The European Court of Justice (ECJ) recently ruled(1) that the Austrian Data Protection Authority (DPA) is not a sufficiently independent regulatory body and therefore is not in line with the respective requirements of the EU Data Protection Directive (95/46/EC).
In particular, the ECJ took offence at the fact that the day-to-day business of the DPA is managed by a federal official, a position that has always been filled by officials from the Federal Chancellery. The ECJ stated that the service-related link between the federal officials and the chancellery allowed the activities of the former to be supervised by the latter. The ECJ held that this could lead to a form of "prior compliance" on the part of the federal officials and could prevent the DPA from being completely independent (as defined by Article 28(1)(2) of the directive) and above all suspicion of partiality.
Therefore, although Austrian legislation provides for the members of the DPA to be "independent and not bound by instructions of any kind in the performance of their duties" (as stated in Paragraph 37(1) of the Data Protection Act), the ECJ nevertheless stated that such functional independence is not by itself sufficient to protect the DPA from all external influences. The ECJ also referred to its judgment of March 9 2010 in Commission v Germany,(2) holding that in the view of the court, a mere risk of external influence is sufficient to conclude that a national data protection authority is not acting with sufficient independence.
The head of the DPA, Ms Souhrada-Kirchmayer, responded to the ECJ judgment by claiming that no influence had ever been executed on the part of the Federal Chancellery, but that the ruling will nevertheless be executed by outsourcing the DPA from existing ministerial structures. Independent of the ECJ decision, preliminary plans had already been made to suspend the DPA in its current form, as in 2014 new administrative courts will be established in Austria. According to Souhrada, plans to establish a new data protection authority have already been made in line with this administrative restructuring.
In addition to the above, data protection laws in Austria are currently undergoing revision. The revised law will make it possible for companies to appoint an official data protection officer and the position of data protection officer will be acknowledged by the DPA for the first time. Companies were able to appoint data protection officers in the past, but such an appointment had no legal consequences.
According to the draft law, companies that choose to appoint a data protection officer will henceforth be privileged and will no longer need to register all of their personal data processing with the DPA (as is currently the case). Although the law is still in draft form, it seems likely to enter into force this year.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.