07 December 2018
As in all EU member states, the EU General Data Protection Regulation (GDPR) came into effect in Austria on 25 May 2018. The centrepiece of Austria's GDPR implementing legislation was the Data Protection Amendment Act 2018 (for further details please see "Draft Data Protection Amendment Act 2018 in appraisal" and "Proposals to alter national Data Protection Act").
In addition to the Data Protection Amendment Act 2018, the Austrian federal legislature developed a broad approach to reconcile Austrian legislation with the GDPR and adjusted more than 230 ordinary laws. Further, the Data Protection Authority (DPA) issued two ordinances. Pursuant to Articles 35(4) and 35(5) of the GDPR, the DPA published a whitelist (BGBl II 2018/108) and a blacklist (BGBl II 2018/278) of processing operations which are subject to data protection impact assessments. Notably, processing activities not covered by these lists remain subject to the controller's independent assessment.
Further, legislators from the nine Austrian provinces adopted data protection amendment acts to achieve GDPR compliance. These legislative acts will not be addressed here.
In two major pieces of legislation, 227 administrative legal acts were amended. The first Administrative Acts Data Protection Amendment Act 2018 (BGBl I 2018/32) was limited to the public sector. The second Administrative Acts Data Protection Amendment Act 2018 (BGBl I 2018/37) mostly addressed private sector governance. The second act is directed at:
Particularly in the health sector, data subjects' rights were restricted based on Article 23(1)(e) of the GDPR. For instance, most healthcare professions were excluded from the rights and duties under Articles 13, 14, 18 and 21 of the GDPR. Moreover, data subjects' rights with regard to personal data that is collected by certain healthcare professionals and further processed for scientific or historical research purposes can be restricted. Data controllers may exclude data subjects' rights pursuant to Articles 15, 16, 18 and 21 of the GDPR if the specific purpose for which the data is being processed may be impaired otherwise.
Science and research
Legislation was also passed to amend 17 administrative acts in the science and research sector (BGBl I 2018/31). Pursuant to Article 35(10) of the GDPR, 28 data protection impact assessments were carried out to accompany the new legislation. The results of these assessments were published in the Austrian Official Journal. They can be used for guidance when drafting future data protection impact assessments in Austria, even though they deviate to some extent from the needs of private companies. Notably, the DPA was not consulted.
Constitutional Act and others
The Constitutional Act was amended alongside a few ordinary legislative acts. The Supreme Administrative Court, as well as the federal and provincial administrative courts, must rule on their own alleged GDPR infringements if accused of having infringed the GDPR while acting in their respective judicial capacities (BGBl I 2018/22).
The federal legislature also passed legislation governing data protection issues independently from the GDPR. This will have a significant impact on the protection of personal data in Austria.
Criminal Procedure Code and others
The Criminal Procedure Code, the Telecommunications Act and the Prosecutor's Office Act were amended to:
Under these amended acts, law enforcement has been authorised to:
Further, law enforcement has been authorised to seize letters linked to criminal offences which are punishable by imprisonment for over one year. The most controversial amendment in this regard was authorising law enforcement to install software (federal spyware known as Bundestrojaner) on computer systems – without the holder's knowledge – to bypass encryption and monitor encrypted messages. This amendment will enter into force only on 1 April 2020 and will expire after five years. The introduction of the federal spyware was postponed so that the minister of the interior may acquire the needed software.
Security Police Act and others
The Security Police Act, the Telecommunications Act and the Road Traffic Act were also amended (BGBl I 2018/29). The amendments concern matters such as:
Further, the identification of users of prepaid SIM cards was introduced.
Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was transposed into Austrian law (BGBl I 2018/64). Air carriers must transfer PNR data to the Passenger Information Unit located at the Ministry of the Interior. While the PNR Act imposes this obligation on air carriers only for extra-EU flights, the minister of the interior is authorised to extend that obligation to flights from other EU member states to Austria and vice versa. The minister of the interior made use of this authorisation and issued the PNR Ordinance simultaneously with the PNR Act on 16 August 2018 (BGBl II 2018/208). The PNR Ordinance will expire after six months. Until then, for the second half of 2018, air carriers must transfer PNR data to the Passenger Information Unit regarding each cross-border intra- or extra-EU flight.
Administrative Penal Act
Pursuant to the Administrative Penal Act, the presumption of innocence does not apply. Whenever an administrative provision is infringed, there is a presumption of fault and the accused must thus prove their innocence. However, this provision may be superseded by Article 83(2) of the GDPR which, according to legal literature, stipulates a presumption of innocence. That said, there is no legal certainty as to whether the authorities will apply the presumption of fault. Therefore, it comes as welcome news that after 1 January 2019, the presumption of fault will apply only to administrative fines up to €50,000. Another notable amendment of the Administrative Penal Act is the introduction of an approach which obliges authorities to advise the accused before imposing a fine in cases of small infringements. Both amendments have already been published in the Official Journal but will enter into force on 1 January 2019 (BGBl I 2018/57).
The GDPR has created a new understanding and awareness of data protection. Despite being a directly applicable legal act, the GDPR has created significantly more work for the legislature than simply transposing a directive. The Austrian federal legislature has chosen to implement the GDPR by enacting the narrow but general Data Protection Act and introducing amendments to ordinary legal acts individually. However, these amendments are essentially limited to wording adjustments and restrictions on data subjects' rights.
That said, a legal framework for data processing for research and scientific purposes has been created. In addition, the federal legislature has broadened the powers of law enforcement to process data and transposed, among other things, the PNR Directive. Although not directly linked to the GDPR, the amendments to the Administrative Penal Act also offer some relief concerning the GDPR's fine regime.
For further information on this topic please contact János Böszörményi at Schoenherr Attorneys at Law by telephone (+43 1 5343 70) or email (email@example.com). The Schoenherr Attorneys at Law website can be accessed at www.schoenherr.eu.