Rechtsanwalt Marian Härtel - ITMediaLaw


Consent to privacy in e-commerce and SaaS: A breach of the GDPR?

1. June 2023
in Data protection Law, Law on the Internet
Key Facts
  • Consent to the privacy policy could violate the GDPR and the principle of good faith.
  • The EDPB's decision emphasizes the inadmissibility of obtaining consent in data protection declarations.
  • Obtaining consent without authorization can lead to significant legal consequences, including administrative sanctions.
  • Companies must regularly review and adapt their data protection declarations and terms of use.
  • Compliance with the GDPR protects customer trust and strengthens the company's reputation.
  • A breach of the GDPR can cause customer churn and reputational damage.
  • The GDPR requires continuous efforts and proactive measures for compliance.

Introduction


In my work in the world of e-commerce and SaaS providers, it is a common practice to ask users to consent to the privacy policy. However, this seemingly harmless action could have profound legal consequences. Have you ever considered that this practice could be a violation of the General Data Protection Regulation (GDPR) and breach the principle of good faith?

In this blog post, I shed light on this complex and often overlooked topic. I refer to a recent, but possibly quickly overlooked, decision by the European Data Protection Board (EDSA) and discuss how it might affect the landscape of digital commerce.

The question I am asking is not just theoretical. It could have significant practical implications for the way e-commerce and SaaS providers design and present their privacy statements. It could even lead to the need to adapt store systems and marketing funnels to meet legal requirements.

This blog post is a must-read for anyone working in the digital economy who understands the importance of privacy compliance. Get ready to challenge your previous assumptions and take a fresh look at your company’s privacy policy.

The dimension under GTC (AGB) law

Obtaining consent to the privacy policy may result in the privacy policy being subject to strict control under GTC law. This may result in certain information in the privacy policy being judged as invalid clauses. In addition, there is a risk that such clauses could be subject to warnings as violations of competition law.

Pursuant to the judgment of the Court of Appeal (Kammergericht) of December 27, 2018 (23 U 196/13), certain clauses in the data protection declaration that unreasonably disadvantage customers and cannot be reconciled with essential basic ideas of the statutory regulation from which a deviation is made (Art. 6 (1) GDPR) may be judged invalid (Section 307 (1) Sentence 1, (2) No. 1 BGB).

In particular, it was held that the mere unilateral promulgation of certain data processing practices by a clause user does not constitute consent of the data subject. Informing customers about data processing practices that the defendant allows itself and that its customers have to accept without being asked does not replace their consent. The argument that the Data Protection Directive at issue is not made the subject of consent, but merely referred to for information purposes, and that at no point in the provisions complained of by the plaintiff is there any mention of the consumer consenting to data processing, ultimately fails. This is precisely because the inadmissible deviation of the clauses from the statutory regulation lies in the fact that they give the consumer the incorrect impression that the defendant is entitled to process personal data without the consumer’s consent being relevant.

In addition, it was held that clauses which give the customer the impression that he must accept them as a binding provision in the event of a dispute can constitute general terms and conditions within the meaning of Section 305 (1) sentence 1 of the German Civil Code (BGB). According to their objective wording, these clauses can only be understood as binding regulations of the existing contractual relationship or the contractual relationship to be initiated.

In light of the Kammergericht’s decision and the requirements of the European General Data Protection Regulation (GDPR), the question arises as to whether companies should require consents at all when using legal texts such as general terms and conditions (GTC) and privacy statements on online services. The stringent requirements for the effectiveness of such consents and the potential legal consequences of failing to comply with these requirements make it a complex and risky undertaking.

The decision of the European Data Protection Board and its legal details

The EDSA decision underlines the inadmissibility of obtaining consent in privacy notices and the possible violation of the GDPR, especially if the notice is merely an information notice under Art. 13 GDPR. This decision emphasizes the principle of good faith, which is intended to ensure a fair balance between the business interests of data controllers and the rights and requirements of data subjects. The decision highlights that the basic principles of processing listed in Article 5 of the GDPR may be violated, which may result in significant administrative penalties. In addition, the deadline for compliance with the decision was reduced from six months to three months.

The EDSA decision goes into the full legal details and emphasizes that the possibility to specifically consent to a certain processing falls under Article 6(1)(f) GDPR. It notes that WhatsApp users were forced to agree to the terms of service and privacy policy, which confused users’ expectations. WhatsApp’s processing cannot therefore be considered ethical and truthful, as it is confusing in terms of the type of data processed, the legal basis used and the purposes of the processing.

The EDSA decision and its impact on online providers

The decision of the European Data Protection Board (EDSA) has far-reaching implications for the practices of online providers. In particular, WhatsApp’s practice of forcing users to agree to its terms of use and privacy policies has been criticized. The EDSA decision clarifies that this practice cannot be considered ethical and truthful, as it is confusing in terms of the type of data processed, the legal basis used and the purposes of the processing.

The decision also has implications for other online providers. It raises serious questions about the practices and user funnels of online providers and calls for a thorough review and adjustment of their privacy statements and terms of use. It is therefore important to emphasize that the implications of this decision may be far-reaching and that each case should be evaluated individually.

The impact on e-commerce and SaaS providers

Many e-commerce and SaaS providers have not yet fully recognized the potential legal issues associated with obtaining consent for their privacy policies. This practice may not only be problematic under GTC law, but may also constitute a violation of the GDPR itself. Therefore, it is important that providers reconsider this practice and adjust it if necessary. The legal explanations in the EDSA decision underline the need for clear and understandable consent to data processing. The mere unilateral announcement of certain data processing practices by a provider does not constitute consent of the data subject. Information about data processing practices that the provider allows itself and that its customers have to accept without being asked does not replace their consent. This may result in significant legal consequences, including administrative penalties.

It is therefore crucial that providers review their privacy statements and terms of use and ensure that they comply with the requirements of the GDPR. This includes providing clear and understandable information about data processing practices and obtaining explicit consent from users for data processing, when such consent is necessary in the given situation. In addition, providers should keep in mind that simply providing information about data processing practices is not sufficient to obtain user consent. They must ensure that users have the option to refuse consent and that this decision is respected.

Conversely, however, it is also true that consent should probably NOT be obtained for pure “information” on data processing or the manner of data processing without the GDPR stipulating consent.

The role of the GDPR in the digital world

In today’s digital world, the General Data Protection Regulation (GDPR) plays a crucial role. It serves to protect the privacy of citizens and to oblige companies to handle personal data responsibly. The GDPR has raised awareness of data protection issues and increased standards for handling personal data. The EDSA’s decision underscores the importance of the GDPR and shows that violations of this regulation can have serious consequences. It also shows that compliance with the GDPR is not only a legal obligation, but also an important aspect of building trust and credibility with customers.

A breach of the GDPR can not only lead to legal consequences, but also undermine customer trust in your company and damage your reputation. Therefore, it is in your best interest to ensure that you comply with the Privacy Policy.

It is important to emphasize that compliance with the GDPR is not just a matter of complying with the law. It is also about acting ethically and responsibly. Companies that respect and protect the privacy of their customers are likely to have a competitive advantage by gaining the trust and loyalty of their customers.

In conclusion, it is important to emphasize that compliance with the GDPR requires a continuous effort. Data protection is not a one-time event, but an ongoing process that requires regular reviews and adjustments. Organizations need to be proactive and ensure they are up to date with the latest data protection regulations and practices.

Author: Marian Härtel

Marian Härtel is a lawyer and certified specialist in IT law with more than 25 years of experience as an entrepreneur and consultant in the fields of games, esports, blockchain, SaaS and artificial intelligence. In addition to IT law, his advisory work focuses in particular on copyright law, media law and competition law. He mainly advises start-ups, agencies and influencers, supporting them in strategic questions, complex contractual matters and investment projects. His advice is characterized by an interdisciplinary approach that combines legal expertise with many years of entrepreneurial experience. The aim of his work is always to offer clients practice-oriented solutions and to provide legally sound support in implementing innovative business models.
