szpunar – available here. The German Federal Court of Justice also indicated in its referring decision that there was no implementation act by the German legislator following the ePrivacy Directive.
10 Pseudonymized data still qualifies as personal data; cf. GDPR, Recital 26.
12 The DSK is an independent council consisting of the German Federal and State data protection authorities. Its main task is to ensure a unified approach to national and European data protection law and guard the fundamental data protection rights. The DSK regularly issues guidelines, opinions and resolutions. While the DSK's decisions are not binding on the German government or courts, its views are considered authoritative for the lawful application of data protection law.
14 Fn. 8. See in particular para. 109.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.