Brussels, 28 October 2010
Data Protection: Commission to refer Austria to Court for lack of independence of data protection authority
The European Commission has today decided to refer Austria to the Court of Justice regarding the lack of an independent data protection authority. The Commission considers that provisions setting up the Austrian data protection authority do not conform to EU rules, which require Member States to establish a completely independent supervisory body to monitor the application of the 1995 Data Protection Directive (Directive 95/46/EC).
Although Austrian data protection legislation (Datenschutzgesetz 2000) spells out that the authority exercises its functions independently and takes no instruction in their performance, the Commission considers that “complete independence,” as required under EU data protection rules, is not guaranteed because:
the authority remains under the supervision of the Federal Chancellery because it is integrated into the Chancellery in terms of organisation and staff: it controls neither its own staffing nor its equipment and it does not have its own budget
since its creation in 1980, the authority has been run by a senior official of the Chancellery as executive member (“geschäftsführendes Mitglied”), subject to the supervision of the Chancellery
the right of the Chancellor to be informed at all times by the chair and the executive member on all subjects concerning the daily management of the authority potentially hinders the members of the supervisory authority in the independent performance of their tasks.
In a reasoned opinion sent in 2009 under EU infringement procedures, the Commission had asked Austria to revise the way the authority is organised. However, as the Austrian authorities failed to comply with the reasoned opinion, the Commission has decided to refer Austria to the Court of Justice.
The Commission's approach to the independence of data protection authorities reflects the case law of the European Court of Justice. In its ruling of 3 March 2010 (C-518/07), in which Germany was declared in breach of EU rules on the independence of the data protection supervisory authority, the Court confirmed that authorities responsible for the supervision of the processing of personal data have to remain free from any external influence, including the direct or indirect influence of the state. The mere risk of political influence through state scrutiny is sufficient to hinder the independent performance of the supervisory authority's tasks, according to the Court.
Justice Directorate-General Newsroom:
Latest information on infringement proceedings concerning all Member States:
For more information on EU infringement procedures, see MEMO/10/530
Homepage of Vice-President Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship: