The European Commission has acted today to ensure that the EU rules on the protection of personal data are respected in Germany. The Commission has formally requested Germany to comply with a judgment on 9 March 2010 by the EU’s Court of Justice (C-518/07). The Court had ruled that Germany had failed to correctly transpose the requirement that data protection supervisory authorities had to act in “complete independence”. In its letter of formal notice, the Commission has now asked Germany to comply with the Court judgement and complete the implementation of the Directive. The Commission may ask the Court to impose a lump sum or penalty payment if Germany fails to comply within two months.
Under the 1995 EU Data Protection Directive (Directive 95/46/EC), Member States are obliged to set up one or more public authorities in charge of monitoring the application of the Directive. These authorities must act with complete independence.
The organisation of the supervision of personal data processing by non-public bodies in the 16 German Länder varies. It is assigned either to the data protection commissioner of the respective Land or general Land government organisations. They have one thing in common: they are expressly subject to State scrutiny.
The Court held that such State scrutiny is not consistent with the requirements of independence within the meaning of the EU Data Protection Directive. The Court confirmed that the authorities responsible for supervising the processing of personal data must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes not only any influence exercised by the supervised bodies, but also any other external influence, whether direct or indirect, which could call into question the authority’s task of establishing a fair balance between the right to private life and the free movement of personal data.
No legal measures implementing the judgment have been adopted in 15 out of 16 federal Länder. Thus the judgment of the Court has not yet been fully implemented.
Background
The 1995 Data Protection Directive (95/46/EC) regulates the processing of personal data within the EU. It aims to protect people’s fundamental rights and freedoms – in particular the right to data protection – as well as ensuring the free flow of data within the Single Market. The Directive sets out conditions for processing data, including the need to inform individuals and gain their consent, have legitimate reasons for processing data and only use data for the purposes for which it was collected. It also requires Member States to set up an independent supervisory body to monitor data protection levels in the country.
The Data Protection Directive applies to all personal data processing activities in Member States in both the public and the private sectors. However, it does not apply to the processing of personal data to the areas of police and judicial cooperation in criminal matters.
For more information
Justice and Home Affairs Newsroom: http://ec.europa.eu/justice_home/news/intro/news_intro_en.htm
Homepage of Viviane Reding, Vice President and Commissioner for Justice, Fundamental Rights and Citizenship: http://ec.europa.eu/commission_2010-2014/reding/index_en.htm
Source: European Commission