The legal status of public authorities on personal data protection: the EU experience
Ukraine’s ratification of the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” has meant the implementation of a number of new laws, including the law “On Personal Data Protection”, as well as other regulations. The subsequent implementation has been far from entirely successful. Implementation has caused concern amongst legal experts. Critics have highlighted that the legislation fails to guarantee the protection of information concerning private individuals, and to provide a clear definition of important concepts such as “personal data” or “database of personal data”, resulting in problems in the law’s application. It also fails to separate the various forms of personal information that the agency accumulates and increases the risk that more sensitive data is improperly protected or used (for example data on health, property status, religious beliefs, tax number, biometric data, etc.). Current legislation also fails to provide for an independent government agency that inspects the use of personal data.
The question of an independent state agency for the protection of personal data has been ignored. This is not the case in the rest of Europe. There is much that Ukraine can learn from the way that other European states have attempted to protect the private information of citizens. The experience of the member states of the European Union (EU) is particularly interesting, not least their experience with creating independent agencies to protect data.
Many member states of the EU struggle with protecting the personal data of their citizens. The member states have put a lot of resources into solving issues concerned with data protection. The right to protection of personal data is part of the basic premises of the entire EU project and is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union (one of the two treaties that make up what is popularly known as the Lisbon Treaty). The EU has been given jurisdiction over ensuring the protection of personal data.
Within the EU the protection of data concerning individuals is regulated by a directive from 1995 (Directive 95/46 of 24 October 1995). Directives are devised in Brussels and are directly applicable in each member state from the time they come into force. Domestic laws that are written in order to apply the directive in each member state must be equivalent to the directive and to each other. Domestic laws that do not follow the directive are a breach of the treaty of the EU.
There is a mechanism within the treaty on the functioning of the European Union that allows the Commission to bring a member state before the Court of Justice of the EU if a domestic law is incongruent with a directive or a member state fails to implement a directive in an appropriate manner (Article 258).
It is relatively uncommon for the Commission to bring a member state before the Court of Justice (just over 50 decisions last year, out of a total of nearly 600 decisions). The Commission prefers the use of diplomacy via direct contacts with member states. Letters of formal notice are more common than court proceedings (Article 258), and member states usually correct themselves to avoid the embarrassment of being brought to court by the Commission. The Commission will not shy away from court proceedings if it feels that its criticisms are not being met.
The Commission recently turned to the Court of Justice of the EU (CJEU) over the failure of a state to properly apply a directive (Case C-614/10 from 16 October 2012), specifically the failure of Austria to establish a sufficiently independent data protection supervisory authority. The Commission argued that while the establishment of the authority was a necessary step, the Austrian government failed to ensure that the authority “enjoy[ed] an independence which allows them to perform their duties free from external influence”.
The Commission was particularly concerned with the independence of the supervisory authority’s staff. The managing director of the supervisory authority is an official of the Federal Chancellery and the staff are all federal employees. The Commission also pointed out that the office of the supervisory authority is structurally integrated with the Federal Chancellery and that the Federal Chancellor has the right to be informed about the authority’s activity.
The Federal government of Austria argued that its domestic legislation properly ensured the independence of the data supervisory authority and thus fulfilled the requirements of the directive. It argued that the employees of the supervisory authority need not be employees of the federal government (although all the current employees are federal employees), that legislation concerning federal employees did not affect their independence, and that neither the fact that the supervisory authority was housed in a federal building nor the existence of a staff liaison to the government affected its independence. It further argued that the Federal Chancellor’s right to information on the activities of the supervisory authority does not give him any opportunity to influence it, and that the right to information does not contradict the requirements of independence on courts and tribunals.
In siding with the Commission against Austria, the CJEU cited a previous decision, one concerning Germany’s implementation of the same paragraph of the data directive, and argued that “authorities must remain free from any external influence, direct or indirect, which is liable to have an effect on their decisions.” A service-related link between the managing director and the Federal Chancellery allows the activities of the managing director to be supervised by his hierarchical superior. The evaluation of the managing director of the data protection authority by his hierarchical superior for the purposes of encouraging his promotion could lead to a form of ‘prior compliance’.
It is indirect influence in particular that Austria is criticized for. The fact that the authority’s office is composed of officials of the Federal Chancellery, which is itself subject to supervision by the authority, carries a risk of influence over the decisions of the authority and is therefore incompatible with the directive. The authority was perhaps functionally independent from the federal government, but the fact that the employees of the authority remained federal employees meant that they could not be seen as being free from indirect influence. “The independence required under the second subparagraph of Article 28(1) of Directive 95/46 is intended to preclude not only direct influence, in the form of instructions, but also … any indirect influence which is liable to have an effect on the supervisory authority’s decisions.” That influence could also be found in the Federal Chancellor’s right to information on all of the work of the supervisory authority.
The focus on the independence of the supervisory authorities seems logical, as effective prevention of corruption and of data misuse by officials from different branches and levels of power can only be provided by a truly independent body.
The current Ukrainian authority in charge of protecting personal data has the status of a central authority, whose work is directed by the Cabinet of Ministers through the Minister of Justice. The leadership of the authority is directly appointed by the President after being recommended by the Prime Minister. These are hardly good conditions for the independence of the authority. There is currently a process within the Verkhovna Rada to move the authority to an ombudsman.
The protection of personal data must be comprehensive and include protection not only from attacks by ordinary citizens and businesses, but also from government officials. Effective protection can only be attained via a truly independent authority, one that is both directly and indirectly independent. Ukraine, given the requirements of the Action Plan on the liberalization of the EU visa regime for Ukraine, and the declared policy of European integration, should promptly establish an effective mechanism for the protection of citizens’ personal data, including ensuring the independence of the authority meant to ensure that protection.