Privacy & Information Security Law Blog

On April 6, 2011, the European Commission formally requested that Germany immediately comply with a March 9, 2010 judgment (C-518/07) by the European Court of Justice (the “Court”) concerning the independence of German data protection authorities (“DPAs”).

As we previously reported, the Court ruled in March 2010 that Germany had failed to properly implement the requirement that DPAs are to act with “complete independence” in exercising the functions entrusted to them, as explicitly provided by the EU Data Protection Directive 95/46/EC. According to the Commission, 15 out of Germany’s 16 federal states have not yet undertaken any action to rectify the violation identified in the Court’s judgment. In its formal notice letter, the Commission ordered Germany to comply with the Court’s judgment within two months or risk a fine or penalty imposed by the Court.

In Germany, the supervisory function of the DPAs responsible for the private sector varies between the federal states, and may be assigned to the data protection commissioner of the respective state or to the general state government. Both types of supervisory authorities are subject to “state scrutiny” under German law. The Court held that this situation is not consistent with the EU Data Protection Directive requirement of “complete independence,” which is meant to allow DPAs to perform their duties free from any direct or indirect external influence that might hinder their ability to function.  In particular, the Directive indicates that DPAs must not be part of the government since the government itself may have an interest in a DPA’s actions. The German government, however, takes the position that complete independence of the DPAs responsible for the private sector would not be compatible with the German constitution. In addition, certain DPAs argue that many Federal States have already reorganized the supervision to comply with EU law.

It remains to be seen how Germany will respond to the Commission’s latest move. Meanwhile, the Commission continues to signal its commitment to ensuring the complete independence of national DPAs, having referred Austria to the Court for the same violation—specifically, for lack of complete independence of the Austrian Data Protection Commission (Datenschutzkommission)—in October of last year.