Data protection in e-commerce: guest accounts required?

Customers ordering merchandise online will typically open a customer account without thinking twice. Aside from providing a means to easily contact the retailer, customers frequently use these accounts to check the status of their order or make changes to their order. Accounts also give customers an easy way to place additional orders without having to enter all of their information again every time. Because these accounts foster customer relationships in this way, some retailers actually require customers to open an account before placing an order. But in accordance with a recently published resolution (PDF only in German) by the Conference of Independent Federal and State Data Protection Authorities (the “Data Protection Conference,” or “DSK”), this practice violates data protection law.

The view of the Data Protection Conference

Given the legal basis for processing in this case, performance of a contract, as well as the principle of data minimization, DSK concludes in its resolution that controllers which offer goods or services online are generally required to allow customers to place orders via guest access, independently of the option of creating a registered account. The resolution notes that the processing of personal data in the form of a registered customer account, including user names and passwords, can only be based on performance of a contract if the customer actually intends to place recurring orders, which would require a deliberate statement of intent from the customer, in the form of consent. Since consent must be voluntary in accordance with the GDPR, DSK takes the view that retailers are required to offer an alternative in the form of guest accounts, through which retailers collect only the personal data which is necessary for performance of the contract and fulfillment of their legal requirements.

Is the DSK resolution unconstitutional?

DSK’s analysis, which is based solely on data protection law, has encountered substantial objections from the viewpoint of constitutional law. DSK’s resolution can be viewed as an encroachment on the constitutionally guaranteed freedom of contract, a key pillar of the right of self-determination. As an individual guarantee, the freedom of contract guarantees all individuals the right to fully arrange their own legal affairs through contracts, and also embodies a right to resist measures by the state which limit their personal right of self-determination without constitutional justification. Aside from the right to enter into contracts and the right to choose the terms of the agreement, freedom of contract also gives individuals the right to make contractual arrangements independently without regard for formal requirements, including the right to provide for formal requirements, such as the registration of a customer account.

Even if a limitation on the freedom of contract may be justified in any individual case based on considerations of data protection law, such a determination would at the very least require us to weigh all the circumstances of the case. Given DSK’s very one-sided focus on the rights of the customer, and in light of the freedom to choose an occupation and the right to establish and operate a business, it appears doubtful that such an analysis was performed. Last but not least, the right to establish and operate a business protects the company’s right to continue its previous activities undisturbed based on the operational precautions already taken and the freedom to choose an occupation in accordance with Article 12 of the German Constitution.

Conclusion

While DSK’s reasoning may be understandable and defensible from the viewpoint of data protection law, the resolution fails to weigh these considerations against the rights and economic interests of retailers. It would have been better if the resolution were to specify exceptions to the rule or explain the conditions under which companies may offer customer accounts exclusively. In our view, an assessment is required in each individual case in order to determine whether companies are required to provide guest accounts. In any case, DSK’s near-absolute requirement for companies to set up guest accounts represents a worrisome encroachment upon constitutionally guaranteed personal freedoms, in line with the tendency which has already been detected in the practices of certain data protection authorities with regard to product warnings. We therefore believe that a practice which deviates from DSK’s resolution would be defensible on these grounds.
