It has been reported that today Mr. Peter Schaar, head of the Federal Commissioner for Data Protection and Freedom of Information, announced at the Data Protection Congress 2012 that is currently held in Berlin that the EU “Cookie Directive” – which has not yet been implemented into German law – has EU law’s “direct effect” (also known as “immediate applicability”), making Art 5 (3) of the Directive directly applicable and effective under German law. He (as reported) added that therefore Art. 5 (3) of the Directive can be applied and enforced by the German data protection authorities in their day to day business. Ooops!
Do you know the feeling when you are absolutely certain of a particular fact, and then someone comes along, someone who should actually know, and alleges the exact opposite making you immediately insecure of what you thought you firmly knew? Now, the last time I looked, a Directive’s “direct effect” (assuming that the corresponding provision in the Directive are unconditional and sufficiently clear and precise, which I very doubt in this case) does lead to a vertical applicability of the directive – “vertical applicability”, however, meaning that an individual can demand of the state that the state apply the directive’s provisions, and not that the state can enforce a directive against its citizens and companies which has failed to implement.
But now? In my despair for reassurance, I could not leave the desk without looking it up at the source of all EU law wisdom, the ECJ case law. Well, seems like I won’t have to be twisting and turning tonight after all. I did not find the proverbial smoking gun, which I assume to be due to the fact that no one would actually think of bringing a case to the Court alleging that the enforcement by state organs of a unimplemented directive against individuals is just what the doctor ordered. But how about this:
“[A directive which is not implemented] may not of itself impose obligations on an individual and [a] provision of a directive may not be relied upon as such against such a person.” As can be read in Marshall v Southampton and South West Hampshire Area Health Authority (Teaching)  Case 152/84 p.422.
There is no way that a data protection authority should even be thinking about handing out administrative fines and fines for data protection misdemeanors on the basis of an EU directive that not been implemented by the member state! It should really be obvious, shouldn’t it? But then again, you just wait and see…
For more updates on German and EU IT law and other IT-related matters please follow us on Twitter @germanitlaw.