Abstract
Directive 2016/680 provides for two procedures for the exercise of the rights of access to one's data: a direct one (that is, directly against the law enforcement authority) and an ‘indirect’ one, in which the responsible Data Protection Authority (DPA) exercises the right of access of the data subject against the law enforcement authority which refused the direct access, including by carrying out a legality check on the data processing of the personal data of the individual requesting access. The recent judgment in Ligue des droits humains ASBL treated the question of the powers of DPAs in the framework of this procedure, amongst others, as a matter of DPA independence. Existing literature has observed that the implementing laws of three Member States – Belgium, France and Germany – severely restrict the powers of the DPAs when these perform the ‘indirect’ right of access, for example to carry out the legality check and inform the individuals of the results of the check. In this article we will argue that these national restrictions constitute an unjustified interference with the requirement on DPA independence in EU data protection law, including in Article 8(3) of the EU Charter of Fundamental Rights.
Introduction: The right to ‘indirect’ access and the powers of DPAs
Article 17 LED on the exercise of rights by the data subject and verification by the supervisory authority reads: 1. …Member States shall adopt measures providing that the rights of the data subject may also be exercised through the competent supervisory authority… 3. Where the right referred to in paragraph 1 is exercised, the supervisory authority shall inform the data subject at least that all necessary verifications or a review by the supervisory authority have taken place…
Like the General Data Protection Regulation (GDPR), the Law Enforcement Directive 2016/680, or ‘LED’ 1 took effect in May 2018. Both texts were published on the same day in 2016. The LED deals with the processing of personal data by data controllers for ‘law enforcement purposes’ – which falls outside of the scope of the GDPR. The LED is a Directive rather than a Regulation, and this requires transposition into domestic law to take effect. One of its provisions concerns the exercise of the right of access to one's data as processed by different law enforcement authorities.
In a previous article 2 we studied both the direct access procedure under Article 14 LED, that is, directly against the law enforcement authorities, which we argued should be the default, and then we studied the procedure for access through a Data Protection Authority (DPA) under Article 17(3) LED, which most scholars refer to as ‘indirect access’ and which we argued should be invoked exceptionally, that is, when the controller has imposed a restriction on access in an individual situation. Our interpretation was recently confirmed by the Court of Justice of the European Union (CJEU) in Ligue des droits humains ASBL. 3
In our previous paper we focused on three problems related to this Article 17(3) LED procedure, stemming from the LED itself and/or especially its implementation into national law: (1) in Belgium, the Article 17(3) LED procedure is not phrased as the exception, a situation which we argued breaches the letter and spirit of the LED; (2) Member State law does not always put DPAs in a position to verify the legality of the processing, either because they might not be able to check the accuracy of the processing if they are not aware of some facts in the same way as the data subject is, or because Member State laws restrict the access of DPAs to certain information (what we called ‘limited review’); and (3) the decision-making power of the DPAs in Belgium, France and Germany 4 as to what information they are allowed to communicate to the concerned data subjects about the processing of their data and about the findings of their legality review is differently but seriously restricted (what we called ‘limited transparency and publicity’). 5 In other words, we argued that the individual right of access to one's data – based on a joint reading of Articles 14, 15 and 17 LED – was not adequately transposed.
What is also becoming evident from the above summary of the transposition problems of Article 17(3) LED is that they do not concern only the individual right (the right of access in casu). Furthermore, in Ligue des droits humains ASBL, the CJEU examined the topic of ‘indirect’ access also as a matter of the independent functioning of DPAs. 6 Thus, the following research question arises: Do the studied implementation laws reduce DPA independence in a way which contradicts the LED provisions on the independent exercise of the powers and tasks of DPAs and the concept of DPA independence in Article 8(3) Charter of Fundamental Rights of the EU (CFREU)?
In the present article, we engage in but also go beyond textual analysis of the LED and study the research question from the perspective of the EU law requirements on independence of the DPAs, as anchored in Article 8(3) CFREU 7 and EU secondary law on data protection (especially Articles 41 and 47 LED), and as interpreted by the CJEU. We will argue that the restrictions on DPA independence in the three Member State laws examined in terms of the publicity of their findings and their freedom to actually provide access to the data, as well as on their powers to carry out effective legality reviews, are difficult to justify, especially as concerns proportionality, and that there are doubts whether any restrictions on DPA independence can be in principle justified at all.
Our article is structured as follows. First, we will elaborate briefly on the procedure for indirect exercise of the right of access under Article 17 LED to set the background for the paper, integrating the recent CJEU judgment in Ligue des droits humains ASBL on this topic. The judgment is furthermore relevant, because it frames the role of the DPAs in this procedure, amongst others, as a matter of the principle of DPA independence under Article 8(3) CFREU (Section 2). We note that the discussion on DPA independence in that case is limited and is also restricted to the provisions in the LED on ‘indirect access’ and does not tackle national implementing law. Thus, in order to be able to discuss later the three national implementing laws, we will in the second place continue by examining the rationale and objectives for DPA independence in EU primary and secondary law, as developed by CJEU case law and as discussed by fellow academics (Section 3). Third, we will discuss the elements of DPA independence as developed in these sources, mostly based on the interpretation of the GDPR and its predecessor (Section 4) and as they have been integrated into the LED (Section 5). Fourth, we will briefly expose the restrictions on DPA independence in the three Member States, framing them in terms of the above-mentioned elements of DPA independence. We will demonstrate that they are highly likely to be classified as interferences with Article 8 CFREU, which in principle need to be justified (Section 6). Fifth, we will study the question whether DPA independence in relation to their tasks under the Article 17(3) LED procedure may be legally restricted and justified pursuant to Article 52(1) CFREU at all. We will argue that if the restrictions could be theoretically justified, the studied restrictions in the three implementing laws will not likely pass the test of Article 52(1) CFREU and would be probably deemed to be illegal (Section 7).
Finally, we will conclude the discussion by proposing how the national implementing laws should be amended in order to ensure compliance with the LED and with the CFREU on DPA independence, but also how the LED text could be improved (Section 8).
The ‘indirect access’ procedure and the role of the DPAs: Taking shape
As a recap, in our previous article we argued that the direct exercise of the right of access, that is, exercised directly against the controller, should be the rule (the Article 14 procedure). However, we noted that in the law enforcement field, the right of access may be restricted under Article 15 LED in individual situations, that is, exceptionally, especially where providing access would hinder ongoing investigations. We argued that in those exceptional situations individuals may ask the competent DPA to check the lawfulness of the data processing, that is, indirect exercise of the right under Article 17(1) and (3) LED. In those cases, according to Article 17(3) LED, DPAs have to inform the concerned individual that ‘at least’ the necessary checks have been carried out and about their right to seek judicial remedies. We argued that a correct transposition of Article 17 LED would allow DPAs to communicate on a case-by-case basis more information to the data subject, potentially disclosing or ordering the disclosure of the processed data and the other information which is provided in Article 14 LED. 8
In the recent judgment in the Ligue des droits humains ASBL case, the CJEU, referring to Advocate General (AG) Medina's Opinion, confirmed our interpretation on the relationship between Articles 14, 15 and 17 LED, 9 including that ‘indirect’ access should be only an ‘additional guarantee.’ 10 The case originated in Belgium, whose implementing law allows the competent DPA, in the exercise of its Article 17(3) LED tasks, to communicate to the concerned individual only that the necessary verifications have been carried out and that they have the right to judicial remedy. The question arose whether the Belgian courts may review the content of such a DPA decision. Eventually, two questions were sent to the CJEU: (1) whether the fundamental rights to an effective remedy (Article 47 CFREU) and to independent supervision as part of the fundamental right to data protection (Article 8(3) CFREU) require the existence of effective remedies against the decision of a DPA which exercises the right of access of the data subject against a controller and (2) whether Article 17 LED is compatible with these two provisions. 11 In its ruling, the Court established that in principle, where the disclosure of the information on the verification of the lawfulness of the processing by the DPA is not restricted by one of the public interest reasons anchored in Articles 13(3), 15(3) and 16(4) LED and where the information is necessary for the data subject to exercise their right to effective judicial remedies under Article 53(1) LED, then national law should provide that DPAs should be able to provide additional information to the minimum information that the necessary verifications have been carried out in Article 17(3) LED. 12
The Court reached this conclusion after having established that when adopting an Article 17(3) LED decision, the competent DPAs adopt a ‘legally binding’ decision, that is, a decision which affects the legal situation of the concerned data subject 13 and which may be judicially reviewed. 14 Thus, DPAs should adopt such decisions in the exercise of their powers as independent public authorities, the requirement for DPA independence being anchored in Article 8(3) CFREU. 15 According to the Court, DPA independence in casu should be understood to mean that national implementing provisions should leave DPAs ‘a degree of discretion’ to decide whether one of the restrictions in Articles 13(3), 15(3) or 16(4) LED prevents them from informing the data subject of ‘the result of its verifications and any corrective measures which it has taken’. 16 Furthermore, the Court clarified that this discretion is to be exercised in the manner of a ‘confidential dialogue’ with the law enforcement authorities, 17 that is, the latter may not unilaterally restrict the information which DPAs may communicate to the concerned data subject, neither may the DPA automatically order the disclosure of the data to the data subject.
In addition, the Court ruled that where national implementing legislation limits the information which DPAs may disclose to the concerned data subject, the adopted decision should nevertheless be judicially reviewed, so that the courts can examine ‘the existence and of the merits of the reasons which warranted the limitation on that information and of the correct execution, by the supervisory authority, of its task of verifying the lawfulness of the processing.’ 18 We understand this to mean that national law may not effectively restrict the independent exercise of the DPAs’ tasks under Article 17(3) LED and DPAs remain responsible for deciding which information to disclose to the concerned data subject, following the above-mentioned ‘confidential dialogue’. Finally, the Court concluded that Article 17(3) LED in itself is compatible with the Charter, especially with the requirement for respecting the essence of the right to an effective judicial remedy, as well as the principles of necessity and proportionality in Article 52(1) CFREU. Hence, it did not invalidate Article 17(3) LED. 19 What is notable about the ruling is that the Court did not delve into a discussion of whether and how Article 17(3) LED respects the requirement for independent supervision and potentially – the restrictions which can be placed on it, in the same way as it examined it in relation to the requirement for effective judicial remedies.
This leaves quite some room for discussing the question of the powers of DPAs under national law in the framework of the Article 17(3) LED procedure in light of the requirement for DPA independence, as anchored in Article 8(3) CFREU and in the LED itself. 20 We will take as examples the implementing laws of Belgium, France and Germany, which, as previously noted, contain restrictions on the DPAs’ powers to check the lawfulness of the processing and on their powers to decide what information to communicate to the concerned data subject and which, as previously argued, constitute an improper transposition of Article 17 LED. 21
Before we engage in a discussion of the LED and CFREU provisions on independence in the framework of the Article 17 LED procedure and an analysis of how this independence is restricted by the studied implementing laws, which in our opinion cannot be justified, we will proceed with a legal and historical background on the European notion of DPA independence and the role of independent DPAs, including specifically in the law enforcement sector to provide background for the following discussion on the studied national implementing laws.
Independent authorities to safeguard personal data: Steady development of their rationale on European and international level
The consideration for setting up an independent oversight authority in the data protection field has been reported to exist at least since the 1978 Lindop Report. 22 However, in the following decades of further work on data protection instruments in Europe, inasmuch as the topic of independent supervision was mentioned, the rationale for an independent supervisory authority was barely explained. For example, the 2001 Council of Europe Protocol on Independent Authorities only clarified that the requirement for ‘complete independence’ is ‘an element of the effective protection of individuals.’ 23
Notably, when the work on law enforcement cross-border cooperation between what became the Schengen Member States commenced in the 1980s and culminated in the Convention Implementing the Schengen Agreement (CISA), 24 one of the conditions for allowing the exchange of personal data between the law enforcement authorities was setting up an independent data protection supervisory authority, that is, independent from the law enforcement authorities (LEAs). The provisions on these DPAs were rather few and the CISA did not elaborate on the concept of independence or regulate in detail the exact role and tasks of these DPAs in the same way as these are regulated in the LED. What is clear, though, is that the necessity for external oversight over the processing of personal data by the LEAs seemed to be essential for ensuring the mutual trust between the Member States. 25
The Schengen Agreement also provided for the establishment of a Joint Supervisory Body, consisting of two representatives from each national supervisory authority. Its role consisted, amongst other things, of supporting the supervision performed by the national supervisory authorities in each Member State. 26
The Schengen introduction of independent oversight in the law enforcement area underlines the fact that independent supervision does not contradict or prejudice per se law enforcement work. It seems rather to be a necessary precondition for the successful implementation of law enforcement tasks and for giving a certain degree of autonomy to police forces in their data handling, for example by ensuring the accuracy of the processed personal data. 27
As to the parallel development of the concept of independent supervision under the emerging data protection rules in the EU, in the initial Commission Proposal on what became Directive 95/46/EC (DPD), mention was only made of the necessity to set up an ‘independent supervisory authority’, because it is ‘an essential component of the protection of individuals in relation to the processing of personal data.’ 28 This became later the requirement for ‘complete independence’ in the DPD. 29 This short explanation of the rationale for independent DPAs was taken over in the preparatory work on the LED 30 and the LED itself. 31
We note that no explanation of the rationale for independent oversight was provided in the CFREU, although Article 8(3) CFREU codifies the requirement for independent supervision as one of the elements of the fundamental right to data protection into primary law. 32 The provision itself is rarely analysed in the CJEU case law on DPAs; it is mentioned most often as a reference to primary law when discussing the elements of independent supervision in secondary law.
The foregoing shows a certain silence in primary law about the whys of independent oversight by DPAs. Primary law does not provide further requirements on independence and the substance of the concept of independent supervision seems to be determined by secondary law. 33 We do, however, find some further guidance on the objectives of independent supervision under EU law in the CJEU case law on the DPD (and the literature on this case law), albeit scant. According to the CJEU, the principle of DPA independence ‘is intended to ensure the effectiveness and reliability of the monitoring of compliance with the rules concerning protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim.’ 34 Thus, the emphasis is on the result of the work of the supervisory authorities and its impact on protecting individual rights. As Lynskey notes, ‘independence must be interpreted in a teleological way that enhances the effectiveness of individual rights protection.’ 35 Also, Szydło argues for a teleological interpretation of independent supervision: ‘the identified objectives of independence of DPAs should always affect the interpretation of the EU legal provisions concerning that independence’ in order to guarantee the protection of the concerned individuals and in this way increase the trust which citizens have in their work and in the data processing in general. 36
According to Lynskey's analysis of the case law and literature on the topic, the overall objective of horizontal independence, that is, DPA independence from governmental institutions, can be broken down into the following three purposes. It is needed in order to (1) ‘prevent the State from acting to pursue political objectives’; (2) prevent the State from abusing the data protection rules for the advancement of its own self-interests; and (3) prevent the chilling effect on DPAs if they know their decisions are going to be supervised by another governmental authority (what we understand Lynskey's reference to ‘anticipatory disobedience’ means). 37
Therefore, independent supervision seeks to shield DPAs from external and potentially abusive, especially governmental, interferences in the performance of their different tasks.
For our case study this means that when performing their tasks – dealing with the access requests under Article 17(3) LED – the DPAs should examine these requests independently from the concerned law enforcement authorities in order to ensure a high protection of the rights and interests of the data subjects. Furthermore, the quality and substance of DPA decisions as they concern access and the publicity of their findings on the legality of the processing are especially important, because in general, ‘DPAs play a major role in arbitrating the degree of information privacy that we enjoy as a fundamental right.’ 38 Turning this around, partial and biased decisions could lead DPAs to unjustly restrict the rights and freedoms of the concerned individuals by refusing them access to their data when access should have been granted and thus disproportionately interfering with individuals’ fundamental rights. 39 Independent decision-making about the verification of the legality of data processing, as well as about the disclosure of the findings to the concerned data subject as part of the concept of DPA independence was also recently confirmed by the CJEU, as discussed in Section 2.
The EU Acquis on independent DPAs: Three constitutive elements
Having briefly sketched the rationale (objectives) of independent oversight, we will now explore the constitutive elements of DPA independence as defined in CJEU case law on independent oversight. One of these central elements identified by the Court is the complete decision-making independence of the DPAs and the institutional independence of their members from other public administrations. 40 As scholars have noted, this case law contains only non-exhaustive criteria and further factors could be added to it, depending on the specific context. 41 Thus, it can be said that the case law contains only minimum requirements. 42
The three landmark cases on independent oversight go back to 2014 and earlier (pre-GDPR) and are those of the Commission against respectively Germany, Austria and Hungary concerning the independence of their DPAs. 43 In Germany, the DPA in each province (Land) is responsible for overseeing the private entities subject to the data protection law of the respective province. For the supervision of the private entities, these DPAs were previously subject to governmental supervision. 44 In Austria, the main problem was that the managing official at the Federal DPA had to be at the same time an official at the Federal Chancellery. 45 In addition, the DPA was ‘structurally integrated with the departments of the Federal Chancellery’ and was subject to the latter's supervision. 46 In addition, the Chancellor had the right under applicable law to obtain information about the work of the DPA. 47 In Hungary, the problem lay in the premature termination of the term of the Data Protection Supervisor. 48
In its case law, the CJEU established that ‘complete independence’, as anchored in the 1995 Data Protection Directive (predecessor of the GDPR), is an autonomous notion in EU law. 49 In Commission v. Germany, the Court also ruled that the concept is harmonious across the then applicable data protection instruments. 50 On that basis Zerdick argues that the General Data Protection Regulation (GDPR), its predecessor (the DPD) and the Data Protection Regulation for the EU institutions, bodies and agencies ‘are based on the same general concept of independence’. 51 Similarly, De Hert and Sajfert note that the notion of ‘complete independence’ in the LED is the same as in the GDPR. 52 Taking into account this generality, we find it reasonable to base our further analysis of the DPA powers under the LED and national implementation law on the notion of independence as developed in the framework of these other data protection instruments and the case law on them.
First of all, in substance, in its case law, the Court established that the DPAs ‘must act objectively and impartially’ 53 and that they should be able to exercise ‘a decision-making power independent of any direct or indirect external influence on the supervisory authority.’ 54 Furthermore, DPAs should enjoy complete functional and operational independence: ‘[t]he operational independence of supervisory authorities, in that their members are not bound by instructions of any kind in the performance of their duties, is thus an essential condition that must be met if those authorities are to satisfy the criterion of independence […]’. 55
This decision-making independence should exist in relation not only to the entities which fall under the DPAs’ supervision, but also vis-à-vis any Member State governmental influence, 56 and even where an adequacy decision for international transfers as adopted by the Commission exists. 57 In the LED context that would mean independence from the law enforcement authorities. The requirement that the DPAs should not be influenced by the wishes of national and EU law enforcement authorities is very relevant, especially in the law enforcement context, because very often the interests of the law enforcement and national security authorities are perceived as ‘trumping’ the requirements and principles of data protection law. However, the Court does not preclude exchanges between the law enforcement authorities and the DPAs in the decision-making process, referring to a ‘confidential dialogue’ between them, as seen in Section 2.
Furthermore, independent decision-making should result in effective enforcement. 58 A contrario, DPAs will be rubber-stamping other authorities’ decisions. According to the CJEU, enforcement should also come with the possibility to bring the data protection infringements DPAs have identified to court, 59 for example where they believe that a law enforcement authority has illegally restricted direct access and continues refusing to disclose the data to the concerned data subject.
Second, and tightly related to the element of decision-making independence, in Commission v. Austria the Court was disturbed by the fact that one of the key DPA members was an official within the public administration. 60 Such dependencies could lead to a ‘prior compliance’ by the affected DPA members in that they do not dare take decisions which might not be approved by their superiors in the supervising and at the same time supervised administrations. 61
Scholars have added that such a chilling effect could also happen where the DPA members are not directly supervised by the government, but where they are likely to strive or have to continue their career within the administrations they are currently supervising. Thus, in order to obtain a better position after their term at the DPA, they might refrain from actions which might be undesirable for the said administration. 62
Third, also in relation to independent decision-making, the CJEU has established that independent supervision also requires a balancing act which DPAs should carefully strike in each decision they take: DPAs should be free from any kind of interference ‘which could call into question the performance by those authorities of their task consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data.’ 63
What is interesting is that the Court has recently expanded this notion of a balancing act in the criminal law context to a balancing act between the data protection rights of the data subjects and the interests of law enforcement. Admittedly, the recent cases do not concern the role of a DPA in data protection law, but rather the role of authorities which should independently examine the legality of the disclosure of personal data collected by private entities to the law enforcement authorities in the framework of the processing of PNR data and of electronic communications data, that is, conduct prior review. When setting out the requirements for the independence of these authorities, the Court repeated the very familiar sentence which the Court established in the framework of DPAs: ‘[…] such an authority must have a status that enables it to act objectively and impartially when carrying out its duties and must, therefore, be free from any external influence.’ 64 The Court clarified that ‘[…] in the criminal field, the requirement of independence entails that the said authority […] must have a neutral stance vis-à-vis the parties to the criminal proceedings […].’ 65
These elements of independence, three in total, are needed in order to ensure the balance between the fundamental rights to data protection and privacy of the concerned data subjects and the work of the law enforcement authorities. 66
We can safely transfer this to the LED context, including to the interpretation of Article 17(3) LED, because there seems to be a consensus in literature that the general role of the independent DPAs in the LED is to ensure the balance between the law enforcement tasks and the protection of the data subjects in relation to the processing of their personal data. 67 Thus, we doubt that DPAs can ensure that this balance is fairly struck in individual cases of a conflict between an individual and the law enforcement authorities (LEAs) if the DPA is not neutral, for example if it is not independent from the LEAs, that is, from the executive authorities and the political will, especially when the rhetoric on the fight against terrorism is playing such a prominent role nowadays.
In the following section we will demonstrate that the LED anchors the CJEU requirement on decision-making independence, including the related points on staff independence and ability to guarantee a fair balance between law enforcement work and the data protection rights of the concerned individuals. The following discussion will enable us to then argue that the studied national implementing laws do not respect the requirement for DPA independence either in the LED or in primary law.
In-depth analysis of the LED provisions on DPA independence in indirect access procedures: Good enough but minimalistic?
According to Hijmans, the requirement for DPA independence creates both positive and negative obligations for the legislator. 68 This means that Member States and the EU should not only refrain from restricting DPA independence; they should also take proactive steps in order to ensure and enhance DPA independence. In what follows we will see that the relevant LED provisions do not hamper DPA independence in relation to the fulfilment of their tasks under Article 17(3) LED, but the applicable provisions are rather minimalistic, because they are not phrased in a way which particularly promotes the independent fulfilment of their tasks.
We note that the key requirements from the CJEU case law on ‘complete independence’ have been taken over almost literally into the LED. The LED clearly provides that a DPA should ‘act with complete independence in performing its tasks and exercising its powers in accordance with the Directive.’ 69 Moreover, it requires that DPAs should ‘remain free from external influence, whether direct or indirect, and that they shall neither seek nor take instructions from anybody’. 70
Further to this general requirement on independence, the LED contains more detailed requirements which touch upon more or less directly its tasks when examining Article 17(3) LED requests.
First, under Article 17(3) LED, DPAs are required to provide a minimum of information that a review has been performed pursuant to such a request. As we argued in our previous paper, this provision should not be interpreted as a restriction on the independent decision-making power of the DPA to provide further information. It was supposed to be a guarantee that the concerned data subject will receive a response by the DPA, following an obligatory legality check by the DPA. In addition, as we explained in our previous paper, Article 46(1)(g) LED, which requires DPAs to ‘check the lawfulness of processing pursuant to Article 17, and inform the data subject within a reasonable period of the outcome of the check pursuant to paragraph 3 of that Article or of the reasons why the check has not been carried out’, should be interpreted as giving DPAs a margin of appreciation to decide what information to communicate about the outcomes of the legality review and about the personal data processed. 71
Second, according to the LED, in order to perform their tasks, DPAs should have access to all the personal data processed by the supervised authorities and all the information which they need in order to fulfil their (investigatory) tasks. 72 Although, to the best of our knowledge, the CJEU has not tackled the topic of DPA access to data and information in the framework of DPA independence, 73 we repeat that in its case law it has emphasized effectiveness, objectivity and impartiality in the performance of the DPA tasks. We argue that DPAs cannot perform their tasks effectively and independently from the law enforcement authorities if they cannot check the legality of the data processing due to the lack of access to information. Thus, this requirement is implicit in the CJEU case law.
Third, in terms of their corrective powers, the LED provides that DPAs should have the authority ‘to order the controller or processor to bring processing operations into compliance with the provisions adopted pursuant to this Directive […]’. 74 Whereas this provision mentions explicitly as an example ordering the rectification or erasure of the processed data as a legality compliance measure, it could equally mean that DPAs may order the controller to grant data subjects access to the personal data concerning them, for example where the non-disclosure is in breach of the provisions on the restrictions to the right of access in Article 15 LED and the national law implementing this provision. The fact that DPAs may take enforcement actions which are not explicitly provided for in the LED can furthermore be derived from their overall task of ‘monitor[ing] and enforc[ing] the application of the provisions adopted pursuant to this Directive and its implementing measures’. 75
Fourth, in relation to the independence of its staff members, the LED requires the Member States to guarantee that ‘each supervisory authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned’. 76 It can be said that this provision implements the CJEU requirement that DPA staff members should not take instructions from external parties, in casu from the LEAs, when they are preparing an order or decision.
Fifth, as mentioned above, the LED provides that DPAs should have the power to bring to court infringements of the LED ‘and, where appropriate, to commence or otherwise engage in legal proceedings, in order to enforce the provisions adopted pursuant to this Directive’. 77 This provision gives DPAs additional weight in the face of the law enforcement authorities because it enables them to pursue their understanding of legality with the judicial authorities, for example where the LEAs seek to disproportionately restrict individuals’ access to their personal data.
The above are examples of the concrete requirements from the LED contributing to the independent functioning of DPAs. However, as Zerdick has noted, DPAs should act independently in any action they are taking, not only in relation to the tasks and powers which are spelled out in the LED and national law. 78 A fortiori, the requirement for independence applies per se when DPAs exercise their Article 17(3) LED tasks and decide what information to disclose and to any DPA activity which relates to its overall mission of ‘monitoring the application of this Directive, in order to protect the fundamental rights and freedoms of natural persons in relation to processing […].’ 79 The right of access to one's data being one of the elements of the fundamental right to data protection (Article 8(2) CFREU), it is natural that when DPAs examine the restrictions to this right, they take the decisions independently in order to protect the affected fundamental right.
Finally, we note that the LED does not contain any provisions which seek to restrict the independence of the DPAs vis-à-vis the LEAs. The only reference to a potential substantive control of the DPA actions and decisions concerns the judicial oversight over their work. 80 At the same time, the LED does not clarify more explicitly and strongly, for example in Article 17(3) LED, that the DPAs should be at liberty to provide additional information, independently from the decision of the LEAs not to grant an individual access to their data.
National restrictions on DPA independence: Breaching CJEU and LED requirements?
The entirety of the LED provisions on DPA independence has not prevented certain Member States from imposing restrictions on the DPAs’ decision-making powers in their national laws by allowing the respective law enforcement authorities to influence the decisions taken by the DPA as to what information they may disclose to the concerned data subjects about the processing of their personal data.
In the present section we will briefly summarize the restrictions on the DPA independent decision-making powers we have previously identified in the three national implementing laws. 81 What we will do differently from our previous paper is that we will present these from the point of view of the above-studied case law.
Before we start, we would like to draw a distinction between two types of restrictions relevant for our examination. The first one is the restriction on the right of access to one's data itself as imposed by the controller, following the examination of an access request by the concerned data subject. The second one is the restriction on the decision-making power of the DPAs to disclose information and data to the concerned data subject, and to examine the legality of data processing, usually imposed directly or indirectly by the controller, or per national law, on the DPA. 82 We will focus on the latter.
Not only do the national implementing laws of Belgium, Germany and France not contain provisions to enhance the DPA independence, they contain restrictions on DPA independence in the framework of the Article 17(3) LED procedure also in breach of the CFREU, as the next section will demonstrate. The restrictions are ordered topically.
First, the implementing laws of France and Germany explicitly anchor the possibility for external influence over the decisions of the DPAs by allowing the supervised LEAs and even national security authorities to give the DPAs instructions over which data and information they may disclose to the data subjects. This restriction applies to any type of law enforcement data. 83 We note that this runs contrary to the ‘confidential dialogue’ between DPAs and law enforcement authorities and the discretion of DPAs to decide on the basis of proportionality what information to disclose to the concerned data subjects, as recently established by the CJEU (see Section 2). This means that the DPAs may not decide on the basis of proportionality which information may be disclosed to the data subject. For instance, when access is withheld illegally by the LEAs, DPAs may not use their corrective powers in order to rectify this illegality and uphold data subjects’ right of access to their data where there is no applicable restriction on access.
Second, the DPAs in Belgium and Germany do not seem to have unrestricted access to all the information, as processed by the law enforcement authorities, in order to perform the legality checks on the processing, which is one of their core tasks, that is, to use their investigative powers. As we saw in our previous paper, in Germany, sometimes the concerned LEA might withhold its approval to grant the Federal DPA access to the concerned police information. 84 The Federal DPA has reported that LEAs do make use of this provision in practice. 85 In Belgium, when LEAs process personal data which they received from the national security authorities, then the legality check on the processing may be performed by the Standing Committee I, not by the Belgian Data Protection Authority responsible for the oversight over the law enforcement authorities (called the ‘COC’). 86 Thus, the latter is not completely independent, albeit that in that case the dependence comes from another supervisory authority.
Third, it looks like some of the staff members in the Belgian COC are not completely independent from the executive. This is because two of the managing members are magistrates and one is an expert. It might be the case that the latter aspires to a later career within the executive or other governmental branches. Thus, they might be prone to be more lenient towards the police. In addition, amongst the experts working at the COC, two come directly from the police and might be more willing to take the side of the police when taking decisions. 87 We note that this is a rather indirect type of influence. However, as the Court has established, the mere risk of dependence is enough in order to cast doubts on DPA independence and this mere risk suffices for the establishment of a breach of the principle of DPA independence. 88
Fourth, we note that in Belgium there is a political restriction on the COC independence. This is because Belgian law legalizes all restrictions on access to one's data as processed by the police 89 and the customs and financial intelligence authorities. 90 Thus, the law leaves no space for individual examinations by the COC and the COC may only notify individuals that the necessary checks have been made. This is also the case for data processed by the police which originates from the national security authorities and where the COC may inform the concerned individuals that a verification has been made (this verification having been made by the Standing Committee I). 91 Whereas the CJEU, in its Ligue des droits humains ASBL case, did not rule whether the Belgian law is compatible with Article 17(3) LED, we note that AG Medina argued in her Opinion that it breaches this LED provision, because it does not allow the COC to provide further information to the concerned data subjects. 92
With the above examples, we do not claim exhaustiveness of the restrictions on DPA independence in the examined national laws. We argue that they exemplify breaches of the CJEU case law on independent oversight, because of the direct and indirect external influence over the DPAs’ decision-making powers and the lack of staff independence in Belgium. Because of this, they should be deemed as an interference also with Article 8(3) CFREU. In the next section we will examine their compatibility with the CFREU, especially with Article 8(3) and 52(1) CFREU.
Restricting DPA independence cannot be justified under the EU Charter of Fundamental Rights
In the present section we will argue that the above-mentioned restrictions in the three Member States cannot be compatible with the CFREU. We start with the caveat that we have identified rather little academic literature and almost no doctrinal guidance on the question of whether the requirement of independent supervision in Article 8(3) CFREU may be restricted and under what conditions. Our analysis is based on the presumption that all restrictions to Article 8(3) CFREU are illegal per se, an argument defended by Hijmans. 93 Whereas we agree with Hijmans, we note that academics have pointed out that Article 8(3) CFREU does not contain the requirement for ‘complete’ independence, ‘leaving potential scope for a less onerous interpretation of the concept of independence in the future.’ 94 This raises the question whether certain restrictions on the completeness of independence might be tolerated in the future, in casu with regard to the DPA powers in the framework of the Article 17(3) LED procedure. For the sake of the academic debate, we will suggest a hypothesis that if restrictions on DPA independence were not per se illegal, the restrictions on the ‘complete’ independence which we examine in our paper would nevertheless not be acceptable, because they would not satisfy the cumulative requirements of Article 52(1) CFREU.
In its case law on different aspects of Article 8 CFREU, the CJEU has ruled that in principle the fundamental right to data protection is not an absolute right and may be restricted in accordance with Article 52(1) CFREU. 95 However, in those cases in which the restrictions to Article 8 CFREU were discussed, the question of independent supervision in Article 8(3) CFREU was not discussed. 96 In the case law on the independence of DPAs as examined above, the CJEU seems to frame DPA independence in absolute terms and does not leave space for restrictions. It neither mentions that these might be possible in relation to Article 8(3) CFREU, nor under what conditions. 97
Hijmans is one of the scholars who most explicitly claims that because of the constitutional status of DPA independence, it ‘cannot be restricted either by the EU legislator or by the Member States in their national laws […].’ 98 If Hijmans' statement holds true, it would entail a significant consequence for the powers of DPAs under Article 17(3) LED and its implementation in Member State laws: the requirement for independent supervision in all data protection instruments is absolute. As a consequence, a restriction does not even need to be examined in light of Article 52(1) CFREU; it is illegal per se. That would resonate with the silence of the CJEU on the potential justification for restrictions on DPA independence. Thus, potentially the examined national laws might be automatically in breach of Article 8(3) CFREU.
For the sake of the argument, we will put forward a hypothetical proposal, contrary to Hijmans' claim: if a restriction on DPA independence fulfils the four cumulative requirements of Article 52(1) CFREU, 99 then it could be legal. The caveat with that argument is that the Court has never performed such an examination and always concluded that where there were even doubts about the independence of the DPAs, then this was incompatible with Article 8(3) CFREU. Let us have a closer look at the four Charter requirements.
Legal basis (first Article 52(1) CFREU requirement)
Starting with the requirement on legal basis (1), we recall Hijmans’ statement above that because of the constitutional status of independent supervision, DPA independence may not be restricted by Union or Member State law. Some might disagree with Hijmans and argue that the legal provisions in the national implementing laws discussed above may legitimately restrict the independence of the DPAs. In our analysis, we will focus on national law, because, as we noted in the previous section, the LED does not contain any provisions, including on the legitimate purposes, for restricting DPA independence either in principle or in relation to the Article 17(3) LED procedure.
As to the examined Member State laws, we indeed identified in the previous section that they contain restrictions and these could theoretically serve as a legal basis for the restrictions. However, their mere existence is not enough. According to settled case law, the legal provision which restricts the fundamental right to data protection must regulate the scope of the restriction. 100 Scholars link these substantive requirements on the quality of the law to the proportionality requirement, which we will examine in Section 7.C. 101
Legitimate purpose (second Article 52(1) CFREU requirement)
As concerns the next requirement (3) – the restriction should pursue a legitimate aim or seek to protect the rights and interests of others – we note that we have not identified the purpose(s) of the restrictions on DPA independence in general or in relation to the Article 17(3) LED procedure in the studied national laws. The Belgian law simply states that ‘real’ access to police, customs and financial data may not be granted by the COC, and that the COC may not disclose information about data stemming from the national security authorities, but it does not clarify why.
The German provisions concerning the restrictions on the right of the Federal DPA to access certain law enforcement data in order to carry out the legality check clarify that this is in order to protect the security of the Federation or one of its Länder. As to the restriction on its right to independently decide what information to disclose to the concerned data subject, the law makes a reference to the purposes of the restrictions to the right of access to one's data and the right to information about the processing of one's data, which can be summarized as the purposes of prevention, investigation, detection, prosecution of criminal offences and execution of criminal penalties; public security; and the protection of the rights of third persons.
What is interesting is that the LED does not envisage such restrictions and the German legislator essentially equates the purposes of the restriction on the rights of the data subjects with those on independent supervision, as though independent supervision actually poses risks to the enumerated purposes. It is especially difficult to imagine how an independent legality check could potentially prejudice public security, in particular in view of the fact that one of the raisons d’être of independent DPAs is monitoring the compliance of the LEAs with the provisions of the LED and national implementing law and ensuring the balancing of the law enforcement interests with those of the data subjects in exercising this task.
The French legal provisions, which regulate that the CNIL may disclose the personal data to the concerned data subject only if it jointly decides with the controller that the disclosure will not prejudice national and public security and defence, 102 again refer rather to the purposes of the restriction on the right of access, and do not clarify how independent DPA decision-making could prejudice these purposes in the same way as the disclosure to the data subject.
We argue that, based on its previous case law on the fight against serious crime and terrorism, 103 the above-mentioned purposes are likely to be acknowledged by the Court as legitimate objectives of general interest in principle. Nevertheless, because the above-quoted legal provisions fail to specify how the restrictions on independent DPA supervision can protect the said purposes and how and why independent supervision poses a prejudice to law enforcement work, we find it difficult to argue that this requirement of Article 52(1) CFREU is fulfilled.
Necessity and proportionality (third Article 52(1) CFREU requirement)
As to the next requirement in Article 52(1) CFREU – necessity and proportionality – the Court normally examines whether the restrictive measure is appropriate for fulfilling the designated legitimate aim and whether it is the least intrusive one for attaining the said objective. Relatedly, the more severe the interference with the fundamental right is, the more serious the objective and the justification for that interference have to be in the designated national law. 104
The difficulty in assessing the necessity and proportionality in the present paper is that the legitimate objective for the restriction of DPA independence is, as noted above, not clearly stated in any of the examined legal provisions above, or rather that no clear separation is made between the purposes of the restrictions on the communication by the controller to the concerned data subjects and the restrictions on DPA independent decision-making.
We note that the Belgian provision, pursuant to which the COC may not disclose information to the concerned data subjects about the processing of their personal data by the police, customs and financial intelligence authorities, is phrased in absolute terms, that is, it is not restricted in time and scope, for example to cases where the most serious of crimes are concerned and only for the duration of an ongoing investigation. In other words, the Belgian law does not even call for an individual analysis in each and every situation and this practically takes away any decision-making power which the DPA should have in relation to helping data subjects access the personal data concerning them. Thus, the restriction is equally strict for serious criminal cases and criminality in general. The lack of such distinction when imposing restrictive measures on the concerned fundamental rights has been criticized by the CJEU. 105
The opportunity for an individual proportionality assessment is also missing in the prohibition on the COC to disclose information about data communicated by the national security authorities to the law enforcement authorities. We have not identified in the Belgian law any provisions which mitigate the risks which the restrictions on independent supervision pose for the balancing role which DPAs have been assigned and for their ability to order the disclosure of the data where the restriction on the right of access has been illegally imposed by the controller. The risk of tipping the balance is exacerbated by the fact that two of the COC directorate members are magistrates and two of the investigating members come from the police, which has been seen as problematic by the CJEU and fellow academics due to the potential conflict of interest of the DPA members when fulfilling their tasks. This partiality might reduce the ability of the COC to ensure a high level of protection of the individuals in relation to the processing of their data. 106
As to German law, we note that the restriction on the right of the DPA to access information in order to carry out a legality check is not limited in time and scope, nor is it clear what criteria have to be fulfilled for the controller to impose such a restriction. In addition, the interference could be qualified as (very) serious, because it restricts one of the core functions of the independent DPA, which as a result cannot monitor the application of the LED and take enforcement actions in cases of infringements. Overall, it is not clear how the national legislator has taken care to prevent the abusive imposition of this restriction and to limit it to the situations when it would be strictly necessary. 107
As to the requirement for approval by the LEA to disclose data to the concerned data subject, the national legislation provides that the LEA may refuse access only for as long as and to the extent that it might prejudice one of the law enforcement tasks. Whereas this provision puts some limits on the margin of appreciation of the LEAs, it does not per se prevent a situation in which the LEA might abusively withhold its approval to the DPA, even if this withholding is not permanent. In other words, the law does not provide for the DPA to be able to overrule an abusive restriction on the communication of the data to the concerned data subject.
As to the French law, we note that the requirement for seeking the LEA approval for disclosing the data is not subject to any limitations and thus no safeguards against abuse have been taken.
AG Medina argued in her Opinion in Ligue des droits humains ASBL that DPAs should have the power to bring infringements of the LED to the attention of the judicial authorities pursuant to Article 47(5) LED. 108 We note that reportedly the German and French implementing laws allow their DPAs to commence legal proceedings against the controllers in order to ensure compliance with the LED, or at least do not restrict this power. 109 This might offer a legal way for the DPAs to enforce their decision to disclose the personal data to the concerned data subjects. However, it is not clear whether in the said jurisdictions the courts will rule in favour of the DPAs if the national laws allow the LEAs to withdraw their approval of the data disclosure. In addition, it is not clear whether such a solution might have a chilling effect on the DPAs which might not have the resources to take each refusal to court with uncertain chances to succeed and whether the procedure might not take too long and thus defeat the effectiveness of the right of access to one's data.
Therefore, we argue that the restrictions on DPA independence in relation to their tasks under Article 17(3) LED are not likely to be deemed necessary and proportionate under the CFREU.
A final remark concerns the practical role which DPAs have played so far in examining access requests. According to a recent EDPB report, the concerned DPAs did not always grant applicants access to their data when the Article 17(3) LED procedure or the complaint procedure was invoked. 110 This could mean that the DPAs do not systematically grant access after it has been refused by the police and seem to be striving for a fair balance between the access rights of the data subjects and law enforcement tasks. This observation casts even more doubt on the proportionality of the examined restrictions.
Essence of the right (fourth Article 52(1) CFREU requirement)
Finally, there is the requirement – mentioned second in Article 52(1) CFREU – of the essence of the concerned fundamental rights that should not be interfered with. As explained by Lenaerts, if a certain measure interferes with the essence of a fundamental right, then it is automatically disproportionate and the interference is not compatible with the CFREU. 111 The discussion on the essence of fundamental rights, including of the right to data protection, is still in its infancy and it cannot be asserted with absolute certainty how the Court would interpret the essence of the fundamental right to data protection in relation to independent supervision. According to Brkan, just because a certain requirement is an element of the fundamental right to data protection, it does not follow automatically that any interference with this element would ‘make it impossible to exercise this right or call into question the existence of this right’ 112 and hence to qualify the interference as breaching the essence of the concerned fundamental right. Her comment concerned especially the right of access to one's data as an element of the fundamental right to data protection.
When examining the issue of essence in relation to the DPA independence in the framework of Article 17(3) LED, the question can be broken down into two related questions. First, are restrictions on DPA independence per se an interference with the essence of the fundamental right to data protection? And in the second place, if they are not, could some or all of the above restrictions on DPA independence interfere with the essence of Article 8(2) CFREU, for example because they do not allow for independent monitoring of the legality of the processing by the law enforcement authorities and/or because they disproportionately restrict the possibility of obtaining ‘proper’ access to one's data?
We recall that the Court and scholars agree that DPA independence is not an aim in itself: its purpose is to ensure a high level of data protection through the monitoring of the application of the LED and implementing laws, while ensuring the balance between individual rights and law enforcement work. Following this logic, the fact that there are restrictions on independent supervision might not suffice to declare that the interference is in breach of the essence of Article 8 CFREU. Nevertheless, we still argue that because the discussed interferences prevent DPAs from effectively protecting the rights of data subjects in relation to the processing of their personal data – by interfering with their legality control tasks, their decision-making power to disclose the result of their legality check and their ability to protect the right of access to one's data – the restrictions on DPA independence might still interfere with the essence of Article 8 CFREU. This is because even if a DPA is ‘a little bit’ dependent on those entities which it supervises and on the national security authorities, as the case might be, it cannot effectively guarantee the independent monitoring and enforcement of the provisions of the LED, especially to prevent the imposition of abusive restrictions on the right of access.
An argument to the contrary would presuppose, amongst others, that the LEAs always process the personal data in compliance with the applicable data protection provisions and that they never illegally restrict the right of access. If this were the case, we would not need independent supervisory authorities in the first place. In practice, there has recently been more evidence of abusive restrictions on the rights of the data subjects by the LEAs. A fresh example comes from the European Data Protection Supervisor (EDPS), the DPA supervising the EU institutions, bodies and agencies. The EDPS ordered Europol to grant access to the personal data of the applicant as it had been communicated by the Dutch police to Europol, because the EDPS established that the restrictions on his right of access had been imposed illegally and sought to cover up the illegal processing of his data by Europol. In addition, the EDPS found that during the time in which access was not granted, the Dutch police and Europol were contemplating deleting the data of the applicant in order to prevent him from obtaining access to their data and knowledge of the illegal processing. 113
In addition, in certain constellations the national legal framework, for example in Belgium, does not allow individuals to seek redress against the DPA and/or the LEAs for the non-disclosure of the data to the data subject. In this case, the essence of one more fundamental right could be at stake, namely the right to effective judicial remedies in Article 47 CFREU. 114 This problem has already been discussed by the Court in the framework of the enforcement of data protection rights. As the CJEU has held, ‘legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him […] does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter’. 115 It is questionable whether especially in Belgium individuals may pursue effective remedies if Belgian law is constructed in such a way as not to provide any real opportunity for the individuals to challenge the DPA decision when it does not grant them access to their data or the refusal of the police. This is basically due to the fact that the Belgian law does not allow a refusal on the right of access to be phrased as a violation and because it does not allow the COC or the police to disclose any information about the data processing or the legality thereof to the concerned data subject. We note that in its judgment in the Ligue des droits humains ASBL case the CJEU did not discuss Belgian law, but made it clear that individuals should be able to obtain full judicial review of the DPA decision (see Section 2).
From the above discussion we can conclude that we have serious doubts that the identified restrictions on DPA independence in national law will pass the requirements of Article 52(1) CFREU.
Conclusion: Deficiencies of DPA independence in LED and implementing laws in need of rectification
Our present paper was inspired by our previous article, which studied the ‘indirect’ access procedure for the exercise of the individual right under Article 17 LED from the point of view of the effectiveness of the exercise of the right of access. In this previous article we noted that the three national implementations – Belgium, Germany and France – contradict the Article 17(3) LED procedure, because they restrict the decision-making powers of the DPAs which perform indirect access and do not always allow them to ensure a proper legality check of the processing of personal data. Already then, we noticed that the said problems could also be problematic from the point of view of DPA independence. This question became even more important after the CJEU judgment in the Ligue des droits humains ASBL case.
Thus, in the present paper we set out to study whether the three national provisions implementing the procedure for the exercise of the right to access under Article 17(3) LED (what some call ‘indirect access’) in Belgium, France and Germany interfere with the requirement for ‘complete independence’ of the supervisory authorities and whether this interference can be deemed compatible with the CFREU and the case law of the CJEU on the principle of independent supervision.
We demonstrated that the doctrinal requirements on independent supervision have been integrated into the LED and this leaves no margin of appreciation for the Member States to restrict DPA independence. However, the implementing laws of Belgium, France and Germany anchor a requirement, or at least an opportunity, for the LEAs and national security authorities to influence the decisions of the DPAs as to whether these may disclose information to the concerned data subjects about the processing of their data and about the results of the legality check. This is visible in the requirement for the DPA to obtain the approval of the concerned LEA or even national security authorities before disclosing any information. Further restrictions on DPA independence are evident from the lack of complete access of the German and Belgian DPAs to the information systems of the LEAs in order to perform legality checks and from the composition of the Belgian COC, which casts doubt on whether all its members are independent from the law enforcement authorities.
We then demonstrated that these restrictions cannot be deemed to be compatible with the CFREU. One argument is that DPA independence as such may not be restricted under any circumstances. The other argument is that it may theoretically be restricted. However, we demonstrated that the studied restrictions do not fulfil the requirements of Article 52(1) CFREU. Our argument focused on the problem that it is not clear how independent DPA decision-making may prejudice law enforcement work and that the studied interferences with independent supervision severely restrict the ability of the DPAs to react to illegal processing and to illegal restrictions on the right of access to one's data.
In order to rectify this situation, we propose that the European and national legislators should adjust the LED and the discussed Member State laws. Whereas the LED does not per se restrict DPA independence, it could do better to clarify that Member States do not have a margin of appreciation to restrict DPA independence.
For example, it could specify more explicitly that DPAs should check the legality of the restriction and the lawfulness of the processing, independently from the concerned law enforcement authorities, and should decide independently what information to communicate to the concerned data subjects. Because all the DPA decisions can be challenged in court, also by legal persons such as the law enforcement authorities, 116 it is clear that DPA independence will not weaken the position of the law enforcement authorities. 117
As to the examined national laws, we note that the only way to rectify them is to remove the problematic provisions we discussed above from the respective laws.
