As in all EU member states, the EU General Data Protection Regulation (GDPR) came into effect in Austria on 25 May 2018. The centrepiece of Austria's GDPR implementing legislation was the Data Protection Amendment Act 2018 (for further details please see "Draft Data Protection Amendment Act 2018 in appraisal" and "Proposals to alter national Data Protection Act").
In addition to the Data Protection Amendment Act 2018, the Austrian federal legislature developed a broad approach to reconcile Austrian legislation with the GDPR and adjusted more than 230 ordinary laws. Further, the Data Protection Authority (DPA) issued two ordinances. Pursuant to Articles 35(4) and 35(5) of the GDPR, the DPA published a whitelist (BGBl II 2018/108) and a blacklist (BGBl II 2018/278) of processing operations which are subject to data protection impact assessments. Notably, processing activities not covered by these lists remain subject to the controller's independent assessment.
Further, legislators from the nine Austrian provinces adopted data protection amendment acts to achieve GDPR compliance. These legislative acts will not be addressed here.
Federal data protection legislation
In two major pieces of legislation, 227 administrative legal acts were amended. The first Administrative Acts Data Protection Amendment Act 2018 (BGBl I 2018/32) was limited to the public sector. The second Administrative Acts Data Protection Amendment Act 2018 (BGBl I 2018/37) mostly addressed private sector governance. The second act is directed at:
- the finance sector;
- the health and social sectors; and
- the transport, innovation and technology sectors.
Particularly in the health sector, data subjects' rights were restricted based on Article 23(1)(e) of the GDPR. For instance, most healthcare professions were excluded from the rights and duties under Articles 13, 14, 18 and 21 of the GDPR. Moreover, data subjects' rights with regard to personal data that is collected by certain healthcare professionals and further processed for scientific or historical research purposes can be restricted. Data controllers may exclude data subjects' rights pursuant to Articles 15, 16, 18 and 21 of the GDPR if the specific purpose for which the data is being processed may be impaired otherwise.
Science and research
Legislation was also passed to amend 17 administrative acts in the science and research sector (BGBl I 2018/31). Pursuant to Article 35(10) of the GDPR, 28 data protection impact assessments were carried out to accompany the new legislation. The results of these assessments were published in the Austrian Official Journal. These published assessments can serve as guidance when drafting future data protection impact assessments in Austria, even though they deviate to some extent from the needs of private companies. Notably, the DPA was not consulted.
Constitutional Act and others
The Constitutional Act was amended alongside a few ordinary legislative acts. The Supreme Administrative Court, as well as the federal and provincial administrative courts, must rule on their own alleged GDPR infringements if accused of having infringed the GDPR while acting in their respective judicial capacities (BGBl I 2018/22).
Legislation interfering with personal data protection
The federal legislature also passed legislation governing data protection issues independently from the GDPR. This will have a significant impact on the protection of personal data in Austria.
Criminal Procedure Code and others
The Criminal Procedure Code, the Telecommunications Act and the Prosecutor's Office Act were amended to:
- transpose Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA; and
- implement the Austrian government's programme (BGBl I 2018/27).
Under these amended acts, law enforcement has been authorised to:
- use new investigative tools, such as international mobile subscriber identity catchers to localise technical installations and collect location data; and
- order telecoms providers to 'quick freeze' already collected personal data where a criminal offence is suspected.
Further, law enforcement has been authorised to seize letters linked to criminal offences which are punishable by imprisonment for over one year. The most controversial amendment in this regard was authorising law enforcement to install software (federal spyware known as Bundestrojaner) on computer systems – without the holder's knowledge – to bypass encryption and monitor encrypted messages. This amendment will enter into force only on 1 April 2020 and will expire after five years. The introduction of the federal spyware was postponed so that the minister of the interior may acquire the needed software.
Security Police Act and others
The Security Police Act, the Telecommunications Act and the Road Traffic Act were also amended (BGBl I 2018/29). The amendments concern matters such as:
- covertly using image processing equipment to identify vehicles;
- matching data collected through image processing equipment with wanted lists;
- data transfers to prevent attacks in connection with football games organised by the Austrian Football Association;
- data processing regarding emergency calls;
- the competency of the DPA to decide over complaints regarding data processing by law enforcement; and
- CCTV at public places for law enforcement purposes.
Further, the identification of users of prepaid SIM cards was introduced.
Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was transposed into Austrian law (BGBl I 2018/64). Air carriers must transfer PNR data to the Passenger Information Unit located at the Ministry of the Interior. While the PNR Act obliges air carriers only with regard to extra-EU flights, the minister of the interior is authorised to extend that obligation to flights from other EU member states to Austria and vice versa. The minister of the interior made use of this authorisation and issued the PNR Ordinance simultaneously with the PNR Act on 16 August 2018 (BGBl II 2018/208). The PNR Ordinance will expire after six months. Until then, for the second half of 2018, air carriers must transfer PNR data to the Passenger Information Unit regarding each cross-border intra-EU or extra-EU flight.
Administrative Penal Act
Pursuant to the Administrative Penal Act, the presumption of innocence does not apply. Whenever an administrative provision is infringed, there is a presumption of fault and the accused must thus prove their innocence. However, this provision may be superseded by Article 83(2) of the GDPR which, according to legal literature, stipulates a presumption of innocence. That said, there is no legal certainty as to whether the authorities will apply the presumption of fault. Therefore, it comes as welcome news that after 1 January 2019, the presumption of fault will apply only to administrative fines up to €50,000. Another notable amendment of the Administrative Penal Act is the introduction of an approach which obliges authorities to advise the accused before imposing a fine in case of small infringements. Both mentioned amendments are already published in the Official Journal but will enter into force on 1 January 2019 (BGBl I 2018/57).
The GDPR has created a new understanding and awareness of data protection. Despite its nature as a directly applicable legal act, the GDPR has created significantly more work for the legislature than simply transposing a directive. The Austrian federal legislature has chosen to implement the GDPR by enacting the narrow but general Data Protection Act and introducing amendments to ordinary legal acts individually. However, these amendments are essentially limited to wording adjustments and restrictions on data subjects' rights.
That said, a legal framework for data processing for research and scientific purposes has been created. In addition, the federal legislature has broadened the powers of law enforcement to process data and transposed, among other things, the PNR Directive. Although not directly linked to the GDPR, the amendments to the Administrative Penal Act also offer some relief concerning the GDPR's fine regime.
By Janos Boszormenyi, Associate Schoenherr