The European Court of Justice Rules That Austria's Data Protection Authority Is Not Sufficiently Independent
On 16 October 2012, the Court of Justice of the European Union (“CJEU”) ruled in favour of the European Commission in its claim against Austria that the Austrian Data Protection Authority, the Datenschutzkommission (“DSK”), was not independent from the Austrian government as required under Article 28 of the EU’s Data Protection Directive. The Commission’s action was supported by the European Data Protection Supervisor ("EDPS"); Austria’s defence was supported by Germany.
Article 28, which was the focus of the case, requires data protection authorities to “act with complete independence in exercising the functions entrusted to them”. This principle is also made clear in the Charter of Fundamental Rights of the EU and in the Treaty on the Functioning of the EU ("TFEU").
The Commission argued that part of Article 28 had been incorrectly transposed into Austrian law, because the relevant provision in Austrian law did not allow the DSK to act “with complete independence”. The Commission was concerned that the DSK had been too closely integrated, structurally and substantively, with the Austrian Federal Chancellery, compromising the DSK’s purported independence. More specifically, under the Austrian-implemented law, members of the DSK were only asked to work for the DSK on a part-time basis, and the manager of the DSK was, at the same time, a federal Austrian official, who was also bound to follow the Austrian government’s instructions. DSK staff members were also placed under the authority of the Federal Chancellery, and the Federal Chancellor had a right to ask for (and receive) any information about the DSK’s work. The Commission’s argument was that these links to the Austrian government, which were extensive, would undermine the appearance of the DSK’s impartiality, and subject the DSK to indirect (or possibly direct) influence from the Federal Chancellery.
This is not the first case relating to the independence of data protection authorities ("DPAs"). In an earlier case, against Germany, the CJEU followed a similar logic, and clearly stated that DPAs must remain free from any direct or indirect external influence that could affect the performance of their duties, or their decision-making processes.