In Planet49 [2019] EUECJ C-673/17 the CJEU was asked for a preliminary ruling by the German Bundesgerichtshof [Federal Court of Justice] about an aspect of the interpretation of EU data protection law. The request arose from proceedings between two consumer organisations and Planet49 GmbH, an online gaming company. The issue was the validity of the consent given by participants in a promotional Internet lottery organised by Planet49 to the transfer of their personal data to the company’s sponsors and partners, to the storage of information and to the access to information stored in the terminal equipment of those users.
Background
Intending participants had to enter their postcodes, which redirected them to a web page where they had to enter their names and addresses. Beneath the input fields for the address were two bodies of explanatory text accompanied by checkboxes. The first body of text with a checkbox without a preselected tick (‘the first checkbox’) read:
“I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sectors. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here” [26].
The second set of text with a checkbox containing a preselected tick (‘the second checkbox’) read:
“I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, [Planet49], sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. I can delete the cookies at any time. You can read more about this here” [27].
Participation in the lottery was possible only if at least the first checkbox was ticked [28].
The consumer organisations asserted that the declarations of consent requested by Planet49 through the first and second checkboxes did not satisfy the requirements of German data protection law and sought an interdict in the Regional Court of Frankfurt am Main requiring Planet49 to cease using such declarations and to pay them EUR 214 plus interest from 15 March 2014 [32 & 33].
The Regional Court upheld the action in part [34]; on appeal, however, the Higher Regional Court rejected the plea for an interdict requiring Planet49 to refrain from including the statement in [27] above, the checkbox for which was pre-checked. It held that the plea was ill-founded because, first, the user would realise that he or she could deselect the tick in that checkbox and, secondly, the text was set out with sufficient clarity from a typographical point of view and provided information about the manner of the use of cookies without it being necessary to disclose the identity of third parties able to access the information collected. The organisations appealed further to the Bundesgerichtshof.
The questions at issue
The Bundesgerichtshof considered that the matter turned on the interpretation of the various Data Protection Directives [36]. It had doubts about the validity of the consent obtained by Planet49 by means of the second checkbox and about the extent of the information obligation provided for in Article 5(3) of Directive 2002/58, so it decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
“(1)(a) Does it constitute a valid consent within the meaning of Article 5(3) and Article 2(f) of Directive [2002/58], read in conjunction with Article 2(h) of Directive [95/46], if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent?
(b) For the purposes of the application of Article 5(3) and of Article 2(f) of Directive [2002/58] read in conjunction with Article 2(h) of Directive [95/46], does it make a difference whether the information stored or accessed constitutes personal data?
(c) In the circumstances referred to in Question 1(a), does a valid consent within the meaning of Article 6(1)(a) of Regulation [2016/679] exist?
(2) What information does the service provider have to give within the scope of the provision of clear and comprehensive information to the user that has to be undertaken in accordance with Article 5(3) of Directive [2002/58]? Does this include the duration of the operation of the cookies and the question of whether third parties are given access to the cookies?”
The judgment
On 1 October, the Grand Chamber of the CJEU ruled as follows:
1. Article 2(f) and of Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in conjunction with Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Article 4(11) and Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation), must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.
2. Article 2(f) and Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, read in conjunction with Article 2(h) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679, are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679.
3. Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, must be interpreted as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.
Comment
In short, requiring website users to untick pre-checked consent boxes for allowing cookies to record visitor information is illegal under EU data protection law.
If, however, having read this far, you are beginning to wonder what all this might have to do with ‘religion’ as opposed to ‘law’, the answer is this. Lots of religious organisations have websites: if they use pre-checked consent boxes to seek consent for cookies to be placed on users’ computers, according to the ruling they will be in breach of EU law. The Times (£) quotes Rafi Azim-Khan, head of data privacy at Pillsbury Winthrop Shaw Pittman LLP, as saying:
“The new higher standards for consent ushered in by the GDPR, with more emphasis on consent being freely given, informed and specific, means many forms of prior practice, and the way many websites use cookies, do not meet the required standards and could be subject to enforcement action. Businesses should review their websites and general data gathering practices now and make the necessary changes to reduce risk.”
Likewise religious organisations.