EU judge scolds Austria: Data sheriffs must be properly independent

You in the back, stop whispering with the chancellor ...

EU countries that merely provide for their appointed data protection authorities to have "functional independence" cannot be said to be compliant with EU law, the Court of Justice of the European Union has ruled.

In order to be said to have "complete independence", DPA staff must not share the same offices as Government officials and the authority must not, by law, be required to provide Government officials with "unconditional" access to information about its work, the Court said. In addition, the individual who heads up a DPA must not also hold a role within Government, it ruled.

However, the CJEU said that DPAs "need not be given a separate budget" from government departments "in order to be able to satisfy the criterion of independence".

The CJEU was ruling in a case brought by the European Commission in which the Commission argued that Austria had acted in breach of EU law by failing to allow its appointed DPA, the Datenschutzkommission (DSK), to act with "complete independence" from the Austrian government.

The Court upheld the Commission's complaint and rejected Austria's claims that the DSK was independent of government because it had "functional independence".

"The fact that the DSK has functional independence in so far as ... its members are ‘independent and [are not] bound by instructions of any kind in the performance of their duties’ is, admittedly, an essential condition in order for that authority to satisfy the criterion of independence within the meaning of the [EU's Data Protection Directive]," the CJEU said in its ruling. "However, contrary to what the Republic of Austria maintains, such functional independence is not by itself sufficient to protect that supervisory authority from all external influence."

"The independence required under the [Directive] is intended to preclude not only direct influence, in the form of instructions, but also ... any indirect influence which is liable to have an effect on the supervisory authority’s decisions," the Court said. It ruled, though, that Austrian law had precluded the DSK from acting with complete independence.

Under the EU's Data Protection Directive, member state governments are required to appoint a public body to be responsible for monitoring compliance with data protection law in their nations. The UK watchdog responsible for performing this duty is the Information Commissioner. The Directive requires that the authorities "act with complete independence in exercising the functions entrusted to them."

You're supervised by whom?

The CJEU raised concerns with the supervisory arrangements of the DSK in Austria after discovering that the "managing member" of Austria's DSK has a "service-related link" to the Federal Chancellery, which means that the individual is supervised by a "hierarchical superior" at the Chancellery.

"Even if [Austrian law] is designed to prevent the hierarchical superior from issuing instructions to the managing member, the fact remains that [another part of Austrian law] confers on the hierarchical superior a power of supervision that is liable to hinder the DSK’s operational independence," the CJEU said.

"Suffice it to point out, in this regard, that it is conceivable that the evaluation of the managing member of the DSK by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of ‘prior compliance’ on the part of the managing member. Moreover, by reason of the links that the managing member of the DSK has with the political body, which is subject to the supervision of the DSK, the latter is not above all suspicion of partiality," it added.

Under Austrian law the "Federal Chancellery is required to make available to the DSK office the necessary equipment and staff," according to the CJEU ruling. However, the Court said the office arrangements for DSK staff were unsuitable because they left the operation of the authority open to influence. This was because the DSK office is integrated with "departments of the Federal Chancellery", it said.

"The attribution of the necessary equipment and staff to such authorities must not prevent them from acting ‘with complete independence’ in exercising the functions entrusted to them," the Court said. "The regulatory framework in force in Austria fails, however, to satisfy that ... condition."

"The staff made available to the DSK office consists of officials of the Federal Chancellery who are subject to supervision by the Federal Chancellery ... However, such supervision by the State is not compatible with the requirement of independence set out in the [EU's Data Protection Directive] ... The Republic of Austria’s argument that the organisation of the office cannot affect the DSK’s independence in so far as the office implements only decisions of the DSK must be rejected," the CJEU added.

"The fact that the office is composed of officials of the Federal Chancellery, which is itself subject to supervision by the DSK, carries a risk of influence over the decisions of the DSK," it said. "In any event, such an organisational overlap between the DSK and the Federal Chancellery prevents the DSK from being above all suspicion of partiality and is therefore incompatible with the requirement of ‘independence’ within the meaning of the [Directive]."

Under Austrian law the "Federal Chancellor has the right to be informed at all times by the chairman and the managing member of all aspects of the work of the DSK," according to the CJEU's ruling. This arrangement meant that the impartiality of the DSK could be called into question, the Court said.

"Such a right to information is also liable to subject the DSK to indirect influence from the Federal Chancellor which is incompatible with the criterion of independence ... Suffice it to note in this regard, first, that the right to information is far-reaching inasmuch as it covers ‘all aspects of the work of the DSK’ and, second, that it is unconditional," the CJEU said. "In those circumstances, the right to information set out in [Austrian law] precludes the DSK from being capable of being regarded as operating, in all circumstances, above all suspicion of partiality."

The CJEU's judgment was welcomed by the European Data Protection Supervisor, the watchdog responsible for advising the EU institutions on their own data protection compliance issues.

Peter Hustinx, EDPS, said: "This ruling supports the importance of data protection as a fundamental right and the need for impartiality in order to safeguard it effectively in national law. The court decision is also important for the review of the data protection framework which must strengthen the role of the data protection authorities."

Under the UK's Data Protection Act the Information Commissioner is compelled to undertake certain duties. The Commissioner is required to report annually to Parliament on the "exercise of his functions" under the Act and can be ordered to comply with a "direction" of the Justice Secretary to lay before Parliament "codes of practice for guidance as to good practice" on data protection issues.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
