European Court of Justice rules on consent under data protection law

The ECJ’s recent ruling in Orange Romania SA v Autoritatea Na?ional? de Supraveghere a Prelucr?rii Datelor cu Caracter Personal (ANSPDCP), Case C?61/19 highlights the inadequacies of pre-ticked consent boxes and and is a useful summary of some of the key issues that must be considered when seeking consent from customers under the GDPR.

The court said:

(i) the data controller bears the burden of proof relating to the existence of valid consent

(ii) a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of their ID for identification purposes does not demonstrate the individual had validly given consent if:

• the box referring to that clause was ticked by the data controller before the contract was signed. A consent box ticked by a sales representative in a contract ultimately signed by the data subject was not in itself sufficient to show consent. Only active behaviour by the data subject is relevant. Consent required a ‘specific’ and ‘unambiguous’ indication of the data subject’s wishes in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes, or
• the terms of that contract are capable of misleading the data subject as to the possibility of concluding the contract in question without giving the consent, or
• the freedom to choose to object to that collection and storage is unduly affected by requiring that the data subject complete an additional form setting out any refusal of consent.