Privacy Law and Policy Reporter
The first part of this article in PLPR issue 11.2 compared the various structures of data protection authorities. (General Editor).
Independence of data protection authorities
Two essential features of data protection supervisory authorities are autonomy and independence. Autonomy requires that an agency be empowered, both in legal and practical fashion, to initiate and undertake appropriate data protection work without having to seek the permission of another agency. The need for independence relates to the subject matter with which the agencies deal - the enforcement of human rights and taking measures to ensure that agencies comply with data protection controls. It is important for DP agencies to be able to operate free from political interference and to withstand the influence of vested interests.
Parallel to the development of national supervisory authorities under data protection law, have been the establishment and operation of national institutions implementing human rights generally - often called “human rights commissions”. The United Nations Commission on Human Rights endorsed the Principles relating to the Status and Functioning of National Institutions for the Protection and Promotion of Human Rights (the “Paris Principles”) in 1992. These set out guarantees for the independence of national human rights institutions and of certain other matters relating to such institutions’ competence, responsibilities, and methods of operation. The International Conference of Privacy and and Protection Commissioners have adopted accreditation principles that emphasise, amongst other things, autonomy and independence.
Independence of national DP agencies is generally achieved by establishing the agency by primary legislation and including in the statute provisions relating to:
• the appointment and removal from office;
• the term of appointment.
These measures are not sufficient by themselves. Various other provisions are included in statutes, such as:
• the ability to report directly to the Head of Government or Legislature;
• an administrative structure recognised in the jurisdiction as being appropriate for an independent agency;
• constraints upon commissioners carrying out other businesses or professions for the duration of the appointment;
• a funding mechanism which recognised the need for independence;
• immunity against personal law suit for actions carried out as part of official duties;
• protection against remuneration being subject to political control;
• an ability for commissioners to speak out publicly on matters of concern;
• an explicit statutory direction to act with independence.
There are quite a variety of approaches taken in appointing DP agencies as these depend upon national traditions and laws. Two common examples are:
• appointment by the Legislature;
• appointment by the head of state.
In a number of Parliamentary jurisdictions the DP agency is appointed as an officer of Parliament. This approach is taken in many of the Canadian provinces. Sometimes the Legislature does not actually appoint the Commissioner but has a role in nomination, approval or objection.
Principal advantages for a legislative appointment process include:
• the prestige and status conferred upon the office;
• the potentially high degree of public and Parliamentary confidence invested in such an appointee;
• an enhanced relationship between the DP agency and the Legislature.
Disadvantages may include:
• politicisation of the appointment;
• delays in appointment if there is political deadlock.
Another common process is appointment by the head of state. For example:
• the UK Data Protection Registrar is appointed by the Queen by letters patent;
• the New Zealand and Australian Privacy Commissioners are appointed by their respective Governors-General.2
Removal from office
High level appointment provisions, such as those by the Legislature or head of state, are usually accompanied by special provisions allowing for removal in appropriate cases. The appropriate cases are circumscribed by law, so as to prevent the removal, or threat of removal, for political or other improper purposes.
The precise reason and the way they are expressed depend upon the legal tradition and the particular jurisdiction. Typically they include:
• general inability to perform the duties of the office or neglect of duty;
• specific physical, mental, or legal disabilities preventing the office holder performing the duties of office (including, for instance, bankruptcy or being absent from the jurisdiction for an excessively long period);
• serious “misbehaviour” or “misconduct” which are given a strict, and limited, legal meaning in most jurisdictions
Usually if an appointment is made by the Legislature or head of state, then dismissal or removal is by the same body. Sometimes where the appointment is by the head of state, a role is nonetheless accorded for the Legislature in the removal process. This is done to enhance the independence of the agency and to emphasise the careful scrutiny that will be given before the termination of an appointment. For example the Hong Kong Commissioner is appointed by the Governor who may also remove the Commissioner. However, removal may only be done with the approval of the Legislative Council.
Term of office
Data protection laws frequently stipulate the maximum term. This is intended to be sufficiently long to ensure that the person’s independence is ensured. Many, but not all, jurisdictions allow for renewals or reappointments. Some allow only one extension of term. Common terms appear to be 5 and 7 years.
Functions of data protection authorities
The EU Directive is the supra-national instrument having the most to say about DP agencies (although some of its wording has now been carried into the Additional Protocol to the Council of Europe Convention). In its preamble the member states record that the establishment of supervisory authorities, exercising their functions with complete independence, is an “essential component of the protection of individuals with regard to processing of personal data.” The preamble goes on to state that:
“such authorities must have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals, and powers to engage in legal proceedings.”
At a more substantive level, Article 28 of the EU Directive deals with supervisory authorities and requires each EU member state to provide one or more public authorities that are responsible for monitoring the application within its territory of the provisions of the Directive. It is stated that these authorities must act with complete independence in exercising the functions entrusted to them. The supervisory authorities are to be consulted when states draw up administrative measures or regulations relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data.
Article 28(3) of the EU Directive states that each DP authority is to be endowed with:
• investigative powers, such as powers of access to data forming the subject matter of processing operations and powers to collect all the information necessary for the performance of supervisory duties;
• effective powers of intervention such as that of delivering and publishing opinions before especially risky processing operations are carried out; ordering the blocking, erasure or destruction of data; imposing bans on processing; warning or monitoring controllers; referring matters to national parliaments or other political institutions;
• the power to engage in legal proceedings where data protection laws have been violated.
The EU Directive goes on to provide that:
• decisions by DP agencies may be appealed against through the courts;
• DP agencies are to hear complaints by individuals and representative groups;
• DP agencies should regularly report on their activities.
This gives an indicative picture of some of the activities a DP agency may undertake.
The Paris Principles also give a guide to the sort of functions a DP agency performs. The principles discuss competence and responsibilities of national institutions for the protection and promotion of human rights and provide, amongst other things, that:
• a national institution shall be vested with competence to protect and promote human rights;
• a national institution shall be given as broad a mandate as possible, which, is to be clearly set forth in a constitutional or legislative text, specifying its composition and sphere of competence;
• a national institution is to have certain responsibilities including, amongst other things:
• To submit to the government, parliament and any other competent body, on an advisory basis either at the request of the authorities or of its own initiative, opinions, recommendations, proposals and reports on matters concerning the protection and promotion of human rights, and is to have a power to decide whether to publicise the. Those opinions etc. relate to areas such as legislative or administrative provisions, violation of human rights and need for government action.
• To promote and ensure the harmonisation of laws regulations and practices with international human rights instruments and their effective implementation.
• To assist in the formulation of programmes for teaching human rights.
• To publicise human rights and efforts to combat violations by increasing public awareness especially through information, education and use of the news media.
Notwithstanding similar core responsibilities, it is probably the case that no two DP agencies have identical mandates. However, the following lists typical functions carried out by DP agencies:
• Educational: To promote, by education and publicity, an understanding and acceptance of data protection principles. This mandate is carried out in numerous ways including, for instance, through the publication of leaflets and newsletters; presentations at conferences; using the news media; maintaining websites; organising seminars and workshops etc.
• Compliance: To help assist business and government agencies to comply with the law and to check that they do so (e.g. by audit).
• Individual redress: To investigate allegations that data protection laws have been breached. There is considerable variation between the approaches of national laws. A common arrangement is to enable individuals to lodge complaints with the DP agency that are investigated in the manner of an ombudsman. Some laws ascribe a role to a tribunal or court in the complaints process, particularly if a binding legal determination is required. Some DP agencies prosecute more serious breaches.
• Legislative scrutiny: To be a source of specialist advice for governments in the law making process and an independent adviser for Legislatures. Sometimes the views of DP agencies are actively sought. In other cases, DP agencies will volunteer opinions on proposed laws whether they are asked or not.
• Public reporting: although some work is carried out “behind the scenes” a DP agency has an important role to report on its own work and to raise issues for public discussion through reports and other means.
• International co-operation: Globalisation has meant that there is a need for consistency between data protection laws, and cooperation between DP agencies, around the world in order to avoid impediments to transborder data flows. In Europe, DP agencies are designated as national authorities under certain international instruments, which carry certain obligations.
• Specialist advice and research: As the premier source of expertise on data protection, DP agencies are asked to contribute their views in the development of new technologies, the enactment of laws or in a public debate on new technological developments. Many DP agencies have a mandate to research or review technological issues.
In addition to general data protection functions, some DP agencies also have specific functions conferred on them by other laws. These may involve special oversight or function to receive public complaints. For example several commissioners have special responsibilities in relation to such matters as credit reporting, criminal convictions, public registers and law enforcement databases.
Blair Stewart is an Assistant Privacy Commissioner, New Zealand
 See http://www.privacyconference2003.org/pdf/Criteria_and_Rules.pdf
 Privacy Act 1993 (New Zealand), s.12, and Privacy Act 1988 (Australia), s.19.
 Personal Data (Privacy) Ordinance 1999, s.5(5)