Brussels, Tuesday 16 October 2012
Today, the Court of Justice of the European Union ruled that the Austrian Data Protection Authority, the Datenschutzkommisson (DSK), does not fulfil the requirements of independence as outlined in the European Data Protection Directive.
In particular, the Court said that the DSK's functional independence from the Government as provided for under Austrian law was not sufficient, and that its close ties with the Federal Chancellery prevent the DSK from being above all suspicion of partiality.
Peter Hustinx, EDPS, says: "Once again, the Court has underlined the legal obligation of complete independence in a data protection authority, this time in Austria. This ruling supports the importance of data protection as a fundamental right and the need for impartiality in order to safeguard it effectively in national law. The court decision is also important for the review of the data protection framework which must strengthen the role of the data protection authorities."
The Court criticised the central role in the DSK of the managing member who is a career official within the Federal Chancellery, that the staff of the DSK are civil servants of the Federal Chancellery and that the Chancellor has the right to be informed of all the activities of the DSK. However, the Court did not comment on the activities of the DSK as such.
Further to his intervention in the case, the EDPS welcomes that the Court, in a second case, attaches such importance to the independence of data protection authorities. By referring to the EU Charter of Fundamental Rights, the Court has highlighted that truly independent data protection authorities are intrinsic to the work carried out in the data protection field.
An infringement procedure was brought by the Commission against Austria, because it believed that the way in which the Austrian Data Protection Authority (DPA) has been set up is not in conformity with the EU Data Protection Directive. The Commission claimed that the independence of the Austrian DPA is not sufficiently assured, due predominantly to the close ties between the DPA and the Federal Chancellery. The case was brought before the Court of Justice and on 25 April 2012, the EDPS participated as an intervening party in support of the Commission at the hearing.
In legal terms, the case is comparable to the Commission v. Germany (C-518/07), in which the EDPS
also acted as an intervening party in support of the Commission. In its judgment of 9 March 2010, the
Court considered that DPAs should be free from any external influence, whether direct or indirect. The
mere risk of an external influence is sufficient to conclude that the DPA cannot act with complete independence. In the case against Austria, the Court was asked to provide further clarity on the requirements of independence.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:
For more information: firstname.lastname@example.org
EDPS - The European guardian of data protection
Follow us on Twitter: @EU_EDPS