A data subject intending to enter into a contractual relationship with a service provider often gives consent to the collection and storage of his or her data, but the validity of the consent can often be questionable. Service contracts often contain pre-formulated standardised statements of data subject’s consent, unilaterally drafted by service providers. 

According to the European Court of Justice, it is the obligation of the service providers to demonstrate that their customers have actively given their consent to the processing of their personal data, and that they were informed, in an intelligible and easily accessible form, in clear and plain language, of the consequences of that consent.  

Last week, the European Court of Justice (ECJ) ruled in Case C-61/19 on conditions for a valid consent to the processing of personal data under EU data protection law (Data Protection Directive 95/46/EC and the General Data Protection Regulation 2016/679). This case follows upon the previous ruling in C-673/17 Planet49, and is relevant for confirming the conditions for a valid consent in contractual relationships with consumers. 

The case concerned a dispute from 2018 between the Romanian Data Protection Authority (the Autoritatea Națională de Supraveghere a Pelucrării Datelor cu Caracter Personal) and Orange Romania SA, a provider of mobile telecommunication services.

The Romanian Data Protection Authority imposed an administrative penalty on Orange for an allegedly unlawful collection and storage of copies of its customers’ identity documents. According to the Romanian Data Protection Authority, Orange Romania had failed to prove that their customers had given a legally effective consent. 

What is interesting is that the service provider explicitly mentioned in a pre-formulated contractual clause that the customer had been informed of the processing and storage of his or her documents for identification purposes. Moreover, annexed to those contracts there were statements of consent, signed by the customers. In other cases, the existence of the customers’ consent had been established by the insertion of crosses in a tick box. The customers who refused to consent to the photocopying of their identification documents were asked to go through additional steps and to confirm their refusal in a specific form. 

In this context, doubts had been raised as to whether this pre-formulated contractual clauses on data processing can be easily distinguished from the rest of the contract, whether the service provider has tried to guide its customers into desired behavior by using the so-called “dark patterns” method, and therefore, whether this could have affected the validity of their consent. 

In this regard, the ECJ provide us with an important analysis of the requirements for obtaining valid consent under GDPR:

• The Court ruled that a service provider in its capacity as data processor has to demonstrate that its customers have given their valid consent in an active manner. Thus, ticking a preselected box referring to the collection of the customers’ data does not demonstrate that that customer actively consented, and enjoyed a high degree of autonomy when deciding whether or not to consent. 

• A service provider must also ensure that its customers were informed about all the circumstances surrounding the processing of their data in a manner which is clear and distinguishable from other contractual matters. The customer “must be able to determine easily the consequences of any consent he or she might give”. 

• In the same way, the service provider must inform its customers in a clear and plain language that a refusal to the collecting and storing of his or her personal data does not make the conclusion of the contract impossible. For instance, the contractual terms must not mislead the customers towards the existence of consent as a prerequisite for the conclusion of a contract. 

• To require a customer to state in handwritten form that he or she does not consent to the collection and storing of its personal data is too much of a burden for that customer and affects their freedom to object to it. 

The ruling will have an impact on service providers who obtain data relying on standardised pre-formulated clauses and may increase the consumer protection in the field of data law. A service provider must be able to demonstrate in the future that its customers have freely given their consent, and that it has not used misleading practices in assessing a valid consent.