Many websites are asking their customers to consent to their privacy policy in the following way: “By using this website you are consenting to our privacy policy“. Usually without confirming the on a “ok-button“ the user may not be able to access the website. By asking for consent to their privacy policy these companies are trying to reach a higher degree of legal certainty for their compliance with GDPR. But this approach fails since the consent to the privacy policy is invalid: Firstly, the consent is not freely given since the users have no choice. Secondly, the consent is not specific since the privacy policy contains multible purposes.

1 No consent without choice

The key form of the question for consent is the question you pose at a marriage: “Do you like to marry me?“ In addition we may know the consent from the old roman priciple: “Volenti non fit inuria“ – the consenting person can not be harmed since he agrees to the action. But both situations have the principle in common that consent must be freely given. This aspect is equally highlighted by GDPR in recital 33:

„Consent should be given by a clear affirmative act establishing a freely given, … unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her,…“

The Bundeskartellamt (German-Anti-Trust-Agency) confirms this interpretation in its recent decion on Facebook.¹Since WhatsApp leaves no choice to it’s users to refrain from the consent to transfer their data to Facebook, the consent is invalid. This binding interpretation by a regulator shows that a consent without choice is invalid.

This interpretation is underlined by Art. 7 (4) GDPR:

“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.“

According to the interpretation of WP 29 the term ‘necessary for the performance of the contract’ has to be interpreted in a narrow way.²

Referring to the example of WhatsApp the service can not be provided without the transfer of the mobile number of the user to WhatsApp since without his mobile number a connection with the messaging service is not possible. But the service of WhatsApp does not necessarily require the data transfer to Facebook. Without the data transfer to Facebook the messaging service is still technically possible.

Eventually, the data subject has the right to withdraw the consent at any time according to Art. 7 (3) GDPR. Therefore, a consent which may not be withdrawn is legally invalid. That derives from the argumentum e contrario.

2 Consent shall be specific for different purposes

In addtion GDPR requires consent to be given seperately for each purpose in case different purposes do apply. Recitial 32 GDPR states:

“When the processing has multiple purposes, consent should be given for all of them.“

But especially the privacy policy contains all aspects of data processing operations of the controller. That derives from the fact that the controller is required to inform it’s customers about the complete data processing according to Art. 13 GDPR within its privacy policy. Usually these aspects are as following:

1. Data processing to improve the services of the controller.
2. Data processing for advertising.
3. The transfer of personal data to other legal entities within the group of undertaking.
4. The transfer of personal data to external third parties.

Since each of these aspects serve a different purpose a seperate consent for each purpose is required. In our example four seperate consents are necessary to be given by the customer. Insofar the controller only asks for one consent which is covering the whole privacy policy, this single consent is invalid.

In addition GDPR requires a seperate consent for each different ‘processing operation’ insofar it is appropriate. Recital 43 GDPR states:

“Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case,…“

But this last aspect shall not be further elaborated.

3 Assesment

The aim to ask the users for consent to the privacy policy is to reach a higher level of legal certainty. Whenever the privacy policy fails itself in providing a sound legal basis this sutiation shall be covered by consent to the complete privacy policy. That is the background of consent as fall back legal basis.

But this effect fails and leads to the contrary:

1. The consent is invalid and not freely given since the user has no choice to refrain from the consent to the privacy policy.
2. The consent is invalid since it is not given in a seperate form for each single purpose since the privacy policy contains multiple purposes.
3. A fall back legal basis is no legally valid option.

The DSK – which is the conference of all German Data Protection Authorities – provided a recent statement on No. 3 the fall back legal basis. According to the DSK a voluntarly switch from one legal basis to another legal basis by the controller is not admissable.³

Firstly, the controller shall inform the data subject according to Art. 13 GDPR about the legal basis of the processing. That requires the controller to name a specific legal basis.

Secondly, the data processing must be fair according to Art. 5 (1) (a) GDPR. The principle of fairness prohibits the use of a fall back legal basis which leaves the data in a uncertainty on how to check the lawfulness of the data processing.

Therefore, a consent to a privacy policy is invalid.

1Bundeskartellamt, Fallbericht, Facebook; Konditionenmissbrauch gemäß § 19 Abs. 1 GWB wegen unangemessener Datenverarbeitung, Az B6-22/16, vom 6. Februar 2019, S. 11, 12; https://www.bundeskartellamt.de/SharedDocs/Entscheidung/DE/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.html;jsessionid=6E2F698E64D2AFFC8247F0997CF1AE97.1_cid362?nn=3591568;
Bundeskartellamt, press release; https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook.html;jsessionid=6E2F698E64D2AFFC8247F0997CF1AE97.1_cid362?nn=3591568

2Article 29 Working Party, WP 217, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014; https://datenschutz.hessen.de/infothek/artikel-29-datenschutzgruppe

3DSK (Datenschutzkonferenz), Kurzpapier Nr. 20, Einwilligung nach der DS-GVO, 22. Februar 2019, S. 3; https://www.datenschutzkonferenz-online.de/kurzpapiere.html