Quis custodiet ipsos custodes? Data protection in the judiciary in EU and EEA Member States

Key Points

• Compliance with data protection legislation shall be subject to control by an independent authority, also for the judiciary. However, in order to safeguard the independence of the judiciary, both the General Data Protection Regulation and the Law Enforcement Directive explicitly state that national Data Protection Authorities are not competent to supervise courts ‘when acting in their judicial capacity’.
• In this article, the notion of ‘courts acting in their judicial capacities’ is analysed to determine whether any common understanding of this notion exists. Apart from legal analysis, empirical research (survey and interviews) was carried out in 30 countries (27 EU and 3 EFTA EEA Member States).
• The concept of ‘courts acting in their judicial capacity’ can be contrasted with ‘courts not acting in their judicial capacity’ (the functional interpretation) or with ‘other organizations’ (the institutional interpretation).
• The functional interpretation is followed by most countries and in fairly similar ways. The institutional interpretation is followed by some countries, but in very different ways and some practices raise concerns, such as limited or no supervision for the judiciary (interfering with Article 8 of the Charter) and supervision of the judiciary by the ministry of justice (potentially interfering with the separation of powers according to the trias politica).
• Altogether, there is to a large extent a common understanding of the notion of ‘courts acting in their judicial capacity’ and this is the functional interpretation. The institutional interpretation, however, may lead to a gap in data protection supervision of the judiciary.