DPA independence and ‘indirect’ access – illusory in Belgium, France and Germany?

Abstract

Directive 2016/680 provides for two procedures for the exercise of the rights of access to one's data: a direct one (that is, directly against the law enforcement authority) and an ‘indirect’ one, in which the responsible Data Protection Authority (DPA) exercises the right of access of the data subject against the law enforcement authority which refused the direct access, including by carrying out a legality check on the data processing of the personal data of the individual requesting access. The recent judgment in Ligue des droits humains ASBL treated the question of the powers of DPAs in the framework of this procedure, amongst others, as a matter of DPA independence. Existing literature has observed that the implementing laws of three Member States – Belgium, France and Germany – severely restrict the powers of the DPAs when these perform the ‘indirect’ right of access, for example to carry out the legality check and inform the individuals of the results of the check. In the this article we will argue that these national restrictions constitute an unjustified interference with the requirement on DPA independence in EU data protection law, including in Article 8(3) of the EU Charter of Fundamental Rights.