Understanding the Planet 49 Decision

For the last twelve years I have successfully predicted the outcome of every single privacy case sent to the Court of Justice of the European Union and in every single case I have seen highly qualified lawyers failing to predict the outcome.

It often strikes me as odd, given that I am not a lawyer, how can my understanding of the Court’s processes be so accurate when those with legal expertise often get it so wrong? The cynic in me often writes this off as these professionals choosing to ignore what they know will be the outcome in favor of trying to push an alternative position that benefits their own agenda.

But what I also see with every single judgment, is a long list of commentary claiming the judgment doesn’t apply to x, doesn’t mean y etc. in situations where simply reading the judgment would suggest otherwise.

Why is this important? In my job I have to assess the risk certain activities present for my clients and when assessing risk it is important to understand the landscape of not just existing case law but to be able to predict the outcome of potential future cases, because lets face it, no client wants to spend a lot of money complying with something only to find out that a case goes before the Court and they have to spend even more money making changes to comply with new precedents.

So how do I predict how the Court will rule? The answer is simple, I try to understand how and why the Court has come to previous decisions. It is easy to read the answers to the questions put before the Court (and I suspect that is what many people do) but that does not give an holistic understanding of those answers which means trying to predict based on those answers alone is unlikely to be accurate.

To understand the answers you need to try to think like the Court and understand what resources the Court uses when answering questions.

Existing Case Law

The Court will always consider previous judgments which answered similar or related questions - so having knowledge of existing case law will go a long way to being able to predict the outcome of a new case. The Court will try in every case not to contradict a previous decision because to do so undermines their legitimacy; so you can pretty much guarantee that unless there is a substantial reason to go against a prior decision, they will not.

The only situation I can think of where this is likely to happen is if there has been a substantial change in law since the previous decision was made. So for example, If a law has been repealed which that previous decision relied upon.

Legitimate Guidelines or Opinions (including AG Opinion)

The Court (in every privacy case I have observed) will always refer to official guidelines or opinions issued by a regulatory body such as the Article 29 Working Party (now the EDPB).

So many times I have heard people argue that these “opinions” are not legally binding, and of course this is true but that doesn’t mean that the Court doesn’t consider them as authoritative. I have yet to see a case where the Court has not cited existing opinions as part of their reasoning nor do I recall one where they have substantially disagreed with such an opinion (at least not in the realms of privacy or data protection).

As such, the chances are that if there is an existing formal opinion, it is a pretty good bet that the Court’s decision will reflect the sentiment of that opinion so whereas the Opinion itself might not be legally binding, its legitimacy is strengthened every single time it is considered in a decision by the Court which has the same effect.

Breadth

In the case of issues relating to fundamental rights such as privacy or data protection it is important to understand that these rights are principle based and other laws focused on the specific protection of those rights are also (usually) principle based.

As such the Court has historically viewed such matters very broadly. Examples of this are many such as the Safe Harbour ruling, the Right to be Forgotten, various cases relating to monitoring communications, FashionID etc.

Recitals

Like formal Opinions, Recitals are not “legally binding” but they do have authority in the decision making process and are pretty much always cited in judgments and these Recitals have historically been applied broadly. So don’t just read the text of the law, read the recitals as well and understand how they have been interpreted in previous cases.

Fundamental Rights

Historically, the Court has tended to weight the fundamental rights of individuals against the rights of Governments or legal persons and this is logical, because in many cases individuals do not have the means to protect themselves against these other entities so the Court tries to balance this inequity. As such it would be unwise to ever dismiss the rights of the individual as being less important than commercial business models - for example, saying that the right to run a business has equal weight to the right to privacy is unlikely to resonate with the Court. If there is a situation which undermines the fundamental rights of the Citizen - the protection of the Citizen has historically been the result.

Planet 49

Taking all the above into account - I would now like to address some of the commentary on the Planet 49 case.

“It only applies to marketing cookies!”

I find it very difficult to believe that any professional in the privacy or data protection space actually believes that this decision only applies to marketing cookies.

Primarily because there is nothing in the decision which limits the scope in this way. In fact the word “marketing” doesn’t appear once in the entire text of the decision.

Further, it the Court’s interpretation of the law it looks at what legislators intended with the law. In its discussion of Question 1b (paragraph 66-71) on whether or not the requirements for consent only exist for data considered as personal data, the Court (and the AG Opinion) both conclude that Recital 24 of 2002/58/EC does not limit the scope of protection in this way and in fact believes that that scoop should be applied broadly because:

“that provision aims to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data.“ (paragraph 69)

and

”That interpretation is borne out by recital 24 of Directive 2002/58, according to which any information stored in the terminal equipment of users of electronic communications networks are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.” (paragraph 70)

Now forget the bit about “personal data” here and consider the actual text. The Court makes it clear that any access to or storage of information within the terminal equipment of the end user whether that be personal data or any other data, whether that is a cookie, a tracking pixel, a locally stored object etc. requires consent.

Sure, in this particular case the Court is considering the matter of personal data, but it is not restricting the definition in any way and is in fact applying it broadly by saying explicitly “that protection applies to any information...”.

If we look at Recital 24 we can see that it is intended to be applied broadly specifically because it is in relation to the protection of fundamental rights:

”(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.”

So not only does the decision of the Court not mention or restrict the context to marketing cookies - neither does the Recital which the Court based its answer on, to suggest that the decision only applies to marketing cookies is clearly contrary to text.

”Scrolling a web site constitutes an affirmative action.”

I think the Court makes it pretty clear (despite this not being one of the questions) that this would not be appropriate. Throughout paragraphs 44 - 65 the Court makes repeated references to existing case law, the AG Opinion, 95/46, 2002/58 and 2016/679.

The Court repeatedly emphasises the meaning of consent as being an “unambiguous” action on behalf of the user, that the user must be given meaningful information to be able to make an informed decision (so to state that scrolling the website implies consent would not satisfy that requirement) and that the end user must be given the right to refuse.

Furthermore as I mentioned earlier, the Court has historically regarded Article 29 Working Party opinions as authoritative, so despite the Court not ruling specifically on this issue, In Opinion WP259 on page 17, the Article 29 Working Party provides an example of what would not be a valid consent mechanism:

”Scrolling down or swiping through a website will not satisfy the requirement of a clear and affirmative action. This is because the alert that continuing to scroll will constitute consent may be difficult to distinguish and/or may be missed when a data subject is quickly scrolling through large amounts of text and such an action is not sufficiently unambiguous.”

This position is mirrored in the Court’s reasoning in paragraph 55.

Further, in the same Opinion WP259 on page 13 the Article 29 Working Party provides a comprehensive list of the minimum information required in order for consent to be considered as informed - I have personally yet to see a single situation where the “page scrolling” notice has been used in the real world, which comes even close to meeting those minimum requirements.

Therefore, had the Court been asked to answer this question, one can reasonably predict that they would have agreed with this Opinion and made a decision that such activity would not constitute a valid consent.

”Cookie walls are permitted by the Judgment”

This is actually a very interesting issue because both the Court and the AG explicitly refused to address this issue but they did make a point of mentioning it stating in paragraph 64 in the final Judgment that it would not be appropriate for the Court to consider this as it was not a formal question.

However, what is interesting here is that they did mention the issue despite the fact that it was not a question, which makes one wonder whether or not the Court were hinting that such a question should be referred to the them.

Again, should that happen, one can reasonably predict given existing case law, formal opinions and legal definitions - that they would rule against such behaviour.

In Conclusion

We would have liked some of these questions to be formally answered but it should be obvious to anyone familiar with existing case law and the process the Court uses to come to a decision, what the answers to those questions would be.

For now we must continue to rely on existing Guidance/Opinions for these questions but I will continue to advise my clients that the law should be interpreted as I have outlined above.