EU judge scolds Austria: Data sheriffs must be properly independent
You in the back, stop whispering with the chancellor ...
EU countries that merely provide for their appointed data protection authorities to have "functional independence" cannot be said to be compliant with EU law, the Court of Justice of the European Union has ruled.
In order to be said to have "complete independence", DPA staff must not share the same offices as Government officials and the authority must not, by law, be required to provide Government officials with "unconditional" access to information about its work, the Court said. In addition, the individual who heads up a DPA must not also hold a role within Government, it ruled.
However, the CJEU said that DPAs "need not be given a separate budget" from government departments "in order to be able to satisfy the criterion of independence".
The CJEU was ruling in a case brought by the European Commission in which the Commission argued that Austria had acted in breach of EU law by failing to allow its appointed DPA, the Datenschutzkommission (DSK), to act with "complete independence" from the Austrian government.
The Court upheld the Commission's complaint and rejected Austria's claims that the DSK was independent of government because it had "functional independence".
"The fact that the DSK has functional independence in so far as ... its members are ‘independent and [are not] bound by instructions of any kind in the performance of their duties’ is, admittedly, an essential condition in order for that authority to satisfy the criterion of independence within the meaning of the [EU's Data Protection Directive]," the CJEU said in its ruling. "However, contrary to what the Republic of Austria maintains, such functional independence is not by itself sufficient to protect that supervisory authority from all external influence."
"The independence required under the [Directive] is intended to preclude not only direct influence, in the form of instructions, but also ... any indirect influence which is liable to have an effect on the supervisory authority’s decisions," the Court said. It ruled, though, that Austrian law had precluded the DSK from acting with complete independence.
Under the EU's Data Protection Directive, member state governments are required to appoint a public body to be responsible for monitoring compliance with data protection law in their nations. The UK watchdog responsible for performing this duty is the Information Commissioner. The Directive requires that the authorities "act with complete independence in exercising the functions entrusted to them."
You're supervised by whom?
The CJEU raised concerns with the supervisory arrangements of the DSK in Austria after discovering that the "managing member" of Austria's DSK has a "service-related link" to the Federal Chancellery, which means that the individual is supervised by a "hierarchical superior" at the Chancellery.
"Even if [Austrian law] is designed to prevent the hierarchical superior from issuing instructions to the managing member, the fact remains that [another part of Austrian law] confers on the hierarchical superior a power of supervision that is liable to hinder the DSK’s operational independence," the CJEU said.
"Suffice it to point out, in this regard, that it is conceivable that the evaluation of the managing member of the DSK by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of ‘prior compliance’ on the part of the managing member. Moreover, by reason of the links that the managing member of the DSK has with the political body, which is subject to the supervision of the DSK, the latter is not above all suspicion of partiality," it added.
Under Austrian law the "Federal Chancellery is required to make available to the DSK office the necessary equipment and staff," according to the CJEU ruling. However, the Court said the office arrangements for DSK staff were unsuitable because they left the operation of the authority open to influence. This was because the DSK office is integrated with "departments of the Federal Chancellery", it said.
"The attribution of the necessary equipment and staff to such authorities must not prevent them from acting ‘with complete independence’ in exercising the functions entrusted to them," the Court said. "The regulatory framework in force in Austria fails, however, to satisfy that ... condition."
"The staff made available to the DSK office consists of officials of the Federal Chancellery who are subject to supervision by the Federal Chancellery ... However, such supervision by the State is not compatible with the requirement of independence set out in the [EU's Data Protection Directive] ... The Republic of Austria’s argument that the organisation of the office cannot affect the DSK’s independence in so far as the office implements only decisions of the DSK must be rejected," the CJEU added.
"The fact that the office is composed of officials of the Federal Chancellery, which is itself subject to supervision by the DSK, carries a risk of influence over the decisions of the DSK," it said. "In any event, such an organisational overlap between the DSK and the Federal Chancellery prevents the DSK from being above all suspicion of partiality and is therefore incompatible with the requirement of ‘independence’ within the meaning of the [Directive]."
Under Austrian law the "Federal Chancellor has the right to be informed at all times by the chairman and the managing member of all aspects of the work of the DSK," according to the CJEU's ruling. This arrangement meant that the impartiality of the DSK could be called into question, the Court said.
"Such a right to information is also liable to subject the DSK to indirect influence from the Federal Chancellor which is incompatible with the criterion of independence ... Suffice it to note in this regard, first, that the right to information is far-reaching inasmuch as it covers ‘all aspects of the work of the DSK’ and, second, that it is unconditional," the CJEU said. "In those circumstances, the right to information set out in [Austrian law] precludes the DSK from being capable of being regarded as operating, in all circumstances, above all suspicion of partiality."
The CJEU's judgment was welcomed by the European Data Protection Supervisor, the watchdog responsible for advising the EU institutions on their own data protection compliance issues.
Peter Hustinx, EDPS, said: "This ruling supports the importance of data protection as a fundamental right and the need for impartiality in order to safeguard it effectively in national law. The court decision is also important for the review of the data protection framework which must strengthen the role of the data protection authorities."
Under the UK's Data Protection Act the Information Commissioner is compelled to undertake certain duties. The Commissioner is required to report annually to Parliament on the "exercise of his functions" under the Act and can be ordered to comply with a "direction" of the Justice Secretary to lay before Parliament "codes of practice for guidance as to good practice" on data protection issues.
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.