European Data Protection Supervisor v Republic of Austria: Data protection decision

October 21, 2012 |

In European Data Protection Supervisor v Republic of Austria the European Court of Justice found that EU countries that merely provide for their appointed data protection authorities (DPAs) to have “functional independence” does not constitute compliance with EU law.

The European Commission brought the action arguing that Austria had acted in breach of EU law by failing to allow its appointed DPA, the Datenschutzkommission (DSK), to act with “complete independence” from the Austrian Government.

In order to be said to have “complete independence”, DPA staff must not share the same offices as Government officials and the authority must not, by law, be required to provide Government officials with an “unconditional” access to information about its work, the Court said. In addition, the individual who heads up a DPA must not also hold a role within Government. However DPAs “need not be given a separate order to be able to satisfy the criterion of independence”.

The Court upheld the Commission’s complaint rejecting Austria’s claims that the DSK was independent of Government because it had “functional independence”.

The fact that the DSK has functional independence in so far as … its members are ‘independent and [are not] bound by instructions of any kind in the performance of their duties’ is, admittedly, an essential condition in order for that authority to satisfy the criterion of independence within the meaning of the [EU’s Data Protection Directive].


The independence required under the [Directive] is intended to preclude not only direct influence, in the form of instructions, but also … any indirect influence which is liable to have an effect on the supervisory authority’s decisions,” the Court said. It ruled, though, that Austrian law had precluded the DSK from acting with complete independence.

Under the EU’s Data Protection Directive member state governments are required to appoint a public body to be responsible for monitoring compliance with data protection law in their nations.

The CJEU was concerned with the supervisory arrangements of the DSK in Austria, stating:

Even if [Austrian law] is designed to prevent the hierarchical superior from issuing instructions to the managing member, the fact remains that [another part of Austrian law] confers on the hierarchical superior a power of supervision that is liable to hinder the DSK’s operational independence.


The attribution of the necessary equipment and staff to such authorities must not prevent them from acting ‘with complete independence’ in exercising the functions entrusted to them,” the Court said. “The regulatory framework in force in Austria fails, however, to satisfy that … condition.

The fact that the office is composed of officials of the Federal Chancellery, which is itself subject to supervision by the DSK, carries a risk of influence over the decisions of the DSK,” it said. “In any event, such an organisational overlap between the DSK and the Federal Chancellery prevents the DSK from being above all suspicion of partiality and is therefore incompatible with the requirement of ‘independence’ within the meaning of the [Directive].

Leave a Reply