Choose the experimental features you want to try

This document is an excerpt from the EUR-Lex website

Document 62007CN0518

Case C-518/07: Action brought on 22 November 2007 — Commission of the European Communities v Federal Republic of Germany

SL C 37, 9.2.2008, p. 8–9 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

9.2.2008   

EN

Official Journal of the European Union

C 37/8


Action brought on 22 November 2007 — Commission of the European Communities v Federal Republic of Germany

(Case C-518/07)

(2008/C 37/10)

Language of the case: German

Parties

Applicant: Commission of the European Communities (represented by: C. Docksey and C. Ladenburger, acting as Agents)

Defendant: Federal Republic of Germany

Form of order sought

declare that the Federal Republic of Germany has failed to fulfil its obligations under the second sentence of Article 28(1) of Directive 95/46/EC (1), by making the supervisory authorities responsible for the monitoring of data processing within the private sector in the Länder Baden-Württemberg, Bayern, Berlin, Brandenburg, Bremen, Hamburg, Hessen, Mecklenburg-Vorpommern, Niedersachsen, Nordrhein-Westfalen, Rheinland-Pfalz, Saarland, Sachsen, Sachsen-Anhalt, Schleswig-Holstein and Thüringen subject to State supervision and thereby incorrectly transposing the requirement of ‘complete independence’ of the data protection supervisory authorities;

order Federal Republic of Germany to pay the costs.

Pleas in law and main arguments

The second sentence of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council puts Member States under an obligation to make ‘one or more public authorities’ responsible for monitoring ‘the application … of the provisions adopted by the Member States pursuant to this Directive’, that is to say, of provisions on data protection. The second sentence of Article 28(1) of the directive requires the ‘complete independence’ of the supervisory authorities responsible. By virtue of its wording, the provision provides that the supervisory authorities are not to be subject to influence from other authorities or from outside of the State administration; the rules of the Member States must therefore preclude external influence from being exercised on the decisions of the supervisory authorities and on the implementation thereof. The wording ‘complete’ independence implies not only that there should be no dependence on any party, but also that there should be no dependence in any respect whatsoever.

It is thus incompatible with the second sentence of Article 28(1) of the directive to make the supervisory authorities which are responsible for the monitoring of data processing in the private sector subject to technical, legal or administrative supervision by the State, as has occurred in all 16 Länder of the Federal Republic of Germany. As the legislation of every Land makes the supervisory authority subject to those three types of supervision in varying combinations, the legislation of every Land constitutes a failure by the Federal Republic of Germany to fulfil the obligation in the second sentence of Article 28(1) of the directive to ensure the ‘complete independence’ of the supervisory authorities. Irrespective of the differences between legal, technical and administrative supervision, all these types of supervision constitute an infringement of the independence required by the directive.

From a teleological point of view, the Community legislature regarded complete independence as necessary so that the functions which the supervisory authority was intended to have under Article 28 of the Directive could be carried out effectively. Furthermore, light is also shed on the concept of ‘complete independence’ by the legislative background to the provision. The requirement of ‘complete independence’ of the supervisory authorities of the Member States also fits in systematically with the Community acquis existing in the area of data protection law. In addition, Article 8 of the Charter of Fundamental Rights of the European Union requires that compliance with the rules on the protection of personal data must be ‘subject to control by an independent authority’.

The concept of relative independence advocated by the Federal Republic of Germany, that is to say, the independence of the supervisory authority only from that which is being supervised, cannot in any event be brought into conformity with the unambiguous, comprehensive wording of the directive, which requires ‘complete’ independence. In addition, on that interpretation, the second sentence of Article 28(1) would be completely meaningless. Furthermore, the argument that Article 95 EC, as the relevant legal basis for the directive, and the principles of subsidiarity and proportionality suggest a restrictive interpretation of the requirement of ‘complete independence’ must be rejected. The Court has already held that the directive was adopted in accordance with the areas of competence of the European Parliament and of the Council and that a restrictive interpretation of its provisions in non-economic situations is out of the question. Furthermore, the provision which is at issue does not exceed the limits of that which is necessary to achieve the objectives which the directive, in accordance with Article 95 EC and the principle of subsidiarity, pursues.


(1)  OJ 1995 L 281, p. 31.


Top