Europe: National data protection authorities should be independent


Following a series of previous judgments, the Court of Justice of the European Union (CJEU) confirmed in the case of the Commission v Hungary (case C-288/12) the independence of national data protection authorities in the Member States. Data protection authorities must not be bound by instructions in the performance of their duties, and no political influence may impact or intervene with their decision making.

Until 31 December 2011, the authority competent for monitoring the application of national data protection legislation was the data protection supervisor, notably Mr András Jóri. The data protection supervisor had been appointed on 31 December 2011, for a term of office of six years (ending in September 2014). However, following an amendment of the Hungarian legislation, the post of the data protection supervisor was withdrawn and the latter was removed from office before expiration of the six year term. With effect from 1 January 2012, a new authority responsible for the supervision of data protection in Hungary – a supervisory board – was created with the establishment of the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), headed by Mr Attila Péterfalvi for a term of nine years.

Following this change of scenario, and with the belief that Hungary had infringed its obligations under the European Data Protection Directive 95/46, the European Commission brought an action against Hungary. In its judgment dated 8 April 2014, the CJEU emphasized that the data protection authorities established in accordance with Directive 95/46 must be able to operate in an independent manner, free from any external influence or pressure.

On the one hand, this implies that data protection authorities must not be bound by instructions in the performance of their duties, and on the other hand that no political influence may impact or intervene with their decision making. The CJEU concluded that it results from the above that the independence of data protection authorities is inextricably linked with the obligation for governments to allow the authorities to serve the full term of office, and that deviation from such obligation is only possible where there are overriding and objectively verifiable grounds for doing so. Hungary was found to have failed to meet its obligations under Directive 95/46.

The present ruling confirms similar, previous judgments of the CJEU, notably the ruling in Commission v Germany, where Germany was found to infringe the independence rule by providing too much parliamentary accountability for the local data protection authorities, and the ruling in Commission v Austria, where the latter was found to be in breach with the law because the local data protection authority was formally a part of the civil service.

A link to the judgment in Commission v Hungary can be found here:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising

Written by:


DLA Piper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.