The “Düsseldorfer Kreis”, a committee of German data protection supervisory authorities, adopted guidance on the requirements for obtaining valid privacy consent declarations (the "Guidance").
In the Guidance the German data protection supervisory authorities summarise their position and provide recommendations for companies as to how to obtain valid declarations of consent from individuals under Section 4a of the Federal Data Protection Act as well as under Section 13 (2) and (3) of the German Telemedia Act.
According to the Guidance the main objective is to differentiate clearly between declarations which are intended to provide information only and declarations which shall provide a legal basis for the data processing based on consent of the affected data subjects. In practice, this kind of statement is often integrated into contract forms without providing a real choice to the data subjects. The supervisory authorities state that neither the heading nor the content of such declaration must be misleading and the Guidance sets out some examples of bad practices. The Guidance makes clear that the data subject must be made aware that they are providing a declaration of consent in addition to the declaration for concluding the contract.
The Guidance has faced some criticism for being in parts stricter than the prevailing legal opinion and case law in Germany when requiring an “opt-in” for valid consent. That means that in accordance with the Guidance pre-ticked check-boxes and/or consent wording that can be deactivated or deleted by the data subject would not be sufficient. On first reading, this requirement seems to contradict two Federal Supreme Court decisions (VIII ZR 348/08 Payback, and VIII ZR 12/08 Happy Digits) which confirm that a consent wording based on an opt-out would be sufficient. However, it remains to be seen how further case law evolves. In addition, the opt-in requirement set out in the Guidance is reflected similarly also in the new General Data Protection Regulation (GDPR), where recital 32 states that 'Silence, pre-ticked boxes or inactivity should not constitute consent’.
Organisations operating in Germany should check the use of its forms and contract templates that include declarations of consent to confirm whether they contain wording similar to that identified in the Guidance as a bad example or whether the declarations of consent have been integrated in a compliant way within the process of concluding the contract. This affects online privacy statements, online forms and templates as well as contracts which are concluded offline. In fact, with the current Guidance there is little scope left to hide or play down the role of a declaration of consent. It can be expected that besides the data protection supervisory authorities, consumer protection agencies and even competitors will monitor closely the implementation of such Guidance and may react in the event of non-compliance with a warning letter or an application for an injunction.
The Guidance can be accessed here (German).
Submitted by Dr. Stefanie Hellmich, LL.M., Counsel in the IP/IT law department of Luther Rechtsanwaltsgesellschaft - Frankfurt am Main, Germany, in partnership with DAC Beachcroft LLP.