The Independence of EU Data Protection Authorities: Case Law of the European Court of Justice

National data protection authorities (“DPAs”) are key elements of the EU data protection system as regulated by Directive 95/46/EC (the “Data Protection Directive”)¹. EU member state DPAs are the supervisory authorities that guarantee that the rights and freedoms of individuals are respected by not only the member states but also private parties².

On October 16, 2012, the European Court of Justice (“ECJ”) issued its decision in a landmark case regarding the requirements for the independence of DPAs (see WDPR, October 2012, page 32). The ECJ’s decision in Commission v Austria
³ was the Court’s second major decision on the interpretation of the concept of independence. Its first decision, in Commission v Germany
⁴, set out basic principles regarding the independent operation of DPAs. In the Austrian case, the Court further elaborated on its interpretation of its requirements. A third major decision is to be decided by the ECJ in the future: The Commission has brought Hungary to the Court⁵ (see WDPR, January 2012, page 29) following the premature dismissal of its data protection commissioner after his investigations of certain controversial government data processing practices (see analysis by the author at WDPR, November 2011, page 4).

This article discusses the three ECJ cases on the interpretation of the concept of “complete independence”, focusing on the Austrian case.

Legal Background, Provisions and Requirements of the Data Protection Directive

Pursuant to Article 1 of the Data Protection Directive, the object of the Directive is to protect the fundamental rights and freedoms of natural persons, and, in particular, their right to privacy with respect to the processing of personal data. Further, Article 1 (2) states that such protection cannot justify any restriction or prohibition of the free flow of personal data between EU member states. As an explanation, Recital 62 of the Data Protection Directive clearly states that the establishment in member states of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals. Thus, it is a key element that there is an independent authority operating in each member state as a guarantee for the proper balance between the rights of individuals and the free movement of data within the territory of the European Union.

Article 28 of the Data Protection Directive describes the role of DPAs as follows:

Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive. These authorities shall act with complete independence in exercising the functions entrusted to them⁶.

The Case Involving Germany: A Broad Interpretation of the Term ‘Complete Independence’

In Commission v Germany, which the ECJ decided in 2010, the main concern of the European Commission was that certain DPAs operating at the Länder level and supervising non-public data controllers in Germany were subject to state oversight. Germany argued that “complete independence” as set out by the Data Protection Directive shall mean that these supervisory authorities shall be independent from the bodies outside the public sector which are under their supervision. According to the narrow interpretation of the German state, “complete independence” can involve state scrutiny in these cases, since it “does not constitute … external influence, but rather the administration’s internal monitoring mechanism”.

The Commission, supported by the European Data Protection Supervisor (“EDPS”) as intervener, proposed another, wider interpretation: Complete independence means that “a supervising authority must be free from any influence, whether that influence is exercised by other authorities or outside the administration”, and, thus, state scrutiny by member states may constitute a breach of the requirement of independence.

In its landmark decision, the ECJ embraced the broader interpretation of the Commission:

the second subparagraph of Article 28(1) of Directive 95/46 is to be interpreted as meaning that the supervisory authorities responsible for supervising the processing of personal data outside the public sector must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes not only any influence exercised by the supervised bodies, but also any directions or any other external influence, whether direct or indirect, which could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data⁷.

The Case Involving Austria: Requirements Regarding the Status of DPAs

The Commission criticized the Republic of Austria on the ground that its legislation does not satisfy the requirement of complete independence of the supervisory authority. According to the claim of the Commission, the difficulty arises from the facts that:

• the position of managing member of the local DPA (the Datenschutzkommission, or “DSK”) is held by an official of the Federal Chancellery;

• the DSK office is integrated with the Federal Chancellery; and

• the Federal Chancellor has an unfettered right to obtain information from the DSK.

The Commission repeated and cited its broad interpretation of complete independence in its claim.

In its counterclaim, the Republic of Austria took the view that it cannot be inferred from the ECJ’s judgment in Commission v Germany that supervisory authorities must have organic and substantive independence. Austria followed the narrow interpretation, and highlighted that the independence of a supervisory authority was subject to its functional independence, which means that the authority is free to act without having to comply with instructions from the supervised bodies and that it has sufficient independence and impartiality in relation to private individuals.

It must be noted that, in the Commission v Germany case, the Court avoided using terms such as “functional, organic or substantive independence”, even though, as in Commission v Austria, both the Commission and the Federal Republic of Germany used them in the course of their submissions.

The Position of Managing Member of the Local DPA

According to the ECJ, it does not follow from the Austrian legislation that the managing member of the DSK must necessarily be an official of the Federal Chancellery. The ECJ said that the position of managing member is reserved for an official of the federal administration who is a lawyer, which means that the managing member may, but must not necessarily, be an official of the Federal Chancellery. The ECJ came to the conclusion that combining the position of managing member of the DSK with that of a federal official entails a risk of indirect influence of the higher federal authority over the work of the managing member of the DSK, thereby calling into question the DSK’s independence as required by Article 28(1) of the Data Protection Directive.

Integration of the DSK Office with Departments of the Federal Chancellery

The Court held that the structural integration of the DSK office with departments of the Federal Chancellery was not compatible with Article 28(1) of the Data Protection Directive. DSK staff members are, it held, under the authority of the Federal Chancellery and are subject to its administrative supervision. It follows that the DSK office is exposed to potential influence by the Federal Chancellery. That is all the more serious insofar as the Chancellery is, as a public authority, subject to the supervision deemed to be exercised by the DSK. According to the ECJ, the possibility of the Federal Chancellery influencing the work of the DSK is increased by the fact that there is no separate budget line for the DSK and that the DSK’s budget forms part of the Federal Chancellery budget. The ECJ clearly stated that, if a person or entity exercises influence over the office and the staff of the supervisory authority, which is unquestionably the case here, that person or entity consequently exercises influence over the authority as such, a situation which is not compatible with the requirement that the supervisory authority be independent.

Unlimited Right of the Federal Chancellor to Information Concerning the DSK

The ECJ found that the Federal Chancellor’s unlimited right to information concerning the DSK compromises the DSK’s independence, inasmuch as there is a risk that this right might be used to exercise political influence over the DSK; that the DSK office was integrated within the Federal Chancellery; and that, by granting the Federal Chancellor a right to information concerning the DSK, the Republic of Austria incorrectly transposed the requirement laid down by Article 28(1) of the Data Protection Directive that the functions entrusted to supervisory authorities be exercised “with complete independence”.

Based on the above findings, the ECJ came to the conclusion that, by failing to take all of the measures necessary to ensure that the legislation in force in Austria meets the requirement of independence with regard to the DSK, the Republic of Austria failed to fulfill its obligations under the second subparagraph of Article 28(1) of the Data Protection Directive.

The Case Involving Hungary: Premature Dismissal is the Breach of Personal Independence

In the cases brought by the Commission against Germany and Austria, the matter for interpretation was whether the status of a DPA was in line with the requirements of the Data Protection Directive or not. By contrast, in the Hungarian case, the question is whether the reorganization of the data protection supervisory system (by abolishing a DPA before the end of its assigned term and creating a new one) is in compliance with the Data Protection Directive or not.

The data protection commissioner of Hungary was elected by the Parliament in 2008 for a term of six years; however, the governing parties enjoying a supermajority subsequently abolished his office and created a new office, headed by a person nominated by the prime minister. Adding further drama to the situation is that this “reform” took place after serious, ongoing conflicts between the data protection commissioner and the government⁸.

In the view of the Commission, the removal from office before the expiry of the term of the authority responsible for supervising data protection undermines the independence required by the Data Protection Directive of that authority. The Directive does not fix the duration of the term of office of that supervisory authority, so that, in principle, member states are free to fix the term. However, the term of office has to be of reasonable duration, and, once a member state has fixed the duration of that term of office, that duration should be respected. Otherwise, there would be a risk that the exercise of the functions of the supervisory authority would be influenced by the risk of removal from office before the end of his term, and that risk would undermine the independence of that authority.

The Future: The Proposed New EU Regulation

The three cases discussed above show that the requirement for the complete independence of EU member state DPAs is an essential requirement of EU law. Based on the experience of the above cases, the European Commission’s proposed draft regulation to replace the Data Protection Directive (see analysis at WDPR, February 2012, page 4) might contain clearer requirements regarding the independence of DPAs.

Based on the currently available draft regulation⁹, Article 47 (Chapter VI) states:

The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody. Members of the supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not. Members of the supervisory authority shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits. Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board. Each Member State shall ensure that the supervisory authority has its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority. Member States shall ensure that the supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the supervisory authority has separate annual budgets. The budgets shall be made public.

The current draft regulation regulates in detail the appointment and the termination of the heads of the DPAs. In this regard, the text follows the above conclusions of the ECJ, including the statements of the Commission in the ongoing case against Hungary.

The question of “complete independence” is the key element for ensuring the balance between the protection of individuals and the free movement of personal data among the member states, and there will be no question about whether the ECJ follows a narrow interpretation of such concept. On the contrary, the concept of complete independence means structural, economic and personal independence from the government, to ensure that DPAs shall act without any political influence.

Andrea Klára Soós is an Attorney at Law with Soóslaw, Budapest. She may be contacted at andrea.soos@sooslaw.hu.