Article 4a ePrivacy Regulation - Consent
Article 4a ePrivacy Regulation
1. The provisions for consent provided for under Regulation (EU) 2016/679/EU shall apply to natural persons and, mutatis mutandis, to legal persons.
1a. Paragraph 1 is without prejudice to national legislation on determining the persons who are authorised to represent a legal person in any dealings with third parties or in legal proceedings.
2. Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8 (1), consent may be expressed by using the appropriate technical settings of a software application enabling access to the internet placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet.
2aa. Consent directly expressed by an end-user in accordance with Paragraph (2) shall prevail over software settings. Any consent requested and given by an end-user to a service shall be directly implemented, without any further delay, by the applications of the end user’s terminal, including where the storage of information or the access of information already stored in the end-user’s terminal equipment is permitted.
2a. As far as the provider is not able to identify a data subject, the technical protocol showing that consent was given from the terminal equipment shall be sufficient to demonstrate the consent of the end-user according Article 8 (1) (b).
3. End-users who have consented to the processing of electronic communications data in accordance with this Regulation shall be reminded of the possibility to withdraw their consent at periodic intervals of [no longer than 12 months], as long as the processing continues, unless the end-user requests not to receive such reminders.
Relevant provisions referenced from the GDPR:
Article 4 – Definitions
For the purposes of this Regulation:
[…]
11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
[…]
Article 7 – Conditions for consent
1. Where processingis based on consent, the controllershall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject’s consentis given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subjectshall have the right to withdraw his or her consentat any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent
4. When assessing whether consentis freely given, utmost account shall be taken of whether, inter alia, the performanceof a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Corresponding Recitals
(3) Electronic communications data may also reveal information concerning legal entities, such as business secrets or other sensitive information that has economic value and the protection of which allows legal persons to conduct their business, supporting among other innovation. Therefore, the provisions of this Regulation should in principle apply to both natural and legal persons. Furthermore, this Regulation should ensure that, where necessary, provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council, also apply mutatis mutandis to end-users who are legal persons. This includes the definition of provisions on consent under Regulation (EU) 2016/679.
(3a) This Regulation should not affect national law regulating for instance the conclusion or the validity of a contract. Similarly, this Regulation should not affect national law in relation to determining who has the legal power to represent legal persons in any dealings with third parties or in legal proceedings.
(16b) Services that facilitate end-users everyday life such as index functionality, personal assistant, translation services and services that enable more inclusion for persons with disabilities such as text-to-speech services are emerging. Processing of electronic communication content might be necessary also for some functionalities used normally in services for individual use, such as searching and organising the messages in email or messaging applications. Therefore, as regards the processing of electronic communications content for services requested by the end-user for their own individual use, consent should only be requested required from the end-user requesting the service taking into account that the processing should not adversely affect fundamental rights and interest of another end-user concerned. Processing of electronic communications data should be allowed with the prior consent of the end-user concerned and to the extent necessary for the provision of the requested functionalities.
(16c) Providers of electronic communications services may, for example, obtain the consent of the end-user for the processing of electronic communications data, at the time of the conclusion of the contract, and any moment in time thereafter. In some cases, the legal person having subscribed to the electronic communications service may allow a natural person, such as an employee, to make use of the service in accordance with Regulation 2016/679.
(18) End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time). In the digital economy, services are often supplied against counter-performance other than money, for instance by end-users being exposed to advertisements. For the purposes of this Regulation, consent of an end-user, regardless of whether the latter is a natural or a legal person, should have the same meaning and be subject to the same conditions as the data subject’s consent under Regulation (EU) 2016/679. Basic broadband internet access and voice communications services are to be considered as essential services for individuals to be able to communicate and participate to the benefits of the digital economy. Consent for processing electronic communications data from internet or voice communication usage will not be valid if the data subject end-user has no genuine and free choice or is unable to refuse or withdraw consent without detriment.
(20a) End-users are often requested to provide consent to the storage and access to stored data in their terminal equipment, due to the ubiquitous use of tracking cookies and similar tracking technologies. As a result, end-users may be overloaded with requests to provide consent. This can lead to a situation where consent request information is no longer read and the protection offered by consent is undermined. Implementation of technical means in electronic communications software to provide specific and informed consent through transparent and user-friendly settings, can be useful to address this issue. Where available and technically feasible, an end user may therefore grant, through software settings, consent to a specific provider for the use of processing and storage capabilities of terminal equipment for one or multiple specific purposes across one or more specific services of that provider. For example, an end-user can give consent to the use of certain types of cookies by whitelisting one or several providers for their specified purposes. Providers of software are encouraged to include settings in their software which allows end-users, in a user friendly and transparent manner, to manage consent to the storage and access to stored data in their terminal equipment by easily setting up and amending whitelists and withdrawing consent at any moment. In light of end-user’s self-determination, consent directly expressed by an end-user should always prevail over software settings. Any consent requested and given by an end-user to a service should be directly implemented, without any further delay, by the applications of the end user’s terminal. If the storage of information or the access of information already stored in the end-user’s terminal equipment is permitted, the same should apply.
(20aaaa) In contrast to access to website content provided against monetary payment, where access is provided without direct monetary payment and is made dependent on the consent of the end-user to the storage and reading of cookies for additional purposes, requiring such consent would normally not be considered as depriving the end-user of a genuine choice if the end-user is able to choose between services, on the basis of clear, precise and user-friendly information about the purposes of cookies and similar techniques, between an offer that includes consenting to the use of cookies for additional purposes on the one hand, and an equivalent offer by the same provider that does not involve consenting to data use for additional purposes, on the other hand. Conversely, in some cases, making access to website content dependent on consent to the use of such cookies may be considered, in the presence of a clear imbalance between the end-user and the service provider as depriving the end-user of a genuine choice. This would normally be the case for websites providing certain services, such as those provided by public authorities. Similarly, such imbalance could exist where the end-user has only few or no alternatives to the service, and thus has no real choice as to the usage of cookies for instance in case of service providers in a dominant position.
To the extent that use is made of processing and storage capabilities of terminal equipment and information from end-users’ terminal equipment is collected for other purposes than for what is necessary for the purpose of providing an electronic communication service or for the provision of the service requested, consent should be required. In such a scenario, consent should normally be given by the end-user who requests the service from the provider of the service.
I. Definition of consent, Art. 4a Sec. 1 ePrivacy Regulation and Art. 4 No. 11 GDPR
The ePrivacy Regulation defines consent by means of reference to the definition of consent in Art. 4 No. 11 GDPR.[1] The GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’ in its Art. 4 No. 11. The basic concept of consent from Directive 95/46/EC is thereby retained and supplemented by the GDPR, which, in addition to the definition in Art. 4 No. 11 GDPR, provides further specifications on consent in Art. 7 and Art. 8 GDPR as well as its Recitals 32, 33, 42, and 43.[2]
As set out in Art. 4a Sec. 1 ePrivacy Regulation, some of the factors determined in the definition of Art. 4 No. 11 GDPR require adaptation in order to be applicable in the ePrivacy context. First, it is not the data subject’s declaration of consent that is to be taken into account, but rather that of an end-user as defined by the ePrivacy Regulation, who can also be a legal person (Art. 4 No. I.2.e). Accordingly, the requirements for consent must be fulfilled by the end-user: the end-user must make a voluntary (Art. 4a No. IV.2.) and informed decision (Art. 4a No. IV.4.) regarding consent and make an unambiguous (Art. 4a No. IV.4.) and specific expression of consent (para. 38 et seqq.). Furthermore, the agreement of the end-user must relate to the processing of the electronic communications data concerned, which is not necessarily also personal data in contrast to the wording of Art. 4 No. 11 GDPR (or, depending on the case of application, the consent of end-users must relate to the use of storage capacities on one’s own terminal equipment, or the inclusion in a publicly available directory, see Art. 8 para. X and Art. 15 para. X respectively).
Although the basic concept of the predecessor Directive on data protection has been retained, the aforementioned provisions of the GDPR on the declaration of consent provide for a stricter handling of this legal basis.[3] The stricter approach to consent manifests in particular in the increased requirements for its validity, the stricter legal protection of children and special requirements for consent for the processing of special categories of data.[4]
[1] In principle, this reference would have been covered by the general reference in Art. 4 Sec. 1 lit. a) ePrivacy Regulation already and, thus, Art. 4a Sec. 1 ePrivacy Regulation is of a purely declaratory nature with regard to Art. 4 No. 11 GDPR.
[2] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 6.
[3] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 93.
[4] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 93.
II. Relevance of consent under Art. 4a ePrivacy Regulation
Consent plays a central role within the ePrivacy Regulation, as it constitutes an important legal basis for data processing in accordance with the Regulation’s provisions.[5] Thus, the relevance of consent in the ePrivacy Regulation is similar to the crucial role of consent under the GDPR.[6] Art. 4a Sec. 1 ePrivacy Regulation refers comprehensively to the notion of consent under the GDPR. The definition of consent as well as the requirements for its validity (para. 13 et seqq.) and details of withdrawal (Art. 4a No. VII.1.) are determined in the GDPR and are applicable under the ePrivacy Regulation, albeit with the necessary modification that all requirements should also be applicable to legal persons (Art. 4 No. I.).[7]
Throughout the ePrivacy Regulation, the possibility to rely on consent exists for different types and purposes of data processing. Valid consent will constitute a legal basis for lawful processing of electronic communications data pursuant to Art. 6a Sec. 1 (processing of electronic communications content, Art. 6a para. 4 et seqq.) and Art. 6b Sec. 1 lit. c) (processing of electronic communications metadata, Art. 6b para. 18). Furthermore, consent may affect the lawfulness of the use of storage and processing capabilities as well as collection of information from or emitted by end-user terminal equipment due to Art. 8 Sec. 1 lit. b), Sec. 2 lit. b) (Art. 8.), the operation of publicly available directories pursuant to Art. 15 Sec. 1, Sec. 2 and the sending of direct marketing communications according to Art. 16 Sec. 1 (Art. 16). The provisions on consent in Art. 4a ePrivacy Regulation and its reference to the GDPR apply to all those provisions in the ePrivacy Regulation that relate to consent.
Within the ePR Commission Proposal 2017, Art.9 predominantly regulated the details regarding collection, effectiveness and withdrawal of consent.[8] The version proposed by the Portuguese Presidency moved this provision to Art. 4a, thus to the general part of the ePrivacy Regulation in Chapter I. Additionally, the content of the provision was modified. Art. 9 Sec. 1 of the ePR Commission Proposal 2017 explicitly referred to Art. 4 No. 11 and Art. 7 GDPR as the relevant provisions for consent under the ePrivacy Regulation, thereby limiting the scope of reference to the GDPR. In contrast, the corresponding reference in Art. 4a Sec. 1 ePrivacy Regulation is now broad, general and not limited and now reads: ‘The provisions for consent provided for under Regulation (EU) 2016/679/EU shall apply to natural persons and, mutatis mutandis, to legal persons’.[9] Thus, in principle, any regulations relevant to the declaration of consent in the GDPR also apply in the context of the ePrivacy Regulation – mutatis mutandis – and are not limited to selected articles.[10]
Consent is likely to play an even bigger role under the ePrivacy Regulation than under the GDPR. This is because, unlike the GDPR, the ePrivacy Regulation does not follow a risk-based approach, at least not to an extent comparable with the GDPR.[11] The ePrivacy Regulation does not contain a legal basis comparable to Art. 6 Sec. 1 sent. 1 lit. f GDPR, which would allow for a weighing of interests in order to determine the lawfulness of data processing (which tends to be in favour of the controller in the case of less risk-prone data processing activities). In the absence of such a provision, the ePrivacy Regulation thus assumes that the risk level is practically equal for all processing activities, since they are all prohibited in the same manner and exclusively subject to the same narrow exceptions. Thus, a declaration of consent is often the only available legal basis that offers some flexibility to broaden the potential scope of processing activities.
This lack of flexibility (and the corresponding importance of consent) was criticized in the legislative process. In its proposed amendment to the Regulation of February 2020, the Council proposed the integration of a legal basis corresponding to Art. 6 Sec. 1 sent. 1 lit. f GDPR, which ought to provide a possibility for the providers of electronic communications networks or services to refer to their legitimate interests when processing electronic communications data or interfering with terminal equipment.[12] The German Presidency, too, considered this suggestion and explicitly put it up for discussion.[13] However, ultimately, the German Presidency did not include the legal basis of legitimate interest in its proposal.[14] Neither does the ePrivacy Regulation as proposed by the Council contain legitimate interest as a legal basis; this approach now appears to have been rejected by the Council of the European Union.
[5] ePR Commission Proposal 2017, Explanatory Memorandum, at 5.2.
[6] Cf. Art. 29 WP, WP 259 Guidelines on consent under Regulation 2016/679, p. 3.
[7] Cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 6.
[8] ePR Commission Proposal 2017, Art. 9.
[9] See also the first proposal submitted by the Portuguese Presidency, from which the specific changes made to the text can be traced more clearly, Council of the European Union,
Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) from 5 January 2021, Doc. No. 5008/21, p. 65.
[10] Cf. recital 3, which now also refers to all relevant provisions of the GDPR on consent and is not limited to the GDPR’s definition of consent as in the ePR Commission Proposal 2017.
[11] The GDPR follows a risk-based approach: The legal obligations of an undertaking, in particular the rights of data subjects, depend on the risk level of the data processing, Rec. 76 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 246.
[12] Council of the European Union, 5979/20, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 21 February 2020, pp. 2, 3.
[13] Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) – Presidency discussion paper, 9243/20, 6 July 2020.
[14] Cf. Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 4 November 2020, 9931/20, p. 2, 67.
III. Burden of proof, Art. 7 Sec. 1 GDPR
According to Art. 7 Sec. 1 GDPR, ‘[w]here processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing`.[15] Thus, the data controllers under the GDPR generally bear the burden of proof if a data subject claims to have given no or no valid consent.[16] This also applies to the ePrivacy Regulation, by way of reference. Accordingly, depending on the case at hand, providers of electronic communications services (including interpersonal communications services) and electronic communications networks (Arts. 6 – 7, Art. 15) as well as entities interfering with the information and storage capabilities of terminal equipment within Art. 8, or sending direct marketing communications pursuant to Art. 16 ePrivacy Regulation, will be required to prove that they obtained the consent of an end-user if they invoke it as a legal basis for their processing activities.
Consequently, in cases of doubt, service providers regulated by the ePrivacy Regulation must be able to demonstrate that consent was obtained in a legally sufficient manner. This requires service providers to establish processes by which consent is not only obtained but also documented in a verifiable manner, in order to avoid unfavourable legal consequences. As with the GDPR, service and network providers under the ePrivacy Regulation are generally free to implement procedures to comply with this obligation in a way that fits their daily business operations.[17] At the same time, the principle of data minimisation arising from Art. 5 Sec. 1 lit. c) GDPR should not be pushed too far and, consequently, no more data should be collected and processed than necessary to document the declaration of consent.[18] Although Art. 5 Sec. 1 lit. c) GDPR does not explicitly refer to consent, the general data protection principles set out in Art. 5 GDPR apply to consent under the GDPR, too. Thus, as far as data protection principles specified in Art. 5 GDPR, such as purpose limitation or data minimisation, apply to consent in the regime of the GDPR, they must also be applicable to consent under the ePrivacy Regulation due to the very general reference in Art. 4a Sec. 1.[19]
Within the GDPR, the burden of proof became particularly relevant where consent was to be obtained online, as there are no specific requirements for such procedure set out by the GDPR and thus an appropriate procedure is to be determined by the responsible parties alone.[20] Here, it mainly depends on the specific processing and its purposes. An example is consent to newsletters or similar subscription services that end-users may receive via email. In Germany, for example, the so-called double opt-in procedure has become popular, which offers a possible data protection-compliant documentation measure in such cases. [21] In this procedure, visitors of a website will declare consent by way of an online mask in a first step, which will also require them to provide e-mail addresses and in a second step, they will receive a verification e-mail including a personalised link, which needs to be followed to finalise the consent procedure.[22]
Under the GDPR, the obligation to demonstrate consent under Art. 7 Sec. 1 GDPR exists as long as the relevant processing activity takes place.[23] According to Art. 4a Sec. 1 ePrivacy Regulation as well as Recital 3, the same will apply under the ePrivacy Regulation. However, as under the GDPR, data retained purely to demonstrate consent will generally have to be deleted as soon as the relevant processing activity terminates and the obligation to demonstrate consent ceases.[24]
[15] Furthermore, this follows from recital 42 GDPR.
[16] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 22; Plath, in: Plath, DSGVO/BDSG (2018), Art. 7, para. 7.
[17] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 22.
[18] Cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 22.
[19] However, this does not apply to the principle of data minimisation, as arguably there may be a legitimate interest in applying this principle to non-personal electronic communications data as well. Also with regard to such data, end-users are likely to have an interest in ensuring that it is processed only to the minimum extent necessary.
[20] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 93.
[21] Plath, in: Plath, DSGVO/BDSG (2018), Art. 7, para. 9; the Austrian supervisory authority for data protection even considers the absence of an double-opt-in procedure to obtain consent for an e-mail newsletter as a violation of the requirements set out by Art. 32 GDPR, see Austrian Data Protection Authority, decision from 9 October 2019, DSB-D130.073/0008-DSB/2019.
[22] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 93; Plath, in: Plath, DSGVO/BDSG (2018), Art. 7, para. 9.
[23] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 22 et seq.
[24] This is required by Art. 17 Sec. 3 lit. b) and lit. e) GDPR, which is also applicable to the declaration of consent, see EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 23.
IV. Requirements for valid consent
The requirements for valid consent set out under the GDPR apply.[25] This concerns primarily the provisions and Recitals of the GDPR, but is, in principle, also transferable to any case law and assessments of competent authorities such as the EDPB or supervisory authorities of Member States that have been issued based on consent under the GDPR. Besides the definition of consent in Art. 4 No. 11 GDPR, the general reference in Art. 4a Sec. 1 ePrivacy Regulation mainly concerns Art. 7 GDPR, which is the central provision regarding the requirements for effective consent to data processing.[26]
[25] See recital 3, 18.
[26] However, see also Art. 4a No. III. regarding the applicability of other, more general provisions of the GDPR.
1. Obtaining consent from the correct end-user
To be valid, consent must be declared by the ‘end-users concerned’.[27] In short, an end-user is a natural or a legal person using or requesting an electronic communications service.[28] However, determination solely on the basis of who has requested a service does not always allow for an unequivocal identification of the correct end-user, i.e. the person who is responsible and entitled to declare consent. There are constellations where multiple persons may have an interest in the confidentiality of communications or the integrity of a device:[29] A communication process often requires multiple participants whose privacy interests could potentially be threatened.
Example: Employee and employer both might have an interest in the confidentiality of communications on a work-computer or phone.
It is conceivable that in specific cases the communicating parties have diverging interests regarding their privacy. This gives rise to the question on how the interests of multiple concerned parties shall be considered and evaluated when processing is at the disposal of one end-users’ consent, such as in the case of Art. 6b Sec. 1 lit. c) ePrivacy Regulation. In such a situation, it is necessary to determine whose interest is decisive. Generally, if only one party is requesting or using a service, this party will be considered the only relevant end-user whose consent the service provider must obtain. For the processing of electronic communications content, Art. 6a Sec. 1 lit. b) provides that, in principle, all parties involved in the communication must consent (Art. 6 para. 17 et seqq). However, there are a number of borderline cases that can be problematic.
Firstly, there are situations where both, a natural and a legal person are involved on one side of a communication process. The definition in the EECC Directive and the ePrivacy Regulation explicitly state that legal persons, too, can be considered end-users.[30] Therefore, where a legal person requests a service, it is, by definition, an end-user of this service. However, legal persons usually require individuals to represent and act for them. An individual using a service is potentially also an end-user, even if a legal person requested the service. Hence, there are two relevant players involved: the legal person, whose interests lie in the protection of their business secrets, and the individual acting on behalf of that legal person, whose interest will be to ensure the greatest possible degree of privacy and confidentiality of communications. Both can, but do not necessarily have to be congruent.
Since service and network providers rely on some form of involvement with end-users, they must be able to determine who their relevant end-user in terms of ePrivacy compliance are. In order to identify their users, providers consequently require the definition of objective criteria. In the context of the provision of electronic communications services and networks, the end-user ought to be the person to whom a certain service is provided to. In most cases, this will be the party subscribing to a service, which will usually be the legal person itself and not the natural persons using the service. However, during the legislative process, there have been proposals to grant individuals, particularly employees, an autonomous right to decide whether they want to consent to certain measures, even if it was their employer who subscribed to the service.[31]
Secondly, multiple individuals may potentially use a single device. This poses a problem, since privacy preferences of one end-user do not necessarily reflect another end-user’s preferences and interests. Therefore, interests of more than one end-user may have to be taken into account. As mentioned above, the identification of the relevant end-user who is authorised to declare consent for each particular processing activity can be tricky in particular when providers base their processing activities on consent. Thus, as in the scenario above, objective criteria in order to determine the respective end-user are required. As a rule of thumb, where multiple persons are concerned, the identification of the relevant end-user is generally determined on the basis of contractual relationships.
[27] See Art. 6b Sec. 1 lit. c) and recital 16b ePrivacy Regulation.
[28] For a detailed definition see Art. 4 No. I.2.e).
[29] The integrity of a device is protected by Art. 8 ePrivacy Regulation, see Art. 8 para. Xx.
[31] Council of the European Union, ST 12293/19, p. 22 et seq.
2. Voluntariness
Consent needs to be given freely, which is not the case if the end-user has no genuine and free choice, feels compelled to consent or is unable to refuse or withdraw consent without detriment.[32] Under these circumstances, consent will be invalid.[33] The most obvious cases of involuntary provision of consent due to detriment are cases of deception, intimidation, coercion and negative consequences, such as cost for the withdrawal of consent.[34] In the event of a dispute, it is up to the controllers under the GDPR and the respective service or network providers under the ePrivacy Regulation to prove that no such detriment exists.[35]
In the context of the GDPR, consent is considered involuntary and thus inapt to serve as a legal basis for data processing where there is a clear imbalance between the data subject and the controller.[36] This applies under the ePrivacy Regulation in relation to imbalances of power between the end-users and service or network providers. Imbalance of power refers to situations with asymmetric bargaining powers of the parties or social relationships of dependence. The decisive factor is whether the power imbalance has had an effect on the decision to provide consent by the end-user.
Consent can be effective despite asymmetric bargaining powers if this imbalance is not reflected in the concrete situation in which it was obtained. This is the case, for example, when the processing is in the interest of the end-user or when the end-user does not have to fear any disadvantages in case of refusal. It is therefore decisive whether the provider engages in an abusive exploitation of the request for consent.
An inappropriate imbalance of power will often exist in cases where the service providers are public authorities or where there is an employment relationship between end-user and the provider.[37] These are particularly obvious examples for lack of voluntariness.[38]
As regards public authorities, it is generally assumed that there are other, more appropriate legal bases than consent to rely on for processing and, thus, these alternative legal bases shall be primarily considered. Despite this general consideration, consent is not excluded absolutely as a legal basis for public authorities.[39]
Example: A local municipality is planning road maintenance works. As the road works may disrupt traffic for a long time, the municipality offers its citizens the opportunity to subscribe to an email list to receive updates on the progress of the works and expected delays. The municipality makes clear that there is no obligation to participate and asks for consent to use email addresses for this (exclusive) purpose. Citizens that do not consent will not miss out on any core service of the municipality or the exercise of any right; they are able to give or refuse their consent to this use of data freely. All information on the road works will also be available on the municipality’s website.[40]
In the latter example, there is clearly no abuse of power by the public authority and, thus, no reason to assume consent was given involuntarily. Similarly, in the context of the ePrivacy Regulation, it must be possible to rebut the general presumption of an imbalance of power in the case of public providers. If there are reasons against a superiority of public providers or a dependency of the end-users, these should be taken into account. This will be particularly relevant in the context of the ePrivacy Regulation as it does not provide for legal bases corresponding to Art. 6 Sec. 1 lit. c) and lit. e) GDPR, which by public authorities can refer to.
In the employment context, there is typically a relationship of dependency between employer and employee.[41] When employees are also end-users with their employers being their providers, the question necessarily arises as to whether, here, declarations of consent can be obtained voluntarily at all. Employers who operate as service providers are therefore generally advised not to rely exclusively on consent as a legal basis. [42]
However, consent is not excluded as a valid legal basis in an employment context per se. It is noteworthy that the legislator decided not to include the employment relationship as a statutory example of clear power imbalance under the GDPR, although such inclusion was proposed in an earlier draft.[43] Accordingly, the EDPB also acknowledges the general possibility for employers to demonstrate that consent of their employees was given freely and that employees were not pressured to provide consent.[44] Thus, a case-by-case assessment will have to take place in order to determine validity of the consent. The threshold for employers to demonstrate the voluntariness of their employees’ consent will arguably be high.
b) Condition for the performance of a contract
According to Art. 7 Sec. 4 GDPR, another factor to be taken into account when assessing voluntariness of consent is whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data which is not necessary for the performance of that contract.[45] Thus, Art. 7 Sec. 4 GDPR sets out a prohibition on makeing a contractual performance conditional upon the provision of consent (‘take it or leave it-scenarios’).[46] Within the ePrivacy Regulation, the same should apply with regard to electronic communications data that is unnecessary for the performance of a contract between the end-user and service or network providers.
Art. 7 Sec. 4 GDPR indicates that service or network providers should avoid to ‘bundle’ consent with the acceptance of terms and conditions or to ‘tie’ the provision of a contract or a service to a request for consent to process personal data which is not necessary for such provision.[47] However, the actual scope of Art. 7 Sec. 4 GDPR is not entirely clear. Some understand it as a general prohibition of such ‘bundled’ consent,[48] while others advocate for a limited application, with regard to essential services only,[49] or only in relation to providers holding a monopoly position.[50] However, the wording of Art. 7 Sec. 4 GDPR as well as its corresponding Recitals 42 and 43 do not provide for such narrow interpretation.[51]
The EDPB, in turn, interprets Art. 7 Sec. 4 GDPR in conjunction with Recital 43 GDPR to stipulate a presumption of invalidity of consent obtained in contractual context for such ‘unnecessary’ data processing.[52] Moreover, it identifies the main purpose of the provision is to ensure that the relevant data is not exploited as consideration for the fulfilment of a contract and that the two legal bases of contract and consent are not ‘merged and blurred’.[53] It highlights that Art. 7 Sec. 4 GDPR neither applies as an absolute prohibition of ‘bundled consent’, nor is there a necessity for a restrictive application of this provision.[54] However, the EDPB concludes that cases will be highly exceptional and rare where valid consent is provided for not strictly necessary data processing activities within a contractual context.[55]
The burden of proof imposed on the controller in Art. 7 Sec. 1 GDPR, which in the case of the ePrivacy Regulation applies to the service or network providers in a similar manner, also extends to the voluntariness of the declaration of consent. In conjunction with the presumption of invalidity of consent declarations in Recital 43 GDPR, it may therefore be difficult to demonstrate that consent was provided voluntarily despite being obtained in a contractual context.[56]
aa) Consent provided as a form of remuneration
Cases where data subjects are given a choice between acquiring a service for a reasonable consideration, such as a fee, and acquiring it ‘free of charge’ in return for a declaration of consent, could be exempt from Art. 7 Sec. 4 GDPR if the choice relates to a genuinely equivalent service.[57] The consent provided in such cases could be qualified as an option instead of a real condition for the performance of a contract and, thus, might be considered voluntary.[58]
However, a service must not be denied entirely if an end-user refuses to provide consent, e.g. refusal to accept cookies or other tracking mechanisms when accessing a website. Rather, the end-user must be given an opportunity to refuse consent and still access the content of a website, e.g. in return for a reasonable remuneration, as otherwise there is no ‘genuine choice’ and consent is therefore unlawful.[59] This requires website operators to inform their end-users about the possibility to refuse consent and still obtain access the services of the website. They may not be merely refer to equivalent alternative third-party services. According to the EDPB, the freedom of choice cannot depend on the offer of third market participants, which lies outside the controller’s sphere of influence.[60] Rather, the equivalent service must be offered by the same provider or its organisation to which non-consenting end-users have access to.[61]
Thus, business models that offer ‘free’ services in exchange for consent to data processing activities are not necessarily unlawful, as long as an alternative in exchange for a reasonable consideration is provided.[62] However, where the alternatives provided by the service providers are designed in a way that end-users factually have no other option than consenting to the processing, e.g. where the service provider exploits a dominant position of power, no ‘voluntary’ consent can be provided.[63]
bb) Consent in return for the provision of essential services
Art 7 Sec. 4 is of particular importance in connection with ‘essential services’. Art. 7 Sec. 4 GDPR cannot be considered to be limited to such cases. , But it will be a strong indicator for unlawful conditionality of consent if it is provided in order to gain access to essential services. Essential services are generally services that are crucial to the organisation of daily life for the person giving consent, such as basic utilities like electricity, water or heat. However, in the digitzed society, essential services are no longer limited to such basic services. Consequently, Recital 18 further identifies basic broadband internet access and voice communications services as essential services within the ePrivacy Regulation, as these services are indispensable for individuals in order to manage their everyday lives in the digital economy and enjoy its benefits. Therefore, the ePrivacy Regulation goes on that in the context of such services, it cannot be assumed that a declaration of consent is made voluntarily if the end-user is not given the opportunity to refuse such consent without detriment.[64]
When assessing whether an electronic communications service constitutes an essential services within the framework of the ePrivacy Regulation, it must be taken into account that reliable access to electronic communications services is generally of high importance in a digitized society. Most people rely on electronic communications in connection with their work, their own business or the maintenance of social and family contacts. Thus, end-users will usually be willing to accept higher privacy risks in order to be able to use these vital services. The explicit reference to voice communications and broadband internet access in Recital 18 should therefore be understood as indicative. While these types of electronic communications services are particularly fundamental, they do not necessarily constitute the only category of essential services.[65]
cc) Necessity of processing for the performance of a contract
In addition to single use cases that can be categorised as cases where voluntariness seems rather questionable, it will be decisive whether the data concerned by the declaration of consent are relevant or unnecessary for the performance of the respective contract in order to establish whether a request for consent falls under Art. 7 Sec. 4 GDPR. Necessity in this regard is to be understood in line with the interpretation of Art. 6 Sec. 1 lit. b GDPR. According to the considerations of the Art. 29 WP and the EDPB, the requirement of necessity for the performance of a contract is to be interpreted strictly. This means that the intended processing must be genuinely necessary for a purpose that is crucial for the performance of the contract, e.g. processing of address details in order to deliver goods or of credit card details in order to facilitate a payment.[66] In turn, processing which is only useful but not objectively necessary to perform a contractual service will fall under the provision of Art. 7 Sec. 4 GDPR.[67]
3. Specific and granular
It follows from the basic principles of the GDPR laid down in Art. 5 Sec. 1 lit. b), that it is indispensable to determine a specific processing purpose in order to lawfully process data. If data processing is to be carried out on the basis of a declaration of consent, this consent must clearly and specifically refer to the respective predetermined purpose in order to meet the requirement of ‘specificity’ set out by Art. 4 No. 11 GDPR.[68] The data processing is then also bound to this purpose, unless another legal basis applies (principle of purpose limitation).[69]
The requirement to obtain specific consent is closely linked to the requirement of ‘granularity’, which is considered to be necessary for the voluntariness of consent, i.e. that end-users must be able to consent to specific processing operations for specific purposes and in turn be enabled to opt-out of particular operations.[70] Thus, providers will not be able to lawfully obtain consent for undefined processes and purposes through an all-or-nothing approach. Rather, they are required to obtain specific consent for all envisaged purposes.[71] It follows from the requirement of specificity that consent cannot be obtained in form of a general authorisation.[72]
Example: Entity M runs a web-based email service via the internet. For this purpose, M collects and stores electronic communications metadata. M sells digital advertising spaces on its webpage to third entities. These entities carry out behavioural advertising. When signing up to the email service, users have to consent to the use of their electronic communications metadata for behavioural advertising in order to successfully register with the email service.
In this example, M must inform its users of the different purposes of processing (running the email service + behavioural advertising) before obtaining consent. M’s users might feel obliged to consent to behavioural advertising in order to use the email service. M is required to put the users in a position to give free and specific consent to receiving behavioural advertising, independently of their access to the email service. For this purpose, M could use a pop-up window that informs users of all intended processing purposes and provides for a possibility to select the use of data to which they wish to consent and should inform them on the consequences of refusal of consent for certain kinds of processing activities, such as behavioural advertising.[73]
The challenge of consenting to multiple processing operations and for multiple processing purposes arises frequently with respect to the use of cookies, as operators often want to use different cookies for different purposes (e.g. cookies that enhance the user experience of the website as well analytical cookies). Where multiple purposes are pursued, said information has to be given for each purpose. Consent must not be obtained en bloc but in a granular way that allows the end-user to limit his or her consent to particular purposes. This requires adequate information for end-users about their different options. If, for example, so-called cookie banners are used to obtain consent, it will not suffice if there is only one button indicating ‘accept cookies’. Rather, end-users should be provided the opportunity to differentiate within their choice.
[32] Art. 29 WP, WP 259 rev.01 (2018), p. 5; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 95; recital 44 GDPR.
[33] Recital 18 ePrivacy Regulation; EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 7.
[34] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 13.
[35] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 13.
[36] Cf. recital 43 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 95.
[37] Cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 8 et seq.
[38] This follows from recital 43 GDPR and was highlighted by the EDPB in Guidelines 05/2020 on consent under Regulation 2016/679, p. 9.
[39] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 8.
[40] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 8.
[41] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 9.
[42] EDPB, Opinion 2/2017 on data processing at work, page 6 et seq.; EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 9.
[43] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 95.
[44] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 9.
[45] See with regard to consent within the GDPR, Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 95.
[46] Recital 43 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 95.
[47] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 10.
[48] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR)(2017), p. 95 et seq.; Golland, MMR 2018, 130.
[49] Cf. Klement, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 7, para. 56.
[50] Plath, in: Plath, DSGVO/BDSG (2018), Art. 7 para. 19 et seq.
[51] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 95.
[52] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 10.
[53] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 10.
[54] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 11.
[55] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 11.
[56] Cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 11.
[57] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 11.
[58] Recital 20aaaa; Recital 25 ePrivacy Directive was based on similar considerations, outlining that ‘access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose’.
[59] Recital 20aaaa.
[60] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, at rec. 37, 38.
[61] Recital 20aaaa.
[62] Cf. Frenzel, in: Paal/Pauly, DS-GVO BDSG (2018), Art. 7 rec. 21; Buchner/Kühling, in: Kühling/Buchner, DS-GVO, Art. 7 (2018) rec. 51; Wolff, in: Schantz/Wolff, Datenschutzrecht (2017), rec. 473.
[63] Recital 20aaaa.
[64] Recital 18.
[65] In this context, it is debatable how access to social networks should be classified. These are steadily gaining in importance, both in the private lives of a large part of society as well as in a professional context. Social media are frequently used for information purposes or professional/scientific exchange. In addition, businesses are increasingly using social media for marketing purposes, distribution of goods and services as well as for the acquisition of employees. However, the trend seems to be to reject social networks as essential services as for now, see Klement, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 7, para. 63.
[66] Art. 29 WP, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217, p.16; EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 10.
[67] EDPB, Draft Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, p. 7; EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 10.
[68] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 13.
[69] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 14.
[70] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 12; Voigt/von dem Bussche, The EU General Data Protection Regulation (2017), p. 96.
[71] Recital 32 GDPR; Voigt/von dem Bussche, The EU General Data Protection Regulation (2017), p. 96.
[72] Voigt/von dem Bussche, The EU General Data Protection Regulation (2017), p. 96.
[73] See for respective examples in the context of consent within the meaning of the GDPR Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 97; Art. 29 Working Party, WP 187 (2011), p. 18 et seq.
3. Informed
End-users have to be sufficiently informed in order to make an empowered decision and validly declare consent. The requirement is closely linked to the principle of transparency of data processing as per Art. 5 GDPR.[74] Moreover, informed consent is a precondition in order to meet the requirement of specificity, as end-users can only consent to a specific purpose if they were sufficiently informed about that purpose.[75]
Information must at the minimum contain the identity of the service providers and the intended purposes for the processing of electronic communications data.[76] Where there are multiple entities involved, which seek to rely on consent, the information should contain the identity of all such entities.[77] The minimum content requirements for ePrivacy consent to be sufficiently informed are
(i) the controller’s identity;
(ii) the processing purposes (if consent is obtained for more than one processing operations, the information must contain the purposes for each such operation);
(iii) the type of data collected and processed;
(iv) information about the possibilities to withdraw consent.[78]
As regards the formal requirements for the provision of information, the GDPR does not provide for a specific form. However, information should be provided in clear and plain language that is comprehensible for the average person in order to meet the transparency requirements.[79] According to Art. 7 Sec. 2 GDPR, where a request for consent is provided in written form it needs to be clearly distinguishable from any other matters, e.g. when the request is submitted together with a service contract and the consent declaration form. In such cases, it is advisable to graphically highlight the request for consent and the information associated with that request as well as explicitly use the term ‘consent’ in order to accomplish sufficient distinguishability.[80] Furthermore, the relevant information required to obtain valid consent cannot be hidden behind long general terms and conditions or non-transparent and complicated privacy policies.[81]
The responsible service or network providers are thus required to balance completeness and simplicity, which might require a case-by-case consideration with regard to the specific group of addressees. If, for example, declarations of consent are to be obtained from minors and the information is directed at minors, such information must be worded in a language understandable to minors (regarding the requirements for obtaining consent from children see Art. 4a VII.).[82]
A declaration of consent can be sufficiently informed and, thus, valid even if the information obligations under Art. 13, 14 GDPR are not entirely fulfilled and certain information listed in Art. 13 and Art. 14 GDPR is not provided.[83] Art. 4a Sec. 1 ePrivacy Regulation only refers to the provisions of the GDPR that concern the declaration of consent and, thus, does not explicitly refer to the general information obligations of Art. 13, 14 GDPR. This is particularly relevant for situations in which third party processors are involved (Art. 28 GDPR). The minimum information required in order to obtain informed consent includes the identity of all controllers involved, but not necessarily of all processors.[84] The (potential) obligation to inform about the identity of involved data processors under the GDPR results exclusively from the information obligations within Art. 13 and Art. 14. In principle, it is therefore conceivable to obtain a valid declaration of consent under the ePrivacy Regulation, even if data processors are engaged which end-users have not been informed about. However, such a result seems difficult to reconcile with general data protection standards. Moreover, the ePrivacy Regulation refers to Art. 28 GDPR, at least for the design and lawfulness of data processing by third parties (Art. 6 para. 37 et seqq.). Indirectly, therefore, similar standards are likely to apply with regard to the information obligations associated with such processing.
[74] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 15.
[75] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 96.
[76] Recital 42 GDPR.
[77] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 15.
[78] In the case of declarations of consent under the GDPR, information on any automated decision-making processes (Art. 22 Sec. 2 lit. c) GDPR) and risks of data transfers due to absence of an adequacy decision (Art. 46) must also be communicated, where applicable . However, the ePrivacy Regulation does not contain any corresponding provisions or references to these regulations. Therefore, this obligation is not relevant in the context of ePrivacy consent.
[79] Art. 7 Sec. 2 GDPR; EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 15.
[80] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 94; Plath, in: Plath, DSGVO/BDSG (2018), Art. 7, para. 12.
[81] Cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 15.
[82] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 16.
[83] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 17.
[84] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 16; cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 96.
4. Unambiguous
Valid consent might be provided as an oral statement, written declaration or by electronic means, as the GDPR does not determine mandatory formal requirements.[85] Under the GDPR, data controllers are generally free to elaborate and implement consent flow mechanisms that are suitable to their business models.[86] The same will be applicable to service or network providers seeking to obtain consent for processing of electronic communications data in the context of the ePrivacy Regulation. However, when choosing the form of declaration of consent, the service or network providers should take into account that in case of doubt it might become necessary to prove that consent has been obtained as an unambiguous and clear affirmative act in terms of Art. 4 No.11 GDPR (regarding the burden of proof see para. 9 et seqq.; Art. 7 Sec. 1 GDPR).[87] Consequently, it is advisable to obtain consent in an easily documentable form.[88]
The notion ‘clear affirmative act’ requires a deliberate action by the end-user, which actively indicates a choice.[89] The necessity to provide consent as a clear and affirmative act shall ensure that end-users are aware of the fact that and the extent to which consent is given.[90] Therefore, any means by which consent is obtained must be suitable in order to create such awareness of the addressed end-users.
The most apparent way in of obtaining a clear and affirmative act of consent will be a letter, email or any written form of declaration by which the end-user expressly explains what she or he is agreeing to.[91] However, in practice a clear affirmation could be provided by the following means:
(i) ticking an unticked box when visiting an internet website;
(ii) choosing technical settings (the option to provide consent by means of software settings is envisaged by Art. 4a Sec. 2 ePrivacy Regulation in the context of Art. 8 ePrivacy Regulation and linked to certain preconditions, see Art. 4a No. VI.); and
(iii) any other statement of conduct that clearly indicates acceptance of the intended processing.[92]
Example:[93] Swiping a bar on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion may be options to indicate agreement, as long as clear information is provided, and it is clear that the motion in question signifies agreement to a specific request (e.g. if you swipe this bar to the left, you agree to the use of information X for purpose Y.). The controller must be able to demonstrate that consent was obtained this way and data subjects must be able to withdraw consent as easily as it was given.
Subject of dispute is the collection of consent via so-called ‘cookie banners’ as a clear and affirmative act in the online environment. Cookie banners that merely inform about the placement of cookies and do not demand an affirmative act by the end-user, but rather rely on their unopposed use of the website are insufficient for obtaining valid consent. Instead, consent has to be obtained by an active approval of the end-user.[94] This approval has to constitute a separate act that is clearly distinguishable from other matters, such as consent to terms and conditions or subscription to newsletters.
In its Planet49 decision, the CJEU has clarified that pre-ticked boxes, so-called ‘Opt-Out’-solutions, are also insufficient to obtain valid consent in terms of the GDPR and the ePrivacy Directive.[95] This view has now been endorsed by the EDPB[96] and the Federal Court of Justice of Germany.[97] The court held that website operators necessarily need to obtain explicit consent of their end-users for the setting of non-functional[98] cookies by means of a so-called ‘Opt-In’-declaration.[99] The default setting relating to such cookies must be set on ‘reject’ or ‘deactivated’ when end-users access a website for the first time and non-functional cookies may only be set if and after the end-user changes this default setting manually.[100] The CJEU has further clarified that this requirement applies regardless of whether ‘personal’ data is processed through the cookie placement or not, which is of particular relevance for the ePrivacy Regulation.[101]
Thus, neither silence, inactivity, pre-ticked boxes, opt-out solutions nor silent proceeding with a service can be regarded as a sufficiently clear affirmative act and, thus, an active indication of choice.[102] The technical settings of a website ought therefore be designed in a way that no data collection intended on the basis of consent is initiated until the user has actually carried out the necessary action. Whether a website operator continues to use non-compliant opt-out-procedures to obtain consent despite these developments is easily recognizable to the public and, thus, generally also for competitors and consumer protection organizations. Consequently, operators who do not implement a proper opt-in procedure expose themselves to legal consequences against them under relevant applicable Member State laws.[103]
[85] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 94; recital 32 GDPR.
[86] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 19.
[87] Recital 32 GDPR; EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 18.
[88] The EDPB even mentions recorded oral statements as permissible in principle, subject to the contract law of the Member States, but immediately notes that in this context the information provided to the data subjects must also be taken into account in a sufficient manner, EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 18.
[89] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 18.
[90] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 94; recital 42 GDPR.
[91] Cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 18.
[92] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 94 et seq.; recital 32 GDPR.
[93] Drawn from EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 19.
[94] See Klement, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 7, rec. 35.
[95] CJEU, judgement from 1 October 2020, Case C-673/17, Planet49, recs. 44-65.
[96] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679 – 4 May 2020, rec. 40, 41; This view is also held by the German Federal Data Protection Conference (Datenschutzkonferenz) which took a position in this regard prior to the CJEU decision, Datenschutzkonferenz, ‘Orientierungshilfe der Aufsichtsbehörden für Anbieter von Telemedien’, March 2019, p. 8.
[97] See German Federal Court of Justice (Bundesgerichtshof), judgement from 28 May 2020 in case I ZR 7/16, para. 44 ff.
[98] However, there is no obligation to obtain consent (at all) for so-called ‘functional’ or ‘essential’ cookies. For the legal and technical differentiation between ‘functional’ (or: ‘essential’) cookies and other types of cookies see Art. 8.
[99] CJEU, judgement from 1 October 2020, Case C-673/17, Planet49, para. 63.
[100] This also results from EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 20.
[101] CJEU, judgement from 1 October 2020, Case C-673/17, Planet49, para. 66 et seq.
[102] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 95; EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 18 et seq.
[103] The German Federal Court of Justice recently referred the question to the CJEU for a preliminary ruling, whether the GDPR also provides for an abstract right of judicial action of consumer protection organisations against responsible companies, or rather whether this can be regulated nationally by Member States due to Art. 80 Sec. 2 GDPR, see German Federal Court of Justice (Bundesgerichtshof), decision from 28 May 2020 in case I ZR 186/17. According to the legal situation under the Data Protection Directive, such a right of judicial action existed, whereas the wording of the GDPR provides for this only in the event that the relevant organisations refer to a concrete infringement of a specific data subject’s rights, and not only to an abstract risk.
V. Consent declared by legal persons
In contrast to the GDPR, the ePrivacy Regulation also grants rights to legal persons. Therefore, legal persons are able to consent to the processing of their electronic communications data. However, the ePrivacy Regulation does not specify how and under which conditions a legal person may validly consent – e.g. who may represent them and to whom the necessary information has to be provided beforehand.[104] Due to the lack of respective provisions concerning legal persons within the GDPR, there are no corresponding GDPR provisions which could be referred to. It is therefore advisable to refer to the general rules of representation of legal persons of the Member States.[105] Consent on behalf of a legal person ought to be given by those individuals that are authorized to represent the legal person in other comparable matters of representation. In the case of a company, for example, these would normally be its managing directors.
However, since it is difficult in practice to engage a member of the management every time consent to the processing of communication data of a company is needed (especially given the requirements of specificity and granularity which eventually require multiple declarations of consent), it is conceivable to delegate this competence to a person or to several persons. In this respect, it may also play a role how the processing in question is designed, i.e. how extensive it is and which communication data it affects. If consent is required ‘only’ regarding the processing of electronic communications metadata, the valuation of the ePrivacy Regulation indicates that lower protection standards apply than in the case of consent to the processing of electronic communications content of legal persons, in which it might be necessary and appropriate to involve the management of the concerned legal person directly.
[104] Art. 29 WP, Opinion 1/2017, p. 28 et seq.
[105] This is also supported by the general approach of the ePrivacy Regulation to leave general provisions of the civil law of the Member States unaffected and to apply them in parallel to the ePrivacy Regulation, which explicitly also applies to provisions on the representation of legal persons, see recital 3a.
VI. Consent expressed via technical software settings, Art. 4a Sec. 2, 2a, 2aa ePrivacy Regulation
Art. 4 Sec. 2 ePrivacy Regulation provides for a special form of consent for the purposes of Art. 8 Sec. 1 lit. b) ePrivacy Regulation. It sets out that in this case consent may be declared through technical privacy settings within the software. Art. 8 ePrivacy Regulation addresses a special form of data processing, namely access to information and storage capacities of end-user terminal equipment for which end-user consent may constitute a legal basis (see Art. 8.). The main practical case of application is the use of cookies by online service providers.
According to Art. 4a Sec. 2 ePrivacy Regulation, end-users can determine, where technically possible and feasible, by way of default software settings, whether and to which processing they want to consent and do not have to define this repeatedly on every website visited. The EDPB advocates taking this even further and calls for browsers and operating systems to be explicitly obliged to provide such possibilities for end-users.[106] At first glance, such approach seems contradictory as this form of declaration of consent contradicts the principle of specificity of consent, namely that consent cannot be validly declared by way of general authorisations (Art. 4a No. IV.3.).[107] Default privacy settings declared via technical means within a software could be considered such general authorisation However, the exception enshrined in Art. 4a Sec. 2 ePrivacy Regulaion only applies within narrow limits, namely exclusively for the cases of Art. 8 ePrivacy Regulation and under reservation of any individually and expressly declared will of the end-user pursuant to Art. 4 Sec. 2aa (Art. 4a No. VI.). Additionally, the technical settings provided for in Art. 4a Sec. 2 ePrivacy Regulation are subject to specific requirements of technical design, which must satisfy basic principles of data protection law. If the software does not meet these requirements, consent declared in this way will not be sufficient.
The possibility to declare consent through technical software settings serves the protection of end-users and is intended to guarantee rather than jeopardize the lawfulness and appropriateness of their declarations of consent by avoiding occurrence of ‘click fatigue’ or ‘consent fatigue’.[108] Many digital services require some form of data processing in order to function, end-users will therefore be frequently confronted with requests for consent.[109] To avoid that the users develop a fatigue towards these requests, which would result in them not properly perceiving the content of the information provided on the individual websites and consenting blindly out of annoyance, it is intended to enable end-users to set their preferences in advance and in a broad manner.[110] However, in order to ensure that the requirements for the validity of consent are not circumvented, the technical options for declaration of consent by default software settings must be designed in a way compatible with the general requirements of valid consent, in particular regarding transparency and specificity.[111] To maintain a certain degree of determination and specificity even within a default setting for consent, it will be necessary to make the available options in the software settings as granular as possible, e.g. allow for the selection to consent to a certain type of cookies specifically, or to certain providers or certain purposes. In addition, the settings must be easy and user-friendly to apply and change, and it must be possible to revoke consent at any time in a simple manner.[112]
The technical protocol of the settings made by the end-user should be sufficient to satisfy the provider’s obligation to demonstrate and prove that a declaration of consent has been made, pursuant to Art. 4 Sec. 2a ePrivacy Regulation. Where an end-user has set the privacy settings in a software on ‘denial’ or ‘rejection’, providers shall not be deprived of the possibility to request consent individually. The mere fact that an end-user has made use of the possibility to set preferences for their privacy in the technical settings of a software does not necessarily prevent service providers from obtaining individual and explicit consent from these end-users. This results from Art. 4 Sec. 2aa ePrivacy Regulation, which stipulates that an individual expression of will prevails over technical default settings.[113] However, such additional request ought not to lead to a noticeable delay in the implementation of the settings made by the end-user but must be implemented immediately as Art. 4 Sec. 2aa sets out.
Art. 9 Sec. 2 of the ePR Commission Proposal 2017 envisaged a similar provision that made it possible to declare consent by means of technical software settings. Additionally, Art. 10 of the ePR Commission Proposal 2017 set out an obligation for all providers of software that allows for electronic communications or the retrieval and presentation of content on the internet to include this option of technical privacy settings in the respective software if it was intended to be placed on the market. Within the framework of this obligation, a definition of certain necessary features of the software was given, such as information of end-users about the possibilities to determine privacy settings during the software’s initial installation.[114] This obligation for software providers regarding the design of their products was deleted from the Council’s version of the ePrivacy Regulation. Only the general possibility to provide declarations of consent by means of software settings was retained in Art. 4 Sec. 2 ePrivacy Regulation. This, however, is not linked to an obligation on the part of the software providers.
The deletion of Art. 10 in the version of the ePrivacy Regulation adopted by the Council has not been unexpected, as it was subject of legislative controversy from the beginning. The approach to oblige software providers to include specific privacy settings in their products as envisaged by Art. 10 ePR Commission Proposal 2017 has raised a lot of concern in the Council of the European Union. This was particularly due to the personal scope of the provision, which was intended to apply to software providers who place the product on the market, which are not necessarily the developers of such software but might be vendors or distributors, e.g. operators of a digital marketplace for apps.[115] Such non-developing providers have no direct influence on the technical design of a software and, consequently, will be unable to change its relevant source code and functionalities. This is also consistent with the principles of ‘privacy by design’ and ‘privacy by default’ in the GDPR (Art. 25 GDPR), which assign respective obligations of technical design and quality of software to data controllers who operate such software and not to its developers. Recital 78 of the GDPR explains the intention: it aims at putting indirect market pressure on the developers, as non-compliant products are creating risks for their customer providers. Hence, Art. 10 ePrivacy Regulation was arguably similarly intended to stimulate the providers as addressees to choose compliant software. Nevertheless, there have been discussions on the effectiveness of such obligations, considering the burden for browser and app developers, competition aspects, the fines in case of non-compliance and its impact on end-users with regard to consent fatigue.[116] Ultimately, the Council of the European Union decided to reject this provision in its proposal.
There will be cases where there is a legal permission for the interference with end-user terminal equipment according to Art. 8 Sec. 1 ePrivacy Regulation, on one hand, and a clear prohibition of such processing expressed by the end-users in the software settings. This triggers the question whether the software settings ‘overrule’ the legal permission. Generally, where there is a legal basis for processing or storing information on the terminal equipment, the service providers must be able to rely on this permission. However, end-users have a reasonable expectation that their software settings are complied with by the service providers. In cases where processing is permissible by law but the end-user has expressed a conflicting wish through technical default settings in a software, it should be mandatory to inform the end-user of the circumstances that his or her chosen settings will not be effective in this particular case. This way, the end-user is appropriately informed of the processing activities that affect him or her and can eventually initiate steps against them. It should also be considered to inform end-users about this possibility while they are choosing their privacy settings, in order to avoid creating a false sense of security.
[106] EDPB, Statement 03/2021 on the ePrivacy Regulation from 9 March 2021, p. 3.
[107] See Voigt/von dem Bussche, GDPR – A Practical Guide (GDPR) (2017), p. 96.
[108] EDPB, Statement 03/2021 on the ePrivacy Regulation from 9 March 2021, p. 3; the GDPR already obliges data controllers to develop mechanisms to tackle this issue, see EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 19.
[109] Recital 20a; cf. EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 19.
[110] Recital 20a.
[111] Recital 20a.
[112] Recital 20a.
[113] See Explanatory Memorandum ePrivacy Regulation 3.4; while these explanations were not made by the European Commission in connection with the now deleted Art. 10 and the obligations of software providers, but only with regard to the possibility of consent by software settings , the ratio is transferable to Art. 4a Sec. 2 ePrivacy Regulation.
[114] Art. 10 Sec. 2 ePR Commission Proposal 2017.
[115] Cf. Härting, ITRB 2017, 265, 266.
[116] Council of the European Union, ST 14491/18, p. 5.
VII. Children’s consent
As children merit specific protection, their consent should meet stricter requirements in order to be considered lawful.[117] The ePrivacy Regulation does not mandate any special or additional requirements for consent of children. Still, by means of reference in Art. 4a Sec. 1 ePrivacy Regulation, the additional safeguards for consent of children provided by the GDPR apply respectively.
[117] Voigt/von dem Bussche, The EU General Data Protection Regulation (2017), p. 98; Recital 38 GDPR.
1. Information society services
Art. 8 GDPR provides for special preconditions for consent in information society services (for a definition see Art. 4 No. I.4.) directly offered to minors.[118] Processing of communications data in this context is only lawful where the consenting child is at least 16 years old or where consent is given by the holder of parental responsibility.[119] Examples for information society services are online search engines, social networks or online sales platforms.[120] Member States may lower age limit to up to a minimum of 13 years according to Art. 8 Sec. 1 GDPR. Consequently, the conditions for consent of children between the ages of 13 and 16 might remain inconsistent throughout the EU.[121]
Information society services may also constitute electronic communications services falling within the scope of the ePrivacy Regulation (Art. 4 No. I.4.). This is also set out in Recital 10 of the EECC, to which the definition of Art. 4 Sec. 1 lit. d) ePrivacy Regulation refers. Therefore, there isa need for the application of Art. 8 GDPR within the framework of the ePrivacy Regulation. Consequently and in accordance with the reference in Art. 4a Sec. 1 ePrivacy Regulation, declarations of consent by minors to the processing of electronic communication data falling within the scope of the ePrivacy Regulation in connection with information society services can be effectively obtained from the minors only if they have reached the age of 16.
The specific requirements set out by Art. 8 GDPR are applicable only if an information society service is offered directly to a child.[122] This includes services that explicitly address children, while at the same time excluding services that explicitly do not address children and also ensure that no use by children occurs, for example by way of sufficient age verifications.[123] However, in case of information society services that are not explicitly addressed to minors but can nevertheless be used by them, it depends on the circumstances of each single case, whether the service can be regarded as targeting minors so that the special requirements of Art. 8 GDPR apply.
Example:[124] An entity runs an online encyclopaedia directed towards school children between the ages of 8 and 18. The different articles have easy-to-understand, basic information and do not contain detailed scientific content. The encyclopaedia is written in a simple and plain language and contains numerous graphics and some illustrations.
In this example, the encyclopaedia directly targets children. Indications are its content, the use of plain and simple language and the overall design containing illustrations. When visiting the website, end-users are asked to provide their consent for the use of analytic cookies. The entity wants to base its interference with the terminal equipment of end-users on their consent. As the targeted end-users are children, their consent has to correspond not only to the general requirements set out by the GDPR but also to the specific requirements of Art. 8 GDPR.
In the view of the EDPB, Art. 8 does not apply where an information society service provider clarifies that it only intends to offer its service to persons aged 18 or over.[125] However, it is not sufficient to simply claim that the service is not offered to minors, e.g. in the terms and conditions, if such statement is undermined by other evidence.[126] Such undermining evidence could be child-oriented language or a design of the relevant homepage which is particularly attractive to children.[127] For services typically used by children it may thus be advisable to line up the consent workflow with the requirements of Art. 8 GDPR to ensure compliance.
Providers of information society services are required to make reasonable efforts in order to verify that children who are providing consent are older than 16 years (Art. 8 Sec. 2 GDPR).[128] However, it is not expressly specified what specific efforts are considered reasonable. In any case, service providers will be required to document the valid collection of consent and any measures taken in order to verify the age of end-users.[129] According to the EDPB, the effort and measures taken to verify the age of the consenting minors need to be proportionate to the nature and risks of the intended processing activities.[130] In turn, the age verification procedure itself ought to be designed in such a way that no superfluous data processing takes place.[131]
[118] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 27.
[119] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 26.
[120] Voigt/von dem Bussche, The EU General Data Protection Regulation (2017), p. 98; an indicative list of services not covered by the definition referenced in the GDPR and the ePrivacy regulation is provided in Annex I of Directive 2015/1535.
[121] Voigt/von dem Bussche, The EU General Data Protection Regulation (2017), p. 99.
[122] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 98.
[123] Karg, in: Wolff/Brink, BeckOK Datenschutzrecht (2020), Art. 8 para. 48.
[124] Derived from Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 98.
[125] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 27.
[126] Art. 29 WP, WP 259 rev.01 (2018), p. 25.
[127] Cf. Karg, in: Wolff/Brink, BeckOK Datenschutzrecht (2020), Art. 8 para. 49.
[128] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 27.
[129] Cf. Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 99.
[130] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 27.
[131] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 28.
2. Treatment of minors' consent declarations outside the scope of Art. 8 GDPR
Outside the limited scope of information society services, the validity of a declaration of consent by minors is determined on a case-by-case basis, depending on whether it can be assumed that a minor has the necessary ability to understand the scope and reason of the provided consent declaration in the case at hand.[132] Decisive indicators can be the purpose, type and scope of the data processing in question. Albeit not directly applicable, the GDPR’s standard age of 16 years in relation to information society services might serve as a guideline outside the scope of Art. 8 GDPR, i.e. regarding other electronic communications services that do not qualify as information society services. This means that, generally, the service or network providers bear the burden of proof when claiming that the age limit for their offered services is lower than the standard for information society services in Art. 8 Sec. 1 GDPR. Conversely, if a minor or the holders of her or his parental responsibility claim that the standard age limit of 16 years is too low in a particular case and should have been higher, thus alleging that consent provided by a minor aged 16 or older was invalid on this basis, the minor must provide evidence that in the case at hand the appropriate age limit should have been higher.[133]
Besides Art. 8 GDPR and its envisaged age limit, consent obtained from minors has to meet all other requirements for valid consent set out by Art. 4 No. 11 and Art. 7 GDPR, i.e. be informed, freely given, specific and unambiguous. Art. 8 GDPR is only an additional layer of protection regarding children and does not replace or supersede other provisions.[134]
The age limit of 16 years set by Art. 8 Sec. 1 GDPR exclusively refers to the effectiveness and validity of consent and does not affect the civil contract law of the Member States, as Art. 8 Sec. 3 GDPR explicitly clarifies and Recital 3a ePrivacy Regulation supports. Recital 3a ePrivacy Regulation sets out that the provisions of the ePrivacy Regulation shall not affect the national laws of Member States, such as laws referring to the conclusion or validity of contracts. The lawfulness of the processing of electronic communications data based on such consent, thus, generally does not affect the validity of the underlying service contract.[135]
[132] Klement, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 8, para. 10 et seq.
[133] Klement, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 8, para. 12.
[134] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 25.
[135] With regard to the GDPR, see Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 100.
VIII. Withdrawal of consent, Art. 4a Sec. 3 ePrivacy Regulation
Within the GDPR, withdrawal of consent plays a prominent role.[136] Art. 7 Sec. 3 GDPR regulates the right to withdrawal. The possibility to withdraw consent is a requirement for the effectiveness of consent. The ePrivacy Regulation evidently also attributes significant importance to the possibility of withdrawal, as unlike many other compliance requirements, the ePrivacy Regulation does not simply rely on a blanket reference to the GDPR with respect to the withdrawal of consent, but provides for additional specific provisions in Art. 4a Sec. 3 and Art. 16 Sec. 6 lit. d) (for the latter see Art. 16.).
The end-user can withdraw consent at any time and without justification, Art. 4a Sec. 1 ePrivacy Regulation, Art. 7 Sec. 3 GDPR. Moreover, withdrawal may not result in any detriment for the withdrawing end-users and, thus, cannot be linked to any charges or loss of service quality.[137] The service provider has to inform the end-user of this possibility and the effects of the withdrawal prior to obtaining consent.[138] Furthermore, Art. 7 Sec. 3 GDPR mandates that withdrawal of consent must be possible as easily as the act of declaration of consent.[139] This does not mean that that giving consent and withdrawing ought to be possible via the same action. However, if consent was provided by means of one mouse click or via a specific user interface, for example, withdrawal must not require any more undue effort from the end-users but ought to be possible via the same interface.[140]
Example: If consent is obtained via a tick box in a smartphone app, it ought to be possible to withdraw consent under similar circumstances in the same app, e.g. by unticking the respective box.
End-users ought to be reminded of the possibility to withdraw consent in periodic intervals, which according to Art. 4 Sec. 3 ePrivacy Regulation should not be longer than 12 months.[141] It is not specified which form this reminder ought to take but, it is advisable to use communications channels that are likely to be frequently monitored by the end-user, such as e-mail or push notifications. Further, the reminders should be documented. The obligation to remind end-users applies as long as the processing of electronic communications data carried out on the basis of a declaration of consent continues, unless the end-users concerned expressly declare that they do not wish to receive corresponding reminders. If this is the case, it is worth noting that generally, there is no automatic expiry date for the effectiveness of consent under the GDPR and, thus, neither under ePrivacy Regulation. However, the EDPB recommends a best practice to ‘refresh’ consent at regular intervals, e.g. by providing the necessary information on data processing from time to time.[142] The obligatory reminder of the right to withdrawal set out in Art. 4a Sec. 3 ePrivacy Regulation might be considered an equivalent to this refreshing of consent, if the end-user is reminded and does not make use of the provided possibility to revoke the declaration of consent.
The withdrawal of consent does not affect the lawfulness of processing that has taken place prior to the withdrawal, but ceases the permissive effect of the consent for the future.[143] Accordingly, future data processing based on consent becomes unlawful. If there is no other legal basis applicable that justifies further processing, all electronic communications data collected on the basis of consent must be deleted upon withdrawal.[144]
In case there is more than one legal basis relied upon, e.g. consent and performance of a contract, all processing purposes and legal bases should be clearly determined and communicated by the responsible service and network providers before consent is obtained and data is collected.[145] It cannot be suggested towards end-users that consent alone is being relied on for the processing of electronic communications data while other legal bases are applied in addition of which the end-users are not aware.
[136] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 23.
[137] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 24.
[138] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 24.
[139] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 97.
[140] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 23.
[141] In the ePR Commission Proposal 2017 there was a similar obligation stipulated in its Art. 9 Sec. 3 providing for a period of 6 months.
[142] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 23.
[143] Voigt/von dem Bussche, The EU General Data Protection Regulation (GDPR) (2017), p. 97.
[144] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 24.
[145] EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 25.