Opinion of Advocate General Szpunar delivered on 21 March 2019.

• Jurisdiction: European Union
• Celex Number: 62017CC0673
• ECLI: ECLI:EU:C:2019:246
• Date: 21 March 2019
• Court: Court of Justice (European Union)
• Procedure Type: Reference for a preliminary ruling
• Docket Number: C-673/17

Provisional text

OPINION OF ADVOCATE GENERAL

SZPUNAR

delivered on 21 March 2019(1)

Case C‑673/17

Planet49 GmbH

v

Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.

(Request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany))

(Preliminary reference — Directive 95/46/EC — Directive 2002/58/EC — Regulation (EU) 2016/679 — Processing of personal data and protection of privacy in the electronic communications sector — Cookies — Concept of consent of the data subject — Declaration of consent by means of a pre-selected checkbox)

I. Introduction

1. In order to participate in a lottery organised by Planet49, an internet user was confronted with two checkboxes which had to be clicked or unclicked before he could hit the ‘participation button’. One of the checkboxes required the user to accept being contacted by a range of firms for promotional offers, another checkbox required the user to consent to cookies being installed on his computer. These are, in a nutshell, the facts of the present order for reference from the Bundesgerichtshof (Federal Court of Justice, Germany).

2. Beneath these seemingly benign facts lie fundamental issues of EU data protection law: what precisely are the requirements of informed consent which is to be freely given? Is there a difference as regards the processing of personal data (only) and the setting of and access to cookies? Which legal instruments are applicable?

3. In this Opinion I shall argue that, as regards the current case, the requirements for giving consent are the same under Directive 95/46/EC (2) and Regulation (EU) 2016/679 (3) and that there is, in the case at issue, no difference whether we are dealing with the general question of processing of personal data or the more particular one of storing of and gaining access to information by way of cookies.

II. Legal framework

A. EU law

1. Directive 95/46

4. Article 2 of Directive 95/46, headed ‘Definitions’, provides:

‘For the purposes of this Directive:

…

(h) “the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’

5. Within Section II of that directive, entitled ‘Criteria for Making Data Processing Legitimate’, Article 7 provides under point (a):

‘Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

…’

6. Article 10 of the same directive, headed ‘Information in cases of collection of data from the data subject’, provides as follows:

‘Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing for which the data are intended;

(c) any further information such as

– the recipients or categories of recipients of the data,

– whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,

– the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.’

2. Directive 2002/58/EC (4)

7. Recitals 24 and 25 of Directive 2002/58/EC (5) state the following:

‘(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

(25) However, such devices, for instance so-called “cookies”, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46 about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user’s terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.’

8. Article 2 of that directive, headed ‘Definitions’, provides, under point (f):

‘Save as otherwise provided, the definitions in Directive 95/46 and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) ^[(6)^] shall apply.

The following definitions shall also apply:

…

(f) “consent” by a user or subscriber corresponds to the data subject’s consent in Directive 95/46;

…’

9. Article 5(3) of that directive, that article being headed ‘Confidentiality of the communications’, provides:

‘Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’

3. Directive 2009/136/EC (7)

10. Recital 66 of Directive 2009/136/EC (8) states:

‘Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.’

4. Regulation 2016/679

11. Recital 32 of Regulation 2016/679 states:

‘Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.’

12. Article 4, point (11), of that regulation, that article being headed ‘Definitions’, provides:

‘For the purposes of this Regulation:

…

(11) “consent” of the data subject means any freely given, specific, informed and unambiguous...