Independence as Immunity
The Italian Data Protection Authority Scandal and the Blind Spots of GDPR Governance
The Italian Data Protection Authority (GPDP), a formally independent supervisory authority (DPA) and a cornerstone in the enforcement of the General Data Protection Regulation (GDPR), is currently at the centre of an unprecedented judicial crisis. Recent searches conducted by the finance police, under warrant from the Public Prosecutor’s Office of Rome, have involved the entire Board – including the President – on grave allegations of embezzlement and corruption.
The scandal surrounding the Italian Authority is not merely a case of individual corruption but rather exposes a structural vulnerability in the European governance model for data protection. While Article 52 GDPR guarantees the independence of DPAs as a fundamental requirement for the effective protection of rights, the Italian case demonstrates that this independence risks degenerating into immunity if it is not balanced by a robust and proactive system of external accountability regarding the integrity of its members.
The paradox is evident: independence, conceived to protect the DPA from external influence, has been exploited to shield its members from internal or ethical oversight, undermining public trust and the entire cross-border cooperation mechanism of the GDPR.
Facts as a symptom of systemic failure
The allegations brought by the Public Prosecutor’s Office of Rome should not be read merely as judicial news, but as empirical evidence of a systemic failure. The contested facts outline a presumed system in which the boundaries between public prerogative and private benefit have been systematically blurred.
The charges of embezzlement (peculato, Article 314 of the Italian Criminal Code) do not only concern the misappropriation of public funds but, more significantly, the lack of transparency in the management of institutional assets. Alleged abuses in the use of resources – such as renting properties at inflated rates or using official cars for non-institutional meetings – are symptomatic of a distorted perception of Public Office. When the leadership of an independent authority perceives the entity’s resources as an extension of their private estate, public ethics collapse. Such conduct undermines the duty of diligence and transparency that should serve as the moral foundation of an institution tasked with protecting a fundamental right.
The allegation of corruption (Articles 318-319 of the Italian Criminal Code) is the most severe, as it strikes at the very heart of administrative impartiality. The alleged exchange of favours – such as “Executive Class” flight passes received in return for failing to issue, or reducing, sanctions against major economic players – demonstrates how independence can be exploited to commodify official acts. In this scenario, the supervisory function shifts from a tool for protecting citizens’ rights to a bargaining chip for personal gain, thereby corrupting the very essence of the DPA’s role.
Administrative inefficiency as silent corruption
The investigation casts a shadow over the effectiveness of the GPDP’s sanctioning power, particularly in the case of Meta Platforms Ireland Ltd. The GPDP had initially launched a proceeding that could have led to a fine of 44 million euros. However, the amount was drastically reduced and, subsequently, the entire sanction was annulled due to alleged procedural delays that led to the statute of limitations expiring (prescription).
This episode reveals the mechanism of “silent corruption”: administrative inefficiency, or deliberate procedural sluggishness, can be used as a tool to nullify the legal consequences of a violation. This achieves the same result as active corruption but leaves a much less obvious trail. The expiration of a sanction of such magnitude undermines the principles of effectiveness, proportionality, and dissuasiveness (Article 83 GDPR).
Dissuasiveness is both an ethical and a legal imperative: if DPAs fail to impose effective sanctions, the GDPR loses its coercive force. Furthermore, the Italian case raises serious doubts regarding the principle of sincere cooperation (Article 4.3 TEU) among Member States. If a lead authority (as the GPDP is in many cross-border cases) fails to manage proceedings with due diligence, it compromises the consistent application of the Regulation throughout the Union, betraying the trust of other European DPAs.
The paradox of independence and CJEU jurisprudence
The core of the issue lies in the institutional paradox created by the GDPR. The independence of DPAs is a European constitutional principle, enshrined in the EU Charter of Fundamental Rights (Article 8.3) and reaffirmed by the Court of Justice of the European Union (CJEU).
Historically, the CJEU has staunchly defended the independence of DPAs, ruling that any external influence – particularly political – is inadmissible. Landmark judgments such as Commission v. Germany (C-518/07) and Commission v. Austria (C-614/10) have clarified that DPAs must remain free from any instructions or external pressure.
However, the Italian case poses the opposite question: who protects the system from the Authority itself? While CJEU jurisprudence has focused on the protection of the DPA, it has not yet developed an equally robust framework for the protection from the DPA. Independence, understood as the absence of external constraints, cannot equate to an absence of internal responsibility. The appointment process, which is inherently political in Italy (as Parliament elects the members of the Board), requires an ethical and legal counterweight that, in the case of the GPDP, has failed.
The Italian crisis suggests that independence, unless accompanied by a rigid code of ethics and mechanisms for overseeing conduct, transforms into an accountability vacuum. In such a vacuum, criminal action can intervene only ex post, arriving when the institutional damage is already irreparable.
Bold proposals for European governance
The crisis of the Italian GPDP is not merely an Italian affair; it is a wake-up call for the entire European data protection governance. The European Data Protection Board (EDPB) must act to restore trust and strengthen the system’s resilience by overcoming the independence-immunity paradox through two bold mechanisms at the European level.
First, I propose the establishment of a European Ombudsman for DPAs. This body should be independent and impartial, with a specific mandate to receive and investigate complaints regarding the ethical conduct, financial management, and integrity of the internal processes within national Supervisory Authorities. While this Ombudsman would not interfere with the merits of privacy decisions – which must remain the sole competence of the DPA – it would focus on the institutional quality and the integrity of its members, thereby creating an external oversight mechanism that reinforces ethical legitimacy without violating functional independence. Such a framework would necessitate a targeted revision of the GDPR – specifically strengthening Article 59 – to evolve from a model of “self-reported accountability” to one of “proactive external oversight”. This transition would require Member States to accept a limited transfer of administrative sovereignty to the European level, ensuring that the EDPB’s oversight is underpinned by investigative powers rather than remaining confined to the realm of non-binding soft law.
Second, the EDPB should implement a mandatory peer-review mechanism that extends beyond the current evaluation of decision consistency under Article 63 GDPR. This expanded framework should focus on institutional integrity, incorporating independent financial audits of resource management and rigorous ethical evaluations regarding conflicts of interest and relations with regulated entities. Furthermore, such a mechanism must monitor procedural efficiency to prevent the “silent corruption” that occurs when statutes of limitations expire in high-profile cases.
These measures should not be viewed as an attack on independence, but rather as an investment in its long-term sustainability.
The need for a new public ethic
The scandal that has engulfed the Italian Privacy Authority serves as a stern warning for the European Union, demonstrating that the protection of fundamental rights cannot rely solely on formal structures. It requires an irreproachable public ethic from those entrusted with oversight. Consequently, the challenge for the EDPB and the European Union is to fill the accountability vacuum that the Italian case has so dramatically exposed. Only through the introduction of external oversight mechanisms and the promotion of a culture of institutional integrity can we ensure that DPA independence remains a bulwark for citizens’ rights rather than a refuge for immunity. Independence is not an absolute privilege but a functional condition for the protection of rights; as such, it must be constantly earned through conduct that remains ethically beyond reproach.



