Steve Peers

A recent judgment on data protection, while not as impactful as a prior ruling, is still significant. In Commission v Hungary, the Court of Justice of the European Union (CJEU) expanded on earlier decisions in Commission v Germany and Commission v Austria concerning the independent operation of data protection authorities. The judgment’s implications, however, reach beyond this specific area.

Background

The EU’s data protection Directive mandates that data protection authorities be established to uphold the Directive’s regulations, in addition to individual legal action. As the Directive applies to both public and private sectors, and these authorities are part of the public sector, there is an inherent risk that they might hesitate to challenge the government or its private sector allies. To prevent this, the Directive requires Member States to guarantee that data protection authorities operate “with complete independence.”

In Commission v Germany, the CJEU determined that Germany violated this rule by subjecting its data protection authorities to excessive parliamentary scrutiny. In Commission v Austria, the Member State in question breached the law by formally placing the data protection authority within the civil service, creating a potential perception of bias.

The judgment

This latest judgment addressed a different problem. Hungary replaced its individual data protection supervisor with a supervisory board and shortened the supervisor’s term upon the board’s establishment.

The Court found Hungary in violation of the Directive. Similar to the Austrian case, the national regulations could lead to “prior compliance” with government desires (also known as “self-censorship”) due to the threat of early termination of the supervisor’s or supervisory board’s term.

Therefore, while Member States are free to structure and modify their national data protection authorities, any significant alterations must include transitional periods to avoid undermining these authorities’ independence.

Comments

Given previous case law, the Court’s judgment is not unexpected. The possibility of early dismissal could give the impression of bias or even lead to self-censorship by the supervisor, who might be concerned about future employment prospects. The private sector might also hesitate to hire someone perceived as out of favor with the government.

More broadly, this judgment is part of a wider concern about the rule of law in Hungary. It represents one of several actions initiated or threatened by the Commission due to concerns about potential interference with the central bank, the judiciary, and data protection authorities in Hungary.

The CJEU had previously criticized Hungarian regulations lowering the retirement age for judges, as this contradicted the EU’s framework equality Directive regarding age discrimination. Though not explicitly stated by the CJEU, the implicit aim of manipulating judicial appointments was likely recognized.

Furthermore, the Commission had initiated, and later dropped due to legislative changes in Hungary, proceedings regarding the Hungarian central bank’s independence. The Commission also threatened separate proceedings concerning the judiciary’s overall independence, arguing that impartial judges are necessary for the proper application of EU law. While this argument is theoretically sound, the Commission ultimately chose a non-judicial approach and issued a communication on upholding the rule of law within the EU.

The CJEU seems to be proceeding cautiously on the political front. Neither this recent judgment nor the earlier one on judicial retirement addresses the broader context. Additionally, the timing of the judgment, released after the re-election of the incumbent government, appears more than coincidental. Such a judgment highlights both the strengths and limitations of EU law when addressing such fundamental issues.

Barnard & Peers: chapter 9