Following a series of previous judgments, the Court of Justice of the European Union (CJEU) confirmed in the case of the Commission v Hungary (case C-288/12) the independence of national data protection authorities in the Member States. Data protection authorities must not be bound by instructions in the performance of their duties, and no political influence may impact or intervene with their decision making.
Until 31 December 2011, the authority competent for monitoring the application of national data protection legislation was the data protection supervisor, notably Mr András Jóri. The data protection supervisor had been appointed on 31 December 2011, for a term of office of six years (ending in September 2014). However, following an amendment of the Hungarian legislation, the post of the data protection supervisor was withdrawn and the latter was removed from office before expiration of the six year term. With effect from 1 January 2012, a new authority responsible for the supervision of data protection in Hungary – a supervisory board – was created with the establishment of the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), headed by Mr Attila Péterfalvi for a term of nine years.
Following this change of scenario, and with the belief that Hungary had infringed its obligations under the European Data Protection Directive 95/46, the European Commission brought an action against Hungary. In its judgment dated 8 April 2014, the CJEU emphasized that the data protection authorities established in accordance with Directive 95/46 must be able to operate in an independent manner, free from any external influence or pressure.
On the one hand, this implies that data protection authorities must not be bound by instructions in the performance of their duties, and on the other hand that no political influence may impact or intervene with their decision making. The CJEU concluded that it results from the above that the independence of data protection authorities is inextricably linked with the obligation for governments to allow the authorities to serve the full term of office, and that deviation from such obligation is only possible where there are overriding and objectively verifiable grounds for doing so. Hungary was found to have failed to meet its obligations under Directive 95/46.
The present ruling confirms similar, previous judgments of the CJEU, notably the ruling in Commission v Germany, where Germany was found to infringe the independence rule by providing too much parliamentary accountability for the local data protection authorities, and the ruling in Commission v Austria, where the latter was found to be in breach with the law because the local data protection authority was formally a part of the civil service.
A link to the judgment in Commission v Hungary can be found here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=150641&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=419567