The Advocate General has considered the meaning of consent under the GDPR and the previous Data Protection Directive (95/46/EC) in Orange Romania SA v Autoritatea Na?ionala de Supraveghere a Prelucrarii Datelor cu Caracter Personal, Case C-61/19.
The case arose in the context of Orange România SA concluding contracts for mobile telecommunication services. Copies of customers’ IDs were annexed to those contracts. The national regulatory authority disputed that customers had given valid consent for the collection and storage of the copies of their identity papers.
There were contracts in which the choice freely expressed by the customer about the retention of a copy of his or her identity document was indicated by the insertion of a cross in a box, as well as cases where the customers have refused to agree. It appeared from Orange România’s ‘internal procedures’ for selling that, in the latter cases, Orange introduced the necessary information regarding the customer’s refusal to keep a copy of the identity document by completing a specific form to this effect and then concluded the contract. Therefore, despite Orange România’s general terms, Orange did not refuse to conclude contracts with customers, even when they refused to consent to a copy of their identity card being retained.
The case was referred to the Court of Justice of the European Union for the following questions to be answered. For the purposes of Article 2(h) of Directive 95/46/EC what conditions must be fulfilled for:
- an indication of wishes to be regarded as specific and informed?
- an indication of wishes to be regarded as freely given?
Applying the legal criteria to the case, the AG said that it was legitimate for a firm to ask customers to provide some personal data and in particular to prove their identity for the purposes of the conclusion of a contract. However, to require a customer to consent to the copying and storing of identity documents, appeared to go beyond what is necessary for the performance of the contract.
On the basis of the facts, it appeared to the AG that Orange’s customers did not give their free, specific and informed consent.
Firstly, there was no freely given consent. Obliging a customer to state in handwritten form that he or she does not consent to the copying and storing of his or her ID card does not permit freely given consent in the sense that the customer is put into a situation in which he or she perceptibly deviates from a regular procedure which leads to the conclusion of a contract. Customers must not in this connection feel that their refusal to consent to the copying and storing of their identity documents is not in line with regular procedures. The AG said that previous case law laid an emphasis on active behaviour on the part of the data subject with a view to giving his or her consent. A positive action of the data subject is therefore required for giving consent. Yet, in this case, the reverse situation appeared to occur: a positive action was needed to refuse consent. The AG referred to the case of Bundesverband der Verbraucherzentralen und Verbraucherverbände Verbraucherzentrale Bundesverband eV v Planet49 GmbH, Case C-673/17 and said that if unticking a pre-ticked checkbox on a website is considered too much a burden for a customer, then a customer cannot reasonably be expected to refuse his or her consent in handwritten form.
Secondly, there was no informed consent. It was not made crystal-clear to the customer that a refusal to the copying and storing of his or her ID card does not make the conclusion of a contract impossible. A customer does not choose in an informed manner if he or she is not aware of the consequences.
Thirdly, Orange România had not demonstrated that customers consented to processing of their personal data. There was an evident lack of clarity in internal procedures which was not conducive to furnishing the proof that consent has been given by the customer. Such lack of clarity and conflicting instructions to sales personnel obviously cannot be to the detriment of the customer/data subject.
The AG therefore took the view that the Court of Justice answer the questions referred as follows:
A data subject intending to enter into a contractual relationship for the provision of telecommunication services with an undertaking does not give his or her ‘consent’, that is, does not indicate his or her ‘specific and informed’ and ‘freely given’ wishes, within the meaning of Article 2(h) of [the Data Protection Directive] and of Article 4(11) of [the GDPR], to that undertaking when he or she is required to state, in handwriting, on an otherwise standardised contract, that he or she refuses to consent to the photocopying and storage of his or her ID documents.