Kim Lane Scheppele, Princeton University
On 8 April, Hungary lost again at the Court of Justice of the European Union (ECJ). The European Commission had alleged that that Hungary violated the independence of its data protection officer and the ECJ agreed. The case broke little new legal ground. But it is important nonetheless because it signals serious trouble within the EU. The case exposes Hungary’s ongoing challenge to the EU’s fundamental principles. And it exposes the limitations of ordinary infringement proceedings for bringing a Member State back into line.
The Commission may have won this particular battle, but it is losing the war to keep Hungary from becoming a state in which all formerly independent institutions are under the control of Fidesz, the governing party. The Commission clearly sees the danger of one-party domination and it has attempted to challenge the Hungarian government before. But the Commission has so far not picked its battles wisely or framed its challenges well. It could do better. The case of the data protection officer is a case in point.
The case involved András Jóri, Hungary’s former data privacy ombudsman, who was mid-way through a six-year term in 2011 when his office was closed down and a new data protection authority constituted with a different person in charge. The new data protection officer was appointed by the Fidesz-affiliated President of the Republic upon the nomination of Prime Minister Viktor Orbán, the leader of Fidesz. In the course of this constitutional reorganization, Jóri, who had been appointed by a previous parliament, was fired before he could finish his term.
The Commission took Hungary to the ECJ because every Member State is required to have a data protection official whose job it is to ensure that Data Protection Directive 95/46 is enforced within the Member State. This official, according to the Directive, must be able to act with “complete independence” (Art. 28(1)). The Commission alleged that firing the data protection ombudsman before the end of his legally established term, outside the conditions established in domestic law for removing him, constituted a violation of the independence of the office, and a Grand Chamber of the Court agreed:
“54. If it were permissible for every Member State to compel a supervisory authority to vacate office before serving its full term, in contravention of the rules and safeguards established in that regard by the legislation applicable, the threat of premature termination to which that authority would be exposed throughout its term of office could lead it to enter into a form of prior compliance with the political authority, which is incompatible with the requirement of independence.”
While the meaning of the “independence” of an office may be fuzzy at the margins, a government that first removes a person from office by abolishing his job and then sets up a new office with a new head to do the same work as the fired official surely challenges the core of the concept. This was not a hard case.
Nor was it a novel case. Germany and Austria had both been brought to the ECJ by the Commission for violation of the independence of their data protection officers and the ECJ had found against the countries in both cases. But these cases represented much smaller intrusions on the independence of the office. In the German case, Case C‑518/07, 9 March 2010 (Grand Chamber), independence was found to have been infringed by a system in which the Länder’s data protection officers were subject to parliamentary oversight and therefore, in the view of the Court, theoretically susceptible to having their actions controlled by political officials. In the Austrian case, Case C‑614/10, 16 October 2012 (Grand Chamber), independence was found to have been infringed by locating the data protection officer within the Federal Chancellery assisted by a civil service staff reporting up through the Federal Chancellery to a minister. In both cases, any compromise of the independence of the office was theoretical; concrete interference with the independence of the data protection officer was not alleged. But in both cases, there was a good remedy available: an alteration of the reporting relationships to get the data protection offices out from under direct political oversight.
By contrast, the Hungarian case involved the actual firing of the data protection officer, which was a serious and real infringement on his ability to carry out his job. By finding that Hungary therefore breached its legal obligation under the Directive to ensure that its data protection officer was “completely independent,” the ECJ judgment was no surprise. But a good remedy was harder to see.
This was precisely what Hungary pointed to in its defense. The government argued that the only way to remedy the alleged breach would be to reinstate Jóri. But because Jóri had already been replaced by someone else, the independence of the new data protection officer would be compromised if Jóri were reinstated. Firing the new data protection officer to replace him with Jóri would require a second breach of EU law because the new data protection officer would also have to be fired outside the grounds made available by domestic law. Therefore, Hungary argued, the case should be thrown out. In forwarding this argument, Hungary sounded rather like the child who kills his parents and then throws himself as an orphan on the mercy of the court. Needless to say, the ECJ didn’t think much of this argument.
But Hungary had a point. What, exactly, could the Commission demand by way of a remedy? The reinstatement of someone illegally fired is the most obvious way to reverse a breach. But it had already been two-and-a-half years since Jóri was fired, and by now the new data protection officer, Attila Péterfálvi, has a legitimate interest in keeping his job, with its new term of nine years.
The Commission had been at this crossroads with Hungary before. This is the second major case that the Commission has brought against Hungary for engaging in a massive overhaul of its constitutional order, firing people who got in the way of the reorganization. The first case challenged the sudden lowering of the retirement age for judges from 70 to 62, a move that suddenly freed up about 10% of the most senior jobs in the judiciary, including 20% of Supreme Court justiceships and a substantial share of the lower court presidencies. The Commission cleverly pressed the case on grounds of age discrimination. The ECJ, in an expedited procedure that attempted to get ahead of the judicial firings while they were still going on, ruled quickly and forcefully against Hungary. Hungary first delayed in enforcing the judgment until all of the judges were fired, then complied by compensating the prematurely retired judges in exchange for promises from the compensated judges to renounce any claims on their jobs. Because the matter was framed as an issue of discrimination, compensating the victims was not an unreasonable remedy. But the decision did nothing to change the facts on the ground. The new government was able to remake the judiciary with its preferred new judges despite having lost the case. Eventually, the Commission had to declare Hungary in compliance with the ECJ’s decision without successfully challenging the threat to judicial independence, which was the real danger that should have been addressed.
These cases about premature judicial retirements and the independence of the data protection officer are in fact connected in a way that ought to alarm the EU. Since coming to power in 2010, the Fidesz government has undermined the independence of all formerly independent bodies by replacing their personnel with those who owe their jobs to this government. The senior judges and the data protection officer were not alone in being fired to open up space for government-friendly appointees. The government also fired Justice András Baka, the President of the Supreme Court, on the theory that his court had been renamed and reorganized so that his old job disappeared. Justice Baka, previously a European judge for 17 years, decided to turn to his former court for a remedy, and he has an action pending at the European Court of Human Rights. The independent Election Commission was also reorganized after the Orbán government took office, and all of its prior members fired in mid-term. The OSCE election monitors’ report on the election that recently took place deemed this new body a “partisan commission.” Ditto with the independent Media Board, which was reorganized, renamed and all of its members replaced with those close to the governing party. The government also attempted to get rid of the president of the National Bank, before the European Central Bank rode to his rescue. But eventually, he too was replaced when his term expired and the bank is no longer considered independent by many. There are virtually no state institutions left that the Orbán government has not reorganized – and almost no independent officials left in office that this government not replaced. There are still a few pre-Fidesz constitutional judges left, but they are outvoted by the Fidesz-named judges, and there are still some brave judges in the ordinary judiciary who stand up to the government, but their numbers are shrinking. The data protection officer’s plight is just one piece of a larger pattern.
In the cases of the prematurely retired judges and the data protection officer, the Commission acted forcefully, swiftly, creatively and correctly. But not effectively. In both cases, the Hungarian government was able to rid itself of people whom it had not appointed and to replace them before the ends of their lawful terms with people whom the government preferred. Even though both cases were successful, the successful infringement action could not accomplish a rollback of what had already been done.
So what, then, could the Commission have done instead? The Commission should stop aiming at the impossible by bringing cases in which full compliance would require reversal of actions that have already taken place, so that new legally protected interests would be harmed. Instead, the Commission should aim its infringement actions so that, when it wins, it can design a program of compliance that would in fact allow EU law to have a more effective presence within the Member State.
The Commission’s infringement procedures could have a more impressive effect if the Commission assessed infringing actions in context, rather than singling out just one piece of a larger pattern for a narrowly targeted infringement procedure. To expand its purview, the Commission could bundle together a set of infringing practices of an offending Member States into what I have previously called a systemic infringement action. Such an action would take a set of individual infringements and frame them as part of a larger whole, by alleging either that the Member State, though its systematic conduct, failed to follow the loyalty principle under Article 4(3) of the Treaty of the European Union (TEU) or that it has directly breached the principles laid out in Article 2 TEU. In either case, the Commission would point to the violation of a more general principle through showing that the Member State has systematically breached EU law in multiple, connected ways. If proven to the satisfaction of the ECJ, the finding of a systemic violation would allow the Commission to insist on a principled remedy – that a Member State remove impediments to the realization of European law or that it comply with the basic principles of the EU which, precisely because of the generality of these aims, have more than one avenue for their realization. A more broadly pitched infringement action tied to a basic principle of EU law opens up many more possibilities when it comes to fashioning remedies than does a more narrowly framed action. The Commission would not in this sort of procedure be backing itself into a corner by asking for the one thing that cannot be done, even by a government operating in good faith. To figure out what infringement proceedings it should bring, the Commission should think ahead to the sort of compliance that would be both possible and desirable, and then design its infringement actions to achieve those goals.
Of course, a systemic infringement procedure would not be appropriate for the usual case, the lone infringement, or even for most Member States, whose behavior is overall unproblematic. The customary infringement procedure works well to handle discrete violations of EU law. But where the violations are more systemic and pervasive, the legal strategy should be more systemic as well. Bundling a set of alleged infringements together in a single action permits demonstration of the systemic nature of the Member State’s violations and allows for more comprehensive remedies to guide a Member State back to the European path.
A systemic infringement action has the additional advantage of giving the ECJ better information about the relevant context of a case. Even if the Commission were to bring a small flotilla of individual infringement actions against a rogue Member State as a way of making clear that the Member State is veering early and often from EU norms, judges at the ECJ are divided across multiple chambers, so there is no guarantee that the same judges will see all or even most of the cases coming from a single Member State. As a result, the judges will not necessarily have relevant information about the Member State’s conduct overall that might affect the assessment of each individual piece. The systemic infringement procedure ensures that a single configuration of ECJ judges is presented with the forest and not just individual trees.
But EU law is thick as a rain forest on some topics and parched as a desert on others. When an issue touches on the common market – as was true with age discrimination in employment and the independence of the data protection officer who, among other things, must ensure the free flow of information across national borders – EU law provides dense cover and Member States is surrounded by precise EU legal obligations. But when the issues stray beyond the common market – for example to the independence of state institutions necessary for running a proper democratic government – then there is nearly barren sand. Europe may advertise itself as a club of democracies, but there are few tools to bring Member States openly violating EU principles in the desert back into the rain forest where they clearly come back under the EU legal canopy. The Commission may not, at this point, have a truly effective way to pressure Hungary to restore the independence of all of its accountability institutions, but it can still do something more than it did when it operates within the scope of EU law.
So let’s revisit the case of the data protection officer to see how the Commission might have framed its action differently – and more effectively – by taking a more systemic approach. While Jóri’s dismissal was clearly a warning signal, it was not the only matter infringing EU law. In fact, had the Commission looked at the context within which Jóri was fired, it would have seen the issue that caused such a public battle between Jóri and the Hungarian government in the first place. Before he was fired, Jóri had alleged that the government of Hungary had violated EU law and the implementing Hungarian legislation by distributing personally identifiable questionnaires to Hungarian citizens asking for their political opinions. The government had resisted complying with Jóri’s demand that the data from these questionnaires be destroyed. But after he was fired, the legal complaint against the “social consultations” (as they were known) was dropped. Perhaps the Commission could pick up the violation that Jóri had charged to see whether the ECJ would agree with Jóri’s assessment.
The social consultations controversy began in February 2011, when a government agency distributed a questionnaire asking all citizens their views about what the new constitution should contain. Then, in May 2011, the government launched a second social consultation, asking the public’s views on social and economic rights. Jóri first warned the agency that the questionnaires violated both Hungarian and EU law. But the government agency did not address his objections. In June 2011, Jóri issued a formal resolution against the agency.
As Jóri explained in the formal complaint, the questionnaires not only required people to fill in their names and addresses, but also contained barcodes that permitted the answers to be associated with the names, addresses and citizenship numbers of specific individuals even when citizens’ identifying information was detached from their questionnaires. This personally identifiable information had been collected, Jóri argued, without meaningful informed consent about the uses that could be made of the barcodes. Moreover, this data collection activity was not accompanied by an explanation of how the data would be used, who would have access to it and how long the data would be stored, as EU law required. In his formal resolution, Jóri ordered the agency managing the questionnaire to destroy the data it had collected. The state office then took Jóri to court, challenging his resolution.
While the case was pending, the Orbán government reorganized the data protection office without withdrawing any of the social consultations or complying with Jóri’s request to destroy the data. Jóri’s ombudsman position was eliminated and a new data protection office was established on 1 January 2012, with a new head of office, Attila Péterfálvi. When the agency’s case challenging Jóri’s resolution came to a judicial hearing, the new data protection officer intervenedbefore the court to ask for a separate agreement with the agency about how the case would be handled. The court said that no such agreement was possible in an administrative hearing and it dropped the case. While Jóri insists that his resolution is still valid because it was never formally nullified, Péterfálvi has not attempted to enforce it.
Since that time, the government has continued to send out social consultations on many of the same terms that Jóri had flagged as violations of EU law, consultations asking the public’s views on economic policy, on homelessness and on reductions in utility bills. The latter consultation was done through collecting opinions in person rather than by mail. And Péterfalvi has not objected to the continued practice of social consultations.
Instead of challenging the removal of the data protection officer, serious though it was, and instead of attempting to get Jóri restated, a goal which was impossible to attain without a further breach of EU law, the Commission could have mounted a systemic infringement action in this instance. It could have bundled the case about the independence of the data privacy officer along with other alleged infringements with regard to the social consultations to make the case a broader challenge to the operation of the Data Protection Directive within Hungary.
It’s not too late. Even though the question of Jóri’s firing has been decided, Jóri’s claim that the Hungarian government violated EU law as it gathered the political opinions of its citizens is still open. The government continued the practice of social consultations and is still storing the data it collected.
The Commission go beyond the matter of Jóri’s dismissal to take up the alleged infringement that Jóri could not correct because he was fired. The collection of identifiable political opinions by the government is a direct violation of the Data Protection Directive (Article 8(1)). In addition, collecting personal data without valid consent is another, independent violation (Article 7(a)). Collecting personal data without indicating what the data would be used for, who would see it or how long it would be kept is still another independent violation (Article 6(1)).
The Commission could bundle this set of alleged infringements with another related matter. As he left office, Jóri filed several libel actions against state officials, particularly the Minister of Justice and the prime minister’s key spokesperson. They had claimed, in response to Jori’s resolution on the social consultations, that he had been consulted on all matters involving data protection and he had approved everything, including the social consultations and a new data protection law that came out later that year. Jóri claimed in his libel actions that he was never consulted and that he would not have approved the government’s actions if he had. He claimed that the campaign by state officials to say he approved of the government’s data protection policies was an attempt to smear his reputation as a legal expert. He lost his case because the court required him to prove a negative – that he was never consulted. But proving a negative is notoriously difficult.
Whether Jóri was consulted or not on the government’s data protection policies is not just a matter of his own personal integrity and reputation, however. The Data Protection Directive requires in Article 28(2) that “Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data.” If Jóri weren’t consulted, it was not just a personal affront to him, but also a violation of the Directive. If Jóri were consulted, the government should have some record of it which the ECJ could demand as proof that the government complied with its obligations under EU law. It should not be up to Jóri to prove he was not consulted. Instead, it should be up to the government to prove that he had been, because the government had a positive obligation to consult him under Article 28(2) of the Directive. The Commission could take up this matter also and add it to a systemic infringement action.
The Commission could bring a systemic infringement action against the Hungarian government now, alleging that the government violated key provisions of the Directive with its practice of social consultations and alleging that the government failed to consult with the data protection officer, as the Directive requires. It could also add Article 4(3) to the mix, because the pattern of first failing to consult with the data protection officer, then firing him when he challenged the government’s policies publicly, and then continuing to violate EU law with repeated social consultations that the fired officer had challenged, if proven, adds up to a violation of the loyalty principle, which requires that Member States not thwart the operation of EU law on their territory. If the ECJ agrees that all these actions occurred as alleged and that there have been repeated breaches of the Data Protection Directive, then the ECJ could also find that Article 4(3) had been violated by this systematic campaign of infringement.
Why would the Commission benefit from going this route, toward a systemic infringement action? A systemic infringement should require systemic compliance. And, most crucially, compliance could be tailored to actually make a difference in how EU law operates within Hungary. And that is – after all – the point.
If Commission won its challenges to the practice of social consultations, it could ask – as Jóri did – that the Hungarian government destroy the collection of political opinions of its citizens that it has been keeping for years. That would permit Hungarian citizens to get some of their privacy back, a tangible and real accomplishment. And if the Commission could establish that Jóri was not in fact consulted by the Hungarian government as the directive required, it would establish another independent breach of the Directive. The Commission might not be able to reinstate Jóri to his previous job, but it could restore his reputation, something that might be even more important to him at this point. For good measure, the Commission could also require that the new data protection official vigorously enforce EU law in the way that his predecessor had started.
Recovering citizens’ privacy, the fired officer’s reputation and assurances that the new data protection officer would assiduously enforce EU law from now on are remedies that would begin to move Hungary from systemic infringement to systemic compliance.
And what if the Hungarian government didn’t go along with such a program? As I have argued, the EU should enact secondary legislation permitting EU funds to be cut to a systemically infringing state. At the moment, the only punishment envisioned in Article 260 TFEU, for cases in which a Member State fails to comply with a decision of the ECJ, is the assessment of fines. For some Member States, however, failing to receive funds from Brussels is a far more serious sanction than being fined because the sanction could be administered quickly by the Commission without waiting for the Member State to get around to paying. Moreover, the Commission would not have to remove the funds forever, but could simply withhold them, offering payment of these funds as an incentive for a government that would bring itself into compliance. This would add a positive incentive to the negative one. While cutting funds for systemic noncompliance with EU law is not presently a legal option, its initiation would not require treaty change. The new Commission might consider initiating legislation to permit such a course of action so that the Commission would have more effective tools to use in especially serious cases like this one.
This story about Hungary and its data protection officer contains a lesson. When confronted with an alleged breach of EU law by a Member State, the Commission should think ahead to what would be the most desirable and practical outcome, and then aim its infringement action to achieve this goal. With its latest Hungarian case, the Commission instead backed itself into a corner from which it can do very little to concretely improve prospects for data protection within Hungary. If the Commission would revise its strategy for bringing infringement actions to take a more systemic approach, it could have a much bigger effect on wayward Member States than it presently does.