Authored By: Caroline Atuhaire
The Quiet Revolution of Offline Consent.
The General Data Protection Regulation (GDPR) was introduced to shift power back to the individual, yet much of the early legal scrutiny focused on digital interfaces such as cookies, apps, and online forms. The landmark decision delivered by the Court of Justice of the European Union (CJEU) on 11 November 2020 in Case C-61/19, Orange România SA v ANSPDCP, is significant precisely because it transplanted the stringent requirements of valid consent from the digital realm into the physical world of standardized customer contracts. The case gives a clear answer to one of the key questions of data governance: can an organization rely on a customer's mere signature to confirm a non-explicit, pre-designed agreement to the handling of sensitive personal information, such as copies of identity documents? The CJEU was categorical that such practices contravene the requirement of free, specific, informed, and unambiguous consent. By bringing into question the operations of a large telecommunications company, Orange România, the case revealed how corporate convenience tends to cripple true consumer autonomy. The ruling reinforces the key connection between data protection standards and consumer law in general, the importance of transparency, and the prohibition of misleading presentation when seeking consent.[1]
The Commercial Mechanism: Convenience Versus Coercion.
The facts underlying the dispute show how corporate processes may push or even coerce consumers into giving up their privacy rights. In March 2018, the Romanian data protection authority fined Orange România, a leading mobile telecommunications service provider, for collecting and storing copies of its customers' identity documents (ID).
The scandal centred on the form of the written subscription agreements.
The Pre-Ticked Box. The contracts contained a clause stating that the customer had been informed of, and had agreed to, the collection and storage of copies of their identity documents for identification purposes. Importantly, the Romanian data protection authority discovered that the checkbox next to this consent clause had been pre-ticked by Orange România's sales agents before the customer signed the document.
The Refusal Trap. Although Orange România insisted that customers were informed orally and that a lack of consent did not prevent the conclusion of the contract, its internal procedures posed a considerable obstacle to refusal. Customers who wished to object to the storage of their ID copies were required to complete and sign an additional, separate form setting out that refusal.
The Romanian data protection authority determined that Orange România had failed to prove that its customers had given legally valid consent to this processing. The national court (Tribunalul București), faced with interpreting what constituted “freely given” and “unambiguous” consent in these circumstances, referred the matter to the CJEU.
The Legal Standard.
In this case, the CJEU considered the main provisions of both Directive 95/46/EC, which applied ratione temporis to the initial fine, and Regulation (EU) 2016/679 (GDPR), which applied to the ongoing processing and to the destruction order. The definitions of consent in both instruments require that the agreement be voluntary, precise, and informed.
The Mandate of Effective Affirmative Action.
Relying on its previous decision on online mechanisms (Case C-673/17), the Court confirmed that consent requires an active statement of what the data subject wants.
Requirement of Clear Affirmative Action. Under the GDPR, this is formalized as a “clear affirmative action.” The CJEU made it clear that passive acceptance is fundamentally incompatible with EU law. Silence, pre-ticked boxes, or inactivity should therefore not constitute consent.[2]
Applying this to the physical contract, the Court held that the fact the box was ticked by the data controller’s agents was not a positive indication of the customer’s consent.
The mere signature of a contract containing the pre-ticked box does not, on its own, prove such consent, especially where there are no indications confirming that the clause was actually read and understood.
The Indivisible Burden of Proof.
The main point of analysis in the judgment was the burden of proof, which, naturally, rests with the controller. Article 7(1) of the GDPR provides that the controller, here Orange România, should be in a position to prove that the data subject has consented to the processing.
The Court found that Orange România’s procedure requiring customers to complete a separate “refusal form” fundamentally undermined the notion of freely given consent. By obliging individuals to undertake an additional administrative step solely to refuse the collection and storage of their identity documents, the controller unduly restricted their freedom of choice and improperly burdened the exercise of their right to object.
By imposing an additional written requirement merely for the refusal of consent, the company inappropriately burdened the data subject. Since the company is already required to demonstrate that the customer gave consent through active behaviour, it cannot then require the customer to actively express their refusal. This extra pressure created an institutional bias towards acceptance, which interfered with the customer's true freedom of choice.
Transparency and Misleading Terms.
Another point made by the Court was that consent has to be informed. This necessitates that the controller provides information about all circumstances of the processing, including the purposes, in an intelligible and easily accessible form.
Crucially, contractual terms must not mislead the data subject into believing that consent is a prerequisite for the conclusion of the contract. The Court directed the national court to ascertain whether the terms of the contract in question could mislead the customer about the possibility of concluding the contract without providing consent. The general explanation that storage was intended solely to allow identification may not have met the level of detail that transparency requires under the Directive and the GDPR.
The Judgment’s Impact and Reclaiming Autonomy.
The CJEU's interpretation sets a high-water mark for the validation of consent, whether the processing occurs under Directive 95/46/EC or the GDPR.
The Court held that a contract for telecommunications services fails to demonstrate valid consent for ID document storage if the relevant box was ticked by the data controller before the contract was signed. The contract terms were capable of misleading the data subject about their ability to conclude the contract even if they refused consent, the burden of expressing dissent was imposed upon them, and the additional refusal form was mandatory.
Operational Burden on Businesses.
This ruling placed an unmistakable operational burden on all service providers: not just telecom companies like Orange România, but also entities in the banking, insurance, and retail sectors that rely on standardized, pre-formulated clauses to obtain consent. These companies now have to make sure that their consent mechanisms are genuinely opt-in.
The ruling requires controllers to use granular consent features and to present consent requests in a way that is clearly distinguishable from other contractual matters; pre-set options should not be employed.
Reinforcing Human-Centric Regulation.
The Orange România case is a crucial addition to the jurisprudence of the CJEU because it goes beyond the digital setting and applies the principle of autonomy to everyday commercial relations. The Court reinforced the link between data privacy and consumer protection against deceptive or manipulative practices by accepting that procedural friction, here the additional refusal form, amounts to undue influence.
The ruling confirms that the imbalance of power between large corporations and individual customers requires judicial vigilance. A data subject should have true freedom of choice: the road leading to refusal should be as easy and painless as the road leading to assent.
Conclusion: Consent Must Be Active, Not Assumed.
The Orange România decision is a potent reminder that consent in EU law is not a legal formality that can be glossed over by a signature on a thick contract. The accountability principle requires that the controller prove consent was given, not that the data subject prove it was withheld.
This ruling makes it clear that corporations must design their data processing procedures around the customer’s freedom of choice, ensuring that silence, pre-ticked boxes or inactivity remain strictly excluded from the definition of valid consent, whether in a website pop-up or on a physical contract. In essence, the CJEU held that gaining permission to use personal data cannot feel like a corporate tax on refusal. The individual’s right to control their identity documents and, by extension, their personal data must be protected from procedures designed to harvest consent through confusion or complication.
BIBLIOGRAPHY
- Case Law
Case C-61/19 Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) EU:C:2020:901.
Case C-673/17 Planet49 GmbH EU:C:2019:801.
- Legislation
Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data OJ 1995 L 281/31.
Regulation (EU) 2016/679 (General Data Protection Regulation) OJ 2016 L 119/1.
- Secondary Sources and Commentary
Cynthia O’Donoghue and Angelika Christoforou, ‘CJEU delivers judgment on conditions for valid consent in an offline context’ (Reed Smith | 19 November 2020) https://technologylawdispatch.com/post/102k327/cjeu-delivers-judgment-on-conditions-for-valid-consent-in-an-offline-context accessed 22 November 2025.
Caroline Atuheire, ‘Case Summary: Case C-61/19 Orange România SA v ANSPDCP (CJEU, 11 November 2021)’ (2021).
[1] Case C-61/19 Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) EU:C:2020:901.
[2] Cynthia O’Donoghue and Angelika Christoforou, ‘CJEU delivers judgment on conditions for valid consent in an offline context’ (Reed Smith | 19 November 2020) https://technologylawdispatch.com/post/102k327/cjeu-delivers-judgment-on-conditions-for-valid-consent-in-an-offline-context accessed 22 November 2025.