Planet 49

ECJ case to settle what should be common sense on cookie consent

This week ECJ Advocate General Maciej Szpunar issued his Opinion on the Planet 49 Case – a case dealing with issues which should have been sufficiently clear not to bother the Court in the first place. Namely, it is about (a) pre-checked boxes as a means of collecting consent for placing cookies; (b) whether, under the ePrivacy Directive, the same consent conditions apply irrespective of whether the storing of and gaining access to information on a user’s equipment involves processing personal data; and (c) what constitutes clear and comprehensive information about cookies. The case started in Germany in 2017, when the Data Protection Directive 95/46/EC (the “DPD”) was in force, but the preliminary questions regarding consent also refer to the GDPR.

According to the facts described in the AG Opinion, Planet 49 was organizing a promotional lottery on a website and presented 2 checkboxes to people when they wanted to participate:

1. “I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sector. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here”
2. “I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, Planet49 GmbH, sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on a user’s interests. I can delete the cookies again at any time. You can read more about this here.”

Checkbox 2: consent is not valid under the DPD or the GDPR

On the issue of the pre-ticked Checkbox no. 2, the AG is of the view that it does not constitute valid consent, either under the DPD or under the GDPR. Consent must be an active and unambiguous behaviour – these conditions are not met in the case of a pre-formulated text which requires a person to actively object to it (i.e. to uncheck the box). Moreover, consent for placing cookies must be separate and cannot be inferred from other types of user behaviour such as reading a web page, clicking on a button to participate in the lottery or watching a video. In other words, if you did not uncheck box no. 2, but hit the button to participate in the lottery, this last action would signify both consent for cookies and consent for the lottery – which is ambiguous. The same principles regarding consent also apply under the GDPR.

The AG also took the opportunity to provide clarifications on what cookies represent and underlined some useful principles on the topic of placing cookies. Although cookies can be categorised according to their lifespan or the domain they belong to, the AG says that “The validity of consent to the placement of cookies and the applicability of any relevant exemptions, however, should be evaluated based on the purpose of the cookie rather than the technical features.”

Checkbox 1: national court to assess whether participation in the lottery can be conditioned on consent

The AG considers that the national court must assess whether the processing of personal data can be considered necessary for the participation in the lottery. If so, Planet 49 can validly condition the participation on the person’s agreement that their personal data be processed for sending promotional offers. In other words, it could be that obliging users to tick box no. 1 before they can hit the button to participate in the lottery is lawful.

However, we point out that this is not an issue of consent per se. It is quite misleading to ask someone to check a box, as if asking for consent, when the processing of personal data would in fact be necessary for the performance of a contract with the data subject.

Placing cookies and processing personal data

The accessing of data from cookies placed by Planet 49 constitutes processing of personal data – this is an uncontested aspect of the case. Still, the referring national court asks whether, from the standpoint of the ePrivacy Directive requirements on consent, it makes a difference if the information stored or accessed constitutes personal data.

This question seemingly arose because of the way in which the German law transposed the ePrivacy Directive. The German Telemedia Act (TMG) article 15(3) suggested that the requirements on consent under the DPD/GDPR would not apply if the information stored and accessed would not constitute personal data.

The AG clarifies that, under the ePrivacy Directive, the conditions for valid consent (as provided by the DPD/GDPR) apply to any storing and accessing of information on a person’s device, irrespective of such information being personal data or not.

What constitutes clear and comprehensive information about cookies?

What kind of information should Planet49 have provided to users in order to obtain informed consent for placing cookies? The AG says that the functioning of cookies is technically complex and that “the average internet user cannot be expected to have a high level of knowledge of the operation of cookies”.

Clear and comprehensive information on cookies means that the user can “easily determine the consequences of any consent he might give. To that end he must be able to assess the effects of his actions.” From a practical perspective this means that:

  • the user must receive information about the lifespan of the cookies; and
  • whether third parties have access to the cookie information or not (if yes, then such third parties must be identified).

Of course, we underline that the two points above must be presented together with the purposes of the cookies. See this presentation by a representative of the Spanish Data Protection Authority on providing information to users about cookies (available in Spanish).

Case-law generated by incorrect transpositions of the ePrivacy Directive?

Just reading the ePrivacy Directive, it is surprising that the German referring Court felt the need to send preliminary questions to the ECJ at all. However, as the AG indicated in para. 109 of his Opinion, “it does appear as if Article 15(3) of the TMG does not fully transpose the requirements of Article 5(3) of Directive 2002/58 into German law” and this is connected to the need for sending a preliminary question on whether it makes a difference under the ePrivacy Directive requirements on consent if the information stored or accessed is personal data.

For example, the Romanian ePrivacy Law “forgot” to transpose an essential detail, with the result that lawyers have to take additional interpretative steps to reach a basic conclusion. Namely, the Romanian ePrivacy Law did not transpose at all the definition of consent which is provided in Art. 2(f) of the ePrivacy Directive and which states that ‘consent’ by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC. The Romanian ePrivacy Law merely states as a general provision that it shall be supplemented by the Romanian Data Protection Law (which had in the past transposed the DPD and is presently replaced by the GDPR). Obviously, since the ePrivacy Directive refers to consent in the former DPD, which has been replaced by the GDPR, it follows that consent for cookie placement is the same consent regulated under the GDPR, and that this standard applies even where there is no processing of personal data through those cookies.

Unfortunately, transposition errors such as the one in the Romanian ePrivacy Law and seemingly the one in the German Telemedia Act give rise to debates on issues which should have already been settled.

What’s (not) new about EDPB’s Statement on political campaigns

On 14 March 2019 the EDPB issued a Statement on the use of personal data in the course of political campaigns, following its 8th plenary session. This was supposed to be an important position document in light of the upcoming EU Parliament elections in May; however, it left us with even more questions and not one solution.

Just a short recap of what’s been going on in relation to the subject matter:

  • the Cambridge Analytica scandal – really, there’s no need to remind everyone about the details, but you can consult the ICO’s section on the case.
  • There are issues about Member States’ laws regulating the use of personal data for political purposes. See the example of Spain, where the GDPR application law has been approved with an article which raises concerns about collecting personal data from other sources in order to carry out electoral activities. The Spanish DPA states that the law should not be applied so as to allow profiling based on political opinions and the sending of personalized communications based on those profiles – however, the law was adopted with the problematic provisions in place. This issue was also raised by EU MP Sophia in ‘t Veld and the Commission answered this February that it has contacted the Spanish Minister of Justice to clarify the content of the Spanish legal provisions.
  • In Romania, privacy advocacy NGO ApTI sent a complaint to the Commission indicating problems with the Romanian law which applies the GDPR. These problems include the provisions on processing special categories of data by political parties without the data subjects’ explicit consent (GDPR Art. 9.2.d) – i.e. instead of “legitimate activities” the law says “achieving their objectives” and does not limit the processing just to “members or to former members of the body or to persons who have regular contact with it in connection with its purposes”.

Despite the obvious need for clear guidance, the EDPB Statement is very brief and looks like it was rushed in order to tick a box. Here’s why:

  • The Statement is an enumeration of general GDPR principles – everyone knows political opinions are a special category of data, subject to GDPR Art. 9 limitations. Also, we know that when you process data from other sources and when you send targeted advertising you still have to comply with the GDPR – already 4 of the 5 points of the Statement are wasted.
  •  We would have found some useful information in the paragraph about decision-making based on automated processing. But here we were struck with an error (which should stop being promoted) about profiling being considered a form of automated decision-making. Profiling is a form of automated processing which can lead to a decision affecting the data subject, not a form of decision-making in itself.
    EDPB Statement: “Solely automated decision-making, including profiling, where the decision legally or similarly significantly affects the individual subject to the decision, is restricted.”
    GDPR Article 21(1): “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
  • Returning to the issue of significantly affecting the data subject, the EDPB says that “Profiling connected to targeted campaign messaging may in certain circumstances cause ‘similarly significant effects’ and shall in principle only be lawful with the valid explicit consent of the data subject.” How could we identify these circumstances? How do we know when targeted campaigns based on profiling which includes special categories of data are “affecting a person’s vote in an election”?
  • For further research and clarifications, the EDPB sends us to a list of other authorities’ opinions and guidance, in an Annex to its Statement. So if you also know Dutch, French and Polish, you might get the full information.

So it’s back to work as usual with our remaining questions:

  • What constitutes a “similarly significant effect” according to GDPR Art. 22(1) when it comes to electoral campaign targeting?
  • Could political opinions ever actually be used for profiling by political parties without the data subjects’ explicit consent based on Art. 9(2)(d)? We believe not, since this would only be limited to members, former members or regular contacts.
  • What information is actually considered to fall in the category of “political opinion” and limit the possibility of data processing? Quite simple and trivial information may lead to conclusions about the person’s political preferences in the context of profiling.

If the GDPR were a supermarket, there’s a big spill in the political purposes aisle and the EDPB is sending someone in with a tissue.