Tải bản đầy đủ - 0 (trang)
9 Independence of DPAs Under the Case Law of the CJEU: A Strong Requirement

9 Independence of DPAs Under the Case Law of the CJEU: A Strong Requirement

Tải bản đầy đủ - 0trang

7.9  Independence of DPAs Under the Case Law of the CJEU: A Strong Requirement



355



collective body with mostly part-time members) depended on a managing member

who was a career official and on a supporting office integrated in the Federal

Chancellery.183 The issue at stake in the case of Hungary was that a national law was

adopted that replaced the existing DPA by a new authority.184 The de facto result

was that the Hungarian data protection commissioner – the sole member of the

existing DPA – was replaced during his term of service.185

Arguably, Commission v Germany is the most important case in the context of

this book, because the Court of Justice – for the first time and in a clear manner –

defined the stakes of independence of the DPAs. These stakes were further specified

in the two subsequent rulings. A summary of this case law is included in Schrems.186



7.9.1  T

 he Meaning of Acting with Complete Independence: No

External Influence Allowed

The Court of Justice underlined in Commission v Germany that under Article 28(1)

of Directive 95/46 the DPAs should act with complete independence. The Court

identified a double rationale for independence. It underlined that complete independence is needed to ensure effectiveness and reliability of the supervision,187 thus

contributing to its legitimacy. Based on the wording of the provision, and on the

aims and the schemes of the directive188 this “implies a decision-making power

independent of any direct or indirect external influence on the supervisory

authority”.189 In Commission v Austria, the Court further stressed that this is an

autonomous interpretation, unrelated to the interpretation of the term court or tribunal of a Member State used in Article 267 TFEU.190 Advocate General Mazak noted

in his opinion191 that the autonomous interpretation of the Court on the independence of DPAs may mean that a national authority could be regarded as independent

under Article 267 TFEU, but does not fulfil the criteria of independence under EU

data protection law, or, in other words, the requirements for independence of a DPA

may be stricter than the requirements to qualify as court or tribunal.192



 Case C-614/10, Commission v Austria, EU:C:2012:631, e.g. at 52 and 61.

 Case C-288/12, Commission v Hungary, EU:C:2014:237, e.g. at 59.

185

 For some further background: András Jóri, Shaping vs applying data protection law: two core

functions of data protection authorities, International Data Privacy Law, 2015, Vol. 5, No. 2.

186

 Case C-362/14, Schrems, EU:C:2015:650, particularly at 40–43.

187

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 25.

188

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 29.

189

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 19.

190

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 40.

191

 Case C-614/10, Commission v Austria, Opinion AG Mazak, at 25.

192

 A. Balthasar, “‘Complete Independence’ of National Data Protection Supervisory Authorities”,

Utrecht Law Review, Volume 9, Issue 3 (July) 2013, at 30. Balthasar criticises this consequence.

183

184



356



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



This interpretation should be further understood in the following way. What is

decisive is not the formal status of the DPA,193 but the freedom it enjoys in the exercise of its tasks. The emphasis on the acts of the DPAs may have to do with the

wording of Article 28(1) of Directive 95/46, which does not state that the authorities

should be completely independent, but that they should act as such.194 Moreover, the

case dates from before the entry into force of the Lisbon Treaty, and was based on

Directive 95/46 and not on Article 16(2) TFEU and Article 8(3) Charter, which

require that the authorities themselves are independent. In the subsequent cases, the

Court of Justice observes that Article 28(1) of the directive derives from primary

law,195 but this did not lead to a modification of its position.

As far as a possible external influence on the exercise of the tasks is concerned,

the Court is strict.196 Most importantly, external influence is not only relevant when

it originates from the entity under supervision, which can be a private company or a

public authority. In a case relating to the supervision on the private sector no political influence over the decision-making process was acceptable, because it could

hinder the independent performance of the task by the DPAs, whereas these authorities should remain above any suspicion of partiality. Hence, partiality is not required,

suspicion is enough. What this means is well illustrated by an observation of the

Court in Commission v Austria, relating to a conceivable adaptation of the behaviour of the managing member of the Austrian authority, who used to be a career

official. The prospects of promotion of this person could incite a form of ‘prior

compliance’.197

The Court stated expressis verbis that a government may have an interest in non-­

compliance by a non-public body with data protection law, and gave three examples

why this could be the case.198 A government may itself be an interested party, for

instance because it engages in a public-private partnership, it may have an interest

in the use of data, in particular for taxation or law enforcement,199 and it may favour

interests of economically important companies.

Independence, according to the Court,200 is particularly important in light of the

task of the DPAs, which consists of the balancing between the protection of the right

to private life and the free movement of personal data. In other words, it is not only

the need of effective privacy and data protection that counts, but also the balancing

with other interests, with a broader scope than the rights to privacy and data

protection.

193



 The aim is not to grant a special status to the authorities, see at 25 of the ruling.

 This wording is chosen as a compromise formula, P. Hustinx in Reinventing data protection?

S. Gutwirth et al. (eds), Springer, 2009, at 132.

195

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 36; Case C-288/12, Commission v

Hungary, EU:C:2014:237, at 47.

196

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 31–37 (in particular at 36).

197

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 51.

198

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 35.

199

 This links to what was said in this book on (government) surveillance.

200

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 30.

194



7.9  Independence of DPAs Under the Case Law of the CJEU: A Strong Requirement



357



7.9.2  T

 he Relation Between the Principle of Democracy

and the Broad Notion of Independence

The Court of Justice ruled201 that the principle of democracy does not preclude independent public authorities outside the classic hierarchical administration.202 The

DPAs must carry out their tasks free from political influence, but subject to judicial

review.

However, and this is an essential addition: there should be some degree of parliamentary influence or, in other words, some degree of accountability towards political institutions. The Court gives an illustration of how this influence could be

shaped. The management of the authorities may be appointed by the parliament, the

powers may be defined by the legislator and reporting obligations to the parliament

may be defined.

In Commission v Austria203 the Court dealt with a related issue, the influence of

another political entity, namely the right of the Federal Chancellor to be informed

of the work of the DPA. The right to information covered all aspects of the work of

the DPA and was considered to be incompatible with the criterion of complete independence. The wording chosen by the Court suggests that it is not the right to information as such, but the extensive scope of this right, that provoked this conclusion.

A contrario, a more limited right to information could ensure that the DPAs are to

some degree accountable.204



7.9.3  Four Observations Based on This Case Law

First, the Court of Justice mentioned effectiveness and reliability of supervision as

an objective. Reliability is relevant in view of the subject matter of the supervision,

the social sphere of individuals,205 which differs from supervision in the more technical, economic sphere where democratic legitimacy plays a less predominant

role.206 The Court’s reference to reliability could also be understood as a confirmation that complete independence could be instrumental in restoring trust in governments in general, and in the European Union in particular.



 Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46.

 The Court also rejects arguments of the German government relating to the legal basis and to

subsidiarity and proportionality, but these are not relevant for this part of the book.

203

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 62–64.

204

 The importance of this accountability is underlined by the annotation of M. Szydlo on Case

C-614/10, Commission v Austria, EU:C:2012:63, in CMLR 50 (2013), 1809–1826, at

1821–1822.

205

 See annotation M. Szydlo on Case C-614/10, Commission v Austria, EU:C:2012:63, in CMLR

50 (2013), 1809–1826, 2013.

206

 As will be explained below in Sect. 7.13.

201

202



358



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



Second, the Court set a high standard for independence, also underlining the

need for organisational distance to the executive. The way the Court explained the

absence of any external influence implies that majoritarian bodies should not play

any role in the exercise of the duties and powers of the DPAs. This standard reflects

an earlier argument by Simitis (1987) who points at the risk that a DPA that is too

close to government207 runs the risk of legitimising processing and new methods of

information-gathering instead of controlling them.208 Still, there should be some

degree of accountability towards political institutions, especially to parliaments and

the judiciary.

This standard differs from the application of the notion of autonomy or independence in relation to EU agencies, where there is a practice that majoritarian bodies –

the Commission, Member States and, where appropriate, the European

Parliament209 – participate in the management boards of the agencies or where direct

influence by the Commission is allowed in decision-making.210 Chiti even argues

that this is a general difference between EU agencies and independent authorities.211

Independent authorities should be independent from private parties and from the

political majority. In his view, the European Central Bank is the prime example,

with strict safeguards on independence, as laid down in Article 130 TFEU.212 In

comparison, the EU agencies are only independent to a limited extent.

Third, the Court underlined the task of the balancing of interests. Especially

where various rights and values need to be balanced, there is a need for distance

from majoritarian policy-making, to ensure a fair decision-making process. This is

an important justification for independence. A need exists for the balancing of various interests, albeit within the mandate of the DPA relating to data protection. More

generally, data protection is not an absolute fundamental right that prohibits the

processing of personal data, but a right to fairness of processing, taking into account

a range of different interests.213

The Court mentioned the need for a fair balance between the protection of the

right to private life and the free movement of personal data, but the need for balancing also relates to a range of other rights and public interests, in particular the freedom of expression, security and transparency, all in a rapidly evolving technological

207



 And private organisations, but that is not relevant here.

 Spiros Simitis, “Reviewing Privacy in an Information Society”, University of Pennsylvania

Law Review, 135/3, 707–46, 1987, at 744.

209

 This is the model foreseen in the Joint Statement and Common Approach of the European

Parliament, the Council of the EU and the European Commission on Decentralised Agencies of 19

July 2012.

210

 Further read, Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in

between Institutions and Member States, Kluwer Law International 2014, e.g., the contributions of

Vos, at 34, and Ottow, at 135.

211

 E. Chiti, An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies, CMLR 46 (2009), 1395–1442, at 1399.

212

 And repeated in Article 7 of the Protocol (No 4) on the Statute of the European System of

Central Banks and of the European Central Bank.

213

 As explained in Chap. 2 of this book.

208



7.9  Independence of DPAs Under the Case Law of the CJEU: A Strong Requirement



359



environment. It could be argued that, in view of this case law, balancing between

various interests – with a broader scope than the right to private life and the free

movement of data mentioned in the ruling214 – is a task of DPAs. This raises the

question how to ensure that the DPAs, as expert bodies in the area of data protection,

take other interests into account.

The Court still used the wording in Commission v Germany215 relating to balancing of interests, in rulings after the entry into force of the Lisbon Treaty.216 This is

remarkable since, generally, since the entry of the Lisbon Treaty the emphasis is on

data protection as a fundamental right of the individual and no longer data protection as an instrument contributing to the free movement of data in the internal

market.

To conclude, balancing of interests is part of the task of the DPAs and is relevant

to their independence.

Fourth, the Court emphasised the importance of DPAs having discretionary powers and of them being in a position to make policy judgements, since the essence of

their tasks is that they have to balance various interests, as underlined by the Court

in Commission v Germany.217 This is opposite to the Meroni218 case law, where the

Court emphasised that discretionary powers involving policy choices were not to be

given to agencies. Only clearly defined executive powers – and not discretionary

powers – could be delegated by the EU institutions, in the light of the institutional

balance.219

In contrast, the powers and duties of DPAs, by nature, imply a high level of discretion. This confirms the special status of DPAs, different from EU agencies,

although it must be admitted that the actual relevance of Meroni – a ruling of 1958 –

in relation to agencies is disputed in legal literature.220 Furthermore, the case law of

the Court in relation to agencies has developed, so that, presently, powers that

involve discretion can to a certain extent be given to regulatory authorities.221

The emphasis in the case law on the balancing of various interests implies that

independence is needed to avoid ‘prior compliance’. It also suggests that elected

bodies – or more broadly: majoritarian institutions and, in particular, executive

branches of government that depend on the support of a majority in parliament –

 As mentioned in Case C-518/07, Commission v Germany, EU:C:2010:125, at 30.

 The reference to the internal market in Case C-518/07, Commission v Germany, EU:C:2010:125,

at 30, is made even more explicit in para. 50 of the ruling.

216

 In Cases C-288/12, Commission v Hungary, EU:C:2014:237, at 51, and C-362/14, Schrems,

EU:C:2015:650, at 42.

217

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 24.

218

 Case 9/56, Meroni, EU:C:1958:7, at 152.

219

 See on the Meroni doctrine: Vos in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds),

2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at

40.

220

 See, e.g., E. Chiti, An important part of the EU’s institutional machinery: Features, problems

and perspectives of European agencies, CMLR, 46, 1395–1442, 2009, at 1421–1424.

221

 Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament

and Council, EU:C:2014:18 (on ESMA), ruling of 22 January 2014 and the Opinion of AG

Jääskinen.

214

215



360



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



may be ill-equipped222 to deal with certain complexities of public policy, or more

specifically law enforcement, in comparison with unelected bodies.



7.10  Independence of DPAs: An Analysis

7.10.1  D

 ifferent Degrees of Independence Under EU Law,

Parallels with the ECB and with Courts

Different degrees of independence exist. In the area of data protection the DPAs are

subject to high requirements of independence. This was, as we have seen before,

confirmed by the case law of the Court of Justice of the European Union223 and it has

a functional as well as an institutional component.224 In the EU framework, this

status of the DPAs can be best compared with that of the European Central Bank

(ECB), which enjoys a high level of independence, as laid down in Article 130

TFEU.225 Article 130 TFEU provides that neither the ECB nor national central

banks shall seek or take any instructions from EU institutions or bodies, or from the

Member States. Moreover, the EU institutions or bodies and the Member States

undertake to respect this principle. This is also laid down in a concise manner in

Article 282(3) TFEU: The ECB is independent in the exercise of its powers and EU

institutions and bodies, as well as the Member States, shall respect that independence. As the Court stated in Commission v European Central Bank,226 the Treaty

seeks “to shield the ECB from all political pressure in order to enable it effectively

to pursue the objectives attributed to its tasks”.

This book is not claiming that the level of independence of DPAs is the same as

that of the ECB, which operates in a totally different area of government intervention, but there is a similarity. The wording used by the Court of Justice in relation to

DPAs prohibiting any direct or indirect external influence on the supervisory authority227 implies that they “shall not seek or take any instructions”.228 Moreover, the

prohibition of any direct or indirect external influence on the supervisory authority

implies a dual duty. EU institutions and bodies as well as Member States should

abstain from influencing DPAs.



222



 Wording from F. Vibert, The Rise of the Unelected, Democracy and the New Separation of

Powers, Cambridge University Press, 2007, at 1.

223

 See, e.g., ruling of CJEU in Case C-518/07, Commission v Germany, EU:C:2010:125.

224

 See European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection

reform package, at II.8.

225

 And repeated in Article 7 of the Protocol (No 4) on the Statute of the European System of

Central Banks and of the European Central Bank.

226

 Case C-11/00, Commission v European Central Bank, EU:C:2003:395, at 134.

227

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 19.

228

 Article 130 TFEU.



7.10  Independence of DPAs: An Analysis



361



Another similarity concerns the requirements for national courts and tribunals

under Article 267 TFEU. These requirements determine which courts or tribunals

can refer cases to the Court of Justice. Independence is one requirement and

includes, amongst others, guarantees against dismissal or removal from office.229

However, there is one difference. In Dorsch Consult Ingenieursgesellschaft,230 the

Court did not consider the fact that the organisational structure of a body was linked

to the executive sufficient reason for denying its independence. Bodies called

‘mixed councils’ under Austrian law were admitted to refer cases to the Court,

whereas the (former) Austrian data protection authority – also a mixed council

under Austrian law – was not considered completely independent under Directive

95/46.231

Despite this autonomous interpretation of data protection law there is a clear

similarity with the case law relating to Article 267 TFEU. This is for instance illustrated by the reasoning of the Court in Syfait and Others232 where it did not accept

the independence of the Greek national competition authority (the Epitropi

Antagonismou). The Court took into account that, despite the personal and operational independence of the members of this authority, there were no effective safeguards against undue intervention or pressure from the executive on those members.

The Court also noted that “the Epitropi Antagonismou is not a clearly distinct third

party in relation to the State body which, by virtue of its role, may be akin to a party

in the course of competition proceedings.”233 So, the absence of sufficient guarantees against external influence, caused by the risk of the executive having specific

interests, was a reason for declaring that a body did not fulfil the criteria of independence under Article 267 TFEU.

In contrast, the autonomy granted to EU agencies is different in character. The

agencies do not enjoy a comparable high degree of independence. The ability of EU

agencies to act can be subject to restrictions by majoritarian bodies. Courts are supposed to be independent from political preferences, whereas the agencies are part of

the administration, loyal to government and acting on its behalf.234

In any event, to the extent that agencies have tasks in relation to the functioning

of the market, they are autonomous vis-à-vis market forces, but not vis-à-vis political majorities.235 A good example in this context is the participation of the

 Case C-54/96, Dorsch Consult Ingenieursgesellschaft, EU:C:1997:413, at 34–38.

 Case C-54/96, Dorsch Consult Ingenieursgesellschaft, EU:C:1997:413, at 34–38.

231

 The mixed councils are mentioned in Case C-614/10, Commission v Austria,, EU:C:2012:631,

Opinion AG Mazak, footnote 7 of Chap. 1. Further read: A. Balthasar, “‘Complete Independence’

of National Data Protection Supervisory Authorities”, Utrecht Law Review, Volume 9, Issue 3

(July) 2013, at 26–38.

232

 Case C-53/03, Syfait and Others, EU:C:2005:333, at 29–38.

233

 Case C-53/03, Syfait and Others, EU:C:2005:333, at 33.

234

 Anna-Sara Lind and Jane Reichel, Administrating Data Protection – or the Fort Knox of the

European Composite Administration, Critical Quarterly for Administration and Law (EuCritQ), 1,

pp. 44–57, 2014, at 53.

235

 See on this, Chiti, CMLR 46 (2009), 1395–1442.

229

230



362



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



g­ overnments of Member States in the management boards of EU agencies.236 One

can argue that this is against the rationale of the existence of independent agencies.

However, one can also argue that this makes sense, since agencies may be technocratic in character yet they also may have to give value judgements on public interests that are, by their very nature, political. It also makes sense from the perspective

of giving the Member States influence on the performance of technocratic bodies at

EU level.237 To put it differently, where EU agencies act national powers are not

only transferred to the European Union, with its alleged democratic deficit,238 they

are actually being transferred to a technocratic body within the European Union.

This justifies a certain limitation of the independence of these bodies and the maintenance of some political control.



7.10.2  H

 igh Degree of Independence for DPAs, Confirming

Their Status as New Branch of Government

As explained above, under EU law, the independence of DPAs is a constitutional

requirement. The Court of Justice confirms that control by an independent authority

is not only laid down in Article 28 of Directive 95/46, but that this requirement also

derives from primary law.239 This has two consequences: on the one hand, independence is an autonomous concept that cannot be restricted either by the EU legislator

or by the Member States in their national laws, and, on the other hand, the European

Union and the Member States are obliged to actively ensure the independence of the

DPAs or, in other words, to give substance to the concept of independence.

Moreover, as was also explained before, this book argues that the DPAs – and

certain other expert bodies – qualify as a new branch of government complementing

the traditional separation of powers. The institutional framework of the European

Union is based on the institutional balance, which is not a static notion.240 We argue

that DPAs, as far as they exercise control at the European level, also complement the

existing institutional balance. Support for this argument can be found in the former

Article 286 EC as the legal basis for the foundation of the EDPS.241 Since the EDPS

was also empowered to supervise the activities of the EU executive – the Commission

is the clear example here – a separate constitutional position was needed. Merely

integrating the EDPS into one of the existing institutions would not have been

236



 Also the Commission and, where appropriate, the European Parliament participate in these

Management Boards.

237

 Further read: E. Vos in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU

Agencies in between Institutions and Member States, Kluwer Law International 2014, at 29.

238

 See on this Chap. 4, Sect. 4.10 of this book.

239

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 36; Case C-288/12, Commission v

Hungary, EU:C:2014:237, at 47. See also Sect. 7.9.

240

 See Sect. 7.7 above.

241

 See also Sect. 7.3 above



7.10  Independence of DPAs: An Analysis



363



s­ ufficient.242 The Lisbon Treaty replaced Article 286 EC by Article 16 TFEU, which

is formulated in more general terms and no longer provides for a specific legal basis

of a European DPA. However, the general requirement of Article 16(2) TFEU also

implies independent control of the EU institutions, which cannot be exercised by

one of the institutions themselves. Hence, there must be a body supervising the

institutions and complementing the institutional balance. A final remark in this context is that a European DPA is not amongst the EU institutions, listed in Article 13(1)

TEU. This book considers this to be an omission in the Treaty on European Union.

The high degree of independence for DPAs has been specified by the Court in the

three cases that were brought before it.243 This independence of the DPAs is mainly

limited by the judicial and political accountability described below.

However, guarantees for the independence of DPAs are not only the result of

negative obligations of the European Union and national governments, they also

imply positive obligations. The most obvious obligation is adopting legislation that

enables complete independence. The European Union and national governments

should also create the circumstances necessary for the establishment and functioning

of independent authorities in practice. One example of this will be explored below.



7.10.3  T

 he Appointment of Members of a DPA: A Critical

Factor Potentially Influencing Independence

One of the most critical factors potentially influencing the independence of DPAs is the

way in which the members of a DPA are appointed. It is at this instance where majoritarian bodies may exercise their influence. In this context, too, checks and balances are

essential. Scholten makes an interesting observation in respect of the appointment of

members of independent regulatory agencies in the United States, which requires the

common involvement of both the Congress and the President.244 A divided government

may lead to a better outcome than a unified government where one party can advance

its political candidates. Of course, there is an objection to this statement since a divided

government may also lead to a deadlock, but in general ensuring the involvement of

various points of view may provide an incentive to appointing suitable candidates.

Current and future EU law includes safeguards that must ensure that choices are

based on the expertise and independence of the candidates for a function. The

­procedure foreseen for the appointment of the European Data Protection Supervisor

serves as an illustration. Article 42 of Regulation 45/2001245 requires, in the first

242



 Further read: H. Hijmans, The European data protection supervisor: The institutions of the EC

controlled by an independent authority, CMLR, 43, 2006, 1313–1342.

243

 Cases C-518/07, Commission v Germany, EU:C:2010:125, C-614/10, Commission v Austria,

EU:C:2012:631 and C-288/12, Commission v Hungary, EU:C:2014:237

244

 M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience,

(dissertation Maastricht, 2014), at 174.

245

 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December

2000 on the protection of individuals with regard to the processing of personal data by the

Community institutions and bodies and on the free movement of such data, OJ L 8/1.



364



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



place, the involvement of three institutions, the European Parliament, the Council

and the Commission. In the second place, there are requirements giving the procedure a certain degree of transparency: the call for candidates is public, the list of

candidates is public and the European Parliament is entitled to organise a public

hearing246 which, in practice, it does. In the third place, Article 42 of Regulation

45/2001 requires the chosen candidate to possess specific qualities: his or her independence must be beyond doubt, he or she must have the experience and skills

required to perform the job, and it is seen as an advantage if he or she is a member

or has been a member of a national DPA. The General Data Protection Regulation

emphasises qualifications, experience and skills.247

However, the regulation does not require the involvement of the various branches

of government in the appointment procedure of national DPAs, which can be

explained by the fact that appointment of the members of these national authorities

is a task of the Member States, in accordance with the principle of national procedural autonomy.248 The Commission proposal allows appointment either by the parliament or the government. The legislative resolution of the European Parliament

limits this to an appointment by the national parliament.249

The final text of the General Data Protection Regulation provides the Member

States various options. In the hypothesis that the DPAs are new branches of government in between the three traditional branches it would strengthen the position of

the DPAs if all branches of government were involved in the appointment of members of DPAs. In any event, the discussion on the appointment of the DPAs has

focused on the position of the legislative and the executive branch, whilst the possibility of a role of the judiciary branch in the appointment procedure has not been

considered. The independent body mentioned in Article 53 of the General Data

Protection Regulation as an option for the Member States could be implemented by

including the judiciary in the appointment procedure.



7.10.4  T

 he DPAs Have an Obligation to Safeguard Their

Independence, Under the Principle of Democracy

As explained above, in Commission v Germany250 the Court of Justice underlined

the relationship between independence of DPAs and the principle of democracy. It

follows from this relationship that independence is not merely a negative obligation

for elected bodies to refrain from influencing the DPAs, but that the DPAs themselves have – within a democratic society –an active obligation to preserve their

246



 See mainly Article 3 of Decision No 1247/2002/EC of the European Parliament and of the

Council and of the Commission of 1 July 2002 on the regulations and general conditions governing

the performance of the European Data-protection Supervisor’s duties, OJ L 183/1

247

 Article 53 (2) GDPR.

248

 Case C-93/12, Agrokonsulting-04, EU:C:2013:432, at 35

249

 Article 48 of Commission Proposal for a General Data Protection Regulation, COM (2012), 11

final; amendment 325 of the legislative resolution of the European Parliament; Article 53 (1)

GDPR.

250

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46



7.10  Independence of DPAs: An Analysis



365



independence. They should not allow any external influence in the performance of

their tasks.

This active obligation is particularly important in view of the broad tasks of the

DPAs, which are in many instances not performed in isolation, but in close contact

with stakeholders, be they governments, representatives of the private sector or civil

society. For example, as part of its enforcement activity, a DPA may advise a company on the measures it should to take in order to comply with data protection law.

If, in a later stage, an individual lodges a complaint with the DPA against the company in relation to these measures, the DPA must remain above any suspicion of

partiality, as required by the case law of the Court. This is not evident, where the

DPA was involved in designing the measure at stake.251 The same could also happen

at a more general level: where DPAs were initially involved with governments, representatives of the private sector and/or civil society in the design of codes of conduct or implementing measures, this may at a later stage (potentially) influence

enforcement.



7.10.5  I ndependence in Relation to Effectiveness

and Accountability

The Court of Justice underlined in Commission v Germany252 that there is a clear

link between independence and effectiveness. Hence, this link supports the view

that effectiveness can legitimise DPAs. This is the output legitimacy, explained in

Chap. 4 of this book.253

DPAs do not escape accountability towards the elected parliaments. In Commission

v Germany254 the Court gave indications for the assurance of accountability. This

need for parliamentary influence can be satisfied by the Member States under

Directive 95/46, which leaves a wide discretion to the Member States as to the establishment and functioning of the DPAs. Under the General Data Protection Regulation

this discretion will be significantly reduced, although Article 53 (1) thereof leaves

room for Member States relating to the appointment of the members of the DPAs.

The EDPS opinion on the reform package suggests reinforcing the democratic guarantees by requiring a more systematic role for the national parliaments in the procedure for the appointment of these members.255 Moreover, the case law gives some

further indication on ensuring accountability in a more general sense, since the Court

does not preclude that governmental bodies have a right to be informed.256

251



 See also Chap. 6, Sect. 6.14 of this book.

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 25.

253

 See Chap. 4, Sect. 4.13.

254

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46.

255

 European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform

package, at 236, with a reference to Commission v Germany.

256

 See above, and the annotation of M. Szydlo on Case C-614/10, Commission v Austria,

EU:C:2012:63, in CMLR 50 (2013), 1809–1826, at 1821–1822.

252



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

9 Independence of DPAs Under the Case Law of the CJEU: A Strong Requirement

Tải bản đầy đủ ngay(0 tr)

×