Data Protection – independence of regulatory authorities
Last week the ECJ handed down a judgment on what Art 28 of the Data Protection Directive meant. The directive requires member states to set up regulatory authorities who are to ‘act with complete independence in exercising the functions entrusted to them’. The Commission (and European Data Protection Supervisor) took a broader view of this requirement than that taken by the German government. The Court summarised the Commission’s argument as meaning the requirement ‘must be interpreted as meaning that a supervising authority must be free from any influence, whether that influence is exercised by other authorities or outside the administration.’ The German government argued that only ‘functional independence’ was required. The Court was persuaded by the Commission’s argument. Interestingly, it based part of its argument on the normal meaning of the relevant words, as ‘with complete independence’ is not defined in the Data Protection Directive, concluding that ‘In relation to a public body, the term ‘independence’ normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure.’ Conversely, ‘there is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision.’ The ECJ also relied on the fact that the independent authorities have the role of being guardians of certain fundamental rights (Article 8 ECHR). The court’s final argument in support of a broader interpretation of the requirement was based on the terms of Article 44 of Regulation No 45/2001 (which establishes the EDPS). The ECJ concluded: ‘the supervisory authorities responsible for supervising the processing of personal data outside the public sector must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes not only any influence exercised by the supervised bodies, but also any directions or any other external influence, whether direct or indirect, which could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data.’ The EDPS greeted the ruling positively, stating the judgment has consequences not just for the German system. This is undoubtedly true. We might question, however, whether that is the limit of the ruling’s impact. Other areas of EU require regulatory bodies (such as audiovisual media services); most of the arguments (with the exception of the last one) can be used in relation to the other regulators too.
See decision in Case C-518/07 Commission v. Germany, judgment 9th March 2010