28
Thu, Mar
51 New Articles

Guest Editorial: GDPR Implementation in Austria – A Milestone Rather Than the Finish Line

Guest Editorial: GDPR Implementation in Austria – A Milestone Rather Than the Finish Line

Legal Markets
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

There are only a few days left until the GDPR comes into force on May 25, 2018. Despite having had a two-year grace period before the new regime becomes effective, companies all over the European Community and their advisors are struggling to meet that deadline. We at Dorda are as well, despite having introduced a nine-person GDPR implementation project team – which is relatively huge for a country the size of Austria.

We have seen an extreme increase in requests for legal data protection assistance during the last couple of months, leading to a serious shortage of expert availability. This is due to many companies having failed to take advantage of the two-year period, and which are thus starting last minute implementation projects only now. Given the seriousness of the changes, the harsh penalties, and the wide publication of what was to come, one may ask why they waited so long. 

In the past, data protection compliance has not always taken a place of high priority in Austrian companies. The Austrian system was known to be extremely stringent – often going beyond what was required by the underlying EU directives – and it involved formalities such as notification duties (for almost all data processing) and the requirement for authorities’ pre-approval even for data transfers based on EU Standard Contractual Clauses. Thus, it was tough and costly for companies to achieve compliance. Further, penalties for breaches of the Data Protection Act were fairly low – with EUR 25,000 being the highest possible fine (indeed, in practice, the few penalties actually imposed never exceeded a three-or-a-low-four digit figure). Thus, as a consequence, most companies did not put too much effort into data protection compliance, as it was deemed to be too expensive in relation to the risk exposure. 

In this light, the GDPR came quite as a shock for Austrian companies. Although companies always complained about the old formalistic system, the strong involvement of authorities is historically deeply rooted in Austrians’ hearts and minds and thus also gave some comfort: If authorities were notified of data processing activity, let alone approved it, one could rely on its propriety. Thus, the GDPR’s requirement that companies set up a register of all data processing and conduct risk assessments as a basis for their own decisions regarding whether or not to pursue a particular application or process, however, conflicts with how Austrian companies were taught to proceed.

Besides the issue of the GDPR’s conflict with Austrian practices, many critics have pointed out that the ambiguousness of the new provisions is contrary to its intention to provide more transparency for the data subjects concerned. Missing guidelines and the necessity of further legislative acts to specify the requirements were also perceived as good excuses for holding back the implementation processes. 

In addition, the new and extremely high fines for any wrongdoing under the GDRP – including those for false assessments or decisions – are perceived by the companies as being as excessive as those under the previous regime were low. Finally, the more US-style system, which gives companies freedom to act in a certain way, coupled with high sanctions for wrongdoing, is not familiar to the continental Europe legal system. Thus, European companies not also acting on the US market have a general issue with the GDPR, concept-wise. 

As a consequence, although enterprises in certain sectors like insurance, banking, or health care have been among the early adopters in GDPR implementation, most companies have been quite reluctant to adapt to the upcoming system on time. For Austria I estimate that only around 30% of the companies have already initiated proper processes and will be ready with their implementation by or close to May 25. In the public sector – which in Austria is exempt from the fines – the compliance rate and awareness of the upcoming issue is even lower.

May 25, 2018 therefore represents not a long-awaited finish line but simply an important milestone in a lengthy marathon. However, we are confident that the missing guidelines, acts of law, and guidance papers both on EU and national level will help the late adapters to conclude their projects quicker than those who started only on the basis of the GDPR. It is also just a matter of time until ECJ rulings bring more clarity to the ambiguous provisions of the GDPR. Meanwhile, we have already heard voices from various national data protection authorities that they intend to take a balanced position regarding potential fines to allow the companies time to adjust to the new regime. Ultimately, I am confident that industry will be able to adapt to the GDPR regarding the teething troubles. However, this requires ongoing legal assistance. Thus, my personal expectation is that law firm data protection practice groups will remain busy and in demand in the future.

By Axel Anderl, Partner, Dorda Rechtsanwalte

This Article was originally published in Issue 5.3 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Our Latest Issue