In 2010, the Court of Justice of the European Union (CJEU) delivered a landmark judgment concerning the requirements of the ‘complete independence’ of national data protection supervisory authorities (Commission v. Germany, C-518/07). Two and a half years later, the Court has taken a far more moderate view when assessing the level of independence of the Austrian Data Protection Commission (Commission v. Austria, C-614/10). For the author, who had criticized the previous judgment, the more recent one is a major step forward – towards a fair balance to be struck between the necessary independence of these authorities and the likewise necessary coherence of general State organization, State responsibility and State budget. The more recent judgment is also more in line with a) the wording of Article 8(3) of the EU Charter of Fundamental Rights, b) the level of independence enjoyed by the European Data Protection Supervisor (EDPS), the French Commission nationale de l’informatique et des libertés (CNIL) and the National Human Rights Institutions (NHRI) under the ‘Paris Principles’, and c) the previous case law (Commission v. ECB).
Nevertheless, even this more moderate level of independence required for data protection authorities seems to exceed the one deemed sufficient for the judiciary. This is highly problematic given the fact that the judiciary is not just a branch of State organization completely separated from data protection authorities but, on the contrary, is called upon to legally review the decisions of data protection authorities.
So also Commission v. Austria will, most probably, not yet be the end of the story – the more so, because the arguments raised in both judgments in favour of ‘complete independence’ are not intrinsically linked to the issue of data protection, but are likewise applicable to all kinds of regulatory bodies or institutions with a specific remit to secure fundamental rights, and, thus, in principle with horizontal relevance.