29
Fri, Mar
51 New Articles

Austria’s Struggle with the GDPR

Austria’s Struggle with the GDPR

Austria
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

With its National Data Protection Amendment Act 2018 (“DSG 2018”) enacted well before the May 25th 2018 deadline, Austria is considered to be one of the EU leaders regarding the implementation of the GDPR. To be precise, the DSG 2018 was implemented in May, 2017, shortly before Austria’s national elections took place. The consequence of Austria’s attempt to play a pioneering role is that the DSG 2018 was rushed, and thus, at least in some parts, extremely difficult to read – and it fails to take advantage of the majority of the permitted GDPR derogations.

Privacy Deregulation Act 2018 to Make Corrections

Unsurprisingly, then, the Austrian parliament proposed the Privacy Deregulation Act 2018 (“DDG 2018”) to make corrections to the DSG 2018 which are of particular importance from a business perspective. 

Prior to that it had not been clear whether fundamental rights to data protection applied to legal persons in addition to natural persons, as the Data Protection Act 2000 (“DSG 2000”) had protected both. With the DDG 2018 the issue has been clarified insofar as Article 1 explicitly states that “only” natural persons are captured. Furthermore, Article 5 states that the obligation to designate a Data Protection Officer also applies to bodies established in forms of public law – in particular to an authority of a regional authority. Entrusted bodies are still excluded from the obligation to appoint a Data Protection Officer. 

With respect to employment law, the DDG 2018 makes modifications to Article 11 of DSG 2018 with the effect that the powers of the workforce as well as the rights of participation in relation to employee representation remain unaffected as far as the processing of personal data is concerned. 

As opposed to the 69 clauses of the GDPR which allow for Member State derogation, the DSG 2018 provides only a handful – including a journalistic exemption. Under this derogation, data processing for journalistic purposes, including the publication of personal media reports, should be carried out in accordance with Article 5 of the GDPR (the data protection principles) – which are not particularly helpful in practice, and rather unclear. In addition, the Austrian data protection authority must take account of the need for publications to protect the identities of their sources.

The reason the DSG 2018 contains only a small number of derogations is that the majority of these clauses do not concern general principles of data protection law, and will, where required, be implemented by specific additional national laws, as stated in the explanatory remarks to the government bill of the DSG 2018.

Another big issue in Austria is the way the Austrian Data Protection Authority will handle the data protection impact assessment. The GDPR allows national supervisory authorities to compile and publish a list of types of processing operations that do not require a data protection impact assessment. This “White List” will be implemented in the form of a “Regulation on the Exceptions to the Data Protection Impact Assessment” (DSFA-AV). The Austrian Data Protection Authority, like the national supervisory authority under the GDPR, will make use of this competence and has published a first draft of such a “White List,” which includes video surveillance, membership administration, and management of inventories or the organization of specific events, just to name a few. The data processing activities mentioned in the DSFA-AV as well as those registered with the Austrian Data Protection Authority before May 25th are excluded from the data protection impact assessment. 

None of these data processing activities pose a high risk to the rights and freedoms of individuals. 

In comparison to the “White List”, the “Black List” will contain those data processes which will need to be included in the data protection impact assessment. An example for this is the collection of location data, which will enable the tracking of movement behaviors and thus affect privacy protection. The Austrian Data Protection Authority has not yet announced the date of implementation; however we assume that an appropriate bill will be railroaded close to May 25th. 

GDPR Compliance First

Finally, it should be noted that it will be interesting to see, after May 25th, in the absence of GDPR case law, how the Austrian Data Protection Authority interprets the new provisions in case-specific circumstances. Unfortunately, some critical voices are already claiming that some of the provisions of DSG 2018 could be unconstitutional and are thus likely to be abolished by the constitutional court. Anyhow, the main focus for businesses should currently be on the implementation of the GDPR, in order to avoid penalties.  

By Andreas Schutz, Partner, Jurgen Polzl, Associate, Taylor Wessing 

This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Our Latest Issue