Law and Rights
Steve Peers
Yesterday?s second judgment on data protection is not quite as important as the first, but is very interesting nonetheless. In Commission v Hungary, the CJEU built upon its prior rulings in Commission v Germany and Commission v Austria, as regards the independence of data protection authorities. But implicitly the judgment has rather broader resonance than that.
Background
The EU?s data protection Directive requires data protection authorities to be set up to enforce the rules in the Directive, alongside the possibility of individual court actions. Since the Directive applies to the public and private sectors, and the data protection authorities form part of the public sector, there is an implicit risk that the authorities might be reluctant to challenge the government or the governing parties? private sector allies, or could otherwise be ?captured? by the sectors of industry most impacted by data protection law. To avoid this possibility, the Directive requires Member States to ensure that data protection authorities act ?with complete independence?.
In Commission v Germany, the CJEU ruled that Germany infringed this rule by providing for too much parliamentary accountability for the data protection authorities. In Commission v Austria, the Member State concerned had breached the law because the data protection authority formally was part of the civil service, giving rise to a possible appearance of partiality.
The judgment
The latest judgment concerned a different issue. Hungary had replaced the individual data protection supervisor with a supervisory board, and had cut short the term of the supervisor when the new board was set up.
In the Court?s view, Hungary had infringed the Directive. As in the Austrian case, the national rules could lead to a situation of ?prior compliance? with the government?s wishes (or what might often be called ?self-censorship?). Here that would result from the threat of early termination of the supervisor?s (or now the supervisory board?s) term.
So, while Member States are free to have different rules on the composition of national data protection authorities, and free to change those rules, any significant changes had to provide for transitional periods to avoid compromising the independence of those authorities.
Comments
The Court?s judgment is unsurprising, in light of its prior case-law. The prospect of early termination of a term of office of a 'independent' supervisor is bound to give rise to the appearance of partiality, if not actual self-censorship. The supervisor concerned might even have doubts about the government's willingness to employ him or her in another job after the termination of the term of office. A government could even put pressure on the private sector not to hire that individual. In any event, the private sector may judge that it is unwise to hire a person who appears not to be in the government's favour.
More broadly, the judgment should also be seen as part of a broader concern about the rule of law in Hungary. This judgment is just one of several actions which the Commission brought, or threatened to bring, due to concerns about possible interference with the central bank, the judiciary and the data protection authorities in that state.
Previously, the Hungarian rules on retirement of judges ? which would have entailed a big reduction in the retirement age for current judges, followed by a later retirement age for their replacements ? were criticised by the Court of Justice, on the grounds that this would breach the EU?s framework equality Directive as regards age discrimination. The apparent intent to ?pack the courts? via this route was not discussed as such by the CJEU, although the Court?s judges were surely aware of it.
Moreover, the Commission had begun proceedings regarding the independence of the Hungarian central bank, and dropped them due to changes in Hungarian legislation. It had also threatened to bring separate proceedings relating to the independence of the judiciary generally, due to the risk that EU law cannot be properly applied unless judges are impartial. While that argument is sound in principle (whether it is true of Hungary is a separate question), ultimately the Commission decided that a non-judicial approach was better suited to dealing with such situations, and released its recent communication on the rule of law in the EU instead.
It seems as though the CJEU is also determined to follow a cautious path politically. Neither yesterday?s judgment nor the earlier judgment on judicial retirement makes any reference to the broader context. Furthermore, it hardly seems coincidental that yesterday?s judgment came after, not before, last weekend?s election, which saw the current government returned to power. A judgment like this one shows both the strengths and the weaknesses of EU law when fundamental questions like these are raised.
Barnard & Peers: chapter 9
- When Super-regulators Fight: The ?one-stop Shop? In The Proposed Data Protection Regulation
Steve Peers A guilty pleasure for fans of superhero comic books is the moment when our heroes pause in their valiant efforts to save the public from the nefarious plans of the supervillains ? and start beating the hell out of each other instead. This...
- The Domino Effect: How Many Eu Treaties Violate The Rights To Privacy And Data Protection?
Steve Peers Earlier this year, the Court of Justice of the European Union (CJEU) ruled in the Digital Rights judgment against the validity of the EU?s data retention directive, on the grounds that it provided for mass surveillance without any...
- Data Protection Rights And Administrative Proceedings
Steve Peers What rights do asylum-seekers have as regards data protection law? This issue was clarified in today?s CJEU judgment in YS and M and S, which could also have broader relevance for any case which involves access to documents in the context...
- Europe V Facebook: The Beginning Of The End For Nsa Spying On Eu Citizens?
Steve Peers Since the revelations about the extent of spying by the American National Security Agency (NSA) revealed by Edward Snowden, doubts have increased about the adequacy of the data protection regime in the United States, in particular as regards...
- Are National Data Retention Laws Within The Scope Of The Charter?
By Steve Peers Following the annulment of the EU?s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons...
Law and Rights
The CJEU confirms the independence of data protection authorities
Steve Peers
Yesterday?s second judgment on data protection is not quite as important as the first, but is very interesting nonetheless. In Commission v Hungary, the CJEU built upon its prior rulings in Commission v Germany and Commission v Austria, as regards the independence of data protection authorities. But implicitly the judgment has rather broader resonance than that.
Background
The EU?s data protection Directive requires data protection authorities to be set up to enforce the rules in the Directive, alongside the possibility of individual court actions. Since the Directive applies to the public and private sectors, and the data protection authorities form part of the public sector, there is an implicit risk that the authorities might be reluctant to challenge the government or the governing parties? private sector allies, or could otherwise be ?captured? by the sectors of industry most impacted by data protection law. To avoid this possibility, the Directive requires Member States to ensure that data protection authorities act ?with complete independence?.
In Commission v Germany, the CJEU ruled that Germany infringed this rule by providing for too much parliamentary accountability for the data protection authorities. In Commission v Austria, the Member State concerned had breached the law because the data protection authority formally was part of the civil service, giving rise to a possible appearance of partiality.
The judgment
The latest judgment concerned a different issue. Hungary had replaced the individual data protection supervisor with a supervisory board, and had cut short the term of the supervisor when the new board was set up.
In the Court?s view, Hungary had infringed the Directive. As in the Austrian case, the national rules could lead to a situation of ?prior compliance? with the government?s wishes (or what might often be called ?self-censorship?). Here that would result from the threat of early termination of the supervisor?s (or now the supervisory board?s) term.
So, while Member States are free to have different rules on the composition of national data protection authorities, and free to change those rules, any significant changes had to provide for transitional periods to avoid compromising the independence of those authorities.
Comments
The Court?s judgment is unsurprising, in light of its prior case-law. The prospect of early termination of a term of office of a 'independent' supervisor is bound to give rise to the appearance of partiality, if not actual self-censorship. The supervisor concerned might even have doubts about the government's willingness to employ him or her in another job after the termination of the term of office. A government could even put pressure on the private sector not to hire that individual. In any event, the private sector may judge that it is unwise to hire a person who appears not to be in the government's favour.
More broadly, the judgment should also be seen as part of a broader concern about the rule of law in Hungary. This judgment is just one of several actions which the Commission brought, or threatened to bring, due to concerns about possible interference with the central bank, the judiciary and the data protection authorities in that state.
Previously, the Hungarian rules on retirement of judges ? which would have entailed a big reduction in the retirement age for current judges, followed by a later retirement age for their replacements ? were criticised by the Court of Justice, on the grounds that this would breach the EU?s framework equality Directive as regards age discrimination. The apparent intent to ?pack the courts? via this route was not discussed as such by the CJEU, although the Court?s judges were surely aware of it.
Moreover, the Commission had begun proceedings regarding the independence of the Hungarian central bank, and dropped them due to changes in Hungarian legislation. It had also threatened to bring separate proceedings relating to the independence of the judiciary generally, due to the risk that EU law cannot be properly applied unless judges are impartial. While that argument is sound in principle (whether it is true of Hungary is a separate question), ultimately the Commission decided that a non-judicial approach was better suited to dealing with such situations, and released its recent communication on the rule of law in the EU instead.
It seems as though the CJEU is also determined to follow a cautious path politically. Neither yesterday?s judgment nor the earlier judgment on judicial retirement makes any reference to the broader context. Furthermore, it hardly seems coincidental that yesterday?s judgment came after, not before, last weekend?s election, which saw the current government returned to power. A judgment like this one shows both the strengths and the weaknesses of EU law when fundamental questions like these are raised.
Barnard & Peers: chapter 9
- When Super-regulators Fight: The ?one-stop Shop? In The Proposed Data Protection Regulation
Steve Peers A guilty pleasure for fans of superhero comic books is the moment when our heroes pause in their valiant efforts to save the public from the nefarious plans of the supervillains ? and start beating the hell out of each other instead. This...
- The Domino Effect: How Many Eu Treaties Violate The Rights To Privacy And Data Protection?
Steve Peers Earlier this year, the Court of Justice of the European Union (CJEU) ruled in the Digital Rights judgment against the validity of the EU?s data retention directive, on the grounds that it provided for mass surveillance without any...
- Data Protection Rights And Administrative Proceedings
Steve Peers What rights do asylum-seekers have as regards data protection law? This issue was clarified in today?s CJEU judgment in YS and M and S, which could also have broader relevance for any case which involves access to documents in the context...
- Europe V Facebook: The Beginning Of The End For Nsa Spying On Eu Citizens?
Steve Peers Since the revelations about the extent of spying by the American National Security Agency (NSA) revealed by Edward Snowden, doubts have increased about the adequacy of the data protection regime in the United States, in particular as regards...
- Are National Data Retention Laws Within The Scope Of The Charter?
By Steve Peers Following the annulment of the EU?s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons...