Today, the Court of Justice decided1 that data protection authorities in the German Länder which supervise the processing of personal data in the private sector are not acting with "complete independence" as required by the Data Protection Directive 95/46/EC.
The case was brought by the Commission which argued that since these data protection authorities are part of the regional administration and subject to State scrutiny, they were not acting in complete independence. The German government stated that sufficient independence was ensured by making these authorities independent from the parties they supervise. The European Data Protection Supervisor (EDPS) intervened in the case in support of the arguments of the Commission.
The EDPS is very pleased with the judgment. Peter Hustinx, EDPS, stated: "The judgment of the Court is of great importance. It strengthens and clarifies the position of data protection authorities as part of the fundamental right to data protection. This judgment is relevant for all supervisory authorities in all EU Member States."
The Court confirmed the position of the Commission. It considered that "complete independence" means that the supervisory authority should be able to make decisions independently from any direct or indirect external influence. An authority must not only be independent from the parties it supervises, but must also not be part of government since the government itself may be an interested party. The German government argued that the State scrutiny in Germany sought only to guarantee the legality of the acts of the data protection authorities and not to exert any political influence. However, the Court considered that the existence of such State scrutiny means that the possibility remains that the authorities are not able to act objectively.
In its judgment the Court stated clearly that supervisory authorities are "an essential component of the protection of individuals with regard to the processing of personal data".
(1) Judgment of 9 March 2010 in Case C-518/07