HElping to MakE fUndaMEntal rigHtS
FOCUS
a rEality for EvEryonE in tHE EUropEan Union
Elements of independence
of the data protection
authorities in the EU
Data protection authorities’
funding and staffing
Contents
Introduction .............................................................................................................................. 3
1. Data Protection Authorities’ tasks ................................................................................. 4
2. Legal
framework
.............................................................................................................. 5
3. Principles applied to comparable institutions .............................................................. 7
4. Financial
independence
................................................................................................
10
4.1. Separate and independent annual budget ...................................................................... 10
Promising practices ..................................................................................................................... 12
4.2. Adequate financial resources ............................................................................................ 13
Promising practices ..................................................................................................................... 18
5. Staffing
independence
..................................................................................................
18
5.1. Independent recruitment procedures .............................................................................. 19
Promising practices..................................................................................................................... 21
5.2. Adequate human resources .............................................................................................. 21
Promising practices..................................................................................................................... 22
5.3. Sufficiently qualified staff .................................................................................................. 23
Promising practices..................................................................................................................... 23
Conclusions ............................................................................................................................ 24
Summary ................................................................................................................................ 25
Annex ..................................................................................................................................... 26
© FRA
2
Introduction
On 5 May 2012, European Commission Vice-President Viviane Reding, responsible for Justice,
Fundamental Rights and Citizenship, delivered a speech on the importance of strong and independent
Data Protection Authorities (DPAs). The speech followed the adoption of proposals for a reform of the
EU's data protection rules by the Commission in January 2012. The proposed reform seeks to simplify
the application of the data protection rules at EU level and strengthen the independent national data
protection authorities in charge of its implementation.
In recognising that many data protection authorities have concerns when it comes to funding and
staffing issues in light of the reform proposals, Vice-President Reding stressed the importance of
“well staffed and properly resourced data protection authorities in all Member States,” reiterating
that financial autonomy is “a key aspect of full independence.”1
The need to ensure that data protection authorities are appropriately funded and staffed led to
Commissioner Reding proposing a study
to assess current practices and to identify good practices regarding funding and staffing for an effective, financially independent national data protection
authority that can make a strong contribution to cooperation and coordination with other data
protection authorities.
In facilitating this study, the European Commission – between July and November 2012 – sent
questionnaires to the DPAs in each EU Member State. The questionnaires covered five broad topics:
1. the current situation regarding budget;
2. staff and training issues;
3. task allocations;
4. the estimated impact of data protection reform proposals; and
5. IT tools.
Individual anonymity was granted to the DPA staff members responsible for completing the
Commission’s questionnaires, and the responses are noted as representative of the views held by
each DPA. The European Commission then requested that the European Union Agency for
Fundamental Rights (FRA) process the data received and report about the current situation,
identifying promising practices for Member States regarding the funding and staffing of DPAs. The
DPAs of Romania and Slovakia did not respond to the questionnaire, and are not included in the
analysis below.
The FRA did not take part in shaping or drafting the questionnaires, and the results presented are
solely based on the responses gleaned from the individual DPAs, as well as additional exchanges
between FRA and the DPAs, aimed at clarifying the answers. With regard to Germany, the responses
to the questionnaire and the data used are relevant to the Federal Commissioner for Data Protection
and Freedom of Information only, and do not cover the German federal states. The independence of
DPAs is a broad concept incorporating a number of key principles, many of which can be found within
the legal frameworks applied to other bodies and are included in an Annex to this analysis. Of these,
the standards applied to National Human Rights Institutions (NHRIs) and legal frameworks of National
Regulatory Authorities (NRAs) – including those from the broadcasting telecommunications, and
health sectors – are of particular relevance, and provide a comparative aspect to this analysis. NHRIs
benefit from a more developed structural framework that governs their composition and operation,
and as “guardians” of fundamental rights – in much the same way that DPAs are – there are a number
of promising practices to be drawn from the way in which they operate. FRA’s report on national
1 European Commission Vice-President Reding,
Strong and independent data protection authorities: the bedrock of the EU's
data protection reform, Speech, Luxembourg, 3 May 2012, available at www.springconference2012.lu/
files/10/6/document_id32.pdf.
© FRA
3
human rights institutions (NHRIs),2 provides essential contextual background to this comparative
approach.
While the concept of independence is a broad one, and not all aspects are covered within this
analysis, it is also worth noting that independence incorporates both positive independence –
independence
to carry out functions in a certain manner – and negative independence –
independence
from external influence. This analysis emphasises the importance of both. Although
independence and autonomy are closely linked, independence is seen as an overarching concept
within which autonomy from external control is often seen as a necessary component.
Whereas the European Commission’s questionnaire refers to the
sufficiency of resources, a number of
international instruments – namely the European Commission’s draft Regulation3 of the European
Parliament and of the Council on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (General Data Protection Regulation) – instead
make reference to the
adequacy of resources. In this paper,
sufficient and
adequate are used
synonymously with regard to both the adequacy of resources, staff members and training provisions.
Only those areas addressed by the European Commission’s questionnaire fall within the remit of this
analysis. From the Commission’s questionnaire, two key aspects related to independence have been
identified: financial independence and staffing independence. They will be addressed in turn after a
short overview of the tasks that DPAs are expected to perform based on the Directive 95/46/EC of
the European Parliament and of the Council of 24 October 1995 on the protection of individuals with
regard to the processing of personal data and on the free movement of such data (Data Protection
Directive), the legal standards in place and the principles applied to similar institutions.
1. Data Protection Authorities’ tasks
Any assessment made of what constitutes adequate – for the purposes of assessing the adequacy of
resources, staff members and training provisions – should be made with reference to the duties, tasks
and powers of the DPAs. The Data Protection Directive requires Member States to endow their
national supervisory authorities with the general powers specified in Articles 28(2) (power to advise
legislative or administrative authorities in the process of drafting legislation or regulations relating to
the protection of individuals’ rights and freedoms with regard to the processing of personal data),
28(3) (power of investigation, of intervention and of engagement in legal proceedings) and 28(4)
(power to hear claims).4 The extent to which these provisions have been enacted varies between the
Member States.5 Article 28(5) of the Data Protection Directive requires DPAs to draw up a report of
their activities at regular intervals and to make it publicly available. DPAs also have a duty to raise the
awareness of privacy and personal data rights among EU individuals. This is particularly important
since the effectiveness of data protection legislation can be ensured only when individuals are aware
of their fundamental rights and actively involved in securing them.
As set out in the First Report on the implementation of the General Directive, published by the
European Commission in 20036, all data protection authorities are charged with investigating possible
breaches of the law within their jurisdiction. Such investigations can arise, in particular, out of doubts
about a proposed processing operation, or out of specific complaints from individual data subjects
2 FRA (European Union Agency for Fundamental Rights) (2010),
National Human Rights Institutions in the EU Member States –
Strengthening the fundamental rights architecture in the EU I, Luxembourg, Publications Office of the European Union
(Publications Office), available at: http://fra.europa.eu/sites/default/files/fra_uploads/816-NHRI_en.pdf.
3 COM (2012) 11.
4 Article 28 of Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with regard
to the Processing of Personal Data and on the Free Movement of such Data. 24 October 1995, available at
http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.
5 FRA (2010),
Data Protection in the European Union: The role of National Data Protection Authorities. Strengthening the
fundamental rights architecture in the EU II, Luxembourg, Publications Office, p. 20.
© FRA
4
(see Figure 3 below). The Report goes on to assert that when investigations are carried out, they are
extensive, detailed and in-depth.7
At the EU level, the DPAs cooperate and work jointly with each other under the framework of the
Working Party on the Protection of Individuals with regard to the Processing of Personal Data,
established by Article 29(1)(1) of the Data Protection Directive (also known as the “Article 29
Working Party”).
In addition, Articles 52 and 53 of the draft General Data Protection Regulation set out the duties and
powers of DPAs. These provisions are more detailed than those provided by the Data Protection
Directive. Any expansion of the role of DPAs has repercussions for any assessment of whether DPAs
have adequate resources, with wider duties and powers potentially leading to calls for additional
funds to carry out the resulting tasks.
2. Legal framework
At EU level, DPAs independence is enshrined in Article 8 (3) of the Charter of Fundamental Rights of
the European Union (adopted in 2000, legally binding as EU Primary law with the entry into force of
the Lisbon Treaty in 2009), which asserts that the rules laid down by the Charter “shall be subject to
control by an independent authority”. Independence of DPAs at EU level is also enshrined in Article 16
(2) of the Treaty on the Functioning of the European Union, which states that “the European
Parliament and the Council (…) shall lay down the rules relating to the protection of individuals with
regard to the processing of personal data” and that “compliance with these rules shall be subject to
the control of independent authorities.” Article 28 of Data Protection Directive certifies that DPAs
“shall act with complete independence in exercising the functions entrusted to them,”8 but the
Directive does not elaborate on the nature of this independence.
All 28 EU Member States, in compliance with the requirements of Article 28 (1) of the Data Protection
Directive have appointed one national supervisory authority with the wide remit of monitoring the
application of and ensuring respect for data protection legislation within their territories.
As observed by the CJEU in
European Commission v. Germany, DPAs are “the guardians of those
fundamental rights and freedoms, and their existence in the Member States are considered an
essential component of the protection of individuals with regard to the processing of personal data.”9
In the Council of Europe context, the Convention for the Protection of Individuals with regard to
Automatic Processing of Personal Data10 (Convention 108) itself did not originally provide for the
setting up of national supervisory authorities. The 2001 Additional Protocol to Convention 108,
however, enhanced the data protection guarantees by setting up supervisory authorities that “shal
exercise their functions in complete independence”.11
7 European Commission,
First Report on the implementation of the General Directive (95/46/EC), COM(2003) 265 final,
Analysis and impact on the implementation of Directive 95/46/EC in Member States, pp. 39–41
8 OJ 1995 L 281.
9 CJEU, C-518/07,
European Commission v. Germany, 9 March 2010, para. 23.
10 Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, CETS
No. 108, 1981.
11 Council of Europe, Article 1 (3), Additional Protocol to the Convention for the Protection of Individuals with regard to
Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, CETS No. 181, 2001.
(Additional Protocol to the Convention 108). The Additional Protocol entered into force in 2004. It is ratified by 21 EU
Member States and Croatia. Belgium, Malta and Slovenia did not sign the Additional Protocol. Denmark, Greece, Italy and the
United Kingdom did not ratify the Additional Protocol.
© FRA
5
"A number of elements contribute to safeguarding the independence of the supervisory authority in
the exercise of its functions. These could include the composition of the authority, the method for
appointing its members, the duration of exercise and conditions of cessation of their functions, the
allocation of sufficient resources to the authority or the adoption of decisions without being subject to
external orders or injunctions."
Explanatory Report, Additional Protocol to Convention 108, para. 17.
The Court of Justice of the European Union (CJEU) has so far clarified the concept of “complete
independence” of data protection authorities in two landmark judgements delineating the precise
requirements regarding independence in relation to influence and supervision. In the 2010 judgment
European Commission v. Germany,12 the CJEU interpreted Article 28 of the Data Protection Directive
as a norm setting up DPAs, which “must enjoy an independence allowing them to perform their
duties free from external influence”.13 The CJEU reached this conclusion by interpreting the Directive
homogeneously with the requirements in Article 44 of Regulation (EC) No 45/2001 of the European
Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to
the processing of personal data by the Community institutions and bodies and on the free movement
of such data.14 Article 44 (2) of the Regulation 45/2001 states that: “the European Data Protection
Supervisor shall […] neither seek nor take instructions from anybody”. This does not however mean
that parliamentary influence is total y excluded, and Parliament may still play a role in appointing the
management of the supervisory authorities, defining the powers of these authorities, and obligating
them to report their activities to Parliament.15 In the 2012 judgment
European Commission v. Austria,
the CJEU
reiterated that the independence required under EU law “precludes not only any influence
exercised by the supervised bodies, but also any directions or any other external influence, whether
direct or indirect” which may affect the DPA’s decisions.16 The most recent case -
European
Commission v. Hungary – demonstrates how the procedures in place to govern the recruitment and
dismissal of staff members can also come under scrutiny, with indirect influence able to be exerted
through the recruitment process. In this case, the European Commission has brought an action against
Hungary before the CJEU, asking the court to declare that Hungary had failed to fulfil its obligations
under the Data Protection Directive by removing the data protection supervisor from office
prematurely.17 The case is currently pending before the CJEU.
Understanding the component parts of the concept of independence is essential to any assessment of
the extent to which DPAs operate free from external control. FRA’s report on Data Protection in the
European Union: the Role of National Data Protection Authorities highlights how autonomy with
regard to both recruitment and budget is central to this broader concept of independence:
“The guarantee of independence is, in fact, primarily assured by the procedure of nomination and
removal of the officers of the DPAs. The control over financial resources represents a second relevant
element in ensuring the autonomy of supervisory authorities.” 18
On 25 January 2012 the European Commission proposed a wide-reaching reform of EU data
protection legislation. Concerning independence of data protection authorities, the draft General Data
12 Court of Justice of the European Union (CJEU), C-518/07,
European Commission v. Germany, 9 March 2010.
13 CJEU,
C-518/07,
European Commission v. Germany, 9 March 2010, para. 30.
14 Council Regulation 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of
individuals with regard to the processing of personal data by the Community institutions and bodies and on the free
movement of such data. OJ 2001 L 8. (hereinafter Regulation 45/2001).
15 CJEU,
C-518/07,
European Commission v. Germany, 9 March 2010, para. 43.
16 CJEU,
C-614/10,
European Commission v. Republic of Austria, 16 October 2012, para 24.
17 CJEU,
C-288/12,
European Commission v. Hungary, Action brought on 8 June 2012, pending.
18 FRA (2010),
Data Protection in the European Union: The role of National Data Protection Authorities. Strengthening the
fundamental rights architecture in the EU II, Luxembourg, Publications Office, p. 8.
© FRA
6
Protection Regulation seeks to – among other things – strengthen the independence of DPAs. Draft
Article 47 of the General Data Protection Regulation stipulates that:
1. The supervisory authority shall act with complete independence in exercising the duties
and powers entrusted to it.
2. The members of the supervisory authority shal , in the performance of their duties, neither
seek nor take instructions from anybody.
3. Members of the supervisory authority shall refrain from any action incompatible with their
duties and shall not, during their term of office, engage in any incompatible occupation,
whether gainful or not.
4. Members of the supervisory authority shall behave, after their term of office, with integrity
and discretion as regards the acceptance of appointments and benefits.
5. Each Member State shall ensure that the supervisory authority is provided with the
adequate human, technical and financial resources, premises and infrastructure necessary for
the effective performance of its duties and powers, including those to be carried out in the
context of mutual assistance, co-operation and participation in the European Data Protection
Board.
6. Each Member State shall ensure that the supervisory authority has its own staff which shall
be appointed by and be subject to the direction of the head of the supervisory authority.
7. Member States shall ensure that the supervisory authority is subject to financial control
which shall not affect its independence. Member States shall ensure that the supervisory
authority has separate annual budgets. The budgets shall be made public.
Once adopted by EU legislators, the General Data Protection Regulation would enshrine many of the
key aspects of independence. The provisions set out in Article 47 – paragraphs 5 and 7 in particular –
are discussed below.
3. Principles applied to comparable
institutions
The principles set out above are also contained within other wel -established and recognised
European and international guidelines on independence. The frameworks applied to National Human
Rights Institutions and National Regulatory Authorities – including those from the broadcasting
telecommunications, and health sectors – are particularly valuable in informing any compilation of
independence standards to be applied. While DPAs typical y have a more focused mandate than
NHRIs, they are al meant to be independent monitoring bodies with a role in the fundamental rights
field.19
19 See also the discussions on the ‘Independence and powers of independent supervisory authorities’, which took place during
the 3rd Annual FRA Symposium: FRA (2012),
European Union data protection reform: new fundamental rights guarantees,
3rd Annual FRA Symposium, Vienna, 10 May 2012 (hereafter FRA Symposium Report), available at
http://fra.europa.eu/sites/default/files/fra_uploads/2280-FRA-Symposium-data-protection-2012.pdf, p.10, and FRA
(2010),
National Human Rights Institutions in the EU Member States. Strengthening the fundamental rights architecture in
the EU I, Luxembourg, Publications Office, available at: http://fra.europa.eu/sites/default/files/fra_uploads/816-
NHRI_en.pdf.
© FRA
7
“NHRIs hold a special position among independent mechanisms, since the rules governing their
composition, mandate and working methods – the Paris Principles – form the criteria for evaluating
these mechanisms, according to an OHCHR study.”
European Union Agency for Fundamental Rights (FRA) (2012),
EU Handbook on the establishment and
accreditation of National Human Rights Institutions, p. 4220
The Paris Principles provide comprehensive guidance on the effective governing and independence of
NHRIs. The International Coordinating Committee of National Institutions for the Promotion and
Protection of Human Rights (ICC) reviews and accredits NHRIs through its sub-committee in
compliance with these Principles. The ICC Sub-Committee’s General Observations concerning the Paris
Principles affirm that “[f]inancial systems should be such that the institution has complete financial
autonomy [and it should have] a separate budget line over which it has absolute management and
control.”21
“NHRIs must be ful y independent and guaranteed a sufficient infrastructure with adequate funding
so as to ensure the highest attainable level of operations irrespective of changes in the political
leanings of successive governments, economic downturns, or perceived sensitivity of the matters
they address. NHRIs should have a separate budget line and legislative prescription of adequate
resources, with clear goals and measurement of performance.
[…] NHRIs should also be […] sufficiently resourced to be able to collect data and conduct research
and awareness-raising.”
FRA’s Opinions as published in the Report (2010)
National Human Rights Institutions in the EU
Member States
The framework applied to equality bodies calls for the need for independence but does not provide
detailed principles to which the bodies must adhere to. Article 13 of Council Directive 2000/43/EC of
29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or
ethnic origin (Racial Equality Directive) provides that Member States shall designate a body or bodies
for the promotion of equal treatment of all persons, and that the competences of these bodies should
include providing independent assistance, conducting independent surveys, and publishing
independent reports.22 Further elaboration on the concept of independence is not provided.23
In the area of broadcasting regulation, Article 30 of Directive 2010/13/EU of the European Parliament
and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law,
regulation or administrative action in Member States concerning the provision of audiovisual media
services (Audiovisual Media Services Directive) only requires that Member States take appropriate
measures necessary for the application of the Directive “through their competent independent
20 See also Office of the United Nations High Commissioner for Human Rights (OHCHR) (2010),
National Human Rights
Institutions, History, Principles, Roles and Responsibilities, available at http://www.ohchr.org/Documents/Publications/PTS-
4Rev1-NHRI_en.pdf.
21 International Coordinating Committee of National Institutions for the Promotion and Protection of Human Rights, Report and
Recommendations of the Session of the Sub-Committee on Accreditation (SCA), Geneva, 29 March -1 April 2010, available
at http://nhri.ohchr.org/EN/ICC/AnnualMeeting/24/2Subcommittee%20on%20Accreditation/SCA%20REPORT%20-
%20March%20FINAL%20(with%20annexes).doc.
22 Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective
of racial or ethnic origin (Race Directive), OJ 2000 L 180, Art. 13.
23 See however, Principle 5, Council of Europe, European Commission against Racism and Intolerance (ECRI),
ECRI General
Policy Recommendation N°2: Specialised bodies to combat racism, xenophobia, antisemitism and intolerance at national
level, Strasbourg, Council of Europe, 13 June 1997 and Equinet, European network of equality bodies,
Between impartiality
and responsiveness – Equality bodies and practices of independence, December 2008.
© FRA
8
regulatory bodies,”24 without further elaborating on what is to constitute an independent regulatory
body. A 2011 study conducted on behalf of the European Commission stated that independence is in
many ways a relative term, the definition of which depends on the purpose of independence within
the given context. It notes that independence and effective functioning are closely interrelated and
can hardly be separated from one another. While the report acknowledges that there is no
comprehensive and consistent theory of independence that we could simply apply to derive criteria
and indicators, it does identify theoretically extractable criteria and descriptors, categorised under
different dimensions of independence. These comprise Status and Powers (legal provisions that
establish the regulatory body and specify its tasks and powers); Autonomy of Decision Makers (an
organisational structure and management board that safeguards against political influence); Financial
Autonomy (adequacy of the budget and autonomy in allocating the budget so as to minimise the
involvement of other actors in the budget allocation process); Knowledge (professionalism and
expertise of staff and board members); and Transparency & Accountability mechanisms (checks and
balances to ensure that the regulator does not stray from its mandate, engage in corrupt practices, or
become grossly inefficient).25 In March 2013, the European Commission launched a public
consultation to assess whether the independence of regulatory bodies should be strengthened. The
questions asked in the consultation sought – among other things – to identify key indicators of
independence.26
Council of Europe standards in the area of broadcasting are more detailed. In providing a
Recommendation on the independence and functions of regulatory authorities for the broadcasting
sector, the Council of Europe stated that the “funding of regulatory authorities should be specified in
law in accordance with a clearly defined plan; [and that] public authorities should not use their
financial decision-making power to interfere with the independence of regulatory authorities.” 27
The EU framework applied to electronic communications networks and services is even more explicit,
with many of the requirements directly informing the practices recommended in this paper. Directive
2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending
Directive 2002/21/EC on a common regulatory framework for electronic communications networks
and services provides that the independence of the national regulatory authorities should be
strengthened through express provision being made in national law to ensure that, in the exercise of
its tasks, a national regulatory authority is protected against external intervention or political pressure
liable to jeopardise its independent assessment of matters coming before it. It goes on to assert that
rules should be laid down at the outset regarding the grounds for the dismissal of the head of the
national regulatory authority. It also states that it is important that national regulatory authorities
should have their own budget al owing them, in particular, to recruit an adequate number of qualified
staff. In order to ensure transparency, this budget should be published annually. It goes on to affirm
that Member States shall ensure that national regulatory authorities have adequate financial and
human resources to carry out the task assigned to them.28
With regard to NRAs for the health sector, the World Health Organisation provides useful human
resources recommendations. Among them, they urge governments to ensure that competitive and
24 Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain
provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual
media services (Audiovisual Media Services Directive), OJ 2010 L 95, Art. 30.
25 INDIREG Final Report: Indicators for independence and efficient functioning of audiovisual media services regulatory bodies
for the purpose of enforcing the rules in the AVMS Directive” (SMART 2009/0001). February 2011, available at:
http://ec.europa.eu/avpolicy/docs/library/studies/regulators/final_report.pdf.
26 European Commission Consultations on Media Freedom and Pluralism and Audiovisual Media Regulator Independence, open
until 14th June 2013, available at: https://ec.europa.eu/digital-agenda/en/public-consultation-independence-audiovisual-
regulatory-bodies.
27 Council of Europe, Recommendation Rec(2000)23 of the Committee of Ministers to Member States on the Independence
and Functions of Regulatory Authorities for the Broadcasting Sector, Strasbourg, adopted on 20 December 2000.
28 Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives
2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on
access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the
authorisation of electronic communications networks and services, OJ 2009 L 337.
© FRA
9
attractive salaries are available for NRA staff; merit-based staff selection and recruitment policies are
in place; and that the NRAs are able to improve the knowledge and skills of their staff through in-
house and external training programmes.29
In several countries, normative or practical obstacles raise concerns as to the effective independence
of the national supervisory bodies from the political branches of government.30 An assessment of the
extent to which these obstacles prevent DPAs from carrying out their functions in complete
independence fol ows below in this report.
The key areas to be explored herein fall broadly within the first two categories addressed by the
Commission’s questionnaire that this FRA analysis is focusing on:
1. budget issues; the extent to which DPAs have a separate and independent annual budget
along with adequate resources and the ability to use those resources free from external
control (
financial independence); and
2. staff and training issues; the extent to which DPAs are able to hire an adequate number of
staff to fulfil their tasks, that they are able to recruit this staff independent of external
influence, and that they are able to provide adequate training for all staff members (
staffing
independence).
4. Financial independence
Financial independence is essential for the effective functioning of the DPAs. This incorporates DPAs
having a) a separate and independent annual budget – so as to ensure that influence is not exerted
on the DPA by the government through the budgetary process, and b) adequate financial resources to
carry out their mandate. Both of these issues will be addressed in turn, and are of particular relevance
in light of the proposal for a General Data Protection Regulation, which would abolish notification
requirements, thereby preventing DPAs from earning revenue through the use of notification fees.
4.1. Separate and independent annual budget
The budgets of DPAs should not be subject to influence by government. This relates to both their
initial allocation – deciding on the amount to be received during budgetary preparations – and the way
in which funds are subsequently spent (once the budget has been allocated), however the
Commission’s questionnaire only covers the budgetary preparations process and therefore discussion
here is limited to this issue. It is advisable that DPAs are given a separate and independent budget,
authorised by Parliament alone. The independence of DPAs is also increased by ensuring that they
are involved in all aspects of the budgetary preparations, making an assessment of the amount
needed in a detailed proposal, and being consulted throughout the decision making process. Such
involvement further minimises the risk of influence being exerted over the budgetary process by the
government.
Failing to involve the DPAs in the budgetary procedure risks placing them in a position whereby they
are unable to respond to fluctuating demands due to a lack of specific resources. The CJEU has
however indicated that, with regard to DPAs, budgetary independence can be achieved in the
absence of a separate budget line: In the case of
European Commission v Republic of Austria –
according to the CJEU – Article 28 of the Data Protection Directive, does not oblige EU Member States
29 World health organisation (WHO) 2003, Aide-Memoire: Strengthening National Regulatory Authorities, available at
http://www.who.int/medical_devices/publications/en/AM_National_Regulatory_Authorities_2003.pdf.
30 FRA (2010),
Data Protection in the European Union: The role of National Data Protection Authorities. Strengthening the
fundamental rights architecture in the EU II, Luxembourg, Publications Office.
© FRA
10
to reproduce in their national legislation provisions similar to Article 43 (3) of the Regulation 45/2001
(the Data Protection Regulation which applies to EU institutions), which states that the budget of the
European Data Protection Supervisor “shal be shown in a separate budget heading in […] the general
budget of the European Union”.31 Indeed, national legislation “can therefore provide that, from the
point of view of budgetary law, the supervisory authorities are to come under a specified ministerial
department”.32 In this case, the CJEU did, however, express concern that in instances where the
budgetary competence of the DPA falls within a specific ministerial department, “the attribution of
the necessary equipment and staff to such authorities must not prevent them from acting ‘with
complete independence’ in exercising the functions entrusted to them within the meaning of the
second subparagraph of Article 28 (1) of Directive 95/46.”33 As such, instances in which the
executive branch of government is responsible for the DPA budget risk undermining DPA
independence and risk placing the DPAs under the control of individual members of government.
Granting more control to the DPAs over their own budget would nevertheless decrease the likelihood
that external interference can be imposed. A situation that offers the maximum amount of budgetary
autonomy should be strived for as a way of increasing the financial independence of DPAs. As such –
in the interest of ensuring greater independence - it is suggested here that DPAs should be entrusted
with a separate budget line as well as control over how they allocate those funds. In the broadcasting
field, Council of Europe Recommendation (2000) 23 of the Committee of Ministers to Member States
on the Independence and Functions of Regulatory Authorities for the Broadcasting Sector “does not
rule out financing from the state budget. However, because in this case regulatory authorities are
more likely to be dependent on the budgetary favour of governments and parliaments, it states
explicitly that public authorities should not use their financial decision-making power to interfere with
the independence of regulatory authorities.”34 Similar calls have been made for Member States to
ensure that – with regard to NHRIs – they “provide for secure and stable funding from a central
budget under a separate budget line, with parliamentary oversight.”35
From the questionnaire results, the extent to which DPAs enjoy a separate and independent annual
budget varies across Member States, from those that play no role in budgetary preparations, to those
that are involved throughout and are answerable only to Parliament.
The responses provided indicate that the majority of DPAs are involved to some degree in the
process of drafting their budget, but their ability to influence the amount of funds that they wil
receive is limited. In most Member States, DPAs receive their funds from the State’s budget, and
often from the budget allocated to either the Ministry of Justice or Ministry of Finance. In these
instances, DPAs are usual y required to submit and defend proposals to the appropriate Ministry
before Parliamentary approval is given. The DPAs in
Austria,
Bulgaria,
Croatia,
Cyprus, the
Czech
Republic,
Denmark,
Estonia,
Greece,
Finland,
France,
Lithuania,
Luxemburg,
Malta,
Sweden and
Slovenia all detail procedures in their responses to the questionnaire involving submitting their
budgets to the relevant ministry, which is then able to propose amendments.
Other DPAs report that they are excluded from budgetary discussions altogether. In
Latvia, the
Cabinet of Ministers determines the amount of budgetary resources for all the public institutions. A
‘top-down’ approach is adopted, leaving the DPA without a say “in any preparatory work or decision
making regarding its budget.”36 In the
Netherlands, the Dutch DPA reports that it is “hardly informed
or involved in the [budgetary] process.”37 The
Portuguese DPA reports that a lack of budgetary
control has also been combined with a yearly 5% reduction in the DPA’s funding over the last two
years, which is imposed without taking in to account the needs of the DPA. While the DPA is required
31 CJEU, C-614/10,
Commission v. Republic of Austria, 16 October 2012, para. 58.
32
Ibid.
33
Ibid.
34 Council of Europe, Recommendation (2000) 23 of the Committee of Ministers to Member States on the Independence and
Functions of Regulatory Authorities for the Broadcasting Sector
35 Recommendations from the Preparatory Meeting of National Human Rights Institutions, organised by the OSCE Office for
Democratic Institutions and Human Rights, 14–15 April 2011, available at: http://www.osce.org/odihr/84064.
36 Information from Latvian DPA.
37 Information from Dutch DPA.
© FRA
11
to submit a budget proposal, “there is no discussion at all between the DPA and the budgetary
authority,”38 and the DPA’s specific needs are not taken into account.
The extent to which DPAs have stable budgets and are free to spend funds as they see fit was not
addressed by the Commission’s questionnaire and as such, falls outside of the remit of this analysis. It
is, however, worth stressing the importance of this aspect of independence to the effective
functioning of independent DPAs, distinct from the need for a separate annual budget. An example of
a stable budget is provided by the DPA of the
United Kingdom, wherein the DPA prepares its own
annual budget as wel as three year forecasts of income and expenditure. These are provided to the
Ministry of Justice and do not require approval.39 It is important to note however that the majority of
the United Kingdom DPA’s budget is funded through notification fees paid by data control ers, and
that these fees are subject to review by the Ministry of Justice.
Promising practices
There are a number of promising practices among EU Member States. In these instances, the DPAs
are involved in the budgetary process throughout, with Parliament ultimately responsible for
budgetary allocations. In
Denmark for instance, the DPA has independent budgetary status within the
state budget concerning the Ministry of justice. While the “Ministry of justice draws up a draft on the
budget – and the DPA comments – in the end it is for the Parliament to decide.”40 Similar collaborative
approaches are found in
Spain, where the DPA drafts its own budgetary proposals, which are included
in the draft Budgetary Act through the Ministry of Justice.41 In
Finland, negotiations are conducted
between the DPA and the Ministry of Justice. Parliament then makes amendments before the final
budget is published. The
Italian DPA’s budgetary proposal is submitted by the DPA to the government
and included directly in the State Budget – which is to be approved by Parliament. Despite the
submission of a financial application to the government, the DPA interfaces with Parliament with
regard to all issues relating to the final budgetary apportionment42
There are also examples in which DPAs are involved in budgetary preparations throughout and are
answerable only to Parliament. The
Polish DPA drafts its own budget which is then presented to
Parliament by the government. The government is unable to introduce any changes to the proposal,
and the only institution that decides is Parliament. Likewise, the
Belgian DPA files its budget with the
Parliament. Parliament is the only institution able to grant the budget and the government is not
involved in the budgetary process.
There are also examples in which DPAs enjoy a separate budgetary line, further strengthening the
independence of their budgetary procedures. The
Hungarian DPA reports that its budgetary
independence has been strengthened. Stable state funding is guaranteed through a separate
budgetary appropriation line43 and the DPA’s budget constitutes an independent title within the
budgetary chapter of Parliament.44
Indeed the practice of ensuring the maximum amount of budgetary autonomy can be seen among
other comparable institutions. The Paris Principles are the universally recognised primary source
establishing minimum standards for the effective functioning of an NHRI. These Principles are applied
to determine the accreditation status of NHRIs, whereby ful compliance with the Principles warrants
an A-status. There are currently 13 A-Status NHRIs across 10 Member States, each offering useful
38 Information from Portuguese DPA.
39 Information from UK DPA.
40 Information from Danish DPA.
41 Information from Spanish DPA.
42 Information from Italian DPA.
43 Information from Hungarian DPA.
44 Information from Hungarian DPA.
© FRA
12
examples of independent standards that could also be applied to DPAs.45 While the absence of a
separate budget line does not necessarily preclude A-Status accreditation, it is illuminating to note
that the budgetary procedures of both the Scottish Commission and the Spanish Ombudsman (which
have been accredited with A-status) are composed in this way. As highlighted in FRA’s 2010 report
on NHRIs in the EU Member States, the Scottish Commission is accountable only to the Parliament.
The annual budget is subject to approval by the Scottish Parliament, and its annual accounts are
scrutinised by the Scottish Parliament and the Auditor General. In the exercise of its functions, the
Scottish Commission is not to be subject to the direction or control of any member of the Scottish
Parliament, any member of the Scottish Executive, or of the Parliament itself. Moreover, unlike the
Northern Ireland and British commissions, the Scottish Commission is not what is called a non-
departmental public body, but a ‘body corporate’ which is entirely independent of government and
accountable directly to the Scottish Parliament. The annual budget of the Scottish Commission is
separate and subject to approval only by the Scottish Parliament. This is similarly the case with the
budget of the Spanish Ombudsman, which has a separate budget line from the Parliamentary
budget.46
4.2. Adequate financial resources
An essential aspect of DPAs independence is that they are given adequate resources. Human,
financial and technical resources are necessary to ensure that DPAs run efficiently and effectively as
independent supervisory authorities.
In spite of this, in the Commission’s questionnaire, the majority of DPAs – plus the Croatian Agency for
the Protection of Personal Data – report that they are under-funded and under-staffed, and that this
has a negative impact on the quality and quantity of the work they are able to carry out. Many DPAs
also report that a lack of resources limits their ability to control and sanction data protection
breaches.47
Figures 1-2 below detail the number of staff in each DPA, and the number of complaints received
from individuals. The Figures offer a comparison between the DPAs, across the Member States,
although in some instances incomplete statistics are held for Austria, Croatia, Denmark and Hungary.
All of the data was provided by the 14th Annual Report of the Article 29 Data Protection Working
party of 2010, and are correct for that year. In both Figures 1 and 2, the figures listed for Germany
and Spain relate to their respective federal DPAs, and do not include data from their regional
authorities. That is the Federal Commissioner for Data Protection and Freedom of Information in
Germany, and the Spanish Data Protection Agency in Spain only.
45 The accreditation of NHRIs is periodically reviewed, at least every five years (‘re-accreditation’). See Chart of the Status of
National Institutions accredited by the ICC, as of August 2011, available at:
http://www.ohchr.org/Documents/Countries/NHRI/Chart_Status_NIs.pdf
46 FRA (2010),
National Human Rights Institutions in the EU Member States. Strengthening the fundamental rights architecture
in the EU I, Luxembourg, Publications Office, p.34.
47 FRA (2013 forthcoming),
Data protection – redress mechanisms, Comparative report, Luxembourg, Publications Office, see
Section 8.3.
© FRA
13
Figure 1: Number of staff members at each DPA48
Source: FRA 2013
Figure 2: Number of complaints from individuals that DPAs receive, annually49
Source: FRA 2013
Figure 3 below details the annual budget of the DPAs in euros, and again offers a comparison
between the DPAs across the Member States. All amounts are taken as Euros, having been converted
48 Data was not available for the DPAs of Croatia and Hungary.
49 Data was not available for the DPAs of Croatia, Denmark and Hungary.
© FRA
14
at the time that the figures were compiled.50 These figures were provided by the 14th Annual Report
of the Article 29 Data Protection Working party of 2010, or the Annual reports of the individual DPAs
from 2010. The budgets of all DPAs in Germany51 and Spain52 have been col ated to give the ful
amount al ocated to DPAs across that Member State. It is, however, worth noting that the budget of
some DPAs – such as the United Kingdom – are calculated to include their Freedom of Information
work as well, meaning that the budgets of these DPAs will necessarily be inflated in comparison to
those DPAs that only carry out Data Protection work.
Figure 3: Budget of DPAs, annually (Euros)53
Source: FRA 2013
50 The figure from Hungary was converted from HUF to EUROs using Euro foreign exchange reference rates as at 1 June 2010,
taken from the European Central Bank, available at: https://www.ecb.int/stats/exchange/eurofxref/html/index.en.html.
51 The budget of the Federal Commissioner for Data Protection and Freedom of Information, was taken from the 14th Annual Report of the
Art.29 Working Party. In addition, Baden-Wuerttemberg, available at: http://www.statistik-bw.de/shp/2010-11/; Bayern, available at:
http://www.stmf.bayern.de/haushalt/staatshaushalt_2009/haushaltsplan/; Berlin, available at: http://www.berlin.de/sen/finanzen/
dokumentendownload/haushalt/haushaltsplan-/haushaltsplan-2010-2011-/2010_2011_band02_epl_01_02_20_21.pdf;
Brandenburg, available at: http://www.mdf.brandenburg.de/sixcms/media.php/4055/Einzelplan_01_2010.pdf; Bremen, available at:
http://www.finanzen.bremen.de/sixcms/media.php/13/Landeshaushalt_2010.pdf; Hamburg, available at: http://www.hamburg.de/
contentblob/806940/data/einzelplan2.pdf; Hessen, available at: http://verwaltung.hessen.de/irj/HMdF_Internet?cid=
113bcb3f51e32a34e1691054cf4f1dfc; Mecklemburg-Vorpommern, available at: http://www.regierung-
mv.de/cms2/Regierungsportal_prod/Regierungsportal/de/fm/Themen/Haushaltsplaene/Der_Haushaltsplan_20102011/index.jsp;
Niedersachsen, available at: http://www.mf.niedersachsen.de/portal/live.php?navigation_id=1049&article_id=1569&_psmand=5;
Nordrhein-Westfallen, available at: http://fm.fin-nrw.de/info/fachinformationen/haushalt/havinfo/hh2010.ges/daten/
pdf/2010/hh03/kap630.pdf; Rheinland-Pfalz, provided by the DPA; Saarland, available at: http://www.saarland.de/dokumente/
thema_haushalt_und_finanzen_hhpl_2010/01_Landtag.pdf; Sachsen, available at: http://www.finanzen.sachsen.de/download/
EPL_01_SLT.pdf; Sachsen-Anhalt, available at: http://www.sachsen-anhalt.de/fileadmin/Elementbibliothek/Bibliothek_Politik_und_
Verwaltung/Bibliothek_Ministerium_der_Finanzen/Dokumente/HHPL_E_2010_2011/Einzelplan01.pdf; Schleswig-Holstein, available
at: http://www.schleswig-holstein.de/FM/DE/Landeshaushalt/ArchivHaushaltsplaene/Haushaltsplaene200920010/Epl01__blob
=publicationFile.pdf; and Thueringen, available at: www.thueringen.de/imperia/md/content/tfm/haushalt/haushalt_20102/01_bp.pdf.
52 The budget of the Spanish Data Protection Agency was provided by 14th Annual Report of the Art.29 Working Party. In
addition, Catalan, available at: http://www.apd.cat/media/2592.pdf; Basque, available at:
http://www.avpd.euskadi.net/s04-5249/es/contenidos/informacion/memorias_anuales/es_memorias/r01hRedirectCont
/contenidos/informacion/memorias_anuales/es_mem2010/adjuntos/cifras10.pdf; and Madrid, available at:
http://www.madrid.org/wleg/servlet/Servidor?opcion=VerHtml&nmnorma=6176&cdestado=P.
53 Data was not available for the DPAs of Austria and Croatia.
© FRA
15
While these figures provide a useful comparison among EU Member States, in order to accurately
compare the amounts allocated to the DPAs in different countries, it is also important to take into
account the fact that the general price level varies from one Member State to the next, with the
relative purchasing power of the Euro varying between states. This means that in some countries, a
certain amount of money will go further than in others – with higher wages; resource costs etc. –
distorting any comparison drawn between Member States. In order to make the amounts spent by
each DPA comparable across the EU 28, Figure 4 has been compiled below, taking into account the
population of each Member State, as wel as a correction coefficient, which takes into account
purchasing power across the Member States. As such, the budget has been divided by the correction
coefficient, with the whole sum in turn divided by the population of the member state, producing the
relative amount available to DPAs per capita annually.
The population figures used to calculate the per capita amount spent are provided by the EU
Statistical Office (Eurostat) and are also correct as of 2010. The correction coefficient used has also
been provided by Eurostat, in collaboration with the National Statistical Institutes of the Member
States, which calculates the correction coefficients twice a year (for 1st July and 1st January). This
coefficient was used as the best available, because: i) The surveys are done by national officials who
are experienced in price surveys and at the same time know their local markets wel ; ii) They cover
far more products than other surveys;. iii) The results are officially validated by the National Statistical
Institutes.54
Figure 4: Euros Spent by DPAs per capita, annually55
Source: FRA 2013
Neither Figures 1-2 nor Figures 3-4 provide an assessment of what constitutes adequate resources
for the purpose of this paper, nor is a recommended amount provided, either annually or per capita.
The Figures also do not take into account the relative needs of the DPAs, nor do they account for
some DPA budgets being comprised largely from notification fees. The Figures do however prove
very useful in comparing the amounts allocated to DPAs across the Member States.
54 EU Statistical Office (Eurostat), 2010. Statistics available at:
http://epp.eurostat.ec.europa.eu/tgm/table.do?tab=table&plugin=1&language=en&pcode=tps00001.
55 Data was not available for the DPAs of Austria, Croatia.
© FRA
16
A lack of financial resources across Member States seriously impedes the DPA's ability to ensure
gradual and progressive realisation of the improvement of their operations and the fulfilment of their
mandate. With financial resources used to ensure everything from adequate premises to
remuneration of staff and establishment of communication systems, DPAs are unable to conduct their
activities in a comprehensive and independent manner without adequate funds.
The majority of DPAs answered the Commission questionnaire by stating that they do not have
sufficient financial resources. Many DPA claim that they have suffered indiscriminate cuts on a yearly
basis, with no assessment of their needs conducted beforehand. The
Portuguese DPA reports that
5% annual cuts have been levied in each of the last two years. Despite the
United Kingdom DPA
deriving adequate resources through the use of notification fees for its data protection work, it stil
relies on grants from the Ministry of Justice to fund its freedom of information work, and has reported
that in this area there has been a reduction of “20% year on year for three years.”56
This problem is compounded by the fact that a similar amount of DPAs consider their budget to be
following a decreasing trend. The
Irish DPA states that its resources are “not sufficient to meet [its]
obligations”,57 a concern echoed among the Member States. The
Bulgarian DPA lacks its own
administrative building, which is an important aspect of ensuring that the DPA is perceived as
independent by the outside world. Reliance on private or governmental institutions for the provision
of premises risks projecting the image that its independence may be compromised. The
Danish DPA
points out that it will need additional funds if it is to carry out all of its duties, and the
Dutch DPA
notes a “structural shortage of resources,”58 forcing the DPA to make “a risk-based prioritisation of
work and to continuously make far-reaching choices.”59
Having financial control over the budget incorporates both control over the amount allocated, and the
ability to spend that amount as the DPA sees fit. The adequacy of resources concerns the amount
allocated, and even though the majority of DPAs that lack adequate financial resources attribute this
to their inability to control the amount they receive, there are instances in which a lack of control
over the amount received is not to blame. As such, being heavily involved in budgetary preparations
does not necessarily guarantee that adequate funds wil be allocated, despite both being necessary
for DPAs to operate independently and effectively. The
Italian DPA for instance – despite being
heavily involved in budgetary preparations – notes that the apportionment that is envisaged for 2013
is decreasing and is noted to be absolutely insufficient to meet al of the requirements applying to the
DPA.60
A number of DPA report that a significant proportion of their funding is derived from external sources.
The most notable external source of funding – which reduces dependency on governmental
departments and generates an additional source of income – is the use of notification fees. By
al owing DPAs to charge data control ers (those responsible for storage and use of personal
information), they generate their own source of income which can be al ocated as they see fit. Indeed
the
United Kingdom DPA - which as previously noted derives the entirety of the funds necessary for
its data protection work in this way – asserts that “this method of funding ensures financial
independence from government and removes the funding of the DPA’s activities from the political
agenda.”61 The
Maltese and
Portuguese DPAs also derive a certain percentage of their budget from
notification fees.
Similar practices can also been seen among other comparable institutions. With regard to the
broadcasting sector, the Explanatory Memorandum of Recommendation (2000) 23 of the Committee
of Ministers to Member States on the independence and functions of regulatory authorities for the
broadcasting sector points out that the practice in most European countries shows that funding can
mainly come from fees or a levy. The Explanatory Memorandum states that “this arrangement [of
56 Information from UK DPA.
57 Information from Irish DPA.
58 Information from Dutch DPA.
59 Information from Dutch DPA.
60 Information from Italian DPA.
61 Information from UK DPA.
© FRA
17
funds derived from fees] would seem the best way of safeguarding financial independence inasmuch
as it does not leave them reliant on the public authorities’ goodwill.”62
Fees are also utilised to generate funds by NHRIs. The British Equality and Human Rights Commission
for instance is allocated a budget from the Secretary of State, but “the Commission can also obtain
funding from external sources”.63 It is worth noting however that the ICC Sub-Committee’s General
Observations recommend that “funding from external sources, such as from development partners,
should not compose the core funding of the NHRI as it is the responsibility of the state to ensure the
NHRI’s minimum activity budget in order to allow it to operate towards fulfilling its mandate. Financial
systems should be such that the NHRI has complete financial autonomy. This should be a separate
budget line over which it has absolute management and control.”64
Promising practices
The DPAs that are able to function most effectively are those that are given adequate funding to
carry out their tasks. It is therefore essential that Member States ensure that DPAs have adequate
access to these funds. As has been demonstrated, external sources of funding are available to some
of the DPAs, and this can indeed provide a useful supplement to the DPAs funds. This should not,
however, be the sole source of funding, and DPAs must be supported with core funding. If the draft
General Data Protection Regulation is adopted, it will no longer be possible to charge notification fees,
making the provision of core funding from each member state all the more important.
Whether notification fees are utilised or not it is essential that al Member States should ensure that
DPAs have adequate financial resources to fulfil their mandate. This would significantly increase both
the strength and independence of DPAs. There are a number of DPAs that indicate that they have
adequate financial resources without the need for additional sources of funding, most of which report
that their budget is on an increasing trend. The
Hungarian DPA, for instance, notes that they “were
able to achieve a reasonable increase concerning the Authority’s financial resources for the year of
2013.”65 The
Polish DPA also notes that its budget is increased yearly in line with the rate of inflation
and subsequently, the sum it receives is sufficient to meet its needs. Member States should ensure
that their DPA’s budget increases to meet its needs, with support from the DPA’s budgetary authority
even more crucial in instances where funding from additional sources is not available.
5. Staffing independence
Issues regarding human resources are closely linked to those regarding financial management, with
staff costs accounting for a significant part of any institutional costs. The extent to which DPAs are
able to exercise and to enjoy independence with regard to all aspects of their own staff is also an
important component of the overall ability of a DPA to carry out its functions.
62 Council of Europe. Recommendation (2000) 23 of the Committee of Ministers to Member States on the Independence and
Functions of Regulatory Authorities for the Broadcasting Sector.
63 FRA (2010),
National Human Rights Institutions in the EU Member States. Strengthening the fundamental rights architecture
in the EU I, Luxembourg, Publications Office, p. 32.
64 International Coordinating Committee of National Institutions for the Promotion and Protection of Human Rights,
Report and
Recommendations of the Session of the Sub-Committee on Accreditation (SCA), Geneva, 29 March -1 April 2010, available
at http://nhri.ohchr.org/EN/ICC/AnnualMeeting/24/2Subcommittee%20on%20Accreditation/SCA%20REPORT%20-
%20March%20FINAL%20(with%20annexes).doc.
65 Information from Romanian DPA.
© FRA
18
“The Paris Principles recognise that fundamental to ensuring the independence and efficient
functioning of an NHRI is the provision of adequate resources. An NHRI should be resourced in such
as manner as to permit the employment and retention of staff with the requisite qualifications and
experience to fulfil its mandate. Their terms and conditions should be equivalent to staff with similar
responsibilities and qualifications employed in other independent agencies of the state.”66
ICC SCA (2010) Accreditation report, March-April 2010
The extent to which DPAs are a) able to independently recruit staff; b) recruit an adequate number of
staff; and c) adequately train those staff members will be assessed in turn in the following.
Figure 5: DPA Recruitment Flexibility
Total, No Flexibilty,
4, 16%
Enough Flexibility
Limited Flexibility
No Flexibilty
Total, Enough
Total, Limited
Flexibility, 14, 56%
Flexibility, 7, 28%
* DPA assessment of the flexibility they have to recruit staff. 3 DPA
failed to respond. Source: FRA 2013
5.1. Independent
recruitment
procedures
Another essential aspect of DPAs independence is the need for transparent and meritocratic
recruitment procedures. It is important that DPAs are empowered to appoint and govern their own
staff. Ensuring that DPAs can recruit their own staff members, coupled with the ability to recruit an
adequate number of staff, should also ensure that they are able to recruit adequately qualified staff
members, and that appointments are made at the appropriate level. This is an important aspect of
independence, with inappropriate appointments having the ability to significantly undermine the
effective functioning of the DPAs.
It is worth noting that While the procedure for appointing and dismissing members of a DPA’s
governing body or Executive Committee has serious independence ramifications, discussion herein is
confined to staff working within the DPAs, and does not deal with members of the governing
bodies.67
66 Available at: http://nhri.ohchr.org/EN/AboutUs/ICCAccreditation/Documents/SCA%20REPORT%20MARCH%202010%20-
%20FINAL%20%28with%20annexes%29.pdf
67 For discussion on the ramifications of dismissal of staff members from the governing body, see: CJEU, C-288/12,
European
Commission v. Hungary, Action brought on 8 June 2012, pending. See also FRA (2010),
National Human Rights Institutions in
© FRA
19
From the questionnaire results, the DPAs can be placed into three broad categories based on the
practices identified across the EU Member States in relation to their involvement in recruitment
proceedings:
a) those that play no part in the recruitment process and are unable to influence either the
number of staff they recruit or the quality of those staff members;
b) those that have some degree of flexibility with regard to the recruitment procedure but
that are constrained due to financial restraints or national rules in place; and
c) those with sufficient flexibility in choosing their own staff members.
As shown in Figure 5, the majority of DPAs are of the opinion that they have sufficient flexibility in
the recruitment of their staff. A large number of DPAs do however, state that they either have limited
or no flexibility with regard to their recruitment procedures.
Of those that noted that they had no flexibility or only limited flexibility in this regard, the
Estonian,
Greek,
Portuguese,
Swedish and
Croatian DPAs, all note that the lack of funding available restricts
their ability to hire staff, either partially or completely. The Estonian DPA highlights how “there is
flexibility in recruitment among candidates but it is strongly subject to the budget,”68 while the
Swedish
DPA notes that they have “ful discretion over staff recruitment matters […] however, the
budgetary conditions natural y pose a limit in this regard.”69 The Greek DPA maintains that its
recruitment process is extremely cumbersome. It is also noted that due to the financial difficulties it is
nearly impossible to increase posts or fill vacancies.70
A number of DPAs also report how national regulations and legislation impede their ability to recruit
staff. The
Bulgarian DPA has to comply with requirements laid down in the Civil Servant Act,71
while
the
Latvian DPA, notes that there is a Cabinet of Ministers’ Regulation in place that determines the
structure of state institutions and so the director of the office cannot employ any councillors or
advisors for professional advice.72 A number of DPAs also note being restrained by recruitment
procedures in place in their Member State when hiring staff, often with regard to Civil Servants. The
Spanish DPA notes that it is subject to “the same procedural regulations on staff recruitment that
apply to all public authorities in Spain and thus is not completely free to make decisions on the
number of staff members.”73 It goes on to point out that staff has to be recruited, with a few
exceptions, from among civil servants,74 although they have a large degree of flexibility with regard
to job descriptions and selection of candidates. Similarly, the
Luxembourg DPA recruits its staff
members through a centralised recruitment procedure, although their “preferences are taken on
board for the final choice [… and] candidates may only apply if their qualifications are compatible with
the careers conditions and general regulations applicable to public administration.”75
Some DPAs report that they have no say in the recruitment procedures whatsoever. In
Ireland, DPA
“staff are Civil Servants assigned by the Department of Justice and Equality. There is no formal control
over the number or quality of staff assigned.”76 This is also the case in
Austria, where their DPA
reports that they do not recruit their own staff. This relates to a concern raised by the CJEU, wherein it
ruled that the regulatory framework in force in Austria fails to satisfy the condition that “the
attribution of the necessary equipment and staff to [DPAs] must not prevent them from acting ‘with
complete independence’ in exercising the functions entrusted to them within the meaning of the
the EU Member States. Strengthening the fundamental rights architecture in the EU I, Luxembourg, Publications Office; and
Opinion of the European Union Agency for Fundamental Rights on the proposed data protection reform package, FRA
Opinion – 2/2012, available at: http://fra.europa.eu/sites/default/files/fra-opinion-data-protection-oct-2012.pdf.
68 Information from Estonian DPA.
69 Information from Swedish DPA.
70 Information from Greek DPA.
71 Information from Bulgarian DPA.
72 Information from Latvian DPA.
73 Information from Spanish DPA.
74 Information from Spanish DPA.
75 Information from Luxembourg DPA.
76 Information from Irish DPA.
© FRA
20
second subparagraph of Article 28(1)”77 of the Data Protection Directive, insofar as the staff made
available to the DPA consists of officials of the Federal Chancel ery who are in turn subject to
supervision by the Federal Chancellery.
Promising practices
Despite deficiencies in some areas, there are examples of promising practice among the DPAs, with
14 out of the 25 respondents indicating that they have sufficient flexibility in the recruitment of staff.
In the
United Kingdom, the Information Commissioner’s Office is responsible for the recruitment of its
own staff and the selection process. It has in place a “Framework Agreement with the Ministry of
Justice [which] states that the Commissioner has responsibility for the recruitment, direction,
retention and motivation of his staff.”78 Similarly, the
French DPA’s “legal status gives it freedom in
its recruitment policy, within the limits of the budget allocated to it. Thus, the practical arrangements
for recruitment, allocation of staff between departments, and of course the choice of candidates
final y recruited, remain the prerogative of the President of [the] Commission.”79
Such freedom is also afforded to the
Italian DPA, in which the DPA's permanent staff is selected by
public competitive examinations decided autonomously by the DPA in accordance with its own needs.
The notices for these competitive examinations, organised by the DPA's Human Resources
department, are published in the Italian Official Journal and posted on the DPA's website.80 The Italian
DPA affirms that “there is no external influence exerted either before or during the recruitment
procedures.”81
This example of full and independent control granted over recruitment matters can be considered a
promising practice. It ensures that external influence is not indirectly exerted over the DPA through
the recruitment procedure, and is a practice that should be replicated by DPAs in other Member
States. Recruitment procedures should be in place in each Member State to ensure objective
standards are applied to the recruitment process.
5.2. Adequate
human
resources
The supervisory authorities should have the necessary technical and human resources (lawyers,
computer experts) to take prompt, effective action in a person’s favour.
Explanatory Report, Additional Protocol to the Convention 108, para. 8.
77 CJEU, C-614/10,
European Commission v.
Republic of Austria, 16 October 2012, para. 58.
78 Information from UK DPA.
79 Information from French DPA.
80 Information from Italian DPA.
81 Information from Italian DPA.
© FRA
21
Figure 6: Sufficient Human Resources?
Sufficient
Sufficient Human
Human
Resources?, Yes, 5,
Resources?,
19%
Partly, 3, 12%
Yes
No
Sufficient Human
Partly
Resources?, No, 18,
69%
*DPA Assesment of the sufficiency of their human resources. 2 DPA failed
to respond. Source: FRA 2013
It is integral to the functioning of the DPAs that they are adequately staffed, with specialist staff
members. As Figure 6 highlights, only five DPAs consider that they have sufficient human resources.
This lack of human resources among DPAs is severely hindering their ability to operate effectively.
Many DPAs linked the insufficiency of their human resources to a lack of adequate financial
resources. The
Czech DPA expressed its concern that due to its “limited payroll resources [it is unable]
to hire skilled experts from technological areas (namely ICT). Moreover, young and qualified experts
have often left for better remunerated jobs, mostly in the private sector.”82 Limited payrol resources
have also led to shortages for DPAs in other areas. The
Estonian DPA points out that they currently
have “no resources for special staff for international relations.”83 Consequently, their DPA attends to
all mandatory work but is unable to participate in all Article 29 Working Party subgroup work, where
a substantial amount of work is conducted. Similarly, the
Croatian DPA “is not able to employ the
necessary number of experts in the field of data protection,”84 and the
Latvian DPA is unable to
“carry out preventive control activities and privacy impact assessment.” The Latvian DPA goes on to
state that the salaries they can offer are low and therefore “it is difficult to get professional staff.”85
The
Portuguese DPA notes that it is subject to “restraining rules for staff admission in the public
administration, preventing the DPA from recruiting more people, in particular IT and legal officers.”86
The
Italian DPA states that the amount they receive for human resources is set forth in law and was
last updated by the Data Protection consolidation Code of June 2003. “Accordingly, [the amount
apportioned] is becoming insufficient to fulfil the tasks committed to the DPA, which have been
increasing over the years.”87
Promising practices
With almost all DPAs reporting insufficient human resources, prioritisation of tasks is essential to
ensure that the basic functions of the DPAs are carried out, and in order to justify additional funding
from the DPA’s budgetary authority. In
Finland, it is noted that through prioritisation, their DPA is able
to manage their basic duties, and in
Sweden, their DPA remarks that the answer to whether or not
82 Information from Czech DPA.
83 Information from Estonian DPA.
84 Information from Croatian DPA.
85 Information from Latvian DPA.
86 Information from Portuguese DPA.
87 Information from Italian DPA.
© FRA
22
they have sufficient resources to carry out their tasks depends on the goals that the DPA sets itself.88
The Swedish DPA goes on to assert that they deem their “resources largely sufficient with regard to
the currently set goals.”89
While the prioritisation of tasks can assist in justifying additional funding, it is imperative that the
DPAs enjoy the full support of those responsible for apportioning funds, insofar as they are given the
funds necessary to carry out their work. As the
French DPA notes, their budget has been increasing
over recent years. This increase ensures that it has the capacity “to implement all of its missions
[and] is the result of the unanimous support of successive governments and the French Parliament.”90
5.3. Sufficiently qualified staff
Integral to the requirement that DPAs have access to adequate human resources is the requirement
that their staff members are also sufficiently qualified. This is particularly pertinent given that the
DPAs operate in a rapidly developing field, with data protection issues increasing at the same rate as
technological advancements in the IT field. Having sufficient access to resources to provide adequate
training is essential to ensuring that staff are up-to-date with these developments. Whereas the
majority of DPAs are able to conduct training sessions, there is concern that budgetary restrictions
have a detrimental effect on the provision of these training sessions. The
Irish DPA notes for instance
that while it is able to provide occasional in-house seminars on specific issues their budget does not
permit them to avail of external data protection training.91 In
Greece, due to the lack of funds “for
self-organising training programmes due to a drastic reduction of the budget, no specialized training
has been organised.”92 This is also the case in both
Croatia and
Portugal. The
Lithuanian DPA is
unable to provide training on legal, technical or international aspects of data protection, “including
training on new developments in the field of data protection.”93 The
Latvian DPA reported that
“adequate training on data protection issues […] is not available and IT security trainings are too
expensive to be affordable.”94 It is also worth noting that the Latvian DPA must seek permission from
the Minister of Justice for “training abroad regarding all the employees.”95 Such government oversight
should be avoided in the interest of increased independence.
Promising practices
There are promising practices conducted in a number of Member States. The majority of DPAs report
that they are able to conduct training sessions. The
Bulgarian DPA “carries out training for the entire
staff […] involving legal, technical and international aspects of data protection. The programmes
make reference to the new developments in the area [and] the staff is given the possibility to
participate in external training programmes aimed at developing their professional skills outside the
data protection field.”96 The
Czech DPA has a “specialised training programme for newly recruited
staff”97 and fol ow-up is provided by external trainers. The
United Kingdom DPA has a “dedicated
team who develop, procure, deliver and manage [the] training programme.”98
88 Information from Swedish DPA.
89 Information from Swedish DPA.
90 Information from French DPA.
91 Information from Irish DPA.
92 Information from Greek DPA.
93 Information from Lithuanian DPA.
94 Information from Latvian DPA.
95 Information from Latvian DPA.
96 Information from Bulgarian DPA.
97 Information from Czech DPA.
98 Information from UK DPA.
© FRA
23
As these practices demonstrate, it is possible for DPAs to conduct regular, independent training
sessions when given the appropriate resources. All DPAs should strive to conduct regular training
sessions in areas relevant to their work and give al staff members the opportunity to benefit from
these.
Conclusions
This study looked at well-established and recognised European and international standards on
independence of bodies similar to DPAs. At a time when the European Institutions are discussing the
most far-reaching data protection reform in the last twenty years, analogies to similar independent
bodies can be useful in order to achieve a satisfactory reform.
This FRA analysis highlighted a number of promising practices among DPAs, identifying five key
principles of independence covered by the Commission’s questionnaire. Falling with two broad
headings of financial and staffing independence, these principles comprise: a separate and
independent annual budget; adequate financial resources; independent recruitment procedures;
adequate human resources; and sufficiently qualified staff.
The independence of DPAs seems to be strengthened when DPAs have a separate budget line
authorised by Parliament alone. While some DPAs are not involved in budgetary preparations and
most are susceptible to governmental influence, there are a number of DPAs that meet these
requirements. In ensuring that DPAs are financially independent, Member States could ensure that
DPAs are involved in all aspects of the budgetary preparations, further minimising the risk of
influence being exerted over the authority by the government. Such involvement would also ensure
budgetary stability and independence in deciding how to allocate funds.
Another essential aspect of DPAs independence is that they are given adequate resources. Human,
financial and technical resources are necessary to ensure that DPAs run efficiently and effectively as
independent supervisory authorities in a fast evolving technological world. Incorporated within this
are the requirements that DPA be given adequate funds to carry out their mandate, to recruit an
adequate number of staff members for their needs, and to be able to carry out regular training
sessions to ensure that their staff members are sufficiently trained and qualified. The majority of DPA
report that they are significantly underfunded, and that it curtails their ability to carry out their
mandate. While the use of notification fees is one possible solution to ensure that DPAs have enough
funds to meet their needs, this source should not negate the responsibility of Member States to
ensure that their DPA has adequate resources. A strong funding scheme would significantly increase
the strength, efficiency and independence of DPAs.
Another essential aspect of DPAs independence is the need for transparent and meritocratic
recruitment procedures. It is important that DPAs are empowered to appoint and govern their own
staff. The majority of DPAs report that they have sufficient flexibility and autonomy over their
recruitment procedures – in terms of hiring their own staff members – which is vital in ensuring that
external influence is not indirectly exerted over the DPA through the recruitment procedure.
Recruitment procedures should be in place in each Member State to ensure objective standards are
applied to the recruitment process.
A core element of the proposed data protection reform is to strengthen the national data protection
authorities. In order to provide strong and independent DPAs, the principles identified in this study
could be useful in this context to secure their implementation across the EU Member States.
According to the CJEU, DPAs are the “guardians” of the fundamental right to data protection. Ensuring
that they are equipped to fulfil their mandate – free from external control – will not only aid the
implementation of the proposed reform, but wil also improve the efficiency of the DPAs.
© FRA
24
Summary
The following summary is based on the analysis carried out above, taking particular account of the
promising practices highlighted:
Financial independence
DPAs operate most effectively when they have access to adequate resources. DPAs should
be given adequate human, financial and technical resources to ensure that they run
efficiently and effectively as independent supervisory authorities.
The financial independence of DPAs is strongest when they are granted a separate and
independent budget, authorised by Parliament alone.
It would be advisable if DPAs could be involved in all aspects of the budgetary preparations,
making an assessment of the amount needed, and being consulted throughout the decision
making process.
Where the budget is not authorised solely by Parliament, a minimal amount of governmental
influence over budgetary issues – both in terms of al ocation and subsequent spending
decisions – should be strived for. Where possible, the ability of governments to influence the
budgets of DPAs should therefore be limited. This relates to both their initial allocation and
the way in which funds are subsequently spent.
Having access to core funding is an important part of guaranteeing financial independence.
Member States should consider guaranteeing that adequate resources for the DPAs to
perform their tasks are available through core funding.
Staffing independence
The independence of DPAs is increased when they are empowered to appoint and govern
their own staff, free from external influence in the recruitment procedures.
The independence of DPAs is further increased when – in addition to having adequate
resources – they are also able to make their own decisions as to what constitutes an
adequate number of staff members to carry out their tasks.
In order for DPAs to operate most effectively, they should be able to recruit sufficiently
qualified staff members, with appointments made from a variety of fields, providing
expertise in all aspects of the DPA’s work. Where necessary, DPAs should be equipped to hire
specialist staff members. Any appointments should be made at the appropriate level.
Training is an essential part of ensuring that staff members are able to carry out their tasks
adequately. DPAs should have the resources to provide adequate training to ensuring that
staff members are up-to-date with developments affecting their work.
As a guarantee of independence, Member States should ensure that objective standards are
applied to ensure a fair and transparent recruitment process.
© FRA
25
Annex
Directive 2009/140/EC of the European Parliament and of the Council of 25 November
2009 amending Directives 2002/21/EC on a common regulatory framework for electronic
communications networks and services, 2002/19/EC on access to, and interconnection of,
electronic communications networks and associated facilities, and 2002/20/EC on the
authorisation of electronic communications networks and services
Official Journal L 337, 18/12/2009
(13) The independence of the national regulatory authorities should be strengthened in
order to ensure a more effective application of the regulatory framework and to increase
their authority and the predictability of their decisions. To this end, express provision should
be made in national law to ensure that, in the exercise of its tasks, a national regulatory
authority responsible for ex-ante market regulation or for resolution of disputes between
undertakings is protected against external intervention or political pressure liable to
jeopardise its independent assessment of matters coming before it. Such outside influence
makes a national legislative body unsuited to act as a national regulatory authority under
the regulatory framework. For that purpose, rules should be laid down at the outset
regarding the grounds for the dismissal of the head of the national regulatory authority in
order to remove any reasonable doubt as to the neutrality of that body and its
imperviousness to external factors. It is important that national regulatory authorities
responsible for ex-ante market regulation should have their own budget allowing them, in
particular, to recruit a sufficient number of qualified staff. In order to ensure transparency,
this budget should be published annually. (…)
3. Member States shall ensure that national regulatory authorities exercise their powers
impartial y, transparently and in a timely manner. Member States shall ensure that national
regulatory authorities have adequate financial and human resources to carry out the task
assigned to them.";
(b) the following paragraphs shall be inserted:
"3a. Without prejudice to the provisions of paragraphs 4 and 5, national regulatory
authorities responsible for ex-ante market regulation or for the resolution of disputes
between undertakings in accordance with Article 20 or 21 of this Directive shall act
independently and shall not seek or take instructions from any other body in relation to the
exercise of these tasks assigned to them under national law implementing Community law.
This shall not prevent supervision in accordance with national constitutional law. Only appeal
bodies set up in accordance with Article 4 shall have the power to suspend or overturn
decisions by the national regulatory authorities. Member States shall ensure that the head of
a national regulatory authority, or where applicable, members of the collegiate body
fulfilling that function within a national regulatory authority referred to in the first
subparagraph or their replacements may be dismissed only if they no longer fulfil the
conditions required for the performance of their duties which are laid down in advance in
national law. The decision to dismiss the head of the national regulatory authority
concerned, or where applicable members of the collegiate body fulfilling that function shall
be made public at the time of dismissal. The dismissed head of the national regulatory
© FRA
26
authority, or where applicable, members of the col egiate body fulfilling that function shall
receive a statement of reasons and shall have the right to request its publication, where this
would not otherwise take place, in which case it shall be published.
Member States shall ensure that national regulatory authorities referred to in the first
subparagraph have separate annual budgets. The budgets shall be made public. Member
States shall also ensure that national regulatory authorities have adequate financial and
human resources to enable them to actively participate in and contribute to the Body of
European Regulators for Electronic Communications (BEREC)
Declaration of the Committee of Ministers of the Council of Europe on the
independence and functions of regulatory authorities for the broadcasting sector
(Adopted by the Committee of Ministers on 26 March 2008 at the 1022nd meeting of the
Ministers’ Deputies)
III. FINANCIAL INDEPENDENCE
18. Another key factor for ensuring the independence of regulatory authorities is their
funding arrangements, which, according to the recommendation, should be specified in law
in accordance with a clearly defined plan, and with reference to the estimated cost of the
regulatory authorities’ activities, so as to allow them to carry out their functions fully and
independently (cf. Appendix to the recommendation, Section III, paragraphs 9 to 11).
19. The majority of Council of Europe member states have legal provisions defining the
source of funding of the regulatory body. By contrast, in at least a quarter of member states,
the legal framework does not appear to be clear on this subject.
20. It is common practice among many regulatory authorities in Council of Europe member
states to receive their funding directly through fees in order to be independent from public
authorities’ decision making. Nonetheless, the laws of a large number of member states
specify that the regulatory authority is to be financed by the state budget. In some member
states, the law mentions clearly that public authorities must not use their financial decision-
making power to interfere with the independence of the regulatory authority; however in
most countries where the regulatory authority is financed by the state budget no such
precautions are laid down in the law.
21. In some member states, the law stipulates that the regulatory authority proposes its
annual budget plan which then has to be automatically approved by a specific state body (or
the approval of such a body being a formality). However, in at least a third of all Council of
Europe member states, no clear rules exist to ensure that the approval for the regulatory
authority’s funding is not up to the discretion of such other state bodies.
22. It would appear that, despite the law envisaging an independent funding plan for the
regulatory authority, in certain Council of Europe member states those authorities claim to
feel under threat of or have experienced pressure from governments which go back on
agreed funding plans and/or use funding decisions as leverage in political power struggles.
Reportedly, in more than one case, broadcasting regulatory authorities which, according to
the law should be financed independently, in practice received their revenue from the state
© FRA
27
because of a weak broadcasting market or because the licence fee collecting system was
ineffective. In at least two member states, the regulatory authority did not publicly disclose
the source of their revenue after the licence fee system had collapsed.
23. In addition, many regulators also complain that they are not given the means (in
particular human resources) to adequately perform their duties (see below for further
details).
Recommendation No. R (2000) 23 of the Committee of Ministers to Member States on the
Independence and Functions of Regulatory Authorities for the Broadcasting Sector
(Adopted by the Committee of Ministers on 20 December 2000 at the 735th meeting of the
Ministers’ Deputies)
III. Financial independence
9. Arrangements for the funding of regulatory authorities - another key element in their
independence – should be specified in law in accordance with a clearly defined plan, with
reference to the estimated cost of the regulatory authorities’ activities, so as to allow them
to carry out their functions fully and independently.
10. Public authorities should not use their financial decision-making power to interfere with
the independence of regulatory authorities. Furthermore, recourse to the services or
expertise of the national administration or third parties should not affect their
independence.
11. Funding arrangements should take advantage, where appropriate, of mechanisms which
do not depend on ad-hoc decision-making of public or private bodies.
Explanatory Memorandum to Recommendation No. R (2000)23 of the Committee of
Ministers to member states on the independence and functions of regulatory authorities
for the broadcasting sector
(Adopted by the Committee of Ministers on 20 December 2000 at the 735th meeting of the
Ministers' Deputies)
III. Financial independence
24. The arrangements for funding regulatory authorities - like the procedures for appointing
their members - have the potential to work both as levers for exerting pressure and as
guarantees of independence. Experience shows that if regulatory authorities enjoy real
financial independence, they will be less vulnerable to outside interference or pressure.
25. With this in mind, the Recommendation provides that arrangements for the funding of
regulatory authorities should be specified in law in accordance with a clearly defined plan,
with reference to the estimated cost of the regulatory authorities' activities, so as to allow
them to carry out their functions fully and independently. As regards the question of
whether regulatory authorities should only use their own human and financial resources, the
Recommendation does not formally forbid national administrations or third parties from
© FRA
28
acting on a regulatory authority's behalf, provided such action is carried out in a context that
safeguards the independence of the authority.
26. The Recommendation does not indicate in a concrete manner the possible funding
sources of regulatory authorities. This being said, the practice in most European countries
shows that there are two main sources for the funding of regulatory authorities, which can
be combined where appropriate. Funding can mainly come from concession fees - or, where
appropriate, a levy on turnover - paid by licensees. Provided such licence fees or levies are
fixed at a level that does not constitute an operational impediment to broadcasters, this
arrangement would seem the best way of safeguarding the regulatory authorities' financial
independence inasmuch as it does not leave them reliant on the public authorities' goodwill.
At the same time, the Recommendation does not rule out financing from the state budget.
However, because in this case regulatory authorities are more likely to be dependent on the
budgetary favour of governments and parliaments, it states explicitly that public authorities
should not use their financial decision-making power to interfere with the independence of
regulatory authorities.
27. Whatever funding arrangements are adopted, account must be taken of the human,
technical and other resources which regulatory authorities need in order to perform all their
functions independently. Clearly, the more numerous and substantial those functions, the
more important it is that the funding of the regulatory authority should match its needs.
28. Where funding levels are fixed annually, account must be taken of the estimated cost of
the regulatory authorities' activities and of the fact that, in addition to the costs of regulation
itself, there are related expenses essential to the effective performance of the authorities'
tasks. In this respect, in order to perform those tasks competently, taking decisions based on
close analyses of the current, and indeed future, situation of the broadcasting sector,
regulatory authorities normally need to have recourse to consultants, carry out research,
fact-finding missions and studies and issue publications, all of which clearly entails additional
expenditure.
ECRI General Policy Recommendation N°2: Specialised bodies to combat racism,
xenophobia, antisemitism and intolerance at national level
Adopted by ECRI on 13 June 1997
Principle 5 Independence and accountability
1. Specialised bodies should be provided with sufficient funds to carry out their functions
and responsibilities effectively, and the funding should be subject annually to the approval
of parliament.
2. Specialised bodies should function without interference from the State and with all the
guarantees necessary for their independence including the freedom to appoint their own
staff, to manage their resources as they think fit and to express their views publicly.
3. Specialised bodies should independently provide reports of their actions on the basis of
clear and where possible measurable objectives for debate in parliament.
© FRA
29
4. The terms of reference of specialised bodies should set out clearly the provisions for the
appointment of their members and should contain appropriate safeguards against arbitrary
dismissal or the arbitrary non-renewal of an appointment where renewal would be the
norm.
International Coordinating Committee of National Institutions for the
Promotion and Protection of Human Rights
Report and Recommendations of the Session of the Sub-Committee on Accreditation (SCA)
(Geneva, 29 March -1 April 2010)
Annex III
GENERAL OBSERVATIONS
1. Composition and guarantees of independence and pluralism
2.1 Ensuring pluralism: The Sub-Committee notes there are diverse models of ensuring
the requirement of pluralism set out in the Paris Principles. However, the Sub-
Committee emphasizes the importance of National Institutions to maintain consistent
relationships with civil society and notes that this will be taken into consideration in
the assessment of accreditation applications.
The Sub-Committee observes that there are different ways in which pluralism may
be achieved through the composition of the National Institution, for example:
a) Members of the governing body represent different segments of society as
referred to in the Paris Principles;
b) Pluralism through the appointment procedures of the governing body of the
National Institution, for example, where diverse societal groups suggest or
recommend candidates;
c) Pluralism through procedures enabling effective cooperation with diverse societal
groups, for example advisory committees, networks, consultations or public
forums; or
d) Pluralism through diverse staff representing the different societal groups within
the society.
The Sub-Committee further emphasizes that the principle of pluralism includes
ensuring the meaningful participation of women in the National Institution.
2.2 Selection and appointment of the governing body: The Sub-Committee notes the
critical importance of the selection and appointment process of the governing body
in ensuring the pluralism and independence of the National Institution. In particular,
the Sub-Committee emphasizes the following factors:
a) A transparent process
b) Broad consultation throughout the selection and appointment process
c) Advertising vacancies broadly
© FRA
30
d) Maximizing the number of potential candidates from a wide range of societal
groups
e) Selecting members to serve in their own individual capacity rather than on behalf
of the organization they represent.
2.3 Government representatives on National Institutions: The Sub-Committee
understands that the Paris Principles require that Government representatives on
governing or advisory bodies of National Institutions do not have decision making or
voting capacity.
2.4 Staffing by secondment:
In order to guarantee the independence of the NHRI, the Sub-Committee notes, as a
matter of good practice, the following:
a) Senior level posts should not be filled with secondees;
b) The number of seconded should not exceed 25% and never be more than 50%
of the total workforce of the NHRI.
2.5 IMMUNITY: IT IS STRONGLY RECOMMENDED THAT PROVISIONS BE INCLUDED IN
NATIONAL LAW to protect legal liability for actions undertaken in the official capacity
of the NHRI.
2.6 Adequate Funding: Provision of adequate funding by the state should, as a
minimum include:
a) the allocation of funds for adequate accommodation, at least its head office;
b) salaries and benefits awarded to its staff comparable to public service salaries
and conditions;
c) remuneration of Commissioners (where appropriate); and
d) the establishment of communications systems including telephone and internet.
Adequate funding should, to a reasonable degree, ensure the gradual and
progressive realisation of the improvement of the organization’s operations and the
fulfilment of their mandate.
Funding from external sources, such as from development partners, should not
compose the core funding of the NHRI as it is the responsibility of the state to ensure
the NHRI’s minimum activity budget in order to allow it to operate towards fulfilling
its mandate.
Financial systems should be such that the NHRI has complete financial autonomy.
This should be a separate budget line over which it has absolute management and
control.
2.7 Staff of an NHRI: As a principle, NHRIs should be empowered to appoint their own
staff.
2.8 Full-time Members: Members of the NHRIs should include full-time remunerated
members to:
© FRA
31
a) Ensure the independence of the NHRI free from actual or perceived conflict of
interests;
b) Ensure a stable mandate for the members;
c) Ensure the ongoing and effective fulfilment of the mandate of the NHRI.
2.9 Guarantee of tenure for members of governing bodies: Provisions for the dismissal
of members of governing bodies in conformity with the Paris Principles should be
included in the enabling laws for NHRIs.
a) The dismissal or forced resignation of any member may result in a special review
of the accreditation status of the NHRI;
b) Dismissal should be made in strict conformity with all the substantive and
procedural requirements as prescribed by law;
c) Dismissal should not be allowed based on solely the discretion of appointing
authorities.
2.10 Administrative regulation
The classification of an NHRI as a public body has important implications for the
regulation of its accountability, funding, and reporting arrangements.
In cases where the administration and expenditure of public funds by an NHRI is
regulated by the Government, such regulation must not compromise the NHRI’s
ability to perform its role independently and effectively. For this reason, it is
important that the relationship between the Government and the NHRI be clearly
defined.
© FRA
32