OPINION OF ADVOCATE GENERAL
COLLINS
Delivered on 28 April 2022(1)
Case C‑129/21
Proximus NV
(Public electronic directories)
v
Gegevensbeschermingsautoriteit
(Request for a preliminary ruling from the Hof van beroep te Brussel (Court of Appeal, Brussels, Belgium))
(Reference for a preliminary ruling – Processing of personal data and protection of privacy in the electronic communications sector – Directive 2002/58/EC – Article 12 – Directories and directory enquiry services – Data subject’s consent – Regulation (EU) 2016/679 – Definition of consent – Article 17 – Right to erasure (‘right to be forgotten’) – Article 5(2), Article 17(2), Article 19 and Article 24 – Information obligations and responsibility of the controller)
I. Introduction
1. The present request for a preliminary ruling from the Hof van beroep te Brussel (Court of Appeal, Brussels, Belgium) arises out of a request by a person who subscribes to a telecommunications service that his contact details no longer appear in public electronic telephone directories or be available from directory enquiry services. It raises important issues as to the interpretation of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (2) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (3) and the relationship between those two acts.
2. The GDPR imposes a general requirement on each controller to obtain the data subject’s consent to the processing of his or her data. Directive 2002/58 modifies that requirement in respect of data processing by providers of electronic telephone directories and directory enquiry services in that a single instance of consent by a subscriber to the use of his or her data suffices to permit processing for that same purpose. A subscriber thus gives a single instance of consent to his or her contact details appearing in directories, whereupon other providers of directories may rely on that same consent in order to include those contact details in their directories. What happens when a subscriber wishes to have his or her contact details removed from all such directories? At least two questions arise. First, should a subscriber address a request to the telecommunications operator with whom he or she has a contract, or to the provider(s) of directories, or to each of them? Second, is a provider of directories obliged to pass on a request to remove contact details to third parties, such as the subscriber’s telecommunications operator, other provider(s) of directories and search engine providers?
II. Factual background
3. Proximus provides telecommunications services. It includes the contact details of its own subscribers, as well as those it receives from other telecommunications operators, in two Belgian electronic directories, www.1207.be and www.1307.be, and in two directory enquiry services, 1207 and 1307, that it also provides. It passes those contact details on to another provider of directories.
4. Proximus explains that its databases, and those of third parties, distinguish between subscribers whose contact details are to be included in directories and those that are to be excluded. Where contact details are to be included, the relevant parameter in a subscriber’s record is ‘NNNNN’. Where contact details are to be excluded, the relevant parameter is ‘XXXXX’.
5. The complainant is a subscriber to a telephone service provided by Telenet, a telecommunications operator on the market in Belgium. Telenet does not provide directories. It supplies contact details of its subscribers to, inter alia, Proximus.
6. On 13 January 2019, the complainant, using the contact form available on the website www.1207.be, addressed the following request to Proximus: ‘Please do not include this number in the “Witte Gids”, on 1207.be, …’
7. On foot of this request, on 28 January 2019 Proximus changed the relevant parameter in the complainant’s record from ‘NNNNN’ to ‘XXXXX’. On that same date, a Proximus employee responded to the complainant as follows: ‘The number [x] is currently not included in the edition of the “Gids”. The information is also not available on directory enquiries (1207) and on the website (1207.be). You will find the latest update of all published records on our website www.1207.be’.
8. On 31 January 2019, Proximus received a routine update of subscriber data from Telenet. This update contained new contact details for the complainant. It also represented that the complainant’s contact details were to be included in directories (‘NNNNN’). Proximus automatically processed that update. As a result, the complainant’s contact details became publicly available.
9. On 14 August 2019, having realised that his telephone number featured in electronic telephone directories www.1207.be and www.1307.be and in a number of other electronic telephone directories, the complainant contacted Proximus, using the contact form available on the website www.1207.be, asking Proximus ‘not to mention’ his phone number ‘on your website(s) http://www.1207.be’.
10. On the same date, a Proximus employee responded that: ‘As per your request, we have deleted your entry so that your details (telephone number, name, address) will no longer be used for telephone directories or directory enquiry services. Within a few days your details will no longer be available on www.1207.be – www.1307.be and the enquiry services (1207-1307). We will also contact Google to delete the relevant links to our website. In compliance with legal provisions your details were also forwarded to other telephone directories or directory enquiry services who requested [Proximus] to provide them with subscriber data, namely www.wittegids.be, www.infobel.com, www.de1212.be and www.opendi.be. Via the monthly updates they will also be informed of your request not to use your details any longer.’
11. The complainant simultaneously submitted a complaint to the Gegevensbeschermingsautoriteit (Data Protection Authority, Belgium; ‘the DPA’). This included the following text: ‘despite my written and express request … not to include my (brand new) telephone number … and details in the Witte Gids, on 1207.be, …, today, following a telephone call from a firm that does not have my telephone number [I noticed] that my telephone number has nevertheless been included in www.1207.be, www.1307.be, www.wittegids.be, www.infobel.be, ww.de1212.be and most probably also in the relevant directory enquiry services 1207, 1307 and in the paper versions of the Witte Gids(en) and www.opendi.be’.
12. On 27 August 2019, the frontline service of the DPA declared the complaint admissible and referred it to the Geschillenkamer van de Gegevensbeschermingsautoriteit (Litigation Chamber of the Data Protection Authority, Belgium; ‘the Litigation Chamber of the DPA’).
III. Relevant legal provisions
A. European Union law
1. The Charter of Fundamental Rights of the European Union
13. According to the first two paragraphs of Article 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’), entitled ‘Protection of personal data’:
‘1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.’
2. The General Data Protection Regulation
14. The concept of consent is central to the operation of the GDPR. By its Article 4(11), consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
15. Paragraph 1 of Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, states, in relevant part:
‘Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);’
16. Paragraph 2 of Article 5 of the GDPR states:
‘The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).’
17. Article 6 of the GDPR, entitled ‘Lawfulness of processing’, provides:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…’
18. In its relevant paragraphs, Article 7 of the GDPR, entitled ‘Conditions for consent’, states:
‘1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
…
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
…’
19. In so far as is relevant here, Article 17 of the GDPR, entitled ‘Right to erasure (“right to be forgotten”)’, provides:
‘1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
…
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
…
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
…’
20. Article 19 of the GDPR, entitled ‘Notification obligation regarding rectification or erasure of personal data or restriction of processing’, provides:
‘The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.’
21. By Article 24(1) of the GDPR, entitled ‘Responsibility of the controller’:
‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.’
22. Article 95 of the GDPR, entitled ‘Relationship with Directive 2002/58/EC’, provides:
‘This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in [Directive 2002/58].’
3. Directive 2002/58
23. Recital 17 of Directive 2002/58 states:
‘For the purposes of this Directive, consent of a user or subscriber, regardless of whether the latter is a natural or legal person, should have the same meaning as the data subject’s consent as defined and further specified in [Directive 95/46]. Consent may be given by an appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website.’
24. Save as otherwise provided, Directive 2002/58 applies the definitions in Directive 95/46 (4) and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive). (5) Article 2(f) of Directive 2002/58 defines ‘consent’ by a user or subscriber by reference to the data subject’s consent in Directive 95/46. It follows that, for the purposes of Directive 2002/58, the definition of consent is the same as that contained in Article 4(11) of the GDPR, the text of which is set out at point 14 of the present Opinion.
25. Article 12(2) and (3) of Directive 2002/58 provides:
‘2. Member States shall ensure that subscribers are given the opportunity to determine whether their personal data are included in a public directory, and if so, which, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory, and to verify, correct or withdraw such data. Not being included in a public subscriber directory, verifying, correcting or withdrawing personal data from it shall be free of charge.
3. Member States may require that for any purpose of a public directory other than the search of contact details of persons on the basis of their name and, where necessary, a minimum of other identifiers, additional consent be asked of the subscribers.’
B. Belgian law
26. The Wet van 13 juni 2005 betreffende de elektronische communicatie (Law of 13 June 2005 on electronic communication) transposes, inter alia, Directive 2002/58 into Belgian law. (6) Article 133(1) thereof implements Article 12(2) of Directive 2002/58. Such other provisions of the WEC as are relevant to the proposed replies to the questions put by the referring court are referenced below.
IV. The national legal proceedings and the procedure before this Court
27. In so far as appears to be relevant to the reference to the Court, on 30 July 2020 the Litigation Chamber of the DPA ordered Proximus to (i) take immediate, appropriate steps to reflect the complainant’s withdrawal of consent and thus to comply with the requirements relating to the processing of personal data imposed by the GDPR; (ii) comply with the complainant’s request to exercise his ‘right to be forgotten’; and (iii) cease the unlawful processing of data that consisted of passing personal details on to third-party providers of directories. It also reprimanded Proximus for failing to comply with Article 24 of the GDPR. The Litigation Chamber of the DPA fined Proximus EUR 20 000 for infringements of Articles 6, 7 and 12 of the GDPR (‘the contested decision’).
28. Proximus appealed the contested decision before the Hof van beroep te Brussel (Court of Appeal, Brussels), which referred the following questions to the Court:
‘(1) Must Article 12(2) of Directive 2002/58, read in conjunction with Article 2(f) thereof and Article 95 of the [GDPR] be interpreted as permitting a national supervisory authority to require a subscriber’s “consent” within the meaning of the [GDPR] as the basis for the publication of the subscriber’s personal data in public directories and directory enquiry services, published both by the operator itself and by third-party providers, in the absence of national legislation to the contrary?
(2) Must the right to erasure contained in Article 17 of the [GDPR] be interpreted as precluding a national supervisory authority from categorising a request by a subscriber to be removed from public directories and directory enquiry services as a request for erasure within the meaning of Article 17 of the [GDPR]?
(3) Must Article 24 and Article 5(2) of the [GDPR] be interpreted as precluding a national supervisory authority from concluding from the obligation of accountability laid down therein that the controller must take appropriate technical and organisational measures to inform third-party controllers, namely, the telephone service provider and other providers of directories and directory enquiry services that have received data from that first controller, of the withdrawal of the data subject’s consent in accordance with Article 6 in conjunction with Article 7 of the [GDPR]?
(4) Must Article 17(2) of the [GDPR] be interpreted as precluding a national supervisory authority from ordering a provider of public directories and directory enquiry services which has been requested to cease disclosing data relating to an individual to take reasonable steps to inform search engines of that request for erasure?’
29. Proximus, the DPA, the Italian, Latvian, Portuguese and Romanian Governments and the European Commission submitted written observations.
30. At the hearing of 9 February 2022, Proximus, the DPA and the Commission presented oral argument and replied to questions from the Court.
V. Assessment
A. Admissibility of the questions referred
31. As a preliminary issue, Proximus submits that the part of the first question that relates to the obligations of telecommunications operators, as distinct from those imposed on providers of directories, as well as the second and fourth questions, are hypothetical and/or of no relevance to the issues to be determined by the referring court and are therefore inadmissible.
32. The Court has consistently held that, in proceedings under Article 267 TFEU, it is solely for the national court before which the dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine in the light of the particular circumstances of the case both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court. Consequently, where the questions submitted concern the interpretation of EU law, the Court is in principle bound to give a ruling. (7)
33. Nevertheless, the Court may refuse to rule on a question referred for a preliminary ruling by a national court where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it. (8)
34. To respond to Proximus’ submissions on inadmissibility, I propose to set out the parties’ principal arguments before the Court in order to assess if the four questions referred are so removed from the subject matter of the dispute before the referring court that they bear no relation to the facts of the main action or its purpose, so that all or part of them are inadmissible.
35. Proximus considers that it has no obligation to obtain the complainant’s consent to include his contact details in its directories or to give him an opportunity to determine whether his personal data are to be included therein. According to Proximus, these are matters for which the telecommunications operator (here Telenet) is responsible. It follows that the complainant ought to have addressed his request to withdraw his contact details from the Proximus directories to Telenet. In the alternative, Proximus considers that the provisions of the GDPR relating to ‘the right to be forgotten’ are irrelevant since the removal of contact details consists in changing the ‘NNNNN’ parameter in the relevant record to ‘XXXXX’. This is a rectification, not an erasure, of data. It is also unreasonable to require Proximus to inform search engine providers of the complainant’s request, since it is uncertain whether the latter obtained his contact details from Proximus or from another provider of directories.
36. The DPA is of the view that the inclusion of the complainant’s contact details in directories required his prior consent. Upon informing Proximus that he no longer wanted his details to be so included, their continued inclusion in all such directories became unlawful. The complainant’s request was a withdrawal of his consent and an exercise of his ‘right to be forgotten’ within the meaning of Article 17 of the GDPR. Article 17(2) of the GDPR obliged Proximus to inform search engine providers of that request. Article 5(2) and Article 24 of the GDPR also permit the DPA to require Proximus to inform the telecommunications operator and other providers of directories of that request.
37. The observations of the Italian Government and of the Commission broadly follow the same lines as those advanced by the DPA. Whilst the observations of the Latvian, Portuguese and Romanian Governments adopt a similar approach, they also include the following caveats. The Latvian Government points out that there is no legal basis upon which each provider of directories can be required to obtain separate consents: different providers, who use data for the same purpose, must be able to rely on a single instance of consent given by the data subject. The Romanian Government considers that Article 5(2) and Article 24 of the GDPR cannot be relied upon in the manner asserted by the DPA because those provisions do not impose obligations on controllers to enter into a dialogue with other controllers. The Portuguese Government considers that the obligation on controllers to inform third parties, including search engine providers, of requests to erase data derives from Article 19 of the GDPR, not from its Article 17(2).
38. From this short overview of the parties’ principal arguments before the Court, I am satisfied that all of the four questions put by the referring court are relevant to the subject matter of the dispute before it and are so closely related that no part of them could be said to be inadmissible. Accordingly I propose that the Court dismiss Proximus’ objections to the admissibility of the questions referred.
B. Substantive assessment
1. First question
39. By its first question, the referring court essentially asks whether, pursuant to Article 12(2) of Directive 2002/58, read together with Article 2(f) thereof and Article 95 of the GDPR, a subscriber’s consent, as defined by the GDPR, is required in order to include his or her contact details in directories published by a telecommunications operator and/or other providers of directories.
40. Article 12(2) of Directive 2002/58 requires that subscribers are given the opportunity to determine whether their personal data are to be included in a public directory. Implicit in that requirement is a corresponding obligation to afford subscribers an opportunity to make an express choice as to whether they wish their data to be included in such directories. Article 12(3) of Directive 2002/58 moreover refers to the fact that ‘additional consent’ may be asked of subscribers for any purpose of a public directory other than the search of contact details of persons on the basis of their name. (9) The reference to ‘additional consent’ in Article 12(3) also implies that Article 12(2) requires that consent to such publication be obtained in the first instance.
41. As observed in points 23 and 24 of the present Opinion, for the purpose of Article 2(f) of Directive 2002/58, ‘consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
42. The reference to ‘affirmative action’ in the definition of consent for the purposes of Directive 2002/58 is a further indication that subscribers must be afforded an opportunity to ‘opt-in’ to the inclusion of their personal data in a public directory. Contrary to Proximus’ argument, providers of directories cannot assume that the default position is that a subscriber consents to the inclusion of his or her contact details in a public directory, or what might be described as an ‘opt-out’ approach.
43. Moreover, the Court has ruled that it follows from a contextual and systematic interpretation of Article 12 of Directive 2002/58 that the consent under Article 12(2) thereof relates to the purpose of the publication of personal data in a public directory and not to the identity of any particular provider. The consent given under Article 12(2) of Directive 2002/58 thus applies to any subsequent processing of data by third-party undertakings active in the market for publicly available directory enquiry services and directories, provided that such processing is for the same purpose. (10)
44. It follows that the subscriber’s consent, as defined by Article 4(11) of the GDPR, is required in order to include his or her personal data in directories published by the telecommunications operator and/or third-party providers of directories. Where such publication serves the same purpose, the telecommunications operator and/or third-party provider(s) may rely on that same consent.
45. I would add that, by Article 7(1) of the GDPR, where processing is based on consent, the controller must be able to demonstrate that the data subject consented to the processing of his or her personal data. A provider of directories such as Proximus cannot assume that a subscriber has given his or her consent, even if it may rely on the consent that the subscriber provided to another controller.
46. Proximus relies on recitals 38 and 39 of Directive 2002/58 to support the propositions that any obligation to: (i) inform subscribers of the purpose of directories in which their personal data are to be included; and (ii) give them the opportunity to determine whether their personal data are included in a directory, lies solely with the telecommunications operator with whom the subscriber has a contract. The text of the said recitals does not support this assertion. Recital 38 refers to the obligation of ‘providers of public directories’ to ‘inform the subscribers to be included in such directories of the purposes of the directory …’. Recital 39 states that ‘the obligation to inform subscribers of the purpose(s) of public directories in which their personal data are to be included should be imposed on the party collecting the data for such inclusion’.
47. Since Telenet does not publish directories neither of those recitals applies to it. Whilst a telecommunications operator may obtain the consent of subscribers for the purpose of including their data in directories provided by third parties, and those third parties may thereafter rely on, and be able to demonstrate, that such consent had been provided to the telecommunications operator, recitals 38 and 39 of Directive 2002/58 do not imply that only telecommunications operators are under an obligation to obtain that consent, thereby absolving third-party providers of directories from their responsibility and accountability in that regard.
48. Finally, since Directive 2002/58 expressly adopts the definition of consent contained in the GDPR, the discussion that Proximus raised concerning the interpretation of Article 95 of the GDPR and the relationship between the GDPR and Directive 2002/58, which it characterised as one of ‘lex generalis/lex specialis’, is irrelevant.
49. I therefore propose that the Court answer the first question by stating that, pursuant to Article 12(2) of Directive 2002/58, read together with Article 2(f) thereof and Article 95 of the GDPR, a subscriber’s ‘consent’, as defined in Article 4(11) of the GDPR, is required in order to include his or her contact details in directories published by a telecommunications operator and/or by other providers of directories.
2. Second question
50. By the second question the referring court seeks to ascertain whether a request by a subscriber to have his or her data removed from directories constitutes an exercise of ‘the right to erasure’ established by Article 17 of the GDPR.
51. Proximus argues that a third-party provider of directories is under no obligation to implement a request from a subscriber to remove data from directories since Article 17 of the GDPR does not apply to that third party. The subscriber ought to have addressed his or her request to the telecommunications operator with whom he or she has a contract. Again Proximus argues that the relationship between the GDPR and Directive 2002/58 is one of lex generalis/lex specialis.
52. In the alternative, Proximus submits that the complainant’s request ‘not to include telephone number … in 1207.be’ is a request for rectification within the meaning of Article 16 of the GDPR, not a request for erasure under Article 17 of the GDPR since the relevant parameter in the subscriber’s record is merely changed from ‘NNNNN’ to ‘XXXXX’.
53. Article 12(2) of Directive 2002/58 states that subscribers must be given the opportunity to ‘correct or withdraw’ personal data that they consent to have included in directories. Directive 2002/58 does not define the terms ‘correct or withdraw’. It is therefore appropriate to take account of the ordinary meaning of those words in the context in which they appear, namely the inclusion of subscribers’ contact details in directories. The word ‘correct’ clearly applies to situations where subscribers wish to change the manner in which their contact details appear in a directory, for example, correcting the spelling of a name or an inaccuracy in an address. That situation is different from that which arises here, where the complainant wants his contact details no longer to appear in public directories. Amongst the meanings of the word ‘withdraw’ are ‘remove’, ‘retract’ or ‘recall’. By no longer consenting to his data being processed by means of inclusion in directories, it can be said that the complainant requested the withdrawal of his personal data within the meaning of Article 12(2) of Directive 2002/58.
54. As the Latvian Government points out, Directive 2002/58 does not contain any other indications as to the modalities, implementation and consequences of requests to ‘withdraw’ personal data. The provisions of the GDPR therefore apply directly, as a consequence of which Proximus’ argument based on the lex generalis/lex specialis relationship between the two acts falls away. Pursuant to Article 7(3) of the GDPR a subscriber has the right to withdraw his or her consent at any time. Once that consent is withdrawn, Article 6(1)(a) of the GDPR provides that the processing of the subscriber’s data for the specific purpose of being included in directories is no longer lawful. This, in turn, triggers the application of Article 17 of the GDPR.
55. Proximus argues that this interpretation cannot be correct because it would mean that both it and Telenet would be obliged to delete the complainant’s record from all of their databases. The DPA and the other parties who have submitted observations to the Court are of the view that the complainant’s request is limited to the withdrawal of his data from directories, not its erasure from the database of Telenet’s subscribers.
56. The complainant seeks to prevent his data being processed for purposes connected with directories. Article 17(1)(b) of the GDPR, which permits the withdrawal of consent on which the processing is based, facilitates his wish. The consent to be obtained from the subscriber pursuant to Article 12(2) of Directive 2002/58 relates to the processing of data in a specific manner, namely for the purpose of publication in directories. When that consent has been withdrawn, that particular manner of processing the subscriber’s data becomes illegal. Were it otherwise, a subscriber would be unable to withdraw consent for the purpose of publication in directories without simultaneously terminating his or her contract for the provision of telecommunications services.
57. I therefore propose that the Court reply to the second question that a request by a subscriber to have his or her data removed from directories constitutes an exercise of ‘the right to erasure’ established by Article 17 of the GDPR.
3. Third question
58. By its third question, the referring court essentially wishes to ascertain whether, pursuant to Article 5(2) and Article 24 of the GDPR, a national supervisory authority may conclude that the controller must take appropriate technical and organisational measures to inform third-party controllers, namely, the telecommunications operator and other providers of directories that have received data from that first controller, of the withdrawal of the data subject’s consent in accordance with Article 6 of the GDPR, read in conjunction with Article 7 of the GDPR.
59. In this question, ‘the controller’ is Proximus, and ‘third-party controllers’ are: (i) the telecommunications operator, Telenet, with whom the complainant has a telephone subscription; and (ii) provider(s) of directories to which Proximus supplies subscriber details, including those it received from Telenet.
60. Since the telecommunications operator does not provide directories and consent must be obtained in order for subscribers’ contact details to be included in directories, the question arises as to why it would be relevant to inform the telecommunications operator of the subscriber’s withdrawal of his or her consent to the use of his or her data for that purpose.
61. The WEC requires telecommunications operators to pass on subscribers’ contact details to providers of directories. (11) However, they must ‘keep separate’ the contact details of subscribers who have indicated that they do not want to be included in a directory so as to allow them to receive a copy of that directory. (12) As described in point 4 of the present Opinion, withdrawal of consent is effected by means of adjusting the parameters in a subscriber’s record. Proximus updates its database upon receipt of a withdrawal of consent. That update is, however, overwritten when Proximus receives another set of subscriber data from the telecommunications operator for the purpose of those data being included in directories and the telecommunications operator has not been informed of the subscriber’s request that his or her data not appear in a public directory. Proximus must thus not only update its own database to reflect the subscriber’s withdrawal of his or her consent but must also inform the telecommunications operator of that withdrawal.
62. Proximus thus argues that it is merely a ‘recipient to whom personal data has been disclosed’ within the meaning of Article 19 of the GDPR. Therefore, the obligation on controllers to take reasonable steps to communicate requests for erasure to other controllers, contained in Article 17(2) of the GDPR, does not apply to it. It follows, according to Proximus, that it is incorrect to interpret Article 5(2)and Article 24 of the GDPR as imposing an obligation upon it to inform the telecommunications operator and other providers of directories of requests for erasure that it receives.
63. I find it difficult to accept that Proximus is a mere recipient of personal data. Whilst it may have received the complainant’s contact details from Telenet, the publication of those data in its directories constitutes the processing of data within the meaning of Article 4(2) of the GDPR. In that context Proximus acts as a controller within the meaning of Article 4(7) of the GDPR. (13) According to Article 5(2) and Article 24 of the GDPR, controllers are subject to obligations relating to accountability and taking appropriate steps to ensure that data processing is perfomed in accordance with the GDPR.
64. Article 5(1)(a) of the GDPR provides that personal data shall be processed lawfully. Pursuant to Article 6(1)(a) thereof, processing shall be lawful only if and to the extent that the data subject has consented to his or her data being processed for one or more specific purposes. It appears from the order for reference that the complainant withdrew his consent, within the meaning of Article 7 of the GDPR, to have his personal data processed for the purpose of publication in directories. Such processing, including that by other providers of directories for the same purpose, does not comply with the GDPR. It is thus unlawful.
65. It is consistent with that finding, together with the information requirements in Article 17(2) and Article 19 of the GDPR, that a national supervisory authority may conclude, from the obligation of accountability laid down in Article 5(2) of the GDPR and the obligation in Article 24 of the GDPR to ensure, and to be able to demonstrate, that processing is performed in accordance with that regulation, that a controller must, by means of appropriate technical and organisational measures, inform other controllers, namely the telecommunications service provider and other providers of directories that have received data from that first controller, of the withdrawal of the data subject’s consent in accordance with Article 6 of the GDPR, read in conjunction with Article 7 of the GDPR.
66. The Romanian Government notes that Article 17(2) of the GDPR contains the information requirements demanded of search engine providers when erasure requests are made. It would thus be inappropriate for a national supervisory authority to rely on Article 5(2) Article 24 of the GDPR, in particular since those provisions do not contain specific obligations governing the passing on of information to third parties.
67. In my view, Article 5(2) and Article 24 of the GDPR impose general accountability and compliance requirements upon controllers. Their broad wording and scope enables them to facilitate a national supervisory authority that seeks to impose information requirements on controllers vis-à-vis third parties. It is true that Article 17(2) and Article 19 of the GDPR set out specific information obligations in relation to, respectively, ‘controllers’ (in respect of data that has been made public and the erasure of which has been requested) and ‘recipients’. Those provisions do not, however, cover the factual scenario under consideration where the need arises, due to the interaction of the databases of the various parties involved, to inform the telecommunications operator of the withdrawal of consent, without which Proximus, and providers using subscriber data received from Proximus, end up processing data unlawfully.
68. This interpretation of the GDPR leads to a situation whereby a subscriber may communicate the withdrawal of his or her consent (here a request not to include contact details in directories) to any entity that includes those details in directories, or to any entity (including the telecommunications operator), that communicates such contact details to others for that same purpose. The entity that the subscriber chooses to approach becomes responsible for passing on his or her request for erasure to other controllers to the extent required to ensure that the data are not processed unlawfully. Such an interpretation is in line with the obligation that Article 12(2) of the GDPR imposes on controllers to facilitate the exercise by data subjects of their rights under Articles 15 to 22 of the GDPR. It also reflects the requirement in the last sentence of Article 7(3) of the GDPR that it shall be as easy to withdraw, as to give, consent to the processing of personal data. Since a provider of directories may rely on consent given by a subscriber to process data for that purpose to another provider, it follows that, in order to withdraw consent, it must be possible for a subscriber to contact any one of the providers of directories or the telecommunications operator with a view to his or her contact details being withdrawn from directories published by all of those who rely upon his or her single instance of consent.
69. I thus propose that the answer to the third question is that, pursuant to Article 5(2) and Article 24 of the GDPR, a national supervisory authority may conclude that the controller must take appropriate technical and organisational measures to inform third-party controllers, namely, the telecommunications operator and other providers of directories that have received data from that first controller, of the withdrawal of the data subject’s consent in accordance with Article 6 of the GDPR, read in conjunction with Article 7 of the GDPR.
4. Fourth question
70. By the fourth question, the referring court essentially asks whether Article 17(2) of the GDPR precludes a national supervisory authority from ordering a provider of directories to inform search engine providers of requests for erasure that it has received.
71. Implicit in that question is the referring court’s view that the complainant no longer wanted his contact details to be accessible to the public on the internet via search engines.
72. As point 62 of the present Opinion observes, Proximus takes the view that Article 17(2) of the GDPR does not apply to it because it is merely a recipient of personal data. In the alternative Proximus claims that, pursuant to Article 17(2) of the GDPR, it is required to take reasonable steps only to inform controllers that the data subject has requested the erasure of his or her data. (14) In the absence of Proximus disclosing data to search engine providers directly, it is ‘not 100% certain’ that those providers obtained the complainant’s contact details from Proximus, and they may have obtained them from another provider of directories. In those circumstances it would be unreasonable to require Proximus, upon receipt of the complainant’s request, to contact search engine providers directly.
73. It follows from my proposed reply to the second question that a subscriber’s request to have his or her data removed from directories triggers the application of the obligation that Article 17(2) of the GDPR imposes on the controller to take reasonable steps only to inform controllers processing personal data that the data subject has requested the erasure of any links to, or copy or replication of, those personal data.
74. The question then arises as to whether search engine providers are controllers. Indexing and making available personal data to internet users in a list of search results constitutes the processing of personal data within the meaning of Article 4(2) of the GDPR. Since search engine providers decide how to index those data and are responsible for developing the algorithm that fixes the order in which search results appear, they determine the purposes and means of the processing of personal data, thereby acting as controllers for the purposes of Article 4(7) of the GDPR. (15)
75. There remains the requirement that Proximus is to take reasonable steps only, including technical measures, to inform search engine providers of a request to erase data.
76. In order to assess the reasonableness of steps taken, Article 17(2) of the GDPR provides that the available technology and the cost of implementation must be taken into account, a task that falls primarily upon the authority competent for such matters, subject to judicial review. Point 10 of the present Opinion observes that Proximus told the complainant that it would inform Google of his request for erasure. In its observations before the Court, the DPA indicated that, as of the second quarter of 2020, there were a limited number of search engine providers in Belgium, headed up by Google, which had a market share of between 90% (for desktop searches) and 99% (for smartphone and tablet searches). (16) On that basis alone, it appears unwarranted to conclude that it would be unreasonable to require Proximus to inform search engine providers of such requests for erasure that it receives.
77. In any event, I am not persuaded that the assessment as to whether the steps Proximus must take to inform a particular search engine provider are ‘reasonable’ within the meaning of Article 17(2) of the GDPR must take into account whether it was ‘100% certain’ that the search engine provider in question had obtained the data to be erased from Proximus. Neither am I impressed by the argument that it would be unreasonable to require Proximus to take any steps to comply with Article 17(2) of the GDPR since it is not ‘100% certain’ that search engine providers obtained the complainant’s contact details from Proximus.
78. Allowing controllers to evade responsibility for processing personal data on the basis of a possibility that the data in question had not been obtained from them would render any obligation in that regard ineffective in the many circumstances where data are linked or copied on the internet. Such an approach might even provide a perverse incentive to disseminate data in order to avoid being subject to that obligation. Moreover, taking Proximus’ argument to its logical conclusion, no provider of directories would be responsible for complying with Article 17(2) of the GDPR by informing search engine providers of the complainant’s request because all of those providers could rely on any uncertainty as to the origin of the data. Moreover, since Telenet does not publish directories, the search engine providers cannot have obtained the data from the telecommunications operator. That means that the subscriber would have to find out where his or her contact details are available and send requests for erasure to each entity that publishes them. Such an approach would be manifestly inconsistent with Article 7(3) of the GDPR, which provides that it shall be as easy to withdraw, as to give, consent.
79. Accordingly I propose that the Court answer the fourth question to the effect that Article 17(2) of the GDPR does not preclude a national supervisory authority from ordering a provider of directories to inform search engine providers of requests for erasure that it has received.
VI. Conclusion
80. I accordingly propose that the Court give the following answers to the questions referred for a preliminary ruling by the Hof van beroep te Brussel (Court of Appeal, Brussels, Belgium):
(1) Pursuant to Article 12(2) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), read together with Article 2(f) thereof and Article 95 of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), a subscriber’s ‘consent’, as defined in Article 4(11) of the General Data Protection Regulation, is required in order to include his or her contact details in directories published by a telecommunications operator and/or by other providers of directories.
(2) A request by a subscriber to have his or her data removed from directories constitutes an exercise of ‘the right to erasure’ established by Article 17 of the General Data Protection Regulation.
(3) Pursuant to Article 5(2) and Article 24 of the General Data Protection Regulation, a national supervisory authority may conclude that the controller must take appropriate technical and organisational measures to inform third-party controllers, namely, the telecommuncations operator and other providers of directories that have received data from that first controller, of the withdrawal of the data subject’s consent in accordance with Article 6 of the General Data Protection Regulation, read in conjunction with Article 7 of that regulation.
(4) Article 17(2) of the General Data Protection Regulation does not preclude a national supervisory authority from ordering a provider of directories to inform search engine providers of requests for erasure that it has received.