The effectiveness of the European data protection framework depends on two essential pillars: robust individual rights and the institutional independence of the authority enforcing them. This principle is laid down in Article 8 of the Charter of Fundamental Rights of the EU, which requires that compliance with data protection rules must be subject to control by an independent authority. Without such independence, the rights laid down by EU law for all citizens cannot be guaranteed.
The requirement of complete independence of the European Data Protection Supervisor (EDPS) is enshrined in Article 55 of the Regulation (EU) 2018/1725, the so-called GDPR for EU institutions. The Court of Justice of the EU has clarified this principle in key rulings including C-518/07 Commission v Germany; C-614/10 Commission v Austria; and C-288/12 Commission v Hungary. These judgments establish that independence entails both freedom from influence external to the oversight authority, whether direct or indirect, and the exclusion of conflict of interests, such as supervising matters previously dealt with as a controlled entity in a different institutional capacity.
Consequently, the appointment procedure must meet the highest standards of transparency and procedural robustness and integrity.
Independence of the EDPS at risk
Current developments in the EDPS selection process raise serious concerns. Under Article 53 of the GDPR for EU institutions, the EU Commission, acting as data controller, leads the pre-selection procedure and proposes a shortlist of candidates. The European Parliament and the Council then appoint the EDPS by common accord. However, concerns have been raised regarding the transparency and impartiality of this procedure.
An open letter signed by renowned academics argues that the pre-selection procedure may have been steered to favour a particular candidate who previously held management positions, serving as Head of Unit for the Commission’s Data Transfers Unit, and senior roles in the Cabinet of the Commissioner for Justice. A formal complaint has been submitted to the European Ombudsman and an investigation is ongoing.
Further irregularities emerged during the European Parliament’s vote. The LIBE Committee in the European Parliament initially voted on four shortlisted candidates, but subsequently held a second vote restricted to two. While the first vote was conducted on an individual MEP basis, the second was carried out based on political group positions. This deviation injects a level of partisanship, which is incompatible with the principle of impartiality.
While these issues may not necessarily render the appointment procedure unlawful, they point to serious procedural shortcomings with potentially significant constitutional implications. What is at stake is public trust, which demands not only formal compliance with the law, but also a higher standard of integrity, impartiality and transparency.
Eligibility criteria must be clear and rigorous, screening for conflicts of interest must be systematic, and the composition of the selection panel must itself be free of political entanglements. Decisions must be published in a timely and accessible manner, enabling public scrutiny. These are constitutional imperatives grounded in the principle of good administration.
Why the EDPS independence matters
The EDPS oversees the processing of personal data by EU institutions and agencies, including Europol, Frontex and the EU Agency for Asylum. These entities are supervised by the EDPS for risks to the rights and freedoms associated with such processing. It is not the factual independence of the EDPS that matters, but also the perception of its autonomy by the public and civil society. This is especially relevant regarding the gaps in the oversight mechanism of EU agencies.
For example, the recently adopted AI Act reinforces the EDPS’s supervisory role under Art. 70(9). It is now responsible for supervising the use of AI systems by institutions such as Europol. The EDPS will assess not only compliance with data protection, but also broader fundamental rights implications. Public confidence in these agencies also depends on the EDPS being perceived as independent and effective in its supervisory role. A lack of perceived independence could weaken the EDPS’s ability to issue impartial opinions on Commission proposals or to scrutinise data processing practices in its agencies.
A call to restore independence
To prevent a drift towards a unitary theory of the executive power and the erosion of constitutional checks and balances and, ultimately the foundation of rights and freedoms in the European Union, the European Parliament must ensure that the selected European Data Protection Supervisor (EDPS) is completely independent. This requires excluding candidates who have held management roles in entities subject to EDPS supervision.
It is highly recommended to reinstate the procedure of voting by individual MEPs rather than by political groups. If necessary, the entire appointment procedure should be restarted.
The EDPS is tasked with providing formal opinions to the Commission on the impact of its legislative proposals on fundamental rights related to privacy and to the protection of personal data. Its independence is vital to ensure impartial legislative advice and scrutiny of future legislative initiatives. Such legislative proposals must be grounded in evidence, informed by in-depth and accurate impact assessments on civil rights, societal and environmental sustainability, and include civil society consultation.
By ensuring the transparency, independence, and accountability of the EDPS appointment process, the EU not only protects fundamental rights, but also reinforces the authority of the EDPS and the legitimacy of the European project. Strong data protection and privacy, democratic oversight and the rule of law are foundational commitments of the Union.
Aída Ponce Del Castillo is a senior researcher at the Foresight Unit at the European Trade Union Institute
Source link
