EU judge scolds Austria: Data sheriffs must be properly independent

You in the back, stop whispering with the chancellor ...

EU countries that merely provide for their appointed data protection authorities (DPAs) to have "functional independence" cannot be said to be compliant with EU law, the Court of Justice of the European Union has ruled.

In order to be said to have "complete independence", DPA staff must not share the same offices as Government officials and the authority must not, by law, be required to provide Government officials with "unconditional" access to information about its work, the Court said. In addition, the individual who heads up a DPA must not also hold a role within Government, it ruled.

However, the CJEU said that DPAs "need not be given a separate budget" from government departments "in order to be able to satisfy the criterion of independence".

The CJEU was ruling in a case brought by the European Commission in which the Commission argued that Austria had acted in breach of EU law by failing to allow its appointed DPA, the Datenschutzkommission (DSK), to act with "complete independence" from the Austrian government.

The Court upheld the Commission's complaint and rejected Austria's claims that the DSK was independent of government because it had "functional independence".

"The fact that the DSK has functional independence in so far as ... its members are ‘independent and [are not] bound by instructions of any kind in the performance of their duties’ is, admittedly, an essential condition in order for that authority to satisfy the criterion of independence within the meaning of the [EU's Data Protection Directive]," the CJEU said in its ruling. "However, contrary to what the Republic of Austria maintains, such functional independence is not by itself sufficient to protect that supervisory authority from all external influence."

"The independence required under the [Directive] is intended to preclude not only direct influence, in the form of instructions, but also ... any indirect influence which is liable to have an effect on the supervisory authority’s decisions," the Court said. It ruled, though, that Austrian law had precluded the DSK from acting with complete independence.

Under the EU's Data Protection Directive, member state governments are required to appoint a public body to be responsible for monitoring compliance with data protection law in their nations. The UK watchdog responsible for performing this duty is the Information Commissioner. The Directive requires that the authorities "act with complete independence in exercising the functions entrusted to them."

You're supervised by whom?

The CJEU raised concerns with the supervisory arrangements of the DSK in Austria after discovering that the "managing member" of Austria's DSK has a "service-related link" to the Federal Chancellery, which means that the individual is supervised by a "hierarchical superior" at the Chancellery.

"Even if [Austrian law] is designed to prevent the hierarchical superior from issuing instructions to the managing member, the fact remains that [another part of Austrian law] confers on the hierarchical superior a power of supervision that is liable to hinder the DSK’s operational independence," the CJEU said.

"Suffice it to point out, in this regard, that it is conceivable that the evaluation of the managing member of the DSK by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of ‘prior compliance’ on the part of the managing member. Moreover, by reason of the links that the managing member of the DSK has with the political body, which is subject to the supervision of the DSK, the latter is not above all suspicion of partiality," it added.

Under Austrian law the "Federal Chancellery is required to make available to the DSK office the necessary equipment and staff," according to the CJEU ruling. However, the Court said the office arrangements for DSK staff were unsuitable because they left the operation of the authority open to influence. This was because the DSK office is integrated with "departments of the Federal Chancellery", it said.

"The attribution of the necessary equipment and staff to such authorities must not prevent them from acting ‘with complete independence’ in exercising the functions entrusted to them," the Court said. "The regulatory framework in force in Austria fails, however, to satisfy that ... condition."

"The staff made available to the DSK office consists of officials of the Federal Chancellery who are subject to supervision by the Federal Chancellery ... However, such supervision by the State is not compatible with the requirement of independence set out in the [EU's Data Protection Directive] ... The Republic of Austria’s argument that the organisation of the office cannot affect the DSK’s independence in so far as the office implements only decisions of the DSK must be rejected," the CJEU added.

"The fact that the office is composed of officials of the Federal Chancellery, which is itself subject to supervision by the DSK, carries a risk of influence over the decisions of the DSK," it said. "In any event, such an organisational overlap between the DSK and the Federal Chancellery prevents the DSK from being above all suspicion of partiality and is therefore incompatible with the requirement of ‘independence’ within the meaning of the [Directive]."

Under Austrian law the "Federal Chancellor has the right to be informed at all times by the chairman and the managing member of all aspects of the work of the DSK," according to the CJEU's ruling. This arrangement meant that the impartiality of the DSK could be called into question, the Court said.

"Such a right to information is also liable to subject the DSK to indirect influence from the Federal Chancellor which is incompatible with the criterion of independence ... Suffice it to note in this regard, first, that the right to information is far-reaching inasmuch as it covers ‘all aspects of the work of the DSK’ and, second, that it is unconditional," the CJEU said. "In those circumstances, the right to information set out in [Austrian law] precludes the DSK from being capable of being regarded as operating, in all circumstances, above all suspicion of partiality."

The CJEU's judgment was welcomed by the European Data Protection Supervisor, the watchdog responsible for advising the EU institutions on their own data protection compliance issues.

Peter Hustinx, EDPS, said: "This ruling supports the importance of data protection as a fundamental right and the need for impartiality in order to safeguard it effectively in national law. The court decision is also important for the review of the data protection framework which must strengthen the role of the data protection authorities."

Under the UK's Data Protection Act the Information Commissioner is compelled to undertake certain duties. The Commissioner is required to report annually to Parliament on the "exercise of his functions" under the Act and can be ordered to comply with a "direction" of the Justice Secretary to lay before Parliament "codes of practice for guidance as to good practice" on data protection issues.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
