In the latest of a series of actions meant to bolster the E.U.-wide,1995 Data Protection Directive, the European Commission announced on Thursday that it is taking Austria to court for failing to establish a completely independent data protection authority.
The news comes as the Commission reviews the directive, the cornerstone of legal data protection in the E.U.
In June, the Commission went to court against Luxembourg for failing to transpose the Data Retention Directive. And in March, Germany was declared in breach of E.U. rules on the independence of the data protection authority by the European Court of Justice. The ruling in that case stated that those bodies responsible for supervising personal data processing must remain free from any external influence, including the direct or indirect influence of the state. Even the risk of political influence through state scrutiny could hinder this independence, the court said.
In the current Austrian situation, the Commission believes that independence is not guaranteed because the authority is under the supervision of the Federal Chancellery, is run by a senior Chancellery official and does not control its own staff nor have its own budget.
With the directive currently under review, the move to take Austria to court sends a clear signal that the Commission wants to see the rules applied properly across all E.U. countries. A criticism leveled at the directive by the Commission’s own Article 29 Working Party (WP29) in July was that the directive is not applied in a homogenous manner by all member states.
In a recent Commission Communication, it conceded that further harmonization and approximation of data protection rules need to be provided at E.U. level. Following reactions to this Communication there will be an impact assessment and legislative proposals presented in 2011.