Yet another stake through the dark-patterned heart of consentless online tracking. Following a key cookie consent ruling by Europe’s top court last year, Germany’s Federal Court (BGH) has today handed down its own ‘Planet49’ decision — overturning an earlier appeal ruling when judges in a district court had allowed a pre-checked box to stand for consent.
That clearly now won’t wash even in Germany, where there had been confusion over the interpretation of a local law which had suggested an opt-in for non-functional cookies might be legally valid in some scenarios. Instead, the federal court ruling aligns with last October’s CJEU decision (which we reported on in detail here).
The ‘Planet49’ legal challenge was originally lodged by vzbz, a German consumer rights organization, which had complained about a lottery website, Planet49, that — back in 2013 — had required users to consent to the storage of cookies in order to play a promotional game. (Whereas EU law generally requires consent to be freely given and purpose limited if it’s to be legally valid.)
In a statement today following the BGH’s decision, board member Klaus Müller said: “This is a good judgment for consumers and their privacy. Internet users are again given more decision-making authority and transparency. So far, it has been common practice in this country for website providers to track, analyze, and market the interests and behaviors of users until they actively contradict them. This is no longer possible. If a website operator wants to screen his users, he must at least ask for permission beforehand. This clarification was long overdue.”
There is one looming wrinkle, however, in the shape of Europe’s ePrivacy reform — a piece of legislation which deals with online tracking. In recent years, European institutions have failed to reach agreement on an update to this — with negotiations ongoing and lobbyists seeking ways to dilute Europe’s strict consent standard.
Should any future reform of ePrivacy weaken the rules on tracking consent that could undo hard won progress to secure European citizens’ rights, under the General Data Protection Regulation (GDPR), which deals with personal data more broadly.
vzbz’s statement warns about this possibility, with the consumer rights group urging the EU to “ensure that the currently negotiated European ePrivacy Regulation does not weaken these strict regulations”.
“We reject the Croatian Presidency’s proposal to allow user tracking in the future on the legal basis of a balance of interests,” added Müller. “The end devices of the consumers allow a deep insight into complex emotional, political and social aspects of a person. Protecting this privacy is a great asset. We therefore require tight and clear rules for user tracking for advertising purposes. This may only be permitted with consent or under strict conditions defined in the law.”
In the meanwhile, there will be legal pressure on data controllers in German to clean up any fuzzy cookie notices to ensure they are complying with consent requirements.
“As the implementation of these new requirements are easily visible (and technically identifiable) on the website, incompliance bears a high risk of cease-and-desist and supervisory procedures,” warns law firm TaylorWessing in a blog post commenting on the BGH decision.
Separately today, another long running legal challenge brought by vzbz against the social networking giant Facebook — for allegedly failing to gain proper consent to process user data related to games hosted on its app platform, back in 2012 — is set to get even longer after the BGH sought a referral on a legal question to Europe’s top court.
The German federal court is seeking clarification on whether consumer protection organizations can bring a lawsuit before the country’s civil courts seeking redress for data protection breaches. “This question is controversial in the case law of the instance courts and the legal literature,” the court notes in a press release.
Luca Tosoni, a research fellow at the University of Oslo’s Norwegian Research Center for Computers and Law, told us that the referral likely relates to the court wanting to confirm whether, after the entry into force of the GDPR, Member State law may still allow NGOs to bring legal actions (such as actions for injunctions) on their own initiative and in the general public interest, without needing to show that the rights of at least one data subject have been breached in concreto.
“The EU Court of Justice has already addressed similar issues in the past. In particular, in Fashion ID, the Court found that EU data protection law did not preclude Member States from allowing NGOs to bring legal proceedings against controllers on their own initiative. However, the Court provided its answer on the basis of its interpretation of the Data Protection Directive, which contrary to the GDPR did not establish specific rules on collective actions. Thus, it may not be excluded that in this case the Court will come to a different conclusion,” he added.
We reached out to Facebook for any response to the CJEU referral but the company declined to comment.
This report was updated with additional comment