Language of document : ECLI:EU:C:2009:694

OPINION OF ADVOCATE GENERAL

MAZÁK

delivered on 22 October 2009 1(1)

Case C‑518/07

Commission of the European Communities

v

Federal Republic of Germany

(Protection of individuals with regard to the processing of personal data – State supervision of national supervisory authorities – Exercise of functions with complete independence)





1.        By its action, (2) the Commission of the European Communities is asking the Court to declare that, by making the authorities responsible for monitoring the application of the provisions transposing Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (3) (‘the data protection supervisory authorities’) subject, under the law of the Länder, to oversight by the State (‘State oversight’) so far as the supervising of entities outside the public sector is concerned, the Federal Republic of Germany has failed to fulfil its obligation under the second subparagraph of Article 28(1) of Directive 95/46 to ensure the complete independence of those authorities.

2.        Under Directive 95/46, Member States, while allowing the free movement of personal data, are to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of such data. In other words, Directive 95/46 seeks, on the one hand, to establish a balance between the free movement of personal data, which is one of the essential aspects of the functioning of the internal market, and, on the other hand, to protect the fundamental rights and freedoms of individuals.

3.        National authorities responsible for monitoring compliance with national provisions implementing Directive 95/46 also contribute to achieving the abovementioned objective. Recital 62 in the preamble to Directive 95/46 states that the establishment in Member States of supervisory authorities, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of personal data. For that reason, Article 28(1) of Directive 95/46 states that:

‘Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.

These authorities shall act with complete independence in exercising the functions entrusted to them.’ (4)

4.        The present action arises from a difference of views between the Commission, supported by the European Data Protection Supervisor, and the Federal Republic of Germany over the interpretation of the term ‘with complete independence’, which appears in Article 28(1) of Directive 95/46 and relates to the exercise of the functions of the data protection supervisory authorities.

5.        The Commission’s application is based on two hypotheses. The first hypothesis is that Article 28(1) of Directive 95/46 requires Member States to ensure that their data protection supervisory authorities are ‘completely independent’. In its reply, the Commission stated that the requirement was not one of institutional and organisational independence but complete functional independence, which means that in carrying out their tasks the data protection supervisory authorities should be free from all outside influence.

6.        The second hypothesis is that oversight by a Member State of its data protection supervisory authorities in respect of entities outside the public sector, the existence of which is not denied by the Federal Republic of Germany, which, moreover, provided clarification with regard to the Commission’s explanations of the different types of such oversight, (5) is likely to affect those authorities’ complete independence, within the Commission’s meaning of the term.

7.        The Federal Republic of Germany’s defence rests on a different reading of the term ‘with complete independence’ in connection with the exercise of the functions of the data protection supervisory authorities. It considers that that term concerns the functional independence of those authorities, meaning their institutional independence in respect of organisational matters solely in relation to the entities that are being supervised. In its rejoinder it adds that State oversight is not subject to any outside influence, since the overseeing authorities are not external services but bodies responsible for supervision within the administration.

8.        Although it is possible to conceive of a conflict between two concepts of the exercise of executive power within the State (6) in relation to the substance of the present action, I shall attempt to propose a solution based, first, on clarification of the meaning of the words ‘act with complete independence in exercising the functions entrusted to them’ and, secondly, on an assessment of whether the data protection supervisory authorities coming under such State oversight, as described by the Commission, are in fact able to act with complete independence in exercising their functions.

 Complete independence in exercising functions, within the meaning of Article 28(1) of Directive 95/46

9.        It will be observed, on the basis of an examination of Community legislation and the case-law of the Court, that the term ‘independence’ is frequently used, not only in relation to the public authorities but also in relation to particular groups of persons who are required to act with independence in exercising their functions within the social system or subsystem.

10.      I can give as an example Article 19(4) of Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93, (7) which requires market surveillance authorities to carry out their duties with complete independence, or Article 16(1) of Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights, (8) which requires that Agency to fulfil its tasks with complete independence, or again Article 3(2) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services, (9) which requires Member States to guarantee the independence of national regulatory authorities.

11.      The term ‘independence’ also appears in the context of ‘soft’ law. Article 8(1) of the European Code of Good Administrative Behaviour, approved by the European Parliament on 6 September 2001, (10) for example, states that the official is to be impartial and independent.

12.      Similarly, the Court has had occasion to consider independence in relation to the European Central Bank, (11) to members of the European Parliament, (12) and also to lawyers. (13)

13.      Despite frequent use of the term ‘independence’, it is not easy to determine the meaning of that term. Given that independence is traditionally linked to the judiciary, some evidence exists in relation to judicial independence. The European Data Protection Supervisor also suggested in his statement in intervention that the criteria for assessing whether a body is to be regarded as being independent should be derived from the case-law of the Court concerning the independence of the courts. (14)

14.      In my view, those criteria cannot be used in the present case, since the Court when it laid them down defined the judiciary in relation to the other branches of the State. In the present case, we are concerned with the supervisory authorities and there is no denying that those authorities are administrative structures and, by dint of this, that they belong in the sphere of the executive. Therefore, the requirement that they should act with complete independence in exercising their functions must be defined only in the context of the executive and not in relation to the other branches of the State.

15.      In that regard, it should be noted that Article 28(1) of Directive 95/46 does not require the Member States to establish authorities which are separate from the administrative system with its hierarchical structure. It should be added, however, that there is nothing to prevent them from so doing. Given that Article 28(1) of Directive 95/46 requires Member States to ensure that the functions of the supervisory authorities are exercised with complete independence, and not to ensure that those authorities are themselves independent, it allows them some discretion in deciding how they will comply with that requirement.

16.      It should also be borne in mind that the term ‘independence’ is a relative term, since it is necessary to specify in relation to whom or what and at what level such independence must exist.

17.      At first sight one might think that such relativity is removed by the addition of the words ‘with complete’ to the term ‘independence’. I consider, however, that it would be wrong to draw that conclusion. If one were to accept it as being correct it would mean that Article 28(1) of Directive 95/46, by providing that the data protection supervisory authorities must act with complete independence in exercising their functions, calls for independence in all its possible forms, that is to say, institutional, organisational, budgetary, financial, functional and personal independence and independence in decision-making.

18.      I am of the view that such a reading of Article 28(1) of Directive 95/46 cannot be accepted and, therefore, despite the words ‘with complete independence’, the independence required remains relative and requires to be defined.

19.      In the process of adopting such a definition, which involves at the same time a process of establishing the meaning of the requirement that the authorities must act ‘with complete independence in exercising [their] functions’, it is necessary, in my view, to take as a basis the purpose for which the data protection supervisory authorities were established.

20.      It should be observed in that connection that that purpose is closely related to the main purpose of Directive 95/46 itself. Consequently, those supervisory authorities are one of the means by which the objectives of Directive 95/46 can be achieved. It follows that independence in the context of those supervisory authorities exercising their functions must be such that it enables them to contribute towards establishing the balance between the free movement of personal data, on the one hand, and protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, on the other hand.

21.      The degree of independence that the data protection supervisory authorities should enjoy in order to exercise their functions effectively depends on the purpose of the existence of those supervisory authorities, interpreted in that way.

22.      As regards the question from whom the data protection supervisory authorities must be independent in order to be able to exercise their functions effectively, I do not share the Federal Republic of Germany’s view that it is only independence in relation to the entities being supervised.

23.      I consider that the data protection supervisory authorities should also be independent in relation to other parts of the executive, of which they form an integral part, and to a degree that ensures that their functions are exercised effectively.

24.      It appears difficult and, in the circumstances of this case, of little use to specify all the factors that are necessary in order that the public authorities act with complete independence in exercising their functions. In taking a decision with regard to the action brought by the Commission it would be better to adopt a negative approach.

25.      The question therefore arises whether the existence of State oversight is compatible with the requisite degree of independence of the data protection supervisory authorities in the exercise of their functions.

 Compatibility of State oversight with the requirement that the data protection supervisory authorities must act with complete independence in exercising their functions

26.      Both the Commission and the Federal Republic of Germany accept that the wording of the second subparagraph of Article 28(1) of Directive 95/46 is the result of a compromise. Both parties maintain, however, that that wording corroborates their arguments concerning the scope of the requirement that the data protection supervisory authorities must act with complete independence in exercising their functions.

27.      With regard to the Federal Republic of Germany’s argument that during the discussions that preceded the adoption of Directive 95/46 (15) the applicant’s representative confirmed the Federal Republic of Germany’s reading of Article 28(1) of Directive 95/46, it is sufficient to draw attention to Case 278/84 Germany v Commission, (16) in which the Court held that it is not possible to interpret a provision of a Community regulation of general scope on the basis of negotiations between a Member State and one of the Community institutions. That is all the more reason, therefore, for an exchange between one of the Member States and the representative of a Community institution which drafted a proposal for a Community act not to serve as a basis on which to interpret a provision of Community law.

28.      In the present case, the body in question is not independent from an institutional point of view and is therefore part of a particular system, namely, the executive. In such a case there would appear to be genuine tension between, on the one hand, the independence of the body and, on the other hand, its duties. In my view, oversight might offer one of the solutions in such a situation.

29.      Independence should not be confused with the lack of opportunity for supervision. In my view, State oversight is one of the ways in which monitoring may be carried out.

30.      In order to answer the question whether State oversight is compatible with the requirement that the data protection supervisory authorities must act with complete independence in the exercise of their functions, it is important to take into consideration the purpose of such oversight. It is apparent from the description of the oversight given by the Commission that such oversight is designed to establish whether the monitoring carried out by the data protection supervisory authorities is rational, lawful and proportionate. From that point of view, it seems to me that State oversight contributes to the functioning of the system of monitoring the application of the provisions adopted pursuant to Directive 95/46. If it were to emerge that the data protection supervisory authorities do not act in a rational, lawful and proportionate manner, protection of the rights of individuals and, consequently, achievement of the objective of Directive 95/46 would be jeopardised.

31.      It should be observed that there is no evidence in the documents before the Court to suggest that achievement of the objective of oversight might be affected. Moreover, there is nothing to indicate that oversight is exercised in a way that might hinder the data protection supervisory authorities in exercising their functions with complete independence. The Commission cannot merely make assertions that this is so; it is up to it to establish that oversight does have such effects.

32.      The Commission has failed to prove the negative consequences of the oversight as regards the exercise by the data protection supervisory authorities of their functions with complete independence. According to the Commission, the existence of State oversight is sufficient evidence that the data protection supervisory authorities do not act with complete independence in exercising their functions. It is apparent from this that the Commission only presumes that supervision hinders the data protection supervisory authorities in exercising their functions with complete independence.

33.      According to the case-law of the Court, in an action for failure to fulfil obligations brought under Article 226 EC it is for the Commission to prove that the obligation has not been fulfilled without being able to rely on any presumption. (17)

34.      I am of the opinion that the Commission has not satisfied the burden of proof imposed on it. It has not proved either the failure of the system of oversight nor the existence of a consistent practice on the part of the overseeing authorities of abusing their powers and thus hindering the data protection supervisory authorities in the exercise of their functions with complete independence.

35.      Consequently, the mere fact that supervisory authorities such as those in this case are under State oversight cannot give rise to the conclusion that those authorities are not acting with complete independence in exercising their functions pursuant to Article 28(1) of Directive 95/46.

36.      The Commission has failed to establish that oversight of the data protection supervisory authorities prevents those authorities from acting with complete independence in exercising their functions. For that reason, its action must be dismissed.

 Costs

37.      Under the first subparagraph of Article 69(2) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Since the Federal Republic of Germany has applied for costs to be awarded against the Commission and the latter has been unsuccessful, I am of the view that the Commission must be ordered to pay the costs.

 Conclusion

38.      In the light of the foregoing, I propose that the Court should:

1)         (1)      dismiss the action;

2)         (2)      order the Commission of the European Communities to pay the costs;

3)         (3)      order the European Data Protection Supervisor to pay his own costs.

1 – Original language: French.

2 – So far as the pre-litigation phase of the proceedings is concerned, suffice it to say that it was conducted in accordance with Article 226 EC and no argument was put before the Court casting doubt on the lawfulness of that phase of the proceedings.

3 – OJ 1995 L 281, p. 31.

4 –      Other acts of Community law also provide for the existence of such authorities. For example, Article 41 of Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ 2008 L 218, p. 60) and Article 9 of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, p. 54).

5 – The Commission explained that in the Länder of Bremen and Hamburg, express provision is made only for the oversight of service-related aspects. The Federal Republic of Germany stated that the national data protection supervisory authorities for entities outside the public sector in all the German Länder, that is to say, in the Länder of Bremen and Hamburg as well, are subject to oversight not only as regards service-related aspects, but also as regards issues of legality.

6 – On the one hand, the so-called ‘classic’ or ‘traditional’ concept based on the exercise of executive power by the administration through its hierarchical structure and, on the other hand, the concept based on decentralisation of the administration resulting in the creation of independent administrative authorities.

7 – OJ 2008 L 218, p. 30.

8 – OJ 2007 L 53, p. 1.

9 – OJ 2002 L 108, p. 33.

10 – The European Code of Good Administrative Behaviour is available at: http://www.ombudsman.europa.eu/resources/code.faces.

11 – See Case C‑11/00 Commission v ECB [2003] ECR I‑7147.

12 – See Case C‑167/02 Rothley and Others v Parliament [2004] ECR I‑3149.

13 – See Case C‑305/05 Ordre des barreaux francophones et germanophone and Others [2007] ECR I‑5305.

14 – In Case C‑54/96 Dorsch Consult [1997] ECR I‑4961, paragraph 35, and Case C‑53/03 Syfait and Others [2005] ECR I‑4609, paragraph 31.

15 – More specifically, the preliminary discussions for the meeting of the ‘Economic Questions (Data Protection)’ working party of September 1994.

16 – [1987] ECR 1, paragraph 18.

17– See Case C‑183/05 Commission v Ireland [2007] ECR I‑137, paragraph 39 and the case-law cited.