Friday, October 04, 2019

Planet49 cookies

I've been reading the judgment of the European Court of Justice (CJEU) in Case C‑673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH.

The case relates to the use of cookies by gaming company Planet49 in the course of a promotional lottery it organised in 2013. To participate, users had to go through the usual rigmarole of agreeing to conditions and offering their names and addresses. There were a couple of checkboxes relating to this.

The first checkbox had to be ticked, as a minimum requirement, to participate, but by default it was empty, so the user had to select it. The second checkbox came pre-ticked and related to cookies. Missing the box, or leaving it ticked, committed users to:
‘I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, [Planet49], sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. I can delete the cookies at any time. You can read more about this here.’ 
The 'here' was hyperlinked to some text (321 words) on how Remintrex and Planet49 would use cookies. Hyperlinks from the conditions attached to the first checkbox led to a list of 57 companies. The underlined word 'Unsubscribe' appeared after the name of each company.

We've all seen this kind of stuff, thousands of times.

Germany's Federation of consumer organisations decided to challenge the company, saying the consent requirements of the checkboxes did not satisfy German law. It made its way up through the courts and eventually the German Federal Court of Justice referred it to the Court of Justice of the EU for a preliminary ruling. They asked the Court four questions, which the CJEU, in its wisdom, designated two questions, the first of which was a three-parter (though, on second thoughts, it is possible the German court is responsible for the numbering):

Q1(a) When setting and using cookies, do pre-ticked checkboxes, which a user must deselect to refuse consent, constitute valid consent under EU e-privacy and data protection laws?

Q1(b) Does it make a difference if the data stored on or accessed from a user's computer is technically considered 'personal data' in EU law, under the e-privacy (2002) and data protection directives (1995)? (The data protection directive was still in force at the time of the referral of these questions by the German court.)

Q1(c) Does a valid consent under the GDPR Article 6(1)(a) exist?

Q2 What information does a service provider have to give to meet their obligations under the e-privacy directive of 2002?

In kicking off its analysis the CJEU notes that the GDPR has been passed and come into force in the time this case has been in play. However, the referring court knew the GDPR was coming and that it would likely need to be taken into account, so it was appropriate to include the GDPR in the analysis. If the consumer group decided it needed to take further action, e.g. asking for a court order to prevent Planet49 using pre-ticked boxes in future, the GDPR would be the relevant law. Anyway, the data protection heavy lifting is now done by the GDPR, which has taken over the role of the earlier data protection directive that the e-privacy directive refers to.

Or as the Court so eloquently put it, 'ratione temporis'.

Sometimes judges can't help themselves. The ancient language is in the blood.

The analysis of the four questions, appropriately enough, starts at paragraph 44, considering questions 1(a) and (c) together - is a pre-ticked checkbox adequate consent and does valid consent exist under the GDPR?

By paragraph 47 the Court points out that the provisions of the e-privacy directive under scrutiny "must normally be given autonomous and uniform interpretation throughout the EU". Maybe we shouldn't draw the attention of the Brexit/Tory party extremists, aka the Cabinet, to this one.

Moving on, they come to a natural conclusion based on the clear wording of the e-privacy and data protection directives: consent requires active consent, i.e. action on the part of the user, and the use of pre-ticked checkboxes does not constitute active consent on the part of the user.

One of my favourite lines in the whole judgment is the last sentence of paragraph 55:
"It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited."
Nobody reads the T&Cs other than the privacy geeks.

At paragraph 61 they note that this conclusion becomes even stronger now that the GDPR is in force and active user consent is demanded under that law.

By paragraph 65, they conclude the e-privacy directive [2002/58] in conjunction with the data protection directive [95/46] and the GDPR [2016/679] nix pre-ticked checkboxes.
"In the light of the foregoing considerations, the answer to Question 1(a) and (c) is that Article 2(f) and Article 5(3) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679, must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent."
Onwards again to Q1(b). This one is not hard either. In the Planet49 lottery the storing of cookies amounts to the processing of personal data. The e-privacy directive aims to protect us from interference with our private sphere, whether it involves personal data or not. So the e-privacy directive [2002/58] in conjunction with the data protection directive [95/46] and the GDPR [2016/679] bar outsiders from invading our private electronic space - protections apply whether the data is personal or not.
Last but not least, the Q2 analysis begins at paragraph 72. What information does a service provider have to give to meet their obligations under the e-privacy directive of 2002?
"By Question 2, the referring court asks, in essence, whether Article 5(3) of Directive 2002/58 must be interpreted as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies."
Well, consent requires clear, comprehensive and sufficiently detailed information to enable the user to understand the use of the cookies. In the promotional lottery case the Court concludes that the duration of the operation of the cookies, and whether or not third parties may have access to them, should be part of the "clear and comprehensive information which must be provided to users" (as designated by article 5(3) of the e-privacy directive and article 10 of the data protection directive). Provisions in the GDPR (Article 13(2)(1)) then reinforce this conclusion.
Paragraph 81: "In the light of the foregoing considerations, the answer to Question 2 is that Article 5(3) of Directive 2002/58 must be interpreted as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies."
And that's the ballgame.

Consumer organisations 4, cookie-exploiting economic actors 0.

EU law on Q1(a) & (c)
"must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent."
EU law on Q1(b) is
"not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679." (the data protection directive and the GDPR)
EU law on Q2
"must be interpreted as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies."
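To make the two operative points concrete for anyone building a site, here is an added example of a consent gate for a non-essential analytics cookie. It is not code from the post, the Court or Planet49; the cookie name, purpose, lifetime and third-party domain are constructed, and the cookie jar is a Map standing in for the browser so the whole thing runs under Node. The box starts unticked, a "granted" value that did not come from a user action is never treated as consent, and the disclosure the user sees states the duration and the third parties with access.

```javascript
// Added example (not from the post, the judgment or Planet49): a consent gate
// built around the Court's answers to Q1(a) and Q2. All names and values below
// are constructed for illustration.

const ANALYTICS_COOKIE = {
  name: "analytics_id",                   // constructed cookie name
  purpose: "web analytics and interest-based advertising",
  maxAgeSeconds: 365 * 24 * 60 * 60,      // one year
  thirdParties: ["analytics.example"],    // constructed; .example is reserved (RFC 2606)
};

// The "clear and comprehensive information" the user sees before deciding:
// purpose, how long the cookie is kept, and who else can read it.
function disclosureText(decl) {
  const days = Math.round(decl.maxAgeSeconds / 86400);
  const access = decl.thirdParties.length
    ? `Third parties with access to it: ${decl.thirdParties.join(", ")}.`
    : "No third party has access to it.";
  return `The cookie "${decl.name}" is used for ${decl.purpose}. It is kept for ${days} days. ${access}`;
}

// Consent is recorded together with how it came about. Only an explicit user
// action counts; a box ticked by default would carry source "default" or
// "prechecked" and never passes isValidConsent, whatever its granted flag says.
function initialConsent() {
  return { analytics: { granted: false, source: "default" } };
}

function userTicks(consent) {
  return { ...consent, analytics: { granted: true, source: "user-action" } };
}

function userUnticks(consent) {
  return { ...consent, analytics: { granted: false, source: "user-action" } };
}

function isValidConsent(entry) {
  return entry.granted === true && entry.source === "user-action";
}

// A minimal cookie jar standing in for document.cookie / the Set-Cookie header.
function createJar() {
  return new Map();
}

// Run at form submission. Sets the analytics cookie only on valid consent and
// stamps it with the expiry that was disclosed, so the stored lifetime matches
// what the user was told. Without valid consent any earlier copy is removed.
// Returns true if the cookie was set.
function applyConsent(consent, jar, decl, now = 0) {
  if (!isValidConsent(consent.analytics)) {
    jar.delete(decl.name);
    return false;
  }
  jar.set(decl.name, {
    value: "v-" + now.toString(36),       // constructed placeholder, not a real identifier
    expires: now + decl.maxAgeSeconds * 1000,
  });
  return true;
}
```

Usage: call `disclosureText(ANALYTICS_COOKIE)` to render the notice next to the checkbox, keep the checkbox bound to `initialConsent()` so doing nothing means no consent, and call `applyConsent(consent, jar, ANALYTICS_COOKIE, Date.now())` when the form is submitted. The point of recording `source` alongside `granted` is that a consent log can later show an auditor that every stored cookie traces back to an affirmative act rather than to a default.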
The thing is, that might be the ballgame in terms of the judgment of the Court, but we don't know what it will mean in practice. This decision technically means that most if not all websites, including Blogger, are now in breach of EU law. But as the original cookie law was so blatantly circumvented with the pop-up 'accept'/'I agree' buttons, there will be a route to technical compliance, worked out as a new norm which doesn't unduly burden commerce on the Net. Commercial organisations have been abusing our privacy for decades now, through this giant surveillance infrastructure panopticon we call the Internet. There have been few or no negative consequences bouncing down on the heads of the rapacious economic actors mining the private lives of the dominant species of the planet.

Do not be taken in by the "data ownership" or equivalent propositions, which are delusional and/or deceptive sleight of hand, peddled by those on a spectrum from true believers to those with vested interests in expanding, ever further, our surveillance society. The solutions have to be structural -
Legal infrastructure to protect privacy, adequately enforced. The real effect of the GDPR will be a massive case study in this regard and may take years to evaluate.

The retrofitting and rebuilding and deployment of better privacy respecting technical infrastructure and networks. The Internet is an entirely artificially created entity. It did not have to be built as a giant surveillance machine.

There have to be structural economic incentives with real consequences for the most powerful players - states and global corporations. Economic externalities enable the worst offenders to grab all of the benefits and none of the costs. Let's get the economic feedback loops landing the negative consequences of mass privacy invasive practices right back in the lap of the invaders.

And finally, for now, social. That means you and I, dear reader, have to step back from being a dazzled, addicted and willing participant in the global madness. As a starter for 10, next time you are faced with a 'click this to get at our stuff blah blah, we value your privacy' message, remind yourself, of course they value your privacy, they are making a fortune out of it. How about instead we get them to respect our privacy?