Updated: June 21, 2010 (Initial publication: June 3, 2010)
II-11.6: A judgment handed down by the Grand Chamber of the European Court of Justice on March 9, 2010 insists on the necessary independence of the authorities in charge of data privacy protection in the German Länder, with regard to the application of European Directive 95/46/EC of 24 October 1995 on "the protection of individuals with regard to the processing of personal data and on the free movement of such data" (Data Protection Directive).
In a judgment delivered on March 9th 2010, the Grand Chamber of the European Court of Justice upheld the European Commission’s action against the Federal Republic of Germany, stating that by making the authorities responsible for monitoring the processing of personal data outside the public sector in the different Länder subject to State oversight, Germany incorrectly transposed the requirement of "complete independence" of the supervisory authorities responsible for ensuring data protection, and thereby failed to fulfil its obligations under the second subparagraph of Article 28(1) of Directive 95/46/EC of 24 October 1995 "on the protection of individuals with regard to the processing of personal data and on the free movement of such data".
A judgment handed down by the Grand Chamber of the European Court of Justice on March 9, 2010 insists on the necessary independence of the authorities in charge of personal data protection in the German Länder with regard to the application of European Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Personal Data" Directive).
In a judgment delivered on March 9, 2010, the Grand Chamber of the European Court of Justice held that the data protection authorities of the German Länder that supervise private-sector files were not acting with complete independence, contrary to the requirements of the 1995 European Directive on data protection.
On March 9, 2010, the European Court of Justice delivered its judgment in the case EC / Germany (C-518/07) concerning the obligation of the Member State to ensure that the national supervisory authorities responsible for monitoring data processing exercise their functions with complete independence.
On March 9, 2010, the European Court of Justice delivered its judgment in the case EC/Germany, in which it emphasises that the German data protection supervisory system has incompletely transposed the obligation of independence of supervisory authorities prescribed by Directive 95/46.
A judgment handed down by the Grand Chamber of the European Court of Justice on March 9, 2010 insists on the necessary independence of the authorities in charge of data privacy protection in the German Länder, with regard to the application of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
In a judgment of March 9, 2010, the Grand Chamber of the European Court of Justice upheld the action brought by the European Commission against the Federal Republic of Germany, finding that, by making the authorities responsible for monitoring the processing of personal data outside the public sector in the different Länder subject to State oversight, Germany incorrectly transposed the requirement of "complete independence" of the supervisory authorities responsible for ensuring data protection and therefore failed to fulfil the requirements set out in the second subparagraph of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
European Directive 95/46/EC of 24 October 1995 was adopted in an effort to harmonise national legislation on personal data processing. The second sentence of its article 28(1) obliges Member States to make "one or more public authorities" responsible for monitoring "the application ... of the provisions adopted by the Member State pursuant to this Directive". It requires "complete independence" for these monitoring authorities.
The German Act of Parliament adapting this Directive into German law made a distinction between authorities supervising data processing by public and non-public organizations. This led to the creation of two types of data protection authorities: those whose aim was to monitor compliance with data protection legislation by public bodies; and those that were in charge of monitoring compliance with the provisions concerning data protection by non-public bodies. The former authorities were supervised at both the Federal and the Regional levels by the representatives responsible for the protection of personal data and freedom of information. Those representatives are responsible before their respective Parliaments, and yet are not subject to any control or influence by the public bodies that they supervise. The authorities responsible for supervising the processing of data by non-public bodies are, in each Land, expressly subject to State scrutiny.
The European Commission, supported by the European Data Protection Supervisor (EDPS), brought a claim before the European Court of Justice, arguing that Germany had failed in its obligation to transpose correctly the requirements of "complete independence" of the supervisory authorities in charge of data protection mandated by the second subparagraph of Article 28(1) of Directive 95/46. It mainly argued that the State scrutiny, to which the authorities in charge of the supervision of data protection by non-public bodies were subject, jeopardises the "complete independence" of supervisory authorities, thereby relying on a broad interpretation of the words "complete independence". This wording, the Commission and the EDPS argued, is to be construed as requiring that a supervisory authority be free from any influence, whether internal or external to the administration.
Germany's interpretation of the criterion of "complete independence" was narrower. The Federal Republic stated that the independence required of the supervisory authorities should be understood as a functional one: the authorities must be independent from the non-public bodies they supervise, and must not be exposed to any external influences. It further argued that the State scrutiny exercised on data protection authorities constitutes an administrative monitoring mechanism, since those authorities belong to the administrative machinery. Thus, supervision is simply internal to the administrative system, and cannot be interpreted as an external influence of any kind.
In its decision, the European Court of Justice first interprets the words "with complete independence", especially since they are not defined in Directive 95/46, stressing that the wording itself of that provision and the aims and scheme of the Directive should be taken into account.
Relying on the usual meaning of the concept of "independence", the Court defines it as "a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure", emphasizing that nothing in this definition indicates that independence solely refers to the relationship between the supervisory authority and the bodies under its surveillance. On top of that, the use of the adjective "complete" further signals a concern for making the decision-making power "independent of any direct or indirect external influence on the supervisory authority".
In the second step of its reasoning, the Court infers from the Preamble of Directive 95/46 that it aims at enabling the free movement of personal data, a goal that is liable to interfere with the right to private life recognised inter alia in article 8 of the ECHR. Therefore, the directive seeks "also not to weaken the protection guaranteed by the existing national rules, but on the contrary to ensure, in the European Community, a high level of protection of fundamental rights and freedoms with respect to the processing of personal data". (22) As depository to this need of a fair balance between observance of the fundamental right to private life and the interests requiring free movements of personal data, the national supervisory authorities were "established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions. It follows that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not of the influence only of the supervised bodies."
To complete its argument, the European Court of Justice reasons by analogy. It emphasizes that on a European level, the European Data Protection Supervisor was created by Regulation 45/2001 of December 18th 2000. It is responsible for the processing of personal data by European Community institutions and organs and the free movement of that data. Article 44 of Regulation 45/2001 specifies that the EDPS must carry out its duties in "complete independence", and article 44(2) clarifies this concept by adding that, in the performance of its duties, the EDPS may neither seek nor take instructions from anybody.
To the question of whether or not the German system of State scrutiny for data protection authorities for non-public bodies infringed the obligation of "complete independence" as defined in Directive 95/46, the European Court of Justice highlights that "the mere risk that the scrutinising authorities could exercise a political influence over the decisions of the supervisory authorities is enough to hinder the latter authorities’ independent performance of their tasks".
Interestingly, in order for these authorities to act objectively and impartially (i.e. independently), the Court notes that not only must they be free from any governmental influence in their decision-making, but also that their decisions must remain "above any suspicion of partiality", embracing the requirements of both objective and subjective impartiality of regulatory authorities towards those they supervise.
Rejecting the argument of the German State according to which State scrutiny is justified by the need to ensure that the decisions taken by these authorities do not infringe legality, the Court held that the Federal Republic of Germany failed to correctly transpose the requirements of Directive 95/46.
Grand Chamber of the European Court of Justice, Judgment of March 9th 2010, C-518/07, Paragraph 16, accessible at: http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=en&numaff=C-518%2F07+&Submit=Submit
This case is in line with the demands for a regulator, in charge of protecting the fundamental right to privacy, whose independence is both objective (i.e. structural and organisational) and subjective, which means that the regulatory authority does not appear to be influenced by the administration or by corporations in its decision-making.
More specifically, this decision illustrates the very teleological aspect of Regulatory Law, and of European law. Indeed, the European Court of Justice, confronted with the lack of definition of the concept of "independence" in Directive 95/46, held that its meaning should be inferred by taking the Directive’s purpose into account. Emphasising the complex balance that national data protection authorities should achieve between enabling the free movement of data in Europe, on the one hand, and the protection of the fundamental right to privacy, on the other, it embraced a broad understanding of the notion of "independence". Those authorities, "guardians" of the fundamental right to privacy, must be as independent as possible from the administrative hierarchy. To that end, the Court extracted the definition of "independence" from the goals of Directive 95/46, going so far as to reason by analogy to put forward the need for both internal and external independence of data protection supervisory authorities.
The emphasis on this requirement of subjective independence is part of a larger movement initiated by the European Court of Human Rights (especially since the Engel case vs. The Netherlands from 8th June 1976). The ECHR, by borrowing the notion of subjective impartiality from British Law, aims at deepening the protection of people being tried by strengthening the impartiality of the judge, to which the subjective independence completely belongs. Interestingly, the ECJ is now joining the ECHR in its efforts, bringing legal reasoning between “Economic Europe” (ECJ) and “Human Rights Europe” (ECHR) closer, taking into consideration their common concern for the protection of fundamental rights.
Yet, it should be noted that the European Court of Justice did not, in this case, define the substantive components of the criterion of independence, even less of "complete independence". It thus avoided listing the requirements (such as institutional, organisational, budgetary, or financial independence) that the term "independence" entails. The lack of definition provided by this decision has the advantage, from the point of view of the European Union’s teleology, of not closing the door on deepening oversight of Member States’ implementation of such directives in the future.
However, as Advocate General Mazák noted in his opinion, the evidence that Germany failed to fulfil its obligation of transposition is fragile. In fact, the Court stated that "the mere risk" of the supervising authorities being influenced by the scrutinising authorities is sufficient proof that the requirements of "complete independence" are not fulfilled. And yet, "according to the case-law of the Court, in an action for failure to fulfil obligations brought under Article 226 EC it is for the Commission to prove that the obligation has not been fulfilled without being able to rely on any presumption", Advocate General Mazák says. In this particular case, the Commission failed to bring any evidence of the negative effects of the oversight of data protection authorities for non-public bodies by their States.