Close

Institutional aspects of the Wirtschaftsakademie case: focus on the independence of data protection supervision

BY Charlotte Ducuing - 16 August 2018

This blogpost discusses institutional aspects of the Wirtschaftsakademie case (C-210/16), namely the clarification by the CJEU of the principle of independence of data protection supervision. The facts of the Wirtschaftsakademie case are summarized in another blogpost, which also discusses the (joint) responsibility of Wirtschaftsakademie for the processing of personal data taking place on a Facebook fan page.

Fostering the independence of DPAs

The German referring Court substantially asked the CJEU whether, in a situation of joint controllership where controllers are not established in the territory of the same Member State, the data protection authorities (“DPAs”, also called supervisory authorities) are respectively bound to call on the other DPA to exercise its powers as part of their cooperation obligations, as a prerequisite to the enactment of an order to one of the controllers. The CJEU ruled that the data protection directive(article 28.6) does not contain such obligation falling onto the national DPA when the national law of its Member State is applicable. This conclusion was derived by the CJEU from the principle of independence of the DPA, as enshrined in article 28.1 of the Directive but also in primary law (article 8.3 of the Charter of Fundamental Rights and article 16.2 TFEU). On this issue the meaning of the judgement could have been limited to the case brought to the CJEU, given the recent entry into force of the GDPR that overhauls the data protection directive (95/46) and especially the enforcement by DPAs. However the reference to primary law grants the judgement further-reaching meaning. Well, then what does it mean?

While many independent administrative authorities have been created by EU law, the DPAs constitute an exception in two respects: (1) they are active in enforcing fundamental rights while the others are mostly active in market regulation and (2) their independence is guaranteed by EU primary law since the adoption of the Lisbon Treaty. The CJEU has clarified this notion to which it has undoubtedly attributed a broad interpretation. The Wirtschaftsakademie case is in that sense the latest building block.

Confirmation of complete independence as primary law requirement

The independence of the DPA is a cornerstone of data protection. While both the directive (article 28.1) and the GDPR (article 52.1) provide for the principle of “complete independence”, primary law merely provides for “independence” without clarifying the extent of that principle. The CJEU firstly referred to “complete independence” as deriving also from primary law in the Schrems case which was confirmed in the Wirtschafstakademie case. This implies that not only national law and the DPA practice but also EU secondary legislation – and especially the GDPR – shall comply with this high standard of “complete independence” of the DPAs.

DPAs shall act independently… from independent DPAs?

Among the different aspects of the principle of independence, the CJEU has notably clarified whom DPAs shall be and act independent(ly) from. Three types of actors have been identified: (1) market players or more generally private actors and (2) national States, on an horizontal level, such requirement being rather common (see e.g. in electronic communications law). The CJEU also found that DPAs shall be independent, on a vertical level, from (3) EU institutions and especially from the European Commission (Schrems case as summarized here). This is more unusual, when compared for instance to the cooperation mechanism between competition law authorities (as provided for by Regulation 1/2003 and Commission notice 2004/C 101/03). The Court now takes it to the next level by applying the independence requirement of the DPA in relation to another DPAwhen cooperating to apply data protection law, without any consideration for the actual independence of the other DPA. Furthermore, the formulation of the Court is so broad as to include other (any?) possible entities from which the DPAs shall be independent.

Where does it take us?

The combination of both clarifications notably result in that independence of the DPAs shall be understood as extending to the other DPAs. Such independence shall be “complete” which derives directly from primary law. As a result the principle of complete independence of a DPA vis-à-vis the other DPAs shall apply to secondary law. It is however not clear how far such independence shall now extend in the context of the new and complex cooperation mechanisms enshrined in the GDPR between DPAs. While each national DPA is competent to supervise the application of the GDPR “on the territory of its own Member State” (article 55), the ability of a DPA to act autonomously from any external influence is limited in the context of “cross-border processing” of personal data by the statutory requirements to cooperate amongst concerned DPAs in order to achieve a “consensus” (article 60). Besides, this cooperation is subject to dispute-resolution mechanism between DPAs by the newly created European Data Protection Board (EDPB) as body of the EU and comprised of representatives from DPAs from all Member States. Additionally – and not limited to the circumstances of the monitoring of cross-border processing – the EDPB is also competent to issue soft law to try and ensure “the consistent application” of the GDPR (article 70) which inevitably comes as another limitation of the autonomy of the national DPAs.

Whether the cooperation mechanisms set up by the GDPR are at all compliant with the strong requirement of complete independence of the DPAs is an open question which calls for further consideration. Notably, one may wonder whether the national DPAs are still to be looked at as the relevant body subject to the principle of independence (on the basis of their statutory competence to supervise compliance with the GDPR on the territory of their respective Member State) or whether the cooperation mechanism set up by the GDPR and especially the establishment of the EDPB as new body shall be interpreted as partly moving the focus to the EDPB as relevant body in this regard. Indeed primary law does not as such provide for the requirement for national bodies to supervise data protection law independently. The EU law-maker seems to abide by the second option as it reiterated in the GDPR the independence requirement as applying also to the newly created EDPB (article 69). In this regard, the case law of the CJEU shall be recalled as it guides the interpretation. The Court indeed ruled that the independence of the DPAs is not an end in itself and that it shall be given purposive interpretation, namely it shall serve “effectiveness and reliability of the supervision of compliance” (Commission vs. Germany). In that sense, the “Europeanisation” of data protection enforcement brought about by the GDPR may not as such violate the principle of independence. However, the complexity of the cooperation mechanisms and of the assignment of competences to the respective bodies and the administrative heaviness that it brings as designed in the text may be.

This article gives the views of the author(s), and does not represent the position of CiTiP, nor of the University of Leuven.
ABOUT THE AUTHOR — Charlotte Ducuing

Charlotte joined CiTiP in November 2017 as legal researcher. She carries out research mainly on the legal challenges posed to transportation by new technologies. The scope of her research covers EU law relating to economic and more specifically transport law and liability law as well as to data protection, cybersecurity and electronic contract law.

View all posts by Charlotte Ducuing

Comments

blog comments powered by Disqus