
EU judge scolds Austria: Data sheriffs must be properly independent

You in the back, stop whispering with the chancellor ...


EU countries that merely provide for their appointed data protection authorities to have "functional independence" cannot be said to be compliant with EU law, the Court of Justice of the European Union has ruled.

In order to be said to have "complete independence", DPA staff must not share the same offices as Government officials and the authority must not, by law, be required to provide Government officials with "unconditional" access to information about its work, the Court said. In addition, the individual who heads up a DPA must not also hold a role within Government, it ruled.

However, the CJEU said that DPAs "need not be given a separate budget" from government departments "in order to be able to satisfy the criterion of independence".

The CJEU was ruling in a case brought by the European Commission in which the Commission argued that Austria had acted in breach of EU law by failing to allow its appointed DPA, the Datenschutzkommission (DSK), to act with "complete independence" from the Austrian government.

The Court upheld the Commission's complaint and rejected Austria's claims that the DSK was independent of government because it had "functional independence".

"The fact that the DSK has functional independence in so far as ... its members are ‘independent and [are not] bound by instructions of any kind in the performance of their duties’ is, admittedly, an essential condition in order for that authority to satisfy the criterion of independence within the meaning of the [EU's Data Protection Directive]," the CJEU said in its ruling. "However, contrary to what the Republic of Austria maintains, such functional independence is not by itself sufficient to protect that supervisory authority from all external influence."

"The independence required under the [Directive] is intended to preclude not only direct influence, in the form of instructions, but also ... any indirect influence which is liable to have an effect on the supervisory authority’s decisions," the Court said. It ruled, though, that Austrian law had precluded the DSK from acting with complete independence.

Under the EU's Data Protection Directive, member state governments are required to appoint a public body to be responsible for monitoring compliance with data protection law in their nations. The UK watchdog responsible for performing this duty is the Information Commissioner. The Directive requires that the authorities "act with complete independence in exercising the functions entrusted to them."

You're supervised by whom?

The CJEU raised concerns with the supervisory arrangements of the DSK in Austria after discovering that the "managing member" of Austria's DSK has a "service-related link" to the Federal Chancellery that means that that individual is supervised by a "hierarchical superior" at the Chancellery.

"Even if [Austrian law] is designed to prevent the hierarchical superior from issuing instructions to the managing member, the fact remains that [another part of Austrian law] confers on the hierarchical superior a power of supervision that is liable to hinder the DSK’s operational independence," the CJEU said.

"Suffice it to point out, in this regard, that it is conceivable that the evaluation of the managing member of the DSK by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of ‘prior compliance’ on the part of the managing member. Moreover, by reason of the links that the managing member of the DSK has with the political body, which is subject to the supervision of the DSK, the latter is not above all suspicion of partiality," it added.

Under Austrian law the "Federal Chancellery is required to make available to the DSK office the necessary equipment and staff," according to the CJEU ruling. However, the Court said the office arrangements for DSK staff were unsuitable because they left the operation of the authority open to influence. This was because the DSK office is integrated with "departments of the Federal Chancellery", it said.

"The attribution of the necessary equipment and staff to such authorities must not prevent them from acting ‘with complete independence’ in exercising the functions entrusted to them," the Court said. "The regulatory framework in force in Austria fails, however, to satisfy that ... condition."

"The staff made available to the DSK office consists of officials of the Federal Chancellery who are subject to supervision by the Federal Chancellery ... However, such supervision by the State is not compatible with the requirement of independence set out in the [EU's Data Protection Directive] ... The Republic of Austria’s argument that the organisation of the office cannot affect the DSK’s independence in so far as the office implements only decisions of the DSK must be rejected," the CJEU added.

"The fact that the office is composed of officials of the Federal Chancellery, which is itself subject to supervision by the DSK, carries a risk of influence over the decisions of the DSK," it said. "In any event, such an organisational overlap between the DSK and the Federal Chancellery prevents the DSK from being above all suspicion of partiality and is therefore incompatible with the requirement of ‘independence’ within the meaning of the [Directive]."

Under Austrian law the "Federal Chancellor has the right to be informed at all times by the chairman and the managing member of all aspects of the work of the DSK," according to the CJEU's ruling. This arrangement meant that the impartiality of the DSK could be called into question, the Court said.

"Such a right to information is also liable to subject the DSK to indirect influence from the Federal Chancellor which is incompatible with the criterion of independence ... Suffice it to note in this regard, first, that the right to information is far-reaching inasmuch as it covers ‘all aspects of the work of the DSK’ and, second, that it is unconditional," the CJEU said. "In those circumstances, the right to information set out in [Austrian law] precludes the DSK from being capable of being regarded as operating, in all circumstances, above all suspicion of partiality."

The CJEU's judgment was welcomed by the European Data Protection Supervisor, the watchdog responsible for advising the EU institutions on their own data protection compliance issues.

Peter Hustinx, EDPS, said: "This ruling supports the importance of data protection as a fundamental right and the need for impartiality in order to safeguard it effectively in national law. The court decision is also important for the review of the data protection framework which must strengthen the role of the data protection authorities."

Under the UK's Data Protection Act the Information Commissioner is compelled to undertake certain duties. The Commissioner is required to report annually to Parliament on the "exercise of his functions" under the Act and can be ordered to comply with a "direction" of the Justice Secretary to lay before Parliament "codes of practice for guidance as to good practice" on data protection issues.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
