EU judge scolds Austria: Data sheriffs must be properly independent

You in the back, stop whispering with the chancellor ...

EU countries that merely provide for their appointed data protection authorities to have "functional independence" cannot be said to be compliant with EU law, the Court of Justice of the European Union has ruled.

For a DPA to be said to have "complete independence", its staff must not share the same offices as Government officials and the authority must not, by law, be required to provide Government officials with "unconditional" access to information about its work, the Court said. In addition, the individual who heads up a DPA must not also hold a role within Government, it ruled.

However, the CJEU said that DPAs "need not be given a separate budget" from government departments "in order to be able to satisfy the criterion of independence".

The CJEU was ruling in a case brought by the European Commission in which the Commission argued that Austria had acted in breach of EU law by failing to allow its appointed DPA, the Datenschutzkommission (DSK), to act with "complete independence" from the Austrian government.

The Court upheld the Commission's complaint and rejected Austria's claims that the DSK was independent of government because it had "functional independence".

"The fact that the DSK has functional independence in so far as ... its members are ‘independent and [are not] bound by instructions of any kind in the performance of their duties’ is, admittedly, an essential condition in order for that authority to satisfy the criterion of independence within the meaning of the [EU's Data Protection Directive]," the CJEU said in its ruling. "However, contrary to what the Republic of Austria maintains, such functional independence is not by itself sufficient to protect that supervisory authority from all external influence."

"The independence required under the [Directive] is intended to preclude not only direct influence, in the form of instructions, but also ... any indirect influence which is liable to have an effect on the supervisory authority’s decisions," the Court said. It ruled, though, that Austrian law had precluded the DSK from acting with complete independence.

Under the EU's Data Protection Directive, member state governments are required to appoint a public body to be responsible for monitoring compliance with data protection law in their nations. The UK watchdog responsible for performing this duty is the Information Commissioner. The Directive requires that the authorities "act with complete independence in exercising the functions entrusted to them."

You're supervised by whom?

The CJEU raised concerns with the supervisory arrangements of the DSK in Austria after discovering that the "managing member" of Austria's DSK has a "service-related link" to the Federal Chancellery that means that that individual is supervised by a "hierarchical superior" at the Chancellery.

"Even if [Austrian law] is designed to prevent the hierarchical superior from issuing instructions to the managing member, the fact remains that [another part of Austrian law] confers on the hierarchical superior a power of supervision that is liable to hinder the DSK’s operational independence," the CJEU said.

"Suffice it to point out, in this regard, that it is conceivable that the evaluation of the managing member of the DSK by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of ‘prior compliance’ on the part of the managing member. Moreover, by reason of the links that the managing member of the DSK has with the political body, which is subject to the supervision of the DSK, the latter is not above all suspicion of partiality," it added.

Under Austrian law the "Federal Chancellery is required to make available to the DSK office the necessary equipment and staff," according to the CJEU ruling. However, the Court said the office arrangements for DSK staff were unsuitable because they left the operation of the authority open to influence. This was because the DSK office is integrated with "departments of the Federal Chancellery", it said.

"The attribution of the necessary equipment and staff to such authorities must not prevent them from acting ‘with complete independence’ in exercising the functions entrusted to them," the Court said. "The regulatory framework in force in Austria fails, however, to satisfy that ... condition."

"The staff made available to the DSK office consists of officials of the Federal Chancellery who are subject to supervision by the Federal Chancellery ... However, such supervision by the State is not compatible with the requirement of independence set out in the [EU's Data Protection Directive] ... The Republic of Austria’s argument that the organisation of the office cannot affect the DSK’s independence in so far as the office implements only decisions of the DSK must be rejected," the CJEU added.

"The fact that the office is composed of officials of the Federal Chancellery, which is itself subject to supervision by the DSK, carries a risk of influence over the decisions of the DSK," it said. "In any event, such an organisational overlap between the DSK and the Federal Chancellery prevents the DSK from being above all suspicion of partiality and is therefore incompatible with the requirement of ‘independence’ within the meaning of the [Directive]."

Under Austrian law the "Federal Chancellor has the right to be informed at all times by the chairman and the managing member of all aspects of the work of the DSK," according to the CJEU's ruling. This arrangement meant that the impartiality of the DSK could be called into question, the Court said.

"Such a right to information is also liable to subject the DSK to indirect influence from the Federal Chancellor which is incompatible with the criterion of independence ... Suffice it to note in this regard, first, that the right to information is far-reaching inasmuch as it covers ‘all aspects of the work of the DSK’ and, second, that it is unconditional," the CJEU said. "In those circumstances, the right to information set out in [Austrian law] precludes the DSK from being capable of being regarded as operating, in all circumstances, above all suspicion of partiality."

The CJEU's judgment was welcomed by the European Data Protection Supervisor, the watchdog responsible for advising the EU institutions on their own data protection compliance issues.

Peter Hustinx, EDPS, said: "This ruling supports the importance of data protection as a fundamental right and the need for impartiality in order to safeguard it effectively in national law. The court decision is also important for the review of the data protection framework which must strengthen the role of the data protection authorities."

Under the UK's Data Protection Act the Information Commissioner is compelled to undertake certain duties. The Commissioner is required to report annually to Parliament on the "exercise of his functions" under the Act and can be ordered to comply with a "direction" of the Justice Secretary to lay before Parliament "codes of practice for guidance as to good practice" on data protection issues.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
