A while back, the Court of Justice declared in Case C-518/07 Commission v. Germany that Germany had breached Article 28 §1 of Directive 95/46/EC on data protection because the authorities it had established to monitor the processing of personal data were subject to state scrutiny and thus were not completely independent as required by that provision.
The judgment is a bit of a surprise.
Article 28 of Directive 95/46, entitled ‘Supervisory authority’, provides:
‘(1) Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.
These authorities shall act with complete independence in exercising the functions entrusted to them.
While German law makes a distinction depending on whether or not data processing is carried out by public bodies, it provides that all the authorities responsible for monitoring the application of the Directive are subject to some kind of scrutiny or other by Federal or State bodies.
The Commission considered that subjecting those authorities to State scrutiny was contrary to Article 28 §1 of the Directive. It considered that the requirement that the supervisory authorities exercise their functions ‘with complete independence’ must be interpreted as meaning that a supervising authority must be free from any influence, whether that influence is exercised by other authorities or outside the administration. Germany on the other hand disagreed with the Commission and considered that Article 28 §1 of Directive 95/46 requires the supervisory authorities to have functional independence only: Those authorities must be independent of bodies outside the public sector which are under their supervision and that they must not be exposed to external influences.
The Court held in favor of the Commission.
It held that contrary to what Germany submitted, there is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. On the contrary, it found that the concept of ‘independence’ is complemented by the adjective ‘complete’, which implies a decision-making power independent of any direct or indirect external influence on the supervisory authority.
The Court also held that the supervisory authorities provided for in Article 28 of Directive 95/46 are the guardians of the fundamental rights and freedoms in respect of data privacy. In order to guarantee that protection, the supervisory authorities must ensure a fair balance between, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data. The guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data. It was established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions. It follows that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not of the influence only of the supervised bodies.