In its ruling of 22 November 2012, the European Court of Justice held that if the processing of personal data is outsourced in the telecommunications sector, the outsourcing arrangement must contain clauses that ensure that the outsourcer can monitor whether privacy law is being complied with. This decision is probably also important beyond the telecom sector.
At the heart of the dispute: may traffic data be transferred to a collection agency?
The case concerned a German man who had a dispute with the company mr. nexnet. The man placed a call using a premium rate number of Verizon to access the Internet. He was charged for the associated costs by Deutsche Telekom (his telephone provider). When he did not pay, Deutsche Telekom transferred the claim to mr. nexnet in the context of factoring. According to the man, this factoring agreement is void because, in his view, the traffic data (data on the use of Verizon’s number) should never have been transferred to mr. nexnet, as very strict rules apply to the processing of traffic data (pursuant to Directive 2002/58/EC). The German court referred questions on this point to the European Court of Justice.
ECJ: permissible… but subject to conditions
The ECJ was relatively quick to respond to the questions of the German Court. Article 6 of Directive 2002/58/EC states literally that “[traffic] data necessary for the purposes of subscriber billing and interconnection payments may be processed” (paragraph 2) and that that processing must be restricted to “persons acting under the authority of providers (…) handling billing (…), and must be restricted to what is necessary for the purposes of such activities”.
The preliminary conditions are therefore rather clear. The question that remains is what “acting under the authority of providers” precisely means. The ECJ considered the following in this regard:
20. It must be stated that neither Directive 2002/58 nor the documents relevant for its interpretation, such as the travaux préparatoires, provide clarification as to the exact scope of the concept of “under the authority”. The meaning and scope of terms for which European Union law provides no definition must be determined by considering their usual meaning in everyday language, while also taking into account the context in which they occur and the purposes of the rules of which they are part (…).
21. As regards the usual meaning of those words in everyday language, it must be held that a person acts under the authority of another where the former acts on instructions and under the control of the latter.
The ECJ thus sets two requirements: a client-contractor relationship and supervision by the client. This corresponds closely to the framework of general privacy law, more specifically Articles 16 and 17 of the Privacy Directive (cf. also Section 14 of the Dutch Personal Data Protection Act).
The requirements that the ECJ then sets for supervision are far-reaching, because the client must in fact be able to monitor whether the contractor is complying with the agreements. In the words of the ECJ:
23. Article 6(2) and (5) of Directive 2002/58 contains an exception to the confidentiality of communications laid down in Article 5(1) by authorising traffic data processing in accordance with the requirements of billing services (see, to that effect, Case C‑275/06 Promusicae  ECR I‑271, paragraph 48). As it constitutes an exception, that provision of that directive, and therefore also the words “under the authority”, are to be interpreted strictly (see Case C‑16/10 The Number (UK) and Conduit Enterprises  ECR I‑691, paragraph 31). Such an interpretation requires that the service provider has an actual power of supervision which enables him to determine whether the assignee of the claims for payment is acting in compliance with the conditions imposed on it with respect to the processing of traffic data.
A little further on, the ECJ goes a step further, stating that the outsourcer must, at any given moment, be able to monitor whether the collection agency is complying with the obligations:
27. (…) In particular, the contract concluded between the service provider which assigns its claims for payment and the party to which those claims are assigned must contain provisions of such a kind as to ensure the lawful processing of traffic data by the latter and must allow the service provider to ensure at all times that those provisions are being complied with by the assignee.
In other words, a processor’s agreement in the telecom sector must contain not only agreements on security and confidentiality, but also agreements on how the person responsible can actually supervise the processor.
Relevant beyond telecom sector as well?
According to the ECJ, “similar provisions” are found in the Privacy Directive (cf. legal ground 25) and Directive 2002/58 must be interpreted in light of the general Privacy Directive.
It would therefore appear that, although the case formally relates exclusively to the telecom sector, the obligations described above also apply under general privacy law. That law already stipulates that the person responsible “must ensure compliance with those [security] measures” (Article 17(2) Privacy Directive). I assume that a future ruling of the ECJ will make it explicit that these current supervision obligations must also be understood to mean that this supervision can in fact be carried out at any given moment.