On March 9, 2010, the European Court of Justice (Grand Chamber) handed down a very interesting judgment regarding the required degree of independence of the authorities responsible for monitoring compliance with Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (“Data Protection Directive”). The full text of the judgment is available here.
German law made a distinction depending on whether or not the processing of personal data of individuals was carried out by public bodies. More specifically, there was a difference between the authorities entrusted, on the one hand, with monitoring compliance with the provisions concerning data protection by public bodies and, on the other hand, with monitoring compliance with data protection by non-public bodies and undertakings governed by public law which compete on the market (“outside the public sector”). The processing of data by public bodies was supervised at the federal level by the “Federal representative responsible for the protection of personal data and freedom of information” and, at regional level, by the “representatives responsible for the protection of regional data.” Those representatives were solely responsible to their respective parliament and were not normally subject to any scrutiny, instruction or other influence from the public bodies which were the subjects of their supervision. On the other hand, the organization of the authorities responsible for supervising the processing of data by non-public bodies varied among the Länder. However, all the laws at the Länder level expressly subjected those supervisory authorities to State scrutiny.
The Commission requested the Court to declare that, by making the authorities responsible for monitoring the processing of personal data outside the public sector in the different Länder subject to State oversight, and by thus incorrectly transposing the requirement of “complete independence” of the supervisory authorities responsible for ensuring the protection of that data, Germany had failed to fulfill its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC. Pursuant to this provision, entitled “Supervisory authority”,
“(1) Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.
These authorities shall act with complete independence in exercising the functions entrusted to them.”
The question essentially came down to the interpretation of the words “with complete independence” of this provision. The Commission and European Data Protection Supervisor (EDPS) relied on a broad interpretation of this language, construing it to require that a supervising authority must be free from any influence, whether that influence is exercised by other authorities or outside the administration. On the contrary, Germany proposed a narrower interpretation arguing that the Directive required the supervisory authorities to have functional independence in the sense that those authorities must be independent of bodies outside the public sector which are under their supervision and that they must not be exposed to external influences.
The Court stressed that the wording itself of that provision and the aims and scheme of the Directive should be taken into account. First, with regard to the wording, it noted that, because the words ‘with complete independence’ are not defined by the Directive, it is necessary to take their usual meaning into account. “In relation to a public body, the term ‘independence’ normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. Contrary to the position taken by the Federal Republic of Germany, there is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. On the contrary, the concept of ‘independence’ is complemented by the adjective ‘complete’, which implies a decision-making power independent of any direct or indirect external influence on the supervisory authority” (paras. 18-19).
Second, with respect to the objectives of the Data Protection Directive, the Court held that “[t]he guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. It was established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions. It follows that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not of the influence only of the supervised bodies” (para. 25).
Third, as to the scheme of the Data Protection Directive, the Court added that the latter must be understood as the equivalent of Article 286 EC and Regulation No 45/2001 (concerning the processing of personal data by EU institutions). Directive 95/46 also seeks to achieve those aims, but with regard to the processing of such data within the Member States. “In the same way as supervisory bodies exist at national level, a supervisory body responsible for ensuring the application of the rules on the protection of individuals with regard to the processing of personal data is also provided for at European Community level, namely, the EDPS. In accordance with Article 44(1) of Regulation No 45/2001, that body is to perform its duties in complete independence. Article 44(2) thereof clarifies that concept of independence by adding that, in the performance of its duties, the EDPS may neither seek nor take instructions from anybody. In view of the fact that Article 44 of Regulation No 45/2001 and Article 28 of Directive 95/46 are based on the same general concept, those two provisions should be interpreted homogeneously, so that not only the independence of the EDPS, but also that of the national authorities, involve the lack of any instructions relating to the performance of their duties” (paras. 27-28).
The Court then went on to assess whether the State scrutiny to which the supervisory authorities are subject in Germany is consistent with the requirement of independence as defined above. It found that “the mere risk that the scrutinising authorities could exercise a political influence over the decisions of the supervisory authorities is enough to hinder the latter authorities’ independent performance of their tasks. First, as was stated by the Commission, there could be ‘prior compliance’ on the part of those authorities in the light of the scrutinising authority’s decision-making practice. Secondly, for the purposes of the role adopted by those authorities as guardians of the right to private life, it is necessary that their decisions, and therefore the authorities themselves, remain above any suspicion of partiality” (para. 36).
A last, and perhaps most intriguing, point about this case pertains to the position of independent agencies in the democratic constitutional structure. This is obviously not a novel issue; different legal orders have struggled with the question of the constitutionality of agencies and their democratic legitimacy -or lack thereof. In this case Germany contended that the principle of democracy precludes a broad interpretation of the requirement of independence in a way which would oblige that Member State to renounce its tried and tested system of scrutiny of the supervisory authorities. According to this argument, “that principle [i.e. of democracy], which is enshrined not only in the German constitution, but also in Article 6(1) EU, requires that the administration be subject to the instructions of the government which is accountable to its parliament. Thus, the legality of interventions concerning the rights of citizens and undertakings should be subject to the scrutiny of the competent minister. Since the supervisory authorities … have certain powers of intervention with regard to citizens and entities outside the public sector, a heightened scrutiny of the legality of their activities by means of instruments for monitoring legality or substance is absolutely necessary” (para. 40).
The Court responded that this “principle does not preclude the existence of public authorities outside the classic hierarchical administration and more or less independent of the government. The existence and conditions of operation of such authorities are, in the Member States, regulated by the law or even, in certain States, by the Constitution and those authorities are required to comply with the law subject to the review of the competent courts. Such independent administrative authorities, as exist moreover in the German judicial system, often have regulatory functions or carry out tasks which must be free from political influence, whilst still being required to comply with the law subject to the review of the competent courts. That is precisely the case with regard to the tasks of the supervisory authorities relating to the protection of data (para. 42). Admittedly, the absence of any parliamentary influence over those authorities is inconceivable. However, it should be pointed out that Directive 95/46 in no way makes such an absence of any parliamentary influence obligatory for the Member States (para. 43). Thus, first, the management of the supervisory authorities may be appointed by the parliament or the government. Secondly, the legislator may define the powers of those authorities (para. 44). Furthermore, the legislator may impose an obligation on the supervisory authorities to report their activities to the parliament. In that regard, a comparison may be made with Article 28(5) of Directive 95/46 which provides that each supervisory authority is to draw up a report on its activities at regular intervals which will then be made public (para. 45). In view of the foregoing, conferring a status independent of the general administration on the supervisory authorities responsible for the protection of individuals with regard to the processing of personal data outside the public sector does not in itself deprive those authorities of their democratic legitimacy (para. 46).”
For these reasons, the Grand Chamber held that Germany had failed to fulfill its obligations under the second subparagraph of Article 28(1) of Directive 95/46.