Now that the “Schrems III” case is in the making, it is time to talk again about consent. What is the case this time? We are talking about the situation of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service. Let me explain.
In a long-standing civil case between Max Schrems and Facebook, the Austrian Supreme Court has accepted Mr Schrems’ request to refer a number of questions to the Court of Justice of the EU (CJEU). Four questions were referred, with the core question being: “consent” or “contract”? Prior to the enforcement of the GDPR, Facebook claimed that users had “consented” to the processing of their personal data for personalised advertising. However, the GDPR raised the requirements for valid consent and also gave users the right to withdraw their consent at any time.
So, on 25 May 2018, the day when the GDPR became enforceable, Facebook no longer claimed to rely on consent. Instead, Facebook said the consent clauses must be seen as a “contract” where users “ordered” personalized advertising.
According to Schrems: “Facebook tries to strip users of many GDPR rights by simply ‘reinterpreting’ consent to be a civil law contract. This was nothing but a cheap attempt to bypass the GDPR.”
The Austrian Supreme Court seems to share these concerns. In its reference to the CJEU, the Austrian Supreme Court summarises its doubts as to whether Facebook can simply switch between consent and contract as the legal basis for personalised advertising. According to the Austrian Supreme Court: “A core question of the present proceedings is whether the declaration of intent to process can be shifted by the defendant under the legal concept according to Art 6(1)(b) GDPR in order to thereby ‘undermine’ the significantly higher protection that the legal basis ‘consent’ offers to the plaintiff.”
The GDPR offers six options to process personal data lawfully. These options are called legal bases. In this article we will focus on the two most misunderstood ones, which are consent and contract.
The GDPR has significantly raised the bar for a valid consent, giving back more control to data subjects. Consent has to be freely given, specific, informed and unambiguous.
Contract can be used only where the processing is necessary for the performance of a contract. For example, when you purchase a good online, processing your contact details and address is necessary for the performance of the service, and more specifically for the delivery of your purchase; without that data, delivery is not possible.
Consent has to be freely given, while contract is subject to the requirement of necessity. These two lawful bases for the processing of personal data (consent and contract) are often merged and blurred. Controllers, whether intentionally or simply out of ignorance, “bundle” consent with acceptance of terms or conditions, and by doing so they limit the data subject’s choices and stand in the way of free consent.
When assessing whether consent is freely given, the GDPR (Article 7(4)) requires that utmost account be taken of whether the performance of the contract (including the provision of the service) is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. As the GDPR aims at the protection of fundamental rights, an individual’s control over their personal data is essential, and the EDPB takes the position that consent to the processing of personal data that is unnecessary cannot be seen as a mandatory consideration in exchange for the performance of a contract or the provision of a service.
When can I use contract as a legal basis?
Every time a request for consent is tied to the performance of a contract by the controller, a data subject who does not wish to make their personal data available for processing by the controller runs the risk of being denied the services they have requested. Taking that into account, the EDPB recommends that, when assessing whether such a situation of bundling or tying occurs, it is important to determine:
- what the scope of the contract is and
- what data would be necessary for the performance of that contract.
The term “necessary for the performance of a contract” needs to be interpreted strictly. The processing must be necessary to fulfil the contract with each individual data subject. This may include, for example, the processing of salary information and bank account details so that wages can be paid to employees. There needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract. If you seek to process personal data that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis.
The legislator’s choice to highlight conditionality as a presumption of a lack of freedom to consent demonstrates that the occurrence of conditionality – when a contract (which could include the provision of a service) has a request for consent to process personal data tied to it – must be carefully scrutinised (note the term “utmost account” in Article 7(4)).
In any event, the burden of proof that consent is actually freely given and that data subjects have a genuine choice is on the controller. That could be the case for example if data subjects were able to choose between a service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by the same controller that does not involve consenting to data use for additional purposes on the other hand.
As long as it is possible to have the contract performed, or the contracted service delivered, by this controller without consenting to the other or additional data use in question, the service is no longer conditional. However, both services need to be genuinely equivalent.
Having said that, it will be interesting to see how the CJEU will rule in this specific case, as the outcome will have tremendous consequences. According to Schrems, if the CJEU rules in his favour, “Facebook would be legally liable for any illegal processing on facebook.com – even when this is done by others.” The focus, though, should not be only on Facebook, but on all controllers who use this tactic to bundle consent and undermine data subjects’ control over their personal data.