The European Court of Justice held on October 16, 2012 that Austria’s data protection authority is not sufficiently independent, and therefore fails to comply with the requirements of the European data protection directive. This is the second time that the European Court of Justice has found a data protection authority to lack independence. The first time involved Germany, where the European Court of Justice found that the regional data protection authorities were not sufficiently independent of their respective regional governments.
In its October 16 decision regarding Austria, the European Court of Justice found that the Austrian data protection authority, the DSK, had too many links to the Federal Chancellor’s office. First, the managing member of the DSK is in fact a government employee and therefore has some hierarchical links with the relevant ministry, and inevitably will be subject to the ministry’s influence. Austrian law provides that the members of the DSK shall not be subject to outside instructions. The court found, however, that as an employee of the government subject to performance reviews and promotion decisions, the managing member of the DSK will be implicitly influenced by the policies of his employer.
Second, the Federal Chancellery provides the office and staff for the DSK. Here, too, the court found that the government has an indirect influence over the DSK by virtue of the fact that the DSK staff are Chancellery employees.
Finally, the court criticized a provision in the Austrian law pursuant to which the Federal Chancellor benefits from a general right to information with regard to the DSK’s activities. The far-reaching and unconditional right to information “precludes the DSK from being capable of being regarded as operating, in all circumstances, above all suspicion of partiality.”
The court emphasized that the data protection directive’s requirement of “complete independence” requires not only independence in the actual functioning of the data protection authority, but also the appearance of independence in how the data protection authority is structured. In the case of Austria, the links between the data protection authority and the Federal Chancellery are too close to satisfy these requirements.