In brief
- The Court of Appeal has handed down an important judgment (RTM v Bonne Terre Ltd & Anor) on the meaning of “consent” in the context of data protection and ePrivacy law, and overturned what had been a problematic prior judgment of the High Court, which had left many businesses, especially those in the betting and gaming sector, facing an “ineradicable” risk of claims that potentially they could not reasonably have defended.
- The Court of Appeal has confirmed that consent under the UK GDPR and PECR is an objective test, meaning that data controllers do not need to establish individuated subjective consent.
- Businesses relying on consent as the lawful basis for processing personal data, particularly those in the betting, gaming and online marketing sectors, should take note of the court's decision, which provides greater legal certainty around what constitutes valid consent under the UK GDPR and PECR.
What is valid “consent” under UK data protection and electronic marketing law?
Under the UK GDPR (Article 4(11)) consent means: "any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Article 7 puts the onus on the data controller to prove that the standard has been met.
Section 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”, which deal with the sending of direct electronic marketing to individuals and the use of cookies and similar technologies), adopts the Article 4(11) UK GDPR definition (and applies it to “subscribers” and “users” as opposed to data subjects).
The facts of RTM v Bonne Terre
So far, so straightforward. But what happens in the case of someone who purports, by a clear affirmative action, such as ticking a box, to give a specific, informed and unambiguous indication of their wishes, signifies agreement to the processing of personal data relating to them, and to the receiving of direct electronic marketing, but who later argues that the consent was vitiated by factors of which the data controller/sender of the marketing was unaware, and could not reasonably have been aware? Put another way, is the sending of direct electronic marketing on the basis of the objectively valid consent of someone who was subjectively incapable of giving valid consent, to be treated as lawfully sent?
The High Court decision
“No”, said the High Court in the first instance. RTM was someone who, in his own submission, had engaged in “compulsive, out of control and destructive” gambling, and claimed, in data protection and in misuse of private information, for damages on the basis that, as he argued, Bonne Terre (operating as Sky Betting and Gaming, or “SBG”) had "gathered and used extensive information, generated by his use of its platforms, unlawfully…especially by way of personalised and targeted marketing which he could not handle and which fed his compulsive behaviour".
Mrs Justice Collins Rice DBE had held in her judgment (despite RTM not pleading in these terms) that, even though RTM had not lacked capacity to consent, and “that he wanted the direct marketing material – even perhaps craved it” he was one of a small subset (an “irreducible minimum”) of “individuals for whom decision-making…was already out of control in relation to gambling, and for whom the consenting mechanisms and information provision meant nothing other than barriers to gambling to be overcome”. Whilst SBG had adopted controls in line with gambling regulatory requirements and expectations to avoid the risk of marketing to “problem gamblers” (the judge’s words) and even though these controls “can and do help manage and minimise the particular risks of direct marketing to online gamblers…they cannot and do not eliminate them”. This was because he “lacked subjective consent”; “the autonomous quality of his consenting behaviour was impaired to a real degree”; and “the quality of [his] consenting was rather lower than the standard required”, and “insufficiently freely given.”
The first instance judgment had presented all businesses, but especially those in the betting and gaming sector, with a problem and a risk: i) how could they establish in each case the subjective aspect of a data subject’s consent? and ii) if they could not establish that subjective aspect, how could they deal with the risk that marketing which would, on the face of it be lawfully sent, would be held not to be, if the recipient was one of the irreducible minimum whose consent was not, subjectively, valid? Perhaps unsatisfactorily, the judge had said that this was "a risk which is ultimately ineradicable. Problem gamblers may not always be easy to recognise, and there will always be relevant information about them which is ultimately unreachable by the provider, and properly so because it is information which is itself in the private domain".
Court of Appeal confirms consent under UK GDPR is an objective test
The Court of Appeal has now roundly overturned the decision. Giving the main judgment, Lord Justice Warby revisited what a data controller must be able to demonstrate, in circumstances where consent is said to be present:
- the controller must “show that the data subject made a statement or took some other clear affirmative action…that ‘signifies agreement’”
- they must also prove that “the data subject’s ‘indication’ met each of the four criteria prescribed by the legislation, namely that it was (i) freely given, (ii) specific, (iii) informed, and (iv) unambiguous”. Each criterion is an objective test: “the data controller does not have to prove what was actually in the mind of the individual data subject at the time of the ‘indication’”.
In a classic example of judicial understatement, Warby LJ noted that the effect of the decision of the judge below was to establish a “principle that decisions deliberately made by a capacitous individual may nonetheless be vitiated for lack of consent” and further noted that it was a “legally novel” principle, whose “contours are not clear to me”.
Recitals 4 and 7 of the UK GDPR are relevant here. Recital 4 reminds us that: "The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights". Recital 7 meanwhile reminds us that: "Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced".
As Warby LJ notes, an “inevitable corollary” of the original ruling would be that a business “could not guarantee its ability to ‘demonstrate’ conformity with the consent requirements of data protection law and PECR”, and "the unsatisfactory and ultimately opaque nature of the test for legally effective consent which the judge applied…would create considerable legal and practical uncertainty for economic operators".
Unless there is a further appeal by RTM, which would require permission from the Supreme Court, the Court of Appeal has now gone a long way towards restoring legal and practical certainty as to the meaning of “consent” in data protection law, and how data controllers should approach the task of gathering and proving consent.