CJEU - C-673/17 - Planet49

From GDPRhub
Revision as of 00:42, 18 January 2020 by Ms (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C-673/17 Planet49
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: ePrivacy Directive 2002/58/EC

Article 6 GDPR

Directive 95/46/EC

Decided: n/a
Published: n/a
Parties: Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V

v.

Planet49 GmbH

Case Number: C-673/17
European Case Law Identifier: ECLI:EU:C:2019:801
Referring Court: BGH Germany (Federal Court of Justice)
Language: 24 EU Languages
Original Source: CURIA

On 1 October 2019 the Court decided on the Planet49-case. The decision concerns the legal framework applicable to cookies and user consent.

English Summary

Facts

A German company called Planet49 organized an online lottery hosted on their webpage. In order to participate in the lottery the participant had to enter a name and an address. Underneath the input field there were two checkboxes. The first checkbox required the user to accept being contacted by firms for promotional offers. The second checkbox required the user to consent to cookies being installed on the participants computer. The first checkbox was not pre-ticked, while the second checkbox was. To participate in the lottery the user had to tick, at least, the first checkbox.

The Federation of German Consumer Organisations (the “Bundesverband”) initated court proceedings against Planet49, claiming that the declaration of consent did not meet the requirements for a freely given and informed consent.

The case reached the Federal Court of Justice (“Bundesgerichtshof”), which referred questions regarding the scope of consent under provisions of the Data Protection Directive 95/46/EC, the ePrivacy Directive 2002/58/EC, and the GDPR to the CJEU.

The case was referred to the Court of Justice on 5 October 2017 - before the GDPR became applicable on 25 May 2018. As the Bundesverband sought an injunction to prevent Planet49 from continuing its practices in the future, the Court’s decision takes into account the requirements for consent on the basis of both the Directive 95/46/EC and the GDPR.

The decision of the Court

The Court assessed the requirements for a valid consent under both Directive 95/46/EC and the GDPR and found that there were no substantial differences between them, noting however that the GDPR explicitly states requirements that need to be inferred under Directive 95/46/EC. As the Court notes, the notion of consent under the ePrivacy directive should have the same meaning as consent under Directive 95/46/EC and the GDPR.

Consent

A key question posed by the referring court in relation to the consent requirement was whether consent could be “passive” or if it had to be “active”. The Court concluded that a key component of a valid consent is that the consent is given by a clear affirmative act. Requiring the user to untick a box to “opt-out” is not sufficient. The Court emphasized that inaction is insufficient to establish whether the consent is a “freely given and informed decision”. The Court concludes on this basis that Planet 49’s consent model was inadequate with regards to securing a compliant consent to place cookies on the user’s device. The Court’s conclusion follows from reading Article 5(3) of the ePrivacy directive in conjunction with Article 2(h) of Directive 95/46/EC, and noting that active consent is now regulated under GDPR. For the consent to be valid, it must be “given” on the basis of “clear and comprehensive information” communicated to the user. The requirement for the information to be “clear and comprehensive” implies that in cases where the cookie aim to collect information for advertising purposes, there should be information about “the duration of the operation of cookies and whether or not third parties may have access to those cookies”. Worth noting here is that the Court explicitly reference Article 13 of the GDPR and Article 10 of Directive 95/46/EC as the relevant framework for determining which information should be provided to the user.

The ePrivacy directive and GDPR

The German law transposing the ePrivacy directive establishes a difference between the collection of “personal data” and other data. The Court referenced the earlier opinion of the AG, noting that the AG correctly interpreted the provision to protect the user from any privacy interference, irrespective of whether that interference concerns personal data or other data. The obligation to secure a valid consent for the placement of cookies is therefore applicable regardless of the legal status of that information. A consequence of this view is that the German incorporation of directive 2002/58 is not fully in line with the directive. It is worth highlighting that Article 5(3) of the ePrivacy directive carves out an exception for the consent requirement for cookies that are “strictly necessary” to provide the service as requested by the user. In broad strokes, this means that so-called “functional cookies” that are essential for browsing and using the website, typically for holding items in the cart while browsing a web shop, are exempt for the consent requirement (most often first-party session cookies).

Comment

The decision does not come as a big surprise. In its decision, the Court clarifies the notion of consent and connects consent under the e-Privacy directive, the DPD and the GDPR. While it’s hardly a surprising decision, a clear judgement on these issues might force some companies to change their policy regarding information gathering. Unfortunately, the Court concluded that it was not necessary to decide whether the requirement for a consent to be “freely given” was compatible with demanding that the user consented to having third-party tracking cookies placed on their device to participate in the lottery.