This article is also available in:
Deutsch: Kommission verklagt Österreich wegen unzureichender Unabhängigkeit s...

Since a complaint was filed by the data protection association Arge Daten back in October 2003, the lack of adequate independence of the Austrian Data Protection Authority (DSK - Datenschutzkommission) has been on the European Commission's (EC) agenda.

Years later, in 2009, the Commission asked Austria, in a reasoned opinion under EU infringement procedures, to revise the way the authority is organised. However, as the Austrian authorities failed to comply with the reasoned opinion and the Commission has decided to refer Austria to the European Court of Justice (ECJ). This decision was officially published on 28 October 2010.

The Commission considers that provisions setting up the Austrian data protection authority do not conform to EU rules, which require Member States to establish a completely independent supervisory body to monitor the application of the 1995 Data Protection Directive (Directive 95/46/EC).

Although the Austrian data protection legislation (Datenschutzgesetz 2000) spells out that the authority exercises its functions independently and takes no instruction in its performance, the Commission considers that "complete independence," as required under EU data protection rules, is not guaranteed because:

- the authority remains under the supervision of the Federal Chancellery as integrated into the Chancellery in terms of organisation and staff: it controls neither its own staffing nor its equipment and it does not have its own budget;

- since its creation in 1980, the authority has been run by a senior official of the Chancellery as executive member ("geschäftsführendes Mitglied"), subject to the supervision of the Chancellery;

- the right of the Chancellor to be informed at all times by the chair and the executive member on all subjects concerning the daily management of the authority potentially hinders the members of the supervisory authority in the independent performance of their tasks.

The Commission's approach to the independence of data protection authorities reflects the case law of the European Court of Justice. In its ruling of 3 March 2010 (C-518/07), in which Germany was declared in breach of EU rules on the independence of the data protection supervisory authority, the Court confirmed that authorities responsible for the supervision of the processing of personal data must remain free from any external influence, including the direct or indirect influence of the state. According to the Court, the mere risk of political influence through state scrutiny is sufficient to hinder the independent performance of the supervisory authority's tasks.

Earlier this year, the European Fundamental Rights Agency (FRA) has also seriously criticised the status of Austria's data protection authority. The FRA study 'Data Protection in the European Union: the role of National Data Protection Authorities', published in May 2010, casted a damning light on the Austrian DSK. The study detected both a lack of independence from the government and a lack of financial resources and staff of the DSK. The Austrian DSK is not equipped with full powers of investigation and intervention. As a consequence, the supervisory body "cannot enforce its decisions in warning the data processor/controller as to its unlawful conduct" - a serious deficit which occurs only in three of the 27 EU Member States, i.e. Poland, Hungary and Austria.

No official statement has been published by the Austrian government since the EC announced it would refer Austria to the Court of Justice in this matter. It remains to be seen whether the Austrian government will stick to its former plans to close down the DSK. According to a draft law promoted in 2007 and reconditioned in 2010, which is aiming at changing various regulations of the Austrian Constitution, the government intends to assign some of the duties of the DSK to nine administrative courts of the "Länder" instead. By which organisation(s) the remaining duties of the DSK should be fulfilled, remains unclear till today. In its recently published bi-annual report of the years 2007-2009, the DSK criticised these plans and argued that only 10 % of its tasks were suitable to be carried out by administrative courts.

In light of its ruling of 3 March 2010, in which Germany was declared in breach of EU rules on the independence of the data protection supervisory authority, it is more than likely that the ECJ will come to a similar conclusion in the Austrian case. It's also more than likely that neither the EC nor the European Court of Justice will appreciate the further demolition of the Austrian data protection authority by closing down the existing insufficient body and scattering its competencies to regional administration.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/LexUriServ%%%/LexUriServ.do?uri=CELEX:31995L0...

Data Protection: Commission to refer Austria to Court for lack of independence of data protection authority: (28.10.2010)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1430&...

Publications Office Judgment of the Court (Grand Chamber) of 9 March 2010 - European Commission v Federal Republic of Germany (1.5.2010)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:113:00...

Data Protection in the European Union: the role of National Data Protection Authorities (Strengthening the fundamental rights architecture in the EU II) (7.5.2010)
http://fra.europa.eu/fraWebsite/research/publications/publications_per...

EDRi-gram 5.19 - The days of the Austrian DPA are numbered (10.8.2007)
http://www.edri.org/edrigram/number5.19/austrian-dpa

EDRi-gram 3.17 - EC: data protection inadequate in Austria and Germany (24.8.2005)
http://www.edri.org/edrigram/number3.17/DPA

Austrian Data Protection Act 2000 (only in German)
http://www.ris.bka.gv.at/Dokumente/Bundesnormen/NOR40113679/NOR4011367...

Datenschutzbericht 2009 - 1. Juli 2007 - 31. Dezember 2009, Österreichische Datenschutzkommission (only in German)
http://www.dsk.gv.at/DocView.axd?CobId=40344

(Contribution by Andreas Krisch, EDRi-member VIBE!AT, Austria)