- On 6 May 2020
By Patrick Van Eecke and Anne-Gabrielle Haie
On 4 May, the European Data Protection Board (“EDPB”) adopted an updated version of its guidelines on consent (Guidelines 05/2020 on consent under Regulation 2016/679). Apart from some minor editorial changes, these revised guidelines clarified some important points related to the conditionality of consent and the unambiguous indication of wishes.
- The EDPB stated that “consent cannot be considered as freely given if a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand.”. It further emphasized that “a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent.”. This means that access to a service cannot be conditional to the user’s consent of the processing of his/her personal data.
The EDPB’s position further complements the Court of Justice of the European Union’s analysis in the Planet 49 case (for more information, please read our analysis here). This position will certainly have an important impact on the negotiations of the draft ePrivacy regulation provided that it contradicts the Council’s position on cookie walls (see Council’s document: 6543/20).
These clarifications should be read in conjunction with the warning given by several Data Protection Authorities (See for example Ireland; Belgium; France; and UK) that enforcement actions will soon be launched. We therefore strongly advise companies to review their consent mechanisms in order to ensure that are aligned with these principles.
What does it mean for business?
Businesses must make sure that:
- Access to their service is not conditional to the user’s consent for the processing of his/her personal data;