Data protection case analysis: Never break the chain
Marc Dautlich and Jamie Cox analyse a recent Belgian data protection case, which has implications for controllers in supply chains
Case analysis: Proximus NV (Public electronic directories) v Gegevensbeschermingsautoriteit (Opinion), Case C-129/21, ECLI:EU:C:2022:332
Advocate General Collins considered the scope of the obligations in a supply chain where multiple controllers process data for the same purposes, focusing on the ePrivacy Directive and the EU’s General Data Protection Regulation (EU GDPR).
This Opinion has wider applicability than the facts of the case at hand. It suggests that: (1) controllers should never simply assume that an individual has consented to the processing; and (2) data subjects are free to approach any controller in a given supply chain to withdraw their consent (or request erasure of their personal data), at which point it is the obligation of that controller to take reasonable steps to inform the other controllers in the supply chain.
It should be noted that Opinions are not themselves legally binding. Therefore, we await the Court of Justice’s decision to see whether it follows the Opinion.
Proximus provides telecommunications services, including directories with the contact details of its own subscribers and the subscribers of other telecommunications providers. These contact details are offered to other companies providing directory services. In Proximus’ databases, an individual’s contact details are marked ‘NNNNN’ when they are to be included in directories and ‘XXXXX’ when they should not be. The complainant received telephone services from Telenet, which shares its subscribers’ contact details with a number of third parties, including Proximus.
The complainant requested his data be removed from Proximus’ directories after seeing his contact details appear. Whilst Proximus complied with the request by changing the complainant’s status to ‘XXXXX’ in its databases, when Telenet sent updated subscriber lists to Proximus, it had the complainant listed as ‘NNNNN’. This resulted in Proximus automatically re-instating the complainant’s details into its directories. When he noticed this again, the complainant submitted a second request to Proximus, along with a complaint to the Belgian data protection authority.
Following the ruling against them in the first instance, Proximus appealed the decision to the Belgian Court of Appeal, which subsequently referred four questions to the Court of Justice. The Advocate General opined on each in turn as follows:
(1) Must Article 12(2) of Directive 2002/58, read in conjunction with Article 2(f) thereof and Article 95 of the [EU GDPR] be interpreted as permitting a national supervisory authority to require a subscriber’s “consent” within the meaning of the [EU GDPR] as the basis for the publication of the subscriber’s personal data in public directories and directory enquiry services, published both by the operator itself and by third-party providers, in the absence of national legislation to the contrary?
In respect of the first question, the Advocate General’s view was that directory operators need the consent of a subscriber to include his or her contact details in the directory and cannot simply assume that the subscriber has consented to the processing. The controller must be able to show the subscriber consented, even if (in this case following a specific statutory provision concerning directories) it may rely on consent provided to another controller.
(2) Must the right to erasure contained in Article 17 of the [EU GDPR] be interpreted as precluding a national supervisory authority from categorising a request by a subscriber to be removed from public directories and directory enquiry services as a request for erasure within the meaning of Article 17 of the [EU GDPR]?
The Advocate General considered that a request from a subscriber to have their data removed from directories constitutes an exercise of the right to erasure under Article 17. This was based on giving the words in Article 12(2) of Directive 2002/58/EC their ordinary meaning, such that the term “correct” should mean changing a spelling or address, whilst the term “withdraw” should mean that the controller must cease processing the data. This means that the record pertaining to the data subject of such a request should be deleted rather than just hidden (as was done in this case).
The Opinion also argues that, unless stated otherwise, a data subject’s withdrawal of consent applies only to the data that is the subject of the specific processing. This was in response to Proximus’ argument that Telenet (which collected the original consent and had a separate contractual relationship with the complainant for the provision of telecommunication services) would have to delete the personal data from all of its databases, rendering Telenet’s contract with the complainant impossible to perform. The Advocate General based this argument on the fact that consent should be as easy to withdraw as to give and, if Proximus’ argument were correct, the complainant would be unable to exercise his right to withdraw his consent without also having to terminate his wider contract with Telenet.
(3) Must Article 24 and Article 5(2) of the [EU GDPR] be interpreted as precluding a national supervisory authority from concluding from the obligation of accountability laid down therein that the controller must take appropriate technical and organisational measures to inform third-party controllers, namely, the telephone service provider and other providers of directories and directory enquiry services that have received data from that first controller, of the withdrawal of the data subject’s consent in accordance with Article 6 in conjunction with Article 7 of the [EU GDPR]?
Where a subscriber withdraws their consent, controllers need to take appropriate technical and organisational measures to inform the third-party controllers that receive the data. It was the Advocate General’s view that this obligation arises from the general obligations in Articles 5(2) and 24 to take steps to ensure that data processing complies with the EU GDPR. He extrapolated this obligation to mean that, where a controller receives a data subject’s request, it assumes responsibility for passing that request on to the other controllers in the supply chain, even if the controller receiving the request was not the party that obtained the data originally.
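The overwrite described in the facts (an upstream refresh re-listing a subscriber whom the directory operator had only re-flagged rather than deleted) and the propagation duty discussed under question 3, as an added example that is not part of the original article and not code from any party to the case: a constructed Python model placing the flawed merge beside one that deletes on withdrawal, remembers the withdrawal across later refreshes, and records a notification to every other controller in the chain. The controller names, subscriber ids and the `withdrawn`/`notified` fields are assumptions.

```python
"""Constructed model of a directory supply chain; names and data are assumed."""
from dataclasses import dataclass, field

LISTED, SUPPRESSED = "NNNNN", "XXXXX"   # flag values as described in the case


def naive_sync(directory: dict, upstream: dict) -> dict:
    """Flawed merge: the upstream list overwrites local state, so a subscriber
    merely re-flagged locally is re-instated when upstream still says LISTED."""
    directory.update(upstream)
    return directory


@dataclass
class DirectoryController:
    name: str
    upstream: str                                  # the telephone provider
    downstream: list                               # directory providers we feed
    records: dict = field(default_factory=dict)
    withdrawn: set = field(default_factory=set)    # requests received directly
    notified: list = field(default_factory=list)   # (recipient, subscriber_id)

    def withdraw(self, subscriber_id: str) -> None:
        """Erase rather than re-flag, remember the withdrawal so a refresh cannot
        undo it, and notify upstream and downstream controllers."""
        self.withdrawn.add(subscriber_id)
        self.records.pop(subscriber_id, None)
        for recipient in [self.upstream, *self.downstream]:
            self.notified.append((recipient, subscriber_id))

    def sync(self, upstream_list: dict) -> dict:
        """Merge an upstream refresh without reviving withdrawn subscribers."""
        for sid, status in upstream_list.items():
            if sid in self.withdrawn or status == SUPPRESSED:
                self.records.pop(sid, None)
            else:
                self.records[sid] = status
        return self.records


def demo():
    upstream = {"sub-1": LISTED, "sub-2": LISTED}   # constructed sample list
    flawed = naive_sync({"sub-1": SUPPRESSED, "sub-2": LISTED}, dict(upstream))
    hardened = DirectoryController("Proximus", "Telenet", ["DirectoryCo"])
    hardened.sync(dict(upstream))
    hardened.withdraw("sub-1")
    hardened.sync(dict(upstream))                   # the refresh that re-listed
    return flawed, hardened
```

In the flawed path `sub-1` comes back as listed after the refresh; in the hardened path the record stays deleted and both Telenet and the downstream directory are on the notification list.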
(4) Must Article 17(2) of the [EU GDPR] be interpreted as precluding a national supervisory authority from ordering a provider of public directories and directory enquiry services which has been requested to cease disclosing data relating to an individual to take reasonable steps to inform search engines of that request for erasure?
The Advocate General did not think that Article 17(2) would preclude a national supervisory authority from making such an order. He did not think that Proximus had to be 100 percent certain that it was the source of the information on the search engine before it was reasonable for Proximus to take steps to inform the search engine. This was for several reasons. The most persuasive one was the fact that an alternative finding would create a perverse scenario which encourages controllers’ dissemination of the data widely, in order to limit their responsibilities in processing the personal data and to make it more difficult for a subscriber to withdraw their consent.
The Advocate General was firm in suggesting that a failure by one controller to take reasonable steps to pass on data subjects’ requests to other controllers in the supply chain can result in all controllers unlawfully processing the personal data. This imposes a high bar, and potentially presents a significant issue for controllers in complex supply chains where multiple parties are controllers. Controllers should accordingly review:
· all data flows across such supply chains to ensure that they comply with their general obligations of accountability and that their data processing complies with the EU GDPR;
· how they deal with data subjects withdrawing their consent or requesting the erasure and/or rectification of their data. Following the Advocate General’s assessment in respect of question 2, controllers should also make sure that they actually erase the data where so requested, instead of just recategorising it; and
· their contracts with other controllers in the supply chain and what, if any, due diligence to undertake in respect of the subject rights-related processes and procedures of other controllers in the chain. There will no doubt be much discussion amongst controllers about the right allocation of contractual risk to cater for scenarios such as the one in the present case.
Marc Dautlich is a partner and Jamie Cox is an associate at Bristows bristows.com