Customers ordering merchandise online will typically open a customer account without thinking twice. Aside from providing a means to easily contact the retailer, customers frequently use these accounts to check the status of their order or make changes to their order. Accounts also give customers an easy way to place additional orders without having to enter all of their information again every time. Because these accounts foster customer relationships in this way, some retailers actually require customers to open an account before placing an order. But in accordance with a recently published resolution (PDF only in German) by the Conference of Independent Federal and State Data Protection Authorities (the “Data Protection Conference,” or “DSK”), this practice violates data protection law.
The view of the Data Protection Conference
Given the legal basis for processing in this case, performance of a contract, as well as the principle of data minimization, DSK concludes in its resolution that controllers which offer goods or services online are generally required to allow customers to place orders via guest access, independently of the option of creating a registered account. The resolution notes that the processing of personal data in the form of a registered customer account, including user names and passwords, can only be based on performance of a contract if the customer actually intends to place recurring orders, which would require a deliberate statement of intent from the customer, in the form of consent. Since consent must be voluntary in accordance with the GDPR, DSK takes the view that retailers are required to offer an alternative in the form of guest accounts, through which retailers collect only the personal data which is necessary for performance of the contract and fulfillment of their legal requirements.
Is the DSK resolution unconstitutional?
DSK’s analysis, which is based solely on data protection law, has encountered substantial objections from the viewpoint of constitutional law. DSK’s resolution can be viewed as an encroachment on the constitutionally guaranteed freedom of contract, a key pillar of the right of self-determination. As an individual guarantee, the freedom of contract guarantees all individuals the right to fully arrange their own legal affairs through contracts, and also embodies a right to resist measures by the state which limit their personal right of self-determination without constitutional justification. Aside from the right to enter into contracts and the right to choose the terms of the agreement, freedom of contract also gives individuals the right to make contractual arrangements independently without regard for formal requirements, including the right to provide for formal requirements, such as the registration of a customer account.
Even if a limitation on the freedom of contract may be justified in any individual case based on considerations of data protection law, such a determination would at the very least require us to weigh all the circumstances of the case. Given DSK’s very one-sided focus on the rights of the customer, and in light of the freedom to choose an occupation and the right to establish and operate a business, it appears doubtful that such an analysis was performed. Last but not least, the right to establish and operate a business protects the company’s right to continue its previous activities undisturbed based on the operational precautions already taken and the freedom to choose an occupation in accordance with Article 12 of the German Constitution.
While DSK’s reasoning may be understandable and defensible from the viewpoint of data protection law, the resolution fails to weigh these considerations against the rights and economic interests of retailers. It would have been better if the resolution had specified exceptions to the rule or explained the conditions under which companies may offer customer accounts exclusively. In our view, an assessment is required in each individual case in order to determine whether companies are required to provide guest accounts. In any case, DSK’s near-absolute requirement for companies to set up guest accounts represents a worrisome encroachment upon constitutionally guaranteed personal freedoms, in line with the tendency which has already been detected in the practices of certain data protection authorities with regard to product warnings. We therefore believe that a practice which deviates from DSK’s resolution would be defensible on these grounds.