CJEU - C-61/19 - Orange Romania

From GDPRhub
CJEU - C-61/19
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(11) GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Article 2(2)(h) Directive 95/46
Article 6 Directive 95/46
Article 7 Directive 95/46
Article 32 Law No 677/2001 on the protection of persons with regard to the processing of personal data and on the free movement of such data (Romanian Data Protection Act)
Decided: 11 November 2020
Parties: Orange România SA
Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Case Number/Name: C-61/19
European Case Law Identifier: ECLI:EU:C:2019:801
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

The CJEU ruled that consent is not valid if a contract contains a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of his or her ID for identification purposes, when the contract could be misleading as to the possibility of concluding the contract if the customer refuses to consent to the storage of the ID. Consent is also not valid if data subjects must complete an additional form setting out that refusal.

Facts

Orange  România SA is a  provider  of mobile  telecommunications  services on  the  Romanian market. On 28 March 2018, the Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (national Romanian data protection authority; ‘the ANSPDCP’), based on Article 32 of Law No 677/2001 (Romanian Data Protection Act) imposed an administrative penalty on Orange România (a provider of mobile telecommunication services on the Romanian market) on the ground that copies of the identity documents of its customers had been obtained and stored without their express consent. The DPA also ordered the controller to destroy already existing copies of the IDs.

Orange România had requested consent for this data processing from its customers by giving them the opportunity to refuse their consent in handwritten form. Some of the contracts for mobile telecommunication services had a pre-ticked box signaling the consent to the storage of ID copies, while other did not. In order to signal that they do not give their consent to the storage of the ID copies, the customers had to fill out an additional form before the conclusion of the contract.

Orange România appealed against the ANSPDCP's decision before the Tribunalul Bucureşti (Regional Court, Bucharest, Romania) which then requested the CJEU'S preliminar ruling on the following questions:

(1) For the purposes of Article 2(h) of Directive 95/46, what conditions must be fulfilled in order for an indication of wishes to be regarded as specific and informed?"

"(2) For the purposes of Article 2(h) of Directive 95/46, what conditions must be fulfilled in order for an indication of wishes to be regarded as freely given?

The opinion of the Advocate General

The Advocate General (Maciej Szpunar) assessed the case both under the Directive 95/46 and under the GDPR and came to the same opinion under both legal frameworks:

Assessing the meaning of "freely given" and "informed" consent, he argued that "freely given consent" necessitates active, rather than passive behaviour. The data subject needs to enjoy a high degree of autonomy when choosing whether or not to give consent. Consent in the form of a preselected tick of a checkbox cannot imply active consent on the part of the data subject dealing with a physical document which he or she ultimately signs. "Informed consent" means, that there must not be any room whatsoever for any doubt that the data subject was not sufficiently informed.

On the burden of proof whether or not the data subject has given valid consent, the Advocate General reached the conclusion that it is for the controller to demonstrate that the data subject has consented to processing of his or her data (Art 7 (1) GDPR). This is equally true under Article 7(a) of the Directive 95/46, which required that the data subject has unambiguously given his or her consent.

On the consent form used by Orange România in its customer contracts, the Advocate General stated that the requirements of "freely given" consent has not been met: Obliging a customer to state in handwritten form that he or she does not consent to a processing (here i.e. copying and storing of his or her ID card) does not permit freely given consent. The customer is put into a situation in which he or she perceptibly deviates from a regular procedure which leads to the conclusion of a contract. Also there has been no "informed consent" as it is not made clear to the customer that a refusal to the processing at hand does not make the conclusion of a contract impossible.

In conclusion the Advocate General proposed that the CJEU answer the questions referred by the Tribunalul Bucureşti as follows:

"A data subject intending to enter into a contractual relationship for the provision of telecommunication services with an undertaking does not give his or her ‘consent’, that is, does not indicate his or her ‘specific and informed’ and ‘freely given’ wishes, within the meaning of Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and of Article 4(11) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), to that undertaking when he or she is required to state, in handwriting, on an otherwise standardised contract, that he or she refuses to consent to the photocopying and storage of his or her ID documents."

The decision of the Court

The Court decided that a contract for the provision of telecommunications services which contains a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of his or her identity document for identification purposes is not such as to demonstrate that that person has validly given his or her consent, as provided for in those provisions, to that collection and storage, where

–        the box referring to that clause has been ticked by the data controller before the contract was signed, or where

–        the terms of that contract are capable of misleading the data subject as to the possibility of concluding the contract in question even if he or she refuses to consent to the processing of his or her data, or where

–        the freedom to choose to object to that collection and storage is unduly affected by that controller in requiring that the data subject, in order to refuse consent, must complete an additional form setting out that refusal.

Comment

The decision shows similarities with the Planet49 case, C‑673/17, EU:C:2019:801. The Court refers to Planet49 on multiple occasions with regards to the standard of valid consent.

Link of the Advocate General Opinion.