On 28 October 2010, the European Commission decided to refer Austria to the Court of Justice for its lack of independent data protection authority (see press release IP/10/1430). The Commission deemed that provisions setting up the so-called Data Protection Commission (Datenschutzkommission) do not conform to EU rules, which require Member States to establish a completely independent supervisory body to monitor the application of Directive 95/46/EC (“Data Protection Directive”).
Even though the Austrian Data Protection Act 2000 (Datenschutzgesetz 2000) sets forth that the members of the Data Protection Commission shall be “independent and not bound by instructions in the exercise of their duties”, the Commission considers that “complete independence,” as required under Article 28 para 1 of the Data Protection Directive, is not guaranteed.
The Commission alleges that the Data Protection Commission remains under the supervision of the Federal Chancellor because it is integrated into the Chancellery in terms of its organisation and staff and that it neither controls its own staffing nor its equipment. Furthermore, the Commission complains that the Data Protection Commission does not have its own budget and has always been run by a senior official of the Chancellery as an executive member (geschäftsführendes Mitglied), subject to the supervision of the Chancellery. Finally, the right of the Chancellor to be informed at all times by the executive member on all subjects concerning daily business potentially hinders the members of the Data Protection Commission in the independent performance of their tasks.
Based on a complaint filed by ARGE DATEN, a private Austrian organisation for the protection of personal data, in 2003, the Commission initiated treaty violation proceedings against Austria. However, since despite these proceedings the Austrian Administrative Court confirmed in 2007 that the Data Protection Commission was duly organised and in line with EU rules on data protection, the Austrian legislature did not take advantage of the opportunity of this year’s amendment to the Data Protection Act in order to cope with the concerns of the Commission.
While attempting to predict how the court will rule is difficult, it is more likely than not that the Court of Justice will follow the Commission’s approach to the independence of data protection authorities, which reflects a decision that the European Court of Justice already rendered on 3 March 2010 (C-518/07) in relation to a very similar case dealing with the German data protection authority. According to the European Court, data protection authorities have to remain free of any external influence, including the direct or indirect influence of the state, and the mere risk of political influence through state scrutiny may be sufficient to hinder the independent performance of supervisory tasks.
In any case, it may be highlighted that the Austrian Data Protection Commission suffers from a staff shortage, measured against other European data protection authorities of comparable countries. Thus, treaty violation proceedings should at least mark a starting point in order to reconsider and evaluate the importance of an adequately staffed commission and, also in financial terms, a sufficiently independent data protection authority in Austria.