EU Court of Justice: Consent and Right to Deletion of the Subscriber’s Details from the Publication of a Telecom Operator’s Directory
In a decision on October 27, 2022, the European Court of Justice has clarified the operators’ obligations regarding consent and the right to object in relation to public directories and information services.
The ePrivacy Directive contains several provisions relating to public directories and information services of telecommunications operators.
In particular, EU Member States must ensure that subscribers are given the opportunity to determine whether their personal data is included in a public directory and, if so, to what extent that such data is relevant for the purpose of the directory as determined by the provider of the directory.
The Directive refers to the General Data Protection Regulation (“GDPR”) for the assessment of consent.
Background of the Case
Proximus, a telecommunications service provider in Belgium, also provides publicly available telephone directories and directory enquiry services that contain the names, addresses and telephone numbers of subscribers of various publicly available telephone service providers.
The contact details of these subscribers are regularly communicated to Proximus by the operators. Proximus, for its part, passes on the details of its subscribers to other directory providers.
A subscriber who had not given his consent to the publication to include his contact details brought an action against Proximus to no longer appear in the Proximus’ directory or in third-party directories.
The European Court of Justice ruled that:
The subscriber of a telephone service operator must have given his or her “free, specific, informed and unambiguous” consent (according to the definition of consent in the GDPR) for his or her personal data to be included in a telephone directory or directory enquiry services.
A request by the subscriber to be removed from such a directory and publicly available directory enquiry services constitutes an exercise of “the right to erasure” established by GDPR.
A national supervisory authority may require the directory provider to take appropriate technical and organizational measures to inform the telephone service operator who provided the subscriber’s data to it, as well as other directory providers to whom it provided such data, of the withdrawal of consent by that subscriber.
A national supervisory authority may order the directory provider from whom the subscriber of a telephone service operator has requested their data no longer be published to take “reasonable steps” to inform search engine providers of this request to delete the data.