Not even six months have passed since the GDPR became applicable and the first Supreme Court decision is already here. Wait: In many jurisdictions civil proceedings are normally lengthy and it takes quite some time before a case is heard in front of the Supreme Court. This is also true for Austria. So, why did the Austrian Supreme Court decide so quickly on GDPR issues, you might ask:
In the case at hand, a consumer protection organisation filed an action against a company stating that the company uses inadmissible clauses in its general terms and conditions and claiming injunctive relief (i.e. prohibiting the company from using these clauses vis-à-vis customers going forward). The clauses in question also comprised of consent declarations for certain marketing measures which are not required for the performance of the contract. Without granting such consent, customers cannot conclude the relevant contract. The court proceedings were already initiated in 2017. The court of first instance rendered its decision in 2017, the appellate court in May 2018; both decisions were rendered before the GDPR became applicable and both courts considered the consent clauses as inadmissible already under the old data protection regime. The Austrian Supreme Court issued its decision on 31 August 2018, i.e. after the GDPR had become applicable.
When claimants request injunctive relief and where there has been a change in legislation between the filing of the claim and the court's decision, under Austrian law the court must take into account the old legislation and the new legislation – as a requirement for granting injunctive relief, a risk of repetition must be evident. Accordingly, the alleged course of conduct for which the injunctive relief is sought must also be in violation of the new legislation. Thus, the Austrian Supreme Court also had to take into account the rules set out in the GDPR for giving valid consent.
The GDPR contains a provision on the prohibition of consent bundling, whereas the "old" data protection legislation did not contain a similar explicit provision. Pursuant to Art 7 para 4 GDPR, "when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract". Recital 43 to the GDPR is phrased even stronger: "Consent is presumed not to be freely given if […] the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance".
Not surprisingly, the Austrian Supreme Court found the consent clauses at hand to be in violation of said prohibition of consent bundling. Further, the Supreme Court's ruling also contained more general statements on (the voluntariness of) consent declarations:
- Whereas Art 7 para 4 GDPR only requires that "utmost account shall be taken", Recital 43 to the GDPR speaks of an unconditional prohibition. According to the Austrian Supreme Court, this "tension" between the Recital and the respective Article shall be understood as meaning that the assessment of the voluntary nature of consent demands strict requirements.
- Thus, the Austrian Supreme Court reversed the burden of proof: When making the conclusion of a contract dependent on the consent to the processing of personal data not necessary for the performance of such contract, it has to be generally assumed that the granting of such consent has not been done voluntarily – unless, in the individual case at hand, there are special circumstances supporting a "freely given" consent.
- The Austrian Supreme Court did not see any reason to bring the case before the CJEU, mainly because, according to the Austrian Supreme Court, the resulting interpretation clearly follows from the wording of the GDPR and the mentioned recital.
- Interestingly, the Austrian Supreme Court became more liberal in one aspect related to consent declarations in general terms and conditions. Under the previous legislation, the Austrian Supreme Court always required a particular emphasis to be given on data protection consent declarations contained in general terms and conditions (e.g. they had to be in bold-faced letters, underlined or framed) so that they catch one’s eye when quickly skimming over the general terms and conditions. Under the GDPR, however, according to the Austrian Supreme Court, this is no longer required for a valid data protection consent (and is also not required from a general transparency point of view). The court considered it sufficient that data protection consent clauses could be easily found by a table of contents. This is a huge relief when drafting general terms and conditions.
These general statements, as set out by the Austrian Supreme Court in its ruling, are of course relevant for all lower instances, i.e. whenever civil courts have to assess the validity and voluntariness of data protection consent declarations, both contained in general terms and conditions and in a stand-alone context.
Besides the Austrian Supreme Court, the Austrian Data Protection Authority ("DSB") has also already dealt with the voluntariness of consent declaration and issued respective decisions on (i) the possibility of freely given consent declarations by employees and (ii) mandatary consents combined with fee-based alternatives on news portals; see here.