In line with previous jurisprudence on the matter, the Court of Justice of the European Union (CJEU) has once more affirmed that having pre-ticked boxes in a contract is not the legally correct way to obtain a client’s consent.

A contract which contains a clause stating that the customer has consented to the collection and storage of his or her identity document does not mean that the customer has validly given his/her consent, where the box referring to that clause has been ticked by the data controller before the contract was signed.

The facts of this case were briefly as follows. The Romanian National Authority for the Supervision of Personal Data Processing imposed a fine on a provider of mobile telecommunications services for collecting and storing copies of its customers’ identity documents without their express consent. The authority claimed that the telecoms service provider had concluded contracts for the provision of services which contain a clause stating that customers have been informed of, and have consented to, the collection and storage of a copy of their identity documents for identification purposes.

The box relating to that clause had been ticked by the data controller before the contract was signed. The national court seized of the case filed a preliminary reference before the CJEU requesting guidance as to the conditions which must be satisfied for customers’ consent to the processing of personal data to be considered as legally valid in terms of EU data protection law.

The protection of an individual’s data is not taken lightly by the EU

The CJEU based its judgment on an interpretation of the predecessor of the General Data Protection Regulation (GDPR), which interpretation is none-theless still valid in terms of the now applicable GDPR. It affirmed that EU law provides for a list of instances in which the processing of personal data can be regarded as being lawful.

One such instance relates to when the data subject has given his/her consent for such processing to take place. However, such consent must be freely given, be specific, informed and unambiguous. Since the service provider is the controller of personal data, the burden of proving the lawfulness of the processing of data falls onto it. This means that it must be able to prove the existence of the valid consent of its customers.

The CJEU observed that consent is not considered to be valid should customers be unable to tick the box relating to the grant of consent for the data controller to collect and store copies of their identity documents themselves since, in such a case, there is no positive indication of their consent. Consent is not validly given in the case of silence, inactivity on the part of the customer or pre-ticked boxes.

The court went on to assert that if the data subject’s consent is given within the context of a written declaration which includes other matters, such declaration must be presented in an intelligible and easily accessible form, using clear and plain language. It also highlighted the fact that the data subject must enjoy genuine freedom of choice in providing his/her consent or otherwise. Hence, contractual terms must not mislead customers as to the possibility of concluding the contract notwithstanding a refusal to consent to the processing of their data.

The court noted that in this particular case, the service provider also required the customer to declare in writing that he/she did not consent to a copy of his/her identity document being collected or stored.

It opined that such an additional requirement is liable to unduly affect the freedom to choose to object to such collection and storage. The CJEU concluded that since the service provider was required to establish that its customers have, by active behaviour, given their consent to the processing of their personal data, it cannot require them actively to express their refusal.

The protection of an individual’s data is not taken lightly by the EU as is evident from the onerous obligations imposed on data controllers in terms of the now applicable GDPR. It is, therefore, to be expected that legal provisions are interpreted restrictively by the CJEU in order to ensure that individuals obtain the maximum protection of their personal data.

Mariosa Vella Cardona, freelance legal consultant

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.