JUDGMENT OF THE COURT (Third Chamber)
22 November 2012 (*)
(Electronic communications – Directive 2002/58/EC – Article 6(2) and (5) – Processing of personal data – Traffic data necessary for billing and debt collection – Debt collection by a third company – Persons acting under the authority of the providers of public communications networks and electronic communications services)
In Case C-119/12,
REFERENCE for a preliminary ruling under Article 267 TFEU from the Bundesgerichtshof (Germany), made by decision of 16 February 2012, received at the Court on 6 March 2012, in the proceedings
Josef Probst
v
mr.nexnet GmbH,
THE COURT (Third Chamber),
composed of K. Lenaerts (Rapporteur), acting as President of the Third Chamber, E. Juhász, G. Arestis, T. von Danwitz and D. Šváby, Judges,
Advocate General: P. Cruz Villalón,
Registrar: A. Calot Escobar,
having regard to the written procedure,
after considering the observations submitted on behalf of:
– mr.nexnet GmbH, by P. Wassermann, Rechtsanwalt,
– the European Commission, by F. Wilman and F. Bulst, acting as Agents,
having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,
gives the following
Judgment
1 This reference for a preliminary ruling concerns the interpretation of Article 6(2) and (5) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37).
2 The reference has been made in proceedings between mr.nexnet GmbH (‘nexnet’), the assignee of claims for payment for the supply of internet access services by Verizon Deutschland GmbH (‘Verizon’), and Mr Probst, the recipient of those services.
Legal context
Directive 95/46/EC
3 Article 16 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) provides:
‘Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law.’
4 Article 17 of Directive 95/46 provides:
‘1. Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying-out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
– the processor shall act only on instructions from the controller,
– the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.’
Directive 2002/58/EC
5 Article 1(1) and (2) of Directive 2002/58 provides:
‘1. This Directive harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the [European Union].
2. The provisions of this Directive particularise and complement Directive 95/46/EC for the purposes mentioned in paragraph 1. …’
6 Point b of the second paragraph of Article 2 of that directive defines ‘traffic data’ as ‘any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof’.
7 Article 5(1) of Directive 2002/58 states:
‘Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. …’
8 Article 6 of that directive provides:
‘1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article ...
2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.
…
5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.
…’
German law
9 The third and fourth sentences of Paragraph 97(1) of the Law on telecommunications (Telekommunikationsgesetz) of 22 June 2004 (BGBl. 2004 I, p. 1190; the ‘TKG’) are worded as follows:
‘Determination and billing of the provider’s remuneration
… If the service provider has concluded a contract with a third party relating to the collection of the charges for service, it is entitled to pass on the [traffic] data in so far as that data transfer is necessary for the collection of charges and for drawing up a detailed bill. The third party must be contractually bound with respect to privacy of telecommunications in accordance with Paragraph 88 and with respect to data protection in accordance with Paragraphs 93, 95, 96, 97, 99 and 100.
…’
10 According to the referring court, the authorisation provided for in the third sentence of Paragraph 97(1) of the TKG on passing on data applies not only to debt collection contracts where those debts remain part of the property of the original holder, but also to other contracts for assignment, in particular contracts for the purchase of debts, and which provide that the right assigned belongs definitively to the assignee both in legal and economic terms.
The dispute in the main proceedings and the question referred for a preliminary ruling
11 Mr Probst is the owner of a telephone line provided by Deutsche Telekom AG, through which his computer is connected to the internet. From 28 June 2009 to 6 September 2009, he used the number provided by Verizon to obtain occasional access to the internet. At first, the charges claimed for were billed to Mr Probst by Deutsche Telekom AG as ‘amounts due to other providers’. When Mr Probst failed to make payment, nexnet, as assignee of that debt pursuant to a factoring contract concluded between the legal predecessors to Verizon and to nexnet, claimed payment of the amounts billed together with various charges. Under the factoring contract nexnet bears the risk of debtor default.
12 The legal predecessors of nexnet and Verizon also concluded a ‘data protection and confidentiality agreement’ which provides:
‘I Data protection
…
(5) The contracting parties undertake to process and use the protected data only within the framework of the abovementioned cooperation and exclusively for the purpose of the present contract and in the manner prescribed.
(6) As soon as the information included as protected data is no longer required for such purpose, all protected data held in that connection shall forthwith be erased irretrievably or returned. …
(7) Each contracting party shall be entitled to check that the other party has ensured data protection and data security in accordance with the present agreement. …
II. Confidentiality
…
(2) The contracting parties shall process and use the confidential documents and information provided exclusively for the performance of the contract concluded between them. They shall make these accessible only to those employees who require such for the performance of the contract. The parties shall require those employees to maintain confidentiality in accordance with this agreement.
(3) On request by a contracting party, or at the latest on termination of the cooperation between the contracting parties, all confidential data held in that connection shall be erased irretrievably or returned to the other party. …
…’
13 According to Mr Probst, the factoring contract is void in so far as it breaches, inter alia, Paragraph 97(1) of the TKG. The Amtsgericht (local court) rejected nexnet’s claim for payment, while the appellate court upheld it in substance. An appeal on a point of law (‘Revision’) has been brought before the Bundesgerichtshof (Federal Court of Justice).
14 The Bundesgerichtshof takes the view that Article 6(2) and (5) of Directive 2002/58 is relevant for the interpretation of Paragraph 97(1) of the TKG. It states, first, that ‘billing’, which is one of the objectives in respect of which Article 6(2) and (5) of that directive authorises the processing of traffic data, does not necessarily include the collection of the amount invoiced. However, it takes the view there is no objective reason for treating billing and debt collection differently with respect to data protection. Second, Article 6(5) of that directive restricts the processing of traffic data to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services (‘service provider’). According to the referring court, it is unclear from that definition whether the service provider must actually be able to determine the use of the data, including on a case-by-case basis, throughout the duration of the data processing or whether it is sufficient that general rules relating to respect for the privacy of telecommunications and data protection are laid down, such as those agreed in the present case in the contractual provisions, and that it is possible for the data to be erased or returned on request.
15 In those circumstances, the Bundesgerichtshof decided to stay the proceedings and to refer the following question to the Court of Justice for a preliminary ruling:
‘Does Article 6(2) and (5) of Directive 2002/58 permit the passing of traffic data from the service provider to the assignee of a claim for payment in respect of telecommunications services in the case where the assignment effected with a view to the collection of transferred debts includes, in addition to the general obligation to respect the privacy of telecommunications and to ensure data protection as provided for under the applicable legislation, the following contractual stipulations:
– the service provider and the assignee undertake to process and use the protected data only within the framework of their cooperation and exclusively for the purpose of the contract and in the manner prescribed therein;
– as soon as the information in the protected data is no longer required for such purpose, all protected data held in that connection are to be irreversibly erased or returned;
– each contracting party is entitled to check that the other party has ensured data protection and data security in accordance with this agreement;
– confidential documents and information transferred may be made accessible only to such employees as require these for the purposes of performing the contract;
– the contracting parties are to require those employees to maintain confidentiality in accordance with this agreement;
– on request, or at the latest on termination of the cooperation between the contracting parties, all confidential data held in that connection are to be irreversibly erased or returned to the other party?’
Consideration of the question referred for a preliminary ruling
16 By its question, the referring court asks essentially whether, and in what circumstances, Article 6(2) and (5) of Directive 2002/58 allows a service provider to pass traffic data to the assignee of its claims for payment and allows the latter to process those data.
17 First, in accordance with Article 6(2) of Directive 2002/58, traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. As nexnet and the European Commission submit, that provision of that directive authorises processing of traffic data not only for the purpose of billing but also for that of debt collection. By authorising traffic data processing ‘up to the end of the period during which the bill may lawfully be challenged or payment pursued’, that provision relates not only to data processing at the time of billing but also to the processing necessary for securing payment thereof.
18 Second, pursuant to Article 6(5) of Directive 2002/58, traffic data processing authorised by Article 6(2) thereof ‘must be restricted to persons acting under the authority of [service] providers of the public communications networks and publicly available electronic communications services handling billing’ and ‘must be restricted to what is necessary’ for the purposes of such an activity.
19 It follows from a combined reading of those provisions of Directive 2002/58 that a service provider is authorised to pass traffic data to the assignee of its claims for payment for the purpose of their recovery and that the latter is authorised to process those data on condition, first, that it acts ‘under the authority’ of the service provider as regards the processing of those data and, second, that it processes only traffic data which are necessary for the purpose of the recovery of those claims.
20 It must be stated that neither Directive 2002/58 nor the documents relevant for its interpretation, such as the travaux préparatoires, provide clarification as to the exact scope of the concept of ‘under the authority’. The meaning and scope of terms for which European Union law provides no definition must be determined by considering their usual meaning in everyday language, while also taking into account the context in which they occur and the purposes of the rules of which they are part (see, to that effect, judgments in Case C-336/03 easyCar [2005] ECR I-1947, paragraphs 20 and 21, and of 5 July 2012 in Case C-49/11 Content Services, paragraph 32).
21 As regards the usual meaning of those words in everyday language, it must be held that a person acts under the authority of another where the former acts on instructions and under the control of the latter.
22 As to the context in which Article 6 of Directive 2002/58 appears, it must be recalled that Article 5(1) of that directive provides that Member States are required to ensure the confidentiality of communications by means of a public communications network and publicly available electronic communications services and the related traffic data.
23 Article 6(2) and (5) of Directive 2002/58 contains an exception to the confidentiality of communications laid down in Article 5(1) by authorising traffic data processing in accordance with the requirements of billing services (see, to that effect, Case C-275/06 Promusicae [2008] ECR I-271, paragraph 48). As it constitutes an exception, that provision of that directive, and therefore also the words ‘under the authority’, are to be interpreted strictly (see Case C-16/10 The Number (UK) and Conduit Enterprises [2011] ECR I-691, paragraph 31). Such an interpretation requires that the service provider has an actual power of supervision which enables him to determine whether the assignee of the claims for payment is acting in compliance with the conditions imposed on it with respect to the processing of traffic data.
24 That interpretation is corroborated by the objective of Directive 2002/58 in general and of Article 6(5) in particular. As is clear from its Article 1(1) and (2), Directive 2002/58 particularises and complements Directive 95/46 in the electronic communications sector for the purposes, inter alia, of ensuring an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communications sector.
25 In those circumstances, Article 6(5) of Directive 2002/58 must be interpreted in the light of similar provisions in Directive 95/46. It is clear from Articles 16 and 17 of Directive 95/46, which set out the level of control that the controller must exercise over the processor which it appoints, that that processor acts only on the controller’s instructions and that the controller ensures compliance with the measures agreed in order to protect personal data against any form of unlawful processing.
26 As regards the objective pursued by Article 6(5) of Directive 2002/58 in particular, it must be stated that, even if that provision authorises the processing of traffic data by certain third persons for the service supplier for the purpose in particular of collecting the latter’s debts, thereby enabling it to concentrate on the supply of electronic communications services, that provision seeks to ensure, by providing that the processing of traffic data must be restricted to persons acting ‘under the control’ of the service supplier, that such externalisation does not affect the level of protection of personal data enjoyed by the user.
27 It follows from the foregoing that, regardless of the classification of the contract of assignment of claims for payment for collection purposes, the assignee of a claim for payment relating to the payment of telecommunications charges acts ‘under the authority’ of the service provider, within the meaning of Article 6(5) of Directive 2002/58, where, for the processing of traffic data that such an activity involves, the assignee acts only on instructions and under the control of the service provider. In particular, the contract concluded between the service provider which assigns its claims for payment and the party to which those claims are assigned must contain provisions of such a kind as to ensure the lawful processing of traffic data by the latter and must allow the service provider to ensure at all times that those provisions are being complied with by the assignee.
28 It is for the national court to determine, in the light of all the information in the case-file, whether those conditions are met in the case in the main proceedings. The fact that a factoring contract has the characteristics described in the question referred suggests that that contract satisfies those conditions. Such a contract allows the processing of traffic data by the assignee of claims for payment only in so far as such processing is necessary for the collection of those debts and imposes on that assignee the obligation immediately and irreversibly to erase or return those data as soon as knowledge thereof is no longer necessary for the recovery of the claims concerned. Furthermore, it allows the service provider to check whether there is compliance with the rules on security and data protection on the part of the assignee, which may, on simple request, be obliged to erase or to return the traffic data.
29 In the light of the foregoing, the answer to the question referred is that Article 6(2) and (5) of Directive 2002/58 must be interpreted as authorising a service provider to pass traffic data to the assignee of its claims for payment in respect of the supply of telecommunications services for the purpose of recovery of those claims, and as authorising that assignee to process those data on condition, first, that it acts under the authority of the service provider as regards the processing of those data and, second, that that assignee confines itself to processing the traffic data necessary for the purposes of recovering the claims assigned.
30 Irrespective of the classification of the contract of assignment, the assignee is deemed to act under the authority of the service provider, within the meaning of Article 6(5) of Directive 2002/58, where, for the processing of traffic data, it acts exclusively on the instructions and under the control of that provider. In particular, the contract concluded between them must contain provisions capable of guaranteeing the lawful processing, by the assignee, of the traffic data and of enabling the service provider to ensure, at all times, that that assignee is complying with those provisions.
Costs
31 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Third Chamber) hereby rules:
Article 6(2) and (5) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) must be interpreted as authorising a provider of public communications networks and of publicly-accessible electronic communications services to pass traffic data to the assignee of its claims for payment in respect of the supply of telecommunications services for the purpose of recovery of those claims, and as authorising that assignee to process those data on condition, first, that the latter acts under the authority of the service provider as regards the processing of those data and, second, that that assignee confines itself to processing the traffic data necessary for the purposes of recovering the claims assigned.
Irrespective of the classification of the contract of assignment, the assignee is deemed to act under the authority of the service provider, within the meaning of Article 6(5) of Directive 2002/58, where, for the processing of traffic data, it acts exclusively on the instructions and under the control of that provider. In particular, the contract concluded between them must contain provisions capable of guaranteeing the lawful processing, by the assignee, of the traffic data and of enabling the service provider to ensure, at all times, that that assignee is complying with those provisions.
[Signatures]
* Language of the case: German.