In the European Union, compliance with data protection requirements is overseen by public authorities (ie data protection authorities or DPAs), who ‘shall act with complete independence in exercising the functions entrusted to them’. Given the growing number of countries around the world that have adopted data protection legislation based on the EU model, the requirement of having an independent data protection authority has spread to other regions as well. This requirement has recently been reinforced by the judgment of the European Court of Justice (ECJ) in the case Commission v Germany, where the Court found that the DPAs of the German federal states (Lander) were structured so as to be subject to governmental oversight, and that Germany had thus failed to properly implement Article 28(1) of the EU Data Protection Directive. These developments lead to reflection on the concept of ‘independence’. As the ECJ found, the basis for requiring independence is that it helps ensure the effectiveness and reliability of supervision by allowing the authorities to carry out their tasks free from external influence. The experience in Europe shows the need for such regulatory independence, given that governments sometimes have sought to influence the work of the data protection authorities (one such example is the resignation en masse of the entire Greek Data Protection Commission in 2007 for alleged political interference). However, the issue of independence is more complex than it may seem at first glance. While independence is indeed an indispensable requirement for the work of DPAs, complete and total independence is never possible, or even desirable, on the part of any public authority. Principles of accountability and transparency require that a supervisory authority be answerable for its actions (eg through the possibility of judicial review), and that it be subject to controls in order to ensure its integrity. There are also different types of independence. The ECJ decision concentrates on legal independence, that is how the DPAs are set up and structured so as to be free of undue governmental influence. However, just as important is independence in terms of financial and personnel resources. Indeed, many European data protection commissioners complain that they have insufficient resources to do their jobs properly (a view supported by a recent study of the European Agency for Fundamental Rights). Indeed, one European DPA even had to shut down its operations for several months toward the end of 2010 because it had completely run out of funds. Some European governments have used structural independence as a ‘poisoned chalice’, freeing their DPAs from being part of government ministries but also making it clear that from that point the DPA is required to provide for its own budget. It is therefore welcome that the European Commission has taken a broad view of the concept of independence of the DPAs in its current review of the EU data protection framework. Independence may also be viewed differently in different legal cultures. For instance, one non-EU DPA has stated privately that in its country, being part of a government ministry gives it more ‘clout’ and results in it being taken more seriously than if it were set up as a free-standing, independent regulatory authority. It may therefore be necessary to consider the complete legal and political structure of a country before determining whether its data protection regulator is independent.
Read full abstract