EU—The Factoring Company of an ISP Should Act as a Data Processor, Rules CJEU
By Pascale Gelly, CIPP/E
The Court of Justice of the European Union (CJEU) ruled on November 22, 2012, that factoring agreements must be contemplated also under a data protection angle.
The ISP Verizon had assigned the receivables it had over an Internet user to a factoring company. To avoid paying the amounts due, the user claimed that the factoring agreement was invalid as it breached the obligation of secrecy of telecommunications, preventing the ISP from disclosing personal data about its subscribers.
Had this argument prevailed, it would have caused a real commotion in the e-economy. However, the German competent court pointed that under German telecom law, the ISP can “contract with a third party with respect to the collection of the charges for service.” It is then “entitled to pass on the data in so far as that data transfer is necessary for the collection of charges and for drawing up a detailed bill.”
The court made an extensive interpretation of this text considering that it applies not only to service contracts but also to “contracts for assignment, in particular contracts for the purchase of debts, and which provide that the rights assigned belong definitely to the assignee both in legal and economic terms.”
Still, the German court found the need to refer a question to the CJEU for a preliminary ruling on the interpretation of Articles 6(2) and (5) of the 2002 e-Privacy Directive, which allow the processing of necessary traffic data for billing purposes provided processing is “restricted to persons acting under the authority of provider of the public communications networks and publicly available electronic communication services handling billing” and “must be restricted to what is necessary for the purposes of such activities.”
The CJEU first ruled that the e-Privacy Directive allows to transfer traffic data not only for mere “billing” purposes, as stated in Article 6(5), but also for debt collection purposes as can be implied from Article 6(2).
Moreover, the CJEU gives an interpretation of what must be understood by “under the authority” of the ISP. Although the factoring company is an independent contracting party, because it receives personal data under an exception to the secrecy of communications, it will lose some of its independence with regard to the processing of personal data and will have to act under the sole instruction and control of the e-communications supplier. These two features correspond to the controller-processor relationship of Directive 95/CE/EC.
As a consequence, assignment of debts can occur between ISPs and factoring companies provided that only necessary data is transferred and that they enter into a contract including purpose limitation clauses, confidentiality and security commitments, return or erasure obligations when data is no longer needed for debt collection and ways for the ISP to verify compliance “on the part of the assignee, which may, on simple request, be obliged to erase or to return the traffic data.”
Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at email@example.com.