In a recent ruling on privacy and the processing of personal data, the Court of Justice of the European Union (“CJEU”) considered that the consent of the data subject to use Internet cookies is mandatory. The reference for a preliminary ruling was submitted to the CJEU by the German Federal Supreme Court under a dispute between the German Federation of Consumer Organizations and Associations and online gaming company “Planet49 GmbH” in reference to the consent given by the participating users of a promotional game organized by the company for the transmission of their respective personal registration data to “Planet49 GmbH” sponsors and partners, as well as for storing information and for accessing information stored on their devices through cookies.
The legal framework examined by the CJEU has taken into account the laws of the country of origin of the dispute (Germany), as well as European Community directives on the processing of personal data, their free movement and the protection of privacy, in addition to Article 6, (1), point (a) of the General Data Protection Regulation (GDPR), which establishes data holders consent as the legal basis for the processing of their personal data for one or more specific purposes.
In deciding the case, the CJEU considered whether consent would be valid when the storage of information or the possibility of access to information already stored on the users terminal equipment was passively used by a pre-validated opt-in mechanism, requiring the user to uncheck this option to refuse their consent; and what information the service provider should communicate to the user in order to comply with GDPRs legal requirement to provide “clear and complete information”.
Also, the CJEU decided to provide clear and complete information about the prior consent obtained and the purposes of the processing in question, in order to enable the user to fully understand the functioning of cookies used by that company. In addition to that, the information that the service provider must provide to a website user must include the duration of these cookies and whether or not third parties will have access to them, since without this information, the means and purposes of the processing of personal data will not be clearly and completely informed to the user, impairing the validity of their consent.
In the Brazilian scenario, the LGPD defines the consent in its article 5, item XII, as a “free, informed and unambiguous manifestation by which the data subject agrees to the processing of their personal data for a particular purpose”, providing, like the GDPR, fundamental requirements for the validity of consent. Considering the influence of European decisions in the Brazilian data protection scenario, and the absence, up until now, of a duly constituted and active Data Protection Authority, capable of issuing guidelines for the national market, it is clear that decision will imply behavioral change from national players.
Finally, it is important to consider that, although very common in data protection discussions, the use of consent, whether through cookies or in different situations, tends to be the most critical and volatile legal basis. For its use, it is advised that the data processing agents strictly follow all the rules imposed for the use of this legal basis, under penalty of having an invalid consent (a very common situation in the market today). And while there are no national guidelines or case law from the countrys courts, EU decisions are used as an important guidance framework.
Check the full decision of the CJEU at: https://eur-lex.europa.eu/legal-content/PT/TXT/HTML/?uri=CELEX:62017CJ0673&qid=1570469737618&from=EN (Portuguese) or https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62017CJ0673&qid=1570469737618&from=EN (English).
To receive the main news from the law making scenario related to privacy and data protection, nationally and internationally, follow the Azevedo Sette Advogados Technology, Media and Telecommunications team.