Unbundling consent in the GDPR
In the context of obtaining the data subject's consent to processing of personal data, Article 7(4) GDPR states that «when assessing whether consent is freely given, utmost account shall be taken of whether […] the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.»
Similarly, Recital 43 presumes that consent is not freely given «if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.».
This has become known as the requirement to offer the data subject the opportunity of unbundled consent. You should not make your service dependent on the data subject's consent to the processing of her or his personal data.
Conflicting views in Austria and Italy
However, whether this requirement is mandatory in every case or just represents a presumption that can be rebutted by the data controller has become an issue of controversy.
The highest courts of two EU Member States have recently taken opposing views:
- The Supreme Court of Austria held on August 30, 2018 that the prohibition of bundling consent is absolute in nature and that there is no room for exceptions. Accordingly, the defendant's practice to incorporate a consent clause in its general terms and conditions, which had to be accepted before the service could be obtained, was held to infringe Article 7(4) GDPR in any event. While the court noted that some GDPR commentators disagreed with the absolute approach, it found that an absolute prohibition of bundling consent followed from the wording of Recital 43.
- In contrast, a couple of weeks before, on July 2, 2018, the Supreme Court of Italy had taken a softer view. The court gave considerable weight to the question whether the service, to whom the data subject must give her or his personal data, is unique in the sense that the data subject cannot obtain the same services somewhere else. Only in such circumstances would it be justified to ban the bundling of consent. In the absence of alternatives to the service in question, the data subject would be forced to consent to the processing of her or his personal data, which in turn would render the consent not to be freely given. However, where reasonable alternatives do exist, the court further explained, «nothing would prevent the website operator to decline to offer the service to anyone who does not consent to receive promotional emails.».
Against this background, it is unfortunate that the Supreme Court of Austria did not refer the interpretation of Article 7(4) GDPR to the to the Court of Justice of the European Union (CJEU). Invoking the doctrine that Member States courts are not bound to make a referral where EU law is clear, the Supreme Court considered that Recital 43 expresses an absolute prohibition of bundling consent.
Yet, apart from the fact that Article 7(4) GDPR only requires to «take utmost account», which suggests a qualified prohibition rather than an absolute one, it is only the German translation of Recital 43 that implies an absolute prohibition. Literally translated into English, Recital 43 in German states that «consent is deemed not to be freely given».
This is not, however, what the recital does indeed state in English («[c]onsent is presumed not to be given freely»), in French («[l]e consentement est présumé ne pas avoir été donné librement»), in Italian («si presume che il consenso non sia stato liberamente espresso») or in Spanish («[s]e presume que el consentimiento no se ha dado libremente»), a fact that the Austrian court has clearly overlooked.
It can only be hoped that future courts will be more precise and refer the controversial question to the CJEU. Meanwhile, in my opinion, the discussion about the requirement to unbundle consent casts further doubt on the still often-heard advice that consent should be the usual legal basis for processing personal data. Data controllers should rather carefully consider whether the legal bases of contractual necessity (Art. 6(1)(b) GDPR), legal necessity (Art. 6(1)(c) GDPR) or legitimate interests (Art. 6(1)(f) GDPR) are more appropriate in the specific case.