Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) Case C-61/19
We have all ticked the box without reading the small print. In doing so, it is safe to say you might not know what you have signed up to. This was recently the subject of consideration by the Court of Justice of the European Union (CJEU) in Luxembourg.
Orange provides telecommunications services in Romania.
Their standard terms contained a pre-ticked box confirming the customer’s “consent” to the collection and storage of personal data, namely an identification document.
In March 2018, the Romanian data protection authority (ANSPDCP) fined Orange for this practise. The Regional Court in Bucharest subsequently asked CJEU to specify the conditions in which the customers’ consent to the processing of personal data may be considered valid.
Under EU Law, the consent of any data subject must be freely given; specific, informed and unambiguous. Consent is not validly given in the case of silence, pre-ticked boxes nor inactivity.
Where consent is through a written declaration that might cover numerous points, it must be clearly presented using plain language and must not preclude the possibility of concluding the contract in its absence. A data controller must be able to evidence this.
The CJEU concluded, therefore, that:
…a contract for the provision of telecommunications services which contains a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of his or her identity document for identification purposes is not such as to demonstrate that that person has validly given his or her consent to that collection and storage, where the box referring to that clause has been ticked by the data controller before the contract was signed, where the terms of that contract are capable of misleading the data subject as to the possibility of concluding the contract in question even if he or she refuses to consent to the processing of his or her data, or where the freedom to choose to object to that collection and storage is unduly affected by that controller, in that it requires that the data subject, in order to express his or her refusal to consent to such processing, must complete an additional form setting out that refusal.
The position under GDPR, and the Data Protection Act 2018, is clear on the consent of data subjects. This decision provides further clarity, should it be needed.
The Information Commissioner’s Office (ICO) has clear guidance on consent:
You must ask people to actively opt-in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.