Blogs

EC refers Austria to ECJ for lack of independence of DPA

By EDRi · November 3, 2010

This article is also available in:
Deutsch: [Kommission verklagt Österreich wegen unzureichender Unabhängigkeit seiner Datenschutzbehörde | http://www.unwatched.org/node/2325]

Since a complaint was filed by the data protection association Arge Daten
back in October 2003, the lack of adequate independence of the Austrian Data
Protection Authority (DSK – Datenschutzkommission) has been on the European
Commission’s (EC) agenda.

Years later, in 2009, the Commission asked Austria, in a reasoned opinion
under EU infringement procedures, to revise the way the authority is
organised. However, as the Austrian authorities failed to comply with the
reasoned opinion and the Commission has decided to refer Austria to the
European Court of Justice (ECJ). This decision was officially published on
28 October 2010.

The Commission considers that provisions setting up the Austrian data
protection authority do not conform to EU rules, which require Member States
to establish a completely independent supervisory body to monitor the
application of the 1995 Data Protection Directive (Directive 95/46/EC).

Although the Austrian data protection legislation (Datenschutzgesetz 2000)
spells out that the authority exercises its functions independently and
takes no instruction in its performance, the Commission considers that
“complete independence,” as required under EU data protection rules, is not
guaranteed because:

– the authority remains under the supervision of the Federal Chancellery
as integrated into the Chancellery in terms of organisation and
staff: it controls neither its own staffing nor its equipment and it does
not have its own budget;

– since its creation in 1980, the authority has been run by a senior
official of the Chancellery as executive member (“geschäftsführendes
Mitglied”), subject to the supervision of the Chancellery;

– the right of the Chancellor to be informed at all times by the chair
and the executive member on all subjects concerning the daily management of
the authority potentially hinders the members of the supervisory authority
in the independent performance of their tasks.

The Commission’s approach to the independence of data protection authorities
reflects the case law of the European Court of Justice. In its ruling of 3
March 2010 (C-518/07), in which Germany was declared in breach of EU rules
on the independence of the data protection supervisory authority, the Court
confirmed that authorities responsible for the supervision of the processing
of personal data must remain free from any external influence, including
the direct or indirect influence of the state. According to the Court, the
mere risk of political influence through state scrutiny is sufficient to
hinder the independent performance of the supervisory authority’s tasks.

Earlier this year, the European Fundamental Rights Agency (FRA) has
also seriously criticised the status of Austria’s data protection authority.
The FRA study ‘Data Protection in the European Union: the role
of National Data Protection Authorities’, published in May 2010, casted a
damning light on the Austrian DSK. The study detected both a lack of
independence from the government and a lack of financial resources and staff
of the DSK. The Austrian DSK is not equipped with full powers of
investigation and intervention. As a consequence, the supervisory body
“cannot enforce its decisions in warning the data processor/controller as to
its unlawful conduct” – a serious deficit which occurs only in three of the
27 EU Member States, i.e. Poland, Hungary and Austria.

No official statement has been published by the Austrian government since
the EC announced it would refer Austria to the Court of Justice in this
matter. It remains to be seen whether the Austrian government will stick
to its former plans to close down the DSK. According to a draft law promoted
in 2007 and reconditioned in 2010, which is aiming at changing various
regulations of the Austrian Constitution, the government intends to assign
some of the duties of the DSK to nine administrative courts of the “Länder”
instead. By which organisation(s) the remaining duties of the DSK should be
fulfilled, remains unclear till today. In its recently published bi-annual
report of the years 2007-2009, the DSK criticised these plans and argued
that only 10 % of its tasks were suitable to be carried out by
administrative courts.

In light of its ruling of 3 March 2010, in which Germany was declared in
breach of EU rules on the independence of the data protection supervisory
authority, it is more than likely that the ECJ will come to a similar
conclusion in the Austrian case. It’s also more than likely that neither the
EC nor the European Court of Justice will appreciate the further demolition
of the Austrian data protection authority by closing down the existing
insufficient body and scattering its competencies to regional
administration.

Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995 on the protection of individuals with regard to the processing
of personal data and on the free movement of such data
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

Data Protection: Commission to refer Austria to Court for lack of
independence of data protection authority: (28.10.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1430&format=HTML&aged=0&language=EN&guiLanguage=en

Publications Office Judgment of the Court (Grand Chamber) of 9 March 2010 –
European Commission v Federal Republic of Germany (1.5.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:113:0003:0004:EN:PDF

Data Protection in the European Union: the role of National Data Protection
Authorities (Strengthening the fundamental rights architecture in the EU
II) (7.5.2010)
http://fra.europa.eu/fraWebsite/research/publications/publications_per_year/pub_data_protection_en.htm

EDRi-gram 5.19 – The days of the Austrian DPA are numbered (10.8.2007)
http://www.edri.org/edrigram/number5.19/austrian-dpa

EDRi-gram 3.17 – EC: data protection inadequate in Austria and Germany
(24.8.2005)
http://www.edri.org/edrigram/number3.17/DPA

Austrian Data Protection Act 2000 (only in German)
http://www.ris.bka.gv.at/Dokumente/Bundesnormen/NOR40113679/NOR40113679.pdf

Datenschutzbericht 2009 – 1. Juli 2007 – 31. Dezember 2009, Österreichische
Datenschutzkommission (only in German)
http://www.dsk.gv.at/DocView.axd?CobId=40344

(Contribution by Andreas Krisch, EDRi-member VIBE!AT, Austria)