TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Tele2 NL: A straightforward CJEU judgment with potentially interesting implications Related reading: The Privacy Advisor Podcast: CCPA in its final form

rss_feed
PrivacyTraining_ad300x250.Promo1-01

In Tele2 NL, the Court of Justice of the European Union held that telecommunications companies could be required by law to provide their subscriber data to companies that wished to provide directory enquiry services. On the face of it, the Court’s judgement in Tele2 NL was a straightforward extension of the CJEU’s 2011 judgment in Deutsche Telekom. In that case, the CJEU held that the German telecommunications law could require that the transfer of the personal data of subscribers to directory enquiry services. The only substantial difference between the two cases is that in Deutsche Telekom the personal data was being transferred within Germany; in Tele2 NL the personal data was to be transferred from the Netherlands to another EU member state. Given that the order to transfer the data in question was being made pursuant to the EU’s Universal Service Directive, the CJEU decision that it could be transferred within the EU was hardly a surprise.

Tele2 NL is a straightforward judgment but that does not mean that it is without significance. For one thing it is yet another illustration that the CJEU seems quite comfortable with legislation that provides a legal basis for the processing of personal data. This follows on from the CJEU’s judgment the week before in Manni, in which the CJEU held that Italian law could require the publication of personal data on a company register for what might prove to be an indefinite period. And in Tele2 NL the CJEU repeated its judgment in Deutsche Telekom that where a subscriber to a telecommunications service has consented to their personal data being provided to one directory service, a further consent is not required before their data can be provided to another as required by a national law.

The CJEU made clear that its judgment did not mean that a law could require the transfer of personal data without any safeguards. It noted that the Universal Service Directive required that subscribers be informed of how their data was to be processed and by whom. And it had to be “… guaranteed that those data will not, once passed on, be used for purposes other than those for which they were collected …” The CJEU also noted that telecommunications operators and directory enquiry services “… operate within a highly harmonised regulatory framework making it possible to ensure throughout the European Union the same respect for requirements relating to the protection of subscribers’ personal data …” Hence the CJEU judgment in Tele2 NL should not be read as suggesting that EU or national legislatures can provide for the processing of personal data without providing for similar safeguards.

What makes Tele2 NL really interesting is the purpose for which the order to transfer this personal data was made: EU competition law. One of the aims of the EU’s Universal Service Directive is “… to ensure the availability throughout the Community of good-quality publicly available services through effective competition and choice …” The EU’s old Data Protection Directive had its legal basis in the competition provisions of the EU Treaties; its new General Data Protection Regulation, the GDPR, has a new legal basis. But the GDPR retains the objective of ensuring that the free movement of personal data within the Union is neither restricted nor prohibited for data protection reasons. This commitment to competition is most obvious in Article 20 of the GDPR, which provides for the right to data portability. This means that subjects may have the right extract their personal data from one data controller “… in a structured, commonly used and machine-readable format …” Those subjects will then “… have the right to transmit those data to another controller without hindrance …” This right is far from absolute, in particular it can only be invoked where subjects have provided their data to the controller on the basis of consent or contract, but it is there.

Of course the EU’s commitment to competition goes far beyond the text of the GDPR. The EU Commission is pursuing a number of cases alleging breaches of EU Competition law, including three against Google. It is also developing a Digital Single Market strategy. In this context it is interesting that the CJEU has reaffirmed that EU competition law can provide a legal base for requiring the transfer of personal data within the EU. Tele2 NL is a short, straightforward judgment, but it may have big implications in the context of EU Competition law. 

Comments

If you want to comment on this post, you need to login.