Author: Stephanie Schiedermair
1. The Board shall act independently when performing its tasks or exercising its powers pursuant to Arts. 70 and 71.
2. Without prejudice to requests by the Commission referred to in point (b) of Art. 70 para. 1 and in Art. 70 para. 2, the Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.
I. Introduction
Like the national data protection authorities, the EDPB is also independent and is not bound by instructions in performing its activities, including its reporting.[1] The independence of national and European data protection authorities is one of the cornerstones of European data protection law, as is also underscored by the emphasis placed on this characteristic in European primary law (Art. 8 para. 3 EU CFR and Art. 16 para. 2 sub-para. 1 sentence 2 TFEU).[2] Although the independence of the SAs is considered a relatively unchallenged characteristic of European data protection law, it has also been met with criticism from a democratic perspective.[3]
II. Case law
In the CJEU’s judgement of 9 October 2010, which looked at the lack of independence of German SAs outside the public sector, the CJEU did, however, make it clear that the independence of the SAs responsible for data protection was a key element of the DPD and that it was imperative to establish the same high level of data protection in all Member States.[4] It emphasised that the independence of the SAs did not run counter to the EU’s enshrined principle of democracy either.[5] As a result, it stated that the Member States were free to have the management of the SAs appointed by the parliament or the government, to have the legislator define the powers of those authorities or to impose an obligation on the SAs to report their activities to the parliament.[6] On independence of SAs, the CJEU has further stressed that these authorities must be completely independent, remain uninfluenced[7] and choose their own workforce[8] which must serve the ‘full term of office’.[9] Broadly speaking, the GDPR, influenced by the CJEU’s case law, gives the SAs an even stronger position than the Directive does, further reinforcing the independence of the authorities in comparison. Its strong, independent data protection authorities also differentiate European data protection law from the data protection system in the US.[10]
III. Analysis
The activities of the SAs nevertheless remain justiciable – in line with the rule of law that applies as a general legal principle in the Member States of the EU and to the EU itself.[11] As a result, Art. 78 GDPR requires the Member States to provide effective judicial remedies to assess measures taken by their SAs.[12] Making the SAs independent is designed, in terms of intention and purpose, to ensure data protection supervision that is as effective as practicable. As far as the authorities of the Member States are concerned, this objective is not to be countered by efforts of Member States to put relatively ineffective data protection supervision structures in place in order to potentially give companies operating in that Member State an advantage owing to their location.[13]
Art. 52 para. 2 GDPR defines the independence of the members of the SAs as meaning that they are free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody. This applies in general vis-à-vis all official authorities.[14] The fact that the Comm can seek advice from the Board in all matters relating to the protection of personal data and can set the Board a deadline by which to make a statement in urgent matters within this context does not change the substantive independence of the Board. The Board is, however, obliged to comply with requests made by the Comm. This means that the Comm has certain ‘agenda setting’ powers as far as the Board is concerned. However, the Board has discretion to decide in what form to respond to the Comm’s requests and to define the content of these responses, except for the deadline set in urgent matters, meaning that the Comm’s influence would again appear to be limited.[15]
As a result, the relationship between the Comm and the Board will also depend on how, and to what extent, the Comm makes use of its opportunity to influence the topics addressed by the Board and how the Board will react to this. With its first report in 2020, the Comm “invites” the EDPB to release more guidelines regarding the scope and interpretation of the GDPR and to intensify the effort on the cooperation with and between national SAs.[16]
[…]
[1]Cf. recital 139 GDPR.
[2]In this respect, see also Albrecht/Jotzo, Das neue Datenschutzrecht der EU, p. 114.
[3]For a fundamentally critical view of the independence of the data protection authorities that speaks out in favour of closer links between the parliament and these authorities, see Masing, NJW 2012, 2305 (p. 2311).
[4]See CJEU, Case C–518/07 European Commission v Federal Republic of Germany [2010] OJ C113/3, para. 50.
[5]Ibid, para. 41 et seq.
[6]Ibid, para. 44 et seq.
[7]Ibid, para 25.
[8]CJEU, Case C–614/10 European Commission v Republic of Austria (Grand Chamber, 16 October 2012), para. 59.
[9]CJEU, Case C–288/12 European Commission v Hungary [2014] OJ C175/6, para. 50.
[10] In this respect, cf. Schiedermair, ‘Data Protection – is there a bridge across the Atlantic?’ in Dörr/Weaver (eds), The Right to Privacy in the Light of Media Convergence, Perspectives from three Continents (2012), p. 357 (pp. 365 et seq). For information on data protection conflicts between the US and the EU and possible solutions, see Baumann, Datenschutzkonflikte zwischen der EU und den USA (2016), pp. 203 et seq.
[11]This is also emphasised in recital 118 GDPR.
[12]For more details, cf. → Art. 78.
[13]See also Albrecht/Jotzo, Das neue Datenschutzrecht der EU, p. 114.
[14]Cf. the fundamental judgment of the CJEU, Case C–518/07 European Commission v Federal Republic of Germany [2010] OJ C113/3, para. 16 (30).
[15]See also BeckOK DatenSR/Brink/Wilhelm, Vol 33, DSGVO, Art. 69 paras. 17-19; differing view, Paal/Pauly, Vol. 2, Art. 69 para. 3, who assume that the Comm can “determine the topics to be addressed by the EDPB to a large extent”.
[16]See Communication from the Commission to the European Parliament and the Council on Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation, dated 24 June 2020, COM (2020) 264 final, pp. 19 et seq., https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0264&from=EN (1 October 2020).