1 Facts of the Case

1.1 Introduction

In late 2019, the European Court of Justice (ECJ) issued a judgment in Case C-673/17 (Planet49) upon a request for a preliminary ruling (Art. 267 Treaty on the Functioning of the European Union) by the German Federal Supreme Court.Footnote 1 The questions stemming from the underlying proceedings between the Federal Union of Consumer Organisations and Associations (Federation of Consumer Organisations) and Planet49 GmbH, an online gaming company, refer to the granting of consent to data processing in online environments and corresponding side issues. Fortunately, due to procedural issues the ruling refers not only to the (repealed) Data Protection DirectiveFootnote 2 (DPD), but also to the General Data Protection RegulationFootnote 3 (GDPR).Footnote 4 The focus of the decision is on the interplay of either regime with the so-called ePrivacy Directive.Footnote 5 In the following, the analysis will mainly examine the interplay of the ePrivacy Directive and the GDPR.

1.2 Matter in Dispute

The matter in dispute was an online promotional lottery organised by Planet49 GmbH.Footnote 6 To participate, users had to provide their name and address. They were confronted with a webpage containing three items relevant for the legal analysis: two bodies of explanatory text (each accompanied by a checkbox) and a button which roughly read “Click here to participate free of charge”. The first checkbox was not pre-selected. The attached text basically allowed third parties to contact users by post, telephone, e-mail, etc. for advertising purposes. The second checkbox contained a pre-selected tick. Its accompanying text read: “I agree to the web analytics service Remintrex being used for me. This has the consequence that [Planet49] sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. (…)” Thus, the pre-selected second checkbox allowed extensive cookie-based tracking of users for advertising purposes. Before clicking the button, users had to actively tick the first checkbox, while it was not mandatory to leave the second checkbox ticked. Users were free to untick the box and, in doing so, deny consent to the placing of cookies (and subsequent tracking).Footnote 7

1.3 Questions Referred to the Court

Three questions were submitted to the ECJ, all of which only refer to the second, pre-selected checkbox.Footnote 8 Firstly, is valid consent given within the meaning of Arts. 5(3) and 2(f) ePrivacy Directive, read in conjunction with Art. 2(h) DPD or, now, Art. 6(1)(a) GDPR, if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-selected checkbox which the user must deselect to refuse his or her consent? Secondly, what information does the service provider have to give, according to Art. 5(3) ePrivacy Directive, within the scope of the provision of clear and comprehensive information to the user – and does this include the duration of the operation of the cookies and whether third parties are given access to the cookies? Thirdly, when information is stored or accessed in accordance with Art. 5(3) ePrivacy Directive, does it make a difference whether or not this information constitutes personal data under data protection law?

2 Decision of the Court

2.1 Consent by Means of a Pre-Selected Checkbox?

It is not surprising that the ECJ ruled in response to the first question that a pre-selected checkbox which the user must deselect to refuse his or her consent does not constitute valid consent for the data processing envisaged by Planet49.

2.1.1 Reasoning of the Court

The ECJ’s primary line of argumentation is that active behaviour on the part of the user is necessary for valid consent.Footnote 9 Thus, a pre-selected checkbox does not suffice. This is convincing and holds true under the DPD and the GDPR. In terms of methodology, the ECJ’s interpretation of the relevant statutes is of a literal and a historical nature.

The starting point of this assessment is the wording of the first sentence of Art. 5(3) ePrivacy Directive:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the DPD], inter alia, about the purposes of the processing.

Article 2(f) ePrivacy Directive links the ePrivacy Directive to the DPD. The term “consent” under the ePrivacy Directive refers to the definition contained in Art. 2(h) DPD. Pursuant to Art. 94(2) GDPR, this link now refers to the GDPR’s definition of consent in Art. 4(11) GDPR.

Firstly, the ECJ refers, by means of a literal interpretation, to the wording of Art. 5(3) ePrivacy Directive. This provision does not directly state how consent should be granted, but still implies that the act of granting consent is an active one (“given his or her consent”).Footnote 10 This is supported by Recital 17, which lists “ticking a box when visiting an Internet website”, an active behaviour, by way of example in the context of the granting of consent. This finding is complemented by Art. 2(h) DPD, where consent is defined as a “freely given specific and informed indication” of the data subject’s wishes. Use of the term “indication” indeed implies active behaviour. Also, consent must be given “unambiguously”.Footnote 11 This is only possible when the user takes action (as opposed to remaining passive). Under the GDPR, the legal situation is defined in an even clearer manner. According to Art. 4(11) GDPR, consent means “any (…) indication of the data subject’s wishes (…) by a statement or by a clear affirmative action (…)”. The term “clear affirmative action” strongly suggests active behaviour on the part of the user. In casu, Recital 32 GDPR provides a killer argument, declaring that “[s]ilence, pre-ticked boxes or inactivity should not (…) constitute consent.” This interpretationFootnote 12 of Art. 4(11) GDPR barely leaves any doubt that the pre-selected checkbox did not constitute valid consent.

This line of reasoning is supported by means of a historical interpretation. The initial 2002 ePrivacy Directive demanded in its Art. 5(3) that the user “is provided with clear and comprehensive information in accordance with [the DPD] (…) and is offered the right to refuse such processing”. This opt-out approach was replaced in 2009; the user must now have “given his or her consent”. This deliberate change of wording shows that consent now must result from an (active) opt-in, as opposed to the opt-out solution in place before.Footnote 13

2.1.2 Between-the-Line-Implications on Art. 7(2) GDPR

In the following, it will be argued that the ECJ’s decision on Art. 5(3) ePrivacy Directive is convincing, even though the Court failed to explicitly address one question worthy of note (regarding the interpretation of Art. 7(2) GDPR), which is decisive for the matter in dispute and for future cases. Still, based on what has not been said, Planet49 can be of value for the interpretation of Art. 7(2) GDPR and for further defining the conditions for the granting of valid consent in online environments.

The ECJ has been criticisedFootnote 14 for not discussing and solving the present case under Art. 7(2) GDPR, which reads:

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

The underlying idea of this argument is as follows: Art. 7(2) GDPR takes for granted that consent can be given as part of a “written declaration which also concerns other matters”.Footnote 15 The most common scenario would probably be a demand for consent contained in terms and conditions, whereas the latter also refers to other subject matter (such as delivery time and costs, warranty issues, etc.). In the case at hand, one might argue that the button and the two checkboxes combined represent such a declaration. Consequently, the behaviour on the part of the user might, arguably, be considered active. She has to actively click the button in order to participate in the lottery, which could be considered an indication of agreeing with the text next to the second checkbox. This might be enough to assume an “affirmative action” under Art. 4(11) GDPR.

Blame can be laid on the ECJ for not openly mentioning, let alone discussing, Art. 7(2) GDPR, as this line of argumentation is rather obvious and might also be invoked by other data controllers in similar situations. Yet, the way the Court argues implies that it was aware of this statute, but simply found that the overall conditions for valid consent were not given. This finding is correct, for different reasons, and – even though every case calls for individual assessment – provides valuable general implications for the assessment of the validity of consent.

Firstly, the underlying rationale of Art. 7(2) GDPR is to protect data subjects by making sure, through formal requirements, that the request for consent is made in a visually transparent and intellectually understandable manner.Footnote 16 Put differently, the statute does not aim at lowering the threshold for the giving of valid consent, but at raising and specifying the level of protection instead. This is in line with the ECJ’s argument that “the fact that a user selects the button to participate in the promotional lottery organised by that company cannot (…) be sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.”Footnote 17 The Court argues that the consent given in the case at hand was not “specific” enough according to Art. 4(11) GDPR.Footnote 18 With a view to the design of the website presented to the users, this is convincing. A “declaration which also concerns other matters” should not serve as a means of circumventing the safeguards that lawmakers wanted to put in place. At the same time, the Court’s arguing underlines that Art. 7(2) GDPR draws a fine, delicate line between valid and invalid consent. The ECJ fortunately did not follow the Advocate General (AG), who argued that “participation in the online lottery and the giving of consent (…) cannot form part of the same act.”Footnote 19 This approach would render Art. 7(2) GDPR (de facto) void and create unnecessary obstacles to the granting of consent.Footnote 20 Thus, had the text on the button, for instance, made clear reference to the data protection implications given, clicking it would have included specific, valid consent.Footnote 21

Secondly, the ECJ’s reasoning confirms that for a meaningful assessment, it is imperative to consider all provisions relevant, in particular Arts. 4(11), 6(1)(a) and 7 GDPR. These statutes must be read in conjunction and with a view to the corresponding Recitals when assessing the validity of consent in a given case.Footnote 22 The user’s viewpoint is to be taken, without unduly dividing what is presented to him in an artificial manner. In the present case, this means that the complete œuvre of items shown to users by Planet49 must be assessed in its entirety and with the abovementioned statutes’ telos in mind. It is obvious that a user clicking the button would like to participate in the lottery. Yet, it is convincing when the ECJ implicitly argues that this act of clicking is neither an “unambiguous indication” of his or her wishes nor a “clear affirmative action” with a view to the extensive online tracking envisaged by Planet49. Clicking the button has nothing to do per se with the granting of consent to the processing of personal data. Users just want to participate in the lottery. Thus, assuming a “specific” indication of a wish to consent to the processing of their personal data seems too far-fetched.Footnote 23 This is also underlined by the basic rationale of Recital 32, that “[s]ilence, pre-ticked boxes or inactivity should not (…) constitute consent.” Accordingly, one should not argue that all kinds of active behaviour suffice per se. Rather, a holistic assessment of the individual circumstances must find that the way in which consent is granted reflects the GDPR’s spirit in that it must be given actively. One might argueFootnote 24 that the second checkbox actually increases the user’s freedom. She is able to deny consent but still participate in the lottery, which could imply “freely given” consent (Art. 4(11) GDPR). But judging from the disputed website’s layout, a free, deliberate choice can be doubted. 
The requirement to actively tick the first checkbox suggests, from a user’s point of view, that the second checkbox must be left ticked as well. Put differently, a user must get the impression that if it is necessary to tick the first box, she will not be able to proceed without leaving the second box checked all the more.Footnote 25

2.2 Informational Duties

In response to the second question, the ECJ ruled that Art. 5(3) ePrivacy Directive must be interpreted “as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.”Footnote 26 This is (mostly) true under the DPD and the GDPR.

Article 5(3) ePrivacy Directive demands that the user be “provided with clear and comprehensive information, in accordance with [the DPD]”. Article 10 DPD lists the information to be provided in a non-exhaustive (“at least”) manner. With a view to the extensive amount of profiling made possible by tracking,Footnote 27 the ECJ’s interpretation that the duration of the operation of cookies must be provided is convincing. Under the GDPR, this discussion is obsolete, as the information has to be provided anyway.Footnote 28 In addition, under Arts. 10(c) DPD and 13(1)(e) GDPR, the recipients or categories of recipients of the data must be provided.

Two points are noteworthy.Footnote 29 Firstly, as regards third-party data sharing, it is not clear whether, according to the ECJ, the service provider would also be obliged to inform users about the fact that data are not shared with third parties (“whether or not third parties may have access”Footnote 30). Under the GDPR, it would be rather difficult to argue for an obligation this far-reaching.Footnote 31 Article 13(1)(e) GDPR states that “the controller shall (…) provide the data subject with all of the following information: (…) the recipients or categories of recipients of the personal data, if any”.Footnote 32 This wording implies that an informational duty only exists when there are third-party recipients in the first place. With a view to the present case, this discussion is an academic one, as setting cookies in the context of an advertising network is barely possible without third-party data sharing. But for other data controllers,Footnote 33 it makes a difference whether they always have to inform if third-party recipients exist. Secondly, the ECJ did not discuss whether consent is only “informed” (Art. 4(11) GDPR) when the data controller has complied with the informational duties arising from Arts. 13–14 GDPR. One might argue that a user is only capable of giving truly informed consent when she has received all the information pursuant to these statutes. Yet, the answer to this question is quite foreseeable, as Recital 42 implies differently: “For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.” The small amount of information to be provided “at least” suggests that informed consent can be given even if the data controller does not comply with all her informational duties.Footnote 34

2.3 “Information” under Art. 5(3) ePrivacy Directive

The ECJ found that in the context of Art. 5(3) ePrivacy Directive, it makes no difference whether the information stored or accessed constitutes personal data under the DPD or GDPR.Footnote 35 This is correct. The ePrivacy Directive chose not to use the term “personal data” in its Art. 5(3), but in many other instances, and its Recital 24 makes clear that the private sphere of users can be threatened through “spyware, web bugs, hidden identifiers and other similar devices” that do not necessarily qualify as personal data.Footnote 36

The term information is broader than personal data. This means that protection under the ePrivacy Directive is given at an earlier point in time than under the DPD and the GDPR. Information flows are (partially) regulated, no matter if they represent personal data or not. In online contexts, once enough information stored on the terminal equipment of a user is collected and combined, its legal qualification might “tip” and it might be qualified as personal data under data protection legislation.Footnote 37 This in turn means that all the GDPR safeguards and obligations apply.Footnote 38 The “pivot point” is reached, as a rule of thumb, with identifiability of the natural person.Footnote 39 The legal qualification of information might change during the course of time for different reasons.Footnote 40 This renders data protection compliance cumbersome, as could be witnessed in the notorious Breyer decision.Footnote 41 The responsibility to assess if personal data are given (or not yet given) lies with the data controller.

In sum, Art. 5(3) ePrivacy Directive can be seen as part of a two-step protection regime: privacy implications stemming from the processing of information are partially tackled (only) under the ePrivacy Directive, while data protection implications stemming from the processing of personal data fall, in addition, under the GDPR.

3 Further Thoughts

It is unfortunate that the ECJ was not asked to decide whether the German Telemedia Act, Sec. 15(3) is compatible with Art. 5(3) ePrivacy Directive. This national statute “authorises a service provider to establish user profiles through pseudonyms for purposes of advertising, market analysis, or configuration of electronic media, provided that the user does not object and the service provider has informed the user of his or her right of refusal (…).”Footnote 42 This opt-out solution (“does not object”) is in clear-cut contradiction to the opt-in requirement contained in Art. 5(3) ePrivacy Directive (“has given his or her consent”).Footnote 43

In its request for a preliminary ruling, the German Federal Supreme Court indicated that an interpretation of Sec. 15(3) Telemedia Act in line with the ePrivacy Directive would be possible.Footnote 44 This approach is questionable, as this interpretation would run entirely counter to the wording of the national statute. Also, a direct application of Art. 5(3) ePrivacy Directive is not possible, as Directives cannot create obligations for individuals.Footnote 45 With a view to the primacy of EU law, the lesser dogmatic evil would probably be not to apply Sec. 15(3) Telemedia Act at all. This has also been suggested by the Datenschutzkonferenz, which is a joint body of the data protection authorities of the German federal and state governments.Footnote 46 Consequently, this would mean that in Germany, the cases which are supposed to fall under Sec. 15(3) Telemedia Act would fall instead under the GDPR. This leads to various dogmatic questions, e.g. whether a data controller (who would like to establish user profiles) could rely not only on consent,Footnote 47 but alternatively on its legitimate interests as legal basis: Art. 6(1)(f) GDPR.Footnote 48 An apparently incoherent picture would become manifest. The scope of application of Art. 5(3) ePrivacy Directive is broad, referring to information, whereas the GDPR only covers personal data processing. Yet, the former legal regime strictly demands consent, whereas the latter is more flexible by also providing a legal basis (legitimate interests) that can be applied without user consent. This shows that the ePrivacy Directive is not only part of the two-step protection regime pictured above, but also lex specialis to the GDPR. Thus, Art. 6(1)(f) GDPR should not be accepted as the legal basis for the placing of cookies, as this runs counter to the rationale of the ePrivacy Directive’s opt-in solution. 
This is in line with the reasoning of the ECJ (in a different context) that “the interpretation of a provision of EU law requires that account be taken not only of its wording and the objectives it pursues, but also of its legislative context and the provisions of EU law as a whole”.Footnote 49 Hence, in the context discussed here, Art. 6(1)(f) GDPR should be interpreted in line with Art. 5(3) ePrivacy Directive to the effect that legitimate interests are regularly not given.Footnote 50 Apart from that, a protection gap resulting from Germany’s legislative inaction still exists, taken that the GDPR only covers the processing of personal data, whereas Art. 5(3) ePrivacy Directive covers all sorts of information.Footnote 51

These questions might become obsolete as a revision of the Telemedia Act is now under consideration. Delivery of the judgment of the German Federal Supreme Court has been scheduled for 28 May 2020. It remains to be seen whether the Court will be able to undo the Gordian knot pictured above.