Case C‑518/07, Commission and EDPS v Germany

With regard to the protection of individuals with regard to the processing of personal data of individuals, German law made a distinction depending on whether or not that processing was carried out by public bodies. There was therefore a difference between the authorities responsible, on the one hand, for monitoring compliance with the provisions concerning data protection by public bodies and, on the other hand, for monitoring compliance with data protection by non-public bodies and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen).


The processing of data by public bodies was supervised, at Federal level, by the Federal representedative responsible for the protection of personal data and freedom of information (‘Bundesbeauftragter für den Datenschutz und die Informationsfreiheit’) and, at regional level, by the representatives responsible for the protection of regional data (‘Landesdatenschutzbeauftragte’). Those representatives were solely responsible to their respective parliament and were not normally subject to any scrutiny, instruction or other influence from the public bodies which were the subjected of their supervision.

On the other hand, the organisation of the authorities responsible for supervising the processing of data by non-public bodies varied among the Länder. However, all the laws at Länder level expressly subject those supervisory authorities to State scrutiny.

By its application, the Commission of the European Communities requests the Court to declare that, by making the authorities responsible for monitoring the processing of personal data outside the public sector in the different Länder subject to State oversight, and by thus incorrectly transposing the requirement of “complete independence” of the supervisory authorities responsible for ensuring the protection of that data, Germany had failed to fulfil its obligations under the second subparagraph of Art. 28(1) of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The scope of the requirement of independence of the supervisory authorities

The Grand Chamber of the Court first of stressed that the assessment of the substance of the present action depended on the scope of the requirement of independence contained in of Art. 28(1) of Directive 95/46 and, therefore, on the interpretation of that provision. In that context, the wording itself of that provision and the aims and scheme of Directive 95/46 should, according to the Court, be taken into account.

With regard to Directive 95/46, it was apparent from the third, seventh and eighth recitals in the preamble thereto that, through the harmonisation of national provisions on the protection of individuals with regard to the processing of personal data, that directive sought principally to ensure the free movement of such data between the Member States, which was necessary for the establishment of and the functioning of the internal market, within the meaning of Art. 14(2) EC (see, Joined Cases C465/00, C138/01 and C139/01 Österreichischer Rundfunk and Others [2003], on this case, see also this Article I wrote for the Common Market Law Review).

The Court held that the supervisory authorities provided for in Art. 28 of Directive 95/46 were the guardians of those fundamental rights and freedoms, and their existence in the Member States was considered, as was stated in the 62nd recital in the preamble to Directive 95/46, as an essential component of the protection of individuals with regard to the processing of personal data.

In order to guarantee that protection, the supervisory authorities must ensured a fair balance between, on the one hand, observance of the fundamental right to private life and, on the other hand, the interests requiring free movement of personal data. Furthermore, under Art. 28(6) of Directive 95/46, the different national authorities were called upon to cooperate with one another and even, if necessary, to exercise their powers at the request of an authority of another Member State.

The guarantee of the independence of national supervisory authorities was intended to ensured the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. It was established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions.


 It followed that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not of the influence only of the supervised bodies.

State Scrutiny

The Court furthermore held that the mere risk that the scrutinising authorities could exercise a political influence over the decisions of the supervisory authorities was enough to hinder the latter authorities” independent performance of their tasks. First, as was stated by the Commission, there could be “prior compliance” on the part of those authorities in the light of the scrutinising authority’s decision-making practice. Secondly, for the purposes of the role adopted by those authorities as guardians of the right to private life, it was necessary that their decisions, and therefore the authorities themselves, remained above any suspicion of partiality.
Therefore, State scrutiny exercised over the German supervisory authorities responsible for supervising the processing of personal data outside the public sector was not consistent with the above mentioned requirement of independence.

Principle of Democracy

Germany contended that it would be contrary to various principles of European Community law to interpret the requirement of independence in Art. 28(1) of Directive 95/46 in a way which would oblige that Member State to renounce its tried and tested system of scrutiny of the supervisory authorities with regard to the processing of personal data outside the public sector.
First, in the opinion of that Member State, the principle of democracy, in particular, precluded a broad interpretation of that requirement of independence.

The Court held that that principle, which was enshrined not only in the German constitution, but also in Art. 6(1) EU, required that the administration be subject to the instructions of the government which was accountable to its parliament. Thus, the legality of interventions concerning the rights of citizens and undertakings should be subject to the scrutiny of the competent minister. Since the supervisory authorities responsible for the protection of individuals with regard to the processing of personal data had certain powers of intervention with regard to citizens and entities outside the public sector under Art. 28(3) of Directive 95/46, a heightened scrutiny of the legality of their activities by means of instruments for monitoring legality or substance was absolutely necessary.

The Court furthermore stressed that the principle of democracy formed part of European Community law and was expressly enshrined in Art. 6(1) EU as one of the foundations of the European Union. The Court held that, as one of the principles common to the Member States, it must be taken into consideration when interpreting acts of secondary law such as Art. 28 of Directive 95/46.

According to the Court, that principle did not preclude the existence of public authorities outside the classic hierarchical administration and more or less independent of the government. The existence and conditions of operation of such authorities were, in the Member States, regulated by the law or even, in certain States, by the Constitution and those authorities were required to comply with the law subject to the review of the competent courts. Such independent administrative authorities, as existed moreover in the German judicial system, often had regulatory functions or carry out tasked which must be free from political influence, whilst still being required to comply with the law subject to the review of the competent courts. That was precisely the case with regard to the tasks of the supervisory authorities relating to the protection of data.

Admittedly, the absence of any parliamentary influence over those authorities was inconceivable. However, the Court pointed out that Directive 95/46 in no way made such an absence of any parliamentary influence obligatory for the Member States.
Thus, first, the management of the supervisory authorities might be appointed by the parliament or the government. Secondly, the legislator might define the powers of those authorities. Furthermore, the legislator might impose an obligation on the supervisory authorities to report their activities to the parliament. In that regard, a comparison might be made with Art. 28(5) of Directive 95/46 which provided that each supervisory authority was to draw up a report on its activities at regular intervals which would then be made public.

The Court held that, therefore, conferring a status independent of the general administration on the supervisory authorities responsible for the protection of individuals with regard to the processing of personal data outside the public sector did not in itself deprive those authorities of their democratic legitimacy.

Principle of conferred powers

The Court furthermore held that the principle of conferred powers enshrined in the first paragraph of Art. 5 EC, also pleaded by Germany, obliges the Community to act within the limits of the powers conferred on it and of the objectives assigned to it by the EC Treaty.
The Court held that the independence of the supervisory authorities, in so far as they must be free from any external influence liable to have an effect on their decisions, was an essential element in light of the objectives of Directive 95/46. That independence was necessary in all the Member States in order to create an equal level of protection of personal data and thereby to contribute to the free movement of data, which was necessary for the establishment and functioning of the internal market.

Therefore, a broad interpretation of the requirement of independence of the supervisory authorities did not go beyond the limits of the powers granted to the European Community under Art. 100a of the EC Treaty, which was the legal basis of Directive 95/46.