Bundled Consent – The First Divergence in Member States' Case Law on GDPR

Simon Roth
Simon Roth

Making the offering of a service conditional upon the data subject's consent to the processing of her or his personal data is a problem under GDPR. But is bundling consent always unlawful or not? In what may be the first judicial clash among the highest courts of EU Member States on the interpretation of the GDPR, this question has recently been answered differently.

Unbundling consent in the GDPR

In the context of obtaining the data subject's consent to processing of personal data, Article 7(4) GDPR states that «when assessing whether consent is freely given, utmost account shall be taken of whether […]  the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.»

Similarly, Recital 43 presumes that consent is not freely given «if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.».

This has become known as the requirement to offer the data subject the opportunity of unbundled consent. You should not make your service dependent on the data subject's consent to the processing of her or his personal data.

Conflicting views in Austria and Italy

However, whether this requirement is mandatory in every case or just represents a presumption that can be rebutted by the data controller has become an issue of controversy.

The highest courts of two EU Member States have recently taken opposing views:

  • The Supreme Court of Austria held on August 30, 2018 that the prohibition of bundling consent is absolute in nature and that there is no room for exceptions. Accordingly, the defendant's practice to incorporate a consent clause in its general terms and conditions, which had to be accepted before the service could be obtained, was held to infringe Article 7(4) GDPR in any event. While the court noted that some GDPR commentators disagreed with the absolute approach, it found that an absolute prohibition of bundling consent followed from the wording of Recital 43.
  • In contrast, a couple of weeks before, on July 2, 2018, the Supreme Court of Italy had taken a softer view. The court gave considerable weight to the question whether the service, to whom the data subject must give her or his personal data, is unique in the sense that the data subject cannot obtain the same services somewhere else. Only in such circumstances would it be justified to ban the bundling of consent. In the absence of alternatives to the service in question, the data subject would be forced to consent to the processing of her or his personal data, which in turn would render the consent not to be freely given. However, where reasonable alternatives do exist, the court further explained, «nothing would prevent the website operator to decline to offer the service to anyone who does not consent to receive promotional emails.».


Against this background, it is unfortunate that the Supreme Court of Austria did not refer the interpretation of Article 7(4) GDPR to the to the Court of Justice of the European Union (CJEU). Invoking the doctrine that Member States courts are not bound to make a referral where EU law is clear, the Supreme Court considered that Recital 43 expresses an absolute prohibition of bundling consent.

Yet, apart from the fact that Article 7(4) GDPR only requires to «take utmost account», which suggests a qualified prohibition rather than an absolute one, it is only the German translation of Recital 43 that implies an absolute prohibition. Literally translated into English, Recital 43 in German states that «consent is deemed not to be freely given».

This is not, however, what the recital does indeed state in English («[c]onsent is presumed not to be given freely»), in French («[l]e consentement est présumé ne pas avoir été donné librement»), in Italian («si presume che il consenso non sia stato liberamente espresso») or in Spanish («[s]e presume que el consentimiento no se ha dado libremente»), a fact that the Austrian court has clearly overlooked.

It can only be hoped that future courts will be more precise and refer the controversial question to the CJEU. Meanwhile, in my opinion, the discussion about the requirement to unbundle consent casts further doubt on the still often-heard advice that consent should be the usual legal basis for processing personal data. Data controllers should rather carefully consider whether the legal bases of contractual necessity (Art. 6(1)(b) GDPR), legal necessity (Art. 6(1)(c) GDPR) or legitimate interests (Art. 6(1)(f) GDPR) are more appropriate in the specific case.

Judgment of the Supreme Court of Austria (Oberster Gerichtshof) of August 30, 2018, 6 Ob 140/18h (in German)

Judgment of the Supreme Court of Italy (Corte Suprema di Cassazione) of July 2, 2018, 17278/2018 (in Italian)

More Blog posts

Team Up
You have a project, case, legal issue or anything else you want to ask us? We are passionate to find out how we can team up with you to get it done.
Let's get in touch