On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC. The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.
The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies. There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).
Read more on Lexology. From Hunton & Williams LLP.
Photo credit: Cedric Puisney, Flickr, used under Creative Commons license