At the beginning of July, the European Commission informed the Austrian and German Federal Governments about its intention to start legal proceedings before the European Court of Justice against Austria and Germanyaccording to Art. 226 EC Treaty, due to a breach of the EC Data Protection Directive.
The Commission argues that the private sector Data Protection Authorities (DPAs) of the German states ("Länder") and the Austrian DPA ("Datenschutzkommission") are part of the state administration or closely connected to it.
The "current organisation of the competent private sector DPAs" is "not compliant with Community law", the letter to the German Federal Government allegedly says. The "different forms of [supervision]" of the DPAs in the individual German states ("Länder") is considered to lack the independent status that is required by Art. 28 para. 1 EC Data Protection Directive.This letter allegedly requests a "complete independence in exercising the functions entrusted to them".
According to the "Tagesspiegel",the Commission takes the view that none of the 16 German states fulfill the independence test. Independence is regarded as being especially problematic in states like Saarland, Baden-Württemberg and Brandenburg, where the DPA is incorporated in the reporting mechanisms of a ministry.
For Austria the arguments are similar. An official of the Austrian government has a seat in the management board of the Austrian DPA. Although the official is not subject to directions of the government, this set-up is considered as lacking an adequate independence.
The Commission’s position might have been influenced by German national proceedings on the retention of IP addresses. A private user had been prosecuted in 2002 for an article on the 9/11 terror incidents. The user had been identified by his IP address that his Access Provider revealed to the prosecutor.
The user claimed that the retention of his usage information and IP address by the Access Provider was illegal. In his view the Access Provider’s practice of storing personal data on his use, being a flat rate user, for 80 days, was breaching German data protection law. He filed a complaint with the DPA for Hessen, the Regierungspräsidium Darmstadt.
The Regierungspräsidium Darmstadt took the position that the data retention was lawful because the user could – despite the flat rate – also initiate calls by modem with costs depending on the time of the connection. Therefore billing purposes required the storage. The Lower Court of Darmstadt (Ref: 300 C 397/04), however, took the opposite view. According to the court’s assessment the retention of data was not relevant, not least because other access providers were not storing such data. For this reason the court regarded the retention as unlawful.
The DPA’s assessment was highly criticised. For example, the DPA of the state Schleswig-Holstein and the Federal Data Protection Commissioner rejected this view. The proceedings questioned the DPA’s independence: on the one hand the DPA shall protect the data subject’s privacy interests, at the same time it is part of a public administration that has a high interest in keeping communication data as long as possible for state security and anti-terror purposes. This case may have finally led to the proceedings now initiated by the Commission.
The work of the Austrian DPA has been criticised for some time-based on inefficient work, with proceedings for complaints taking 10 months. The Austrian Bundeskanzleramt has been trying to strengthen the DPA’s independence by amending structures. Apparently, these steps have not been sufficient for the Commission.
The Austrian and German Governments had until the beginning of September 2005 to reply to the letters and give their opinion on the allegations. So far no details on the reply have been published. If the European Commission regards the reply as not being sufficient the Commission may file proceedings at the European Court of Justice (ECJ). If the ECJ finds that Austria and/or Germany is/are infringing the Directive it can impose a fine on them.
Germany's state governments should take the letter as a starting point to assess the independence of their DPAs and eventually introduce legislation to make the state DPAs (more) independent. Although the European Commission is obviously referring to the private sector only, it will be interesting to follow its impact on the public sector. In Germany, the German Federal Commissioner is the supervisory authority – under the legal control of the Federal Government.