Republic of Austria

The Austrian Constitution does not explicitly recognize the right of privacy.[624] Some sections of the data protection law (Datenschutzgesetz, or DSG) have constitutional status and may only be restricted under the conditions of Article 8 of the European Convention of Human Rights (ECHR). The entire ECHR has constitutional status and Article 8 is often cited by the constitutional court in privacy matters.

A new data protection law (Datenschutzgesetz 2000) was approved in December 1999 and went into force in January 2000.[625] The Act replaces a 1978 law[626] of the same name and incorporates the EU Data Directive. It protects the right of individuals in relation to the processing of their personal data irrespective of the mode of data processing. Individuals have the right to access, correct, delete, or keep confidential personal data.[627] Data controllers are required to notify the data subject, who has the right to access the data, its origin, and the identity of any recipients. Disclosure to third parties is only allowed when the data subject gives express written permission, when it is in the legitimate objective of the data controller to disclose the information, if the information is not anonymous, or if it is necessary for the protection and interests of a third party.[628] Claims against private sector data controllers can be brought under the law by an individual data subject or by the Data Protection Commission. Civil and criminal provisions apply.[629]

Experts have criticized the new law as inadequate because it retains the cumbersome structure of the original 1978 Act rather than replacing it.[630]

Under the 2000 Act, a Data Protection Commission (DPC) and a Data Protection Council are established and have powers of investigation and enforcement to ensure compliance with the Act. The Commission is an advisory body (currently staffed with 6 permanent directors, 6 deputies, and 10 full-time employees (Arbeitsplatzstelle, "working places"))[631] responsible for resolving private sector complaints, investigating public sector data processing, and reporting bi-annually to the federal government on public sector data processing. It oversees all private sector activity, including the authorization of international data transmissions and applications for data processing registration. The DPC will only deny the export of data if such transport conflicts with public interests, violates international legal obligations, disregards data disclosure requirements, damages the interests of the person warranting protection, or has inadequate safeguards. The DPC is also responsible for submitting proposals to federal and state government on improvements to the Data Protection Act.[632]

As of December 2001, there were 96,828 registered data controllers, who are defined as "the legal person ordering the collection, processing or disclosure of data or causing it to take place."[633] Data controllers are required to notify the data subject, who has the right to access the data, its origin, and the identity of any recipients. Disclosure to third parties is only allowed when the data subject gives express written permission, when it is in the legitimate objective of the data controller to disclose the information, if the information is not anonymous, or if it is necessary for the protection and interests of a third party.[634] Claims against private sector data controllers can be brought under DSG 2000 by an individual data subject or by the DPC on behalf of data subjects. Civil and criminal provisions both apply.[635]

However, due to a severe reduction of personnel during the last three years (2001-2003), the DPC has complained that it is no longer able to actively pursue investigations and file claims.[636]

A proposal to introduce into the Austrian Civil Code a new claim for damages caused by privacy intrusions was drafted by the Department of Justice in 2002. The draft provides for a new right for damages caused by any illegal privacy intrusions. In addition, individuals would be granted a right to claim for a minimum of EUR1,000 for pain and suffering or other immaterial loss. The draft has already been introduced in Parliament but has to be reintroduced after the new elections.[637]

There are also several sectoral privacy laws. The telecommunication law contains special data protection provisions for telecommunication systems, particularly for problems like phone directories, unsolicited calls or ISDN calling line identification.[638] The Genetic Engineering Act of 1994 requires prior written consent for information to be used for purposes other than the original purpose. While there are no specific provisions in the Act relating to medical data, there are provisions in other statutes dealing with the transmission of medical or health data. These include sections 2 and 3 of the AIDS Act, which require hospitals and physicians to report every case of AIDS to the Federal Ministry of Health and Social Affairs.[639]

The Banking Act of 1993 deals with special requirements in relation to credit data. Section 18 of the Data Protection Act (Datenschutzgesetz or "DSG 2000") states that a data application containing information regarding a person's creditworthiness requires prior authorization. Moreover, financial institutions cannot use or share any information derived from secrets their customers revealed during business transactions. In their regular business relations, all financial institutions must comply with DPA provisions stating that they cannot use personal data obtained through client accounts for other purposes.[640] However, since June 2002 banks have to know their customer before conducting any money transfers.[641] Austria adopted a new anti-money laundering law according to the requirements of the Organization for Economic Cooperation and Development (OECD).[642]

In 2000, the Austrian Provinces (Länder) adopted various laws relating to data protection. Some have passed legislation regarding notification about suspicions of neglect, mistreatment or sexual abuse, and the collection of personal data related thereto. There are also additional laws adopted regarding military authorities' standards regarding the use of personal data for military affairs.[643]

In June 2002, the Parliament discussed a bill which would allow the Austrian military to request from Internet Service Providers (ISPs) or other telecommunication service providers the name, address and telephone number of every telecommunication user.[644] The military would simply have to pretend that it necessarily needs this information for intelligence purposes or for the fulfillment of its own duties. The draft was strongly opposed by Austrian privacy organizations and has not been adopted yet.[645]

Over the past few years, Austria has been working on introducing a smart card for social security. This smart card, which will replace the present health insurance certificate after 2004, will be given to every person who benefits from social security.[646] It will contain a digital signature. Currently, only the name, the social security number and the date of birth will be stored. But recent discussions show that health data for emergency cases shall be stored as well. This would, however, need further legislation and it would not be mandatory but only based on an opt-in system.[647] The previous project to introduce a mandatory "citizen card" with tax number and other information has been abandoned. Today, all privately-issued smart cards, such as private member organization cards or bank debit cards that fulfill special technical requirements, can be used to act as an electronic citizen authentication card. The card can therefore be used for several kinds of interaction with private businesses or government agencies.[648] The Austrian Computer Society issued the first examples of these citizen cards in December 2002.[649]

The Code of Criminal Procedure regulates wiretapping, electronic eavesdropping and computer searches.[650] Telephone wiretapping is permitted if it is needed for investigating a crime punishable by more than one year in prison. Electronic eavesdropping and computer searches are allowed if they are needed to investigate criminal organizations or crimes punishable by more than ten years in prison. The provision concerning electronic eavesdropping and computer searches became effective between October 1, 1997, and July 1, 1998. The bill previously contained sunset clauses that were later repealed in the Fall of 2001.[651] Criticism of the drafts for this law has led to several restrictions, but whether or not these provisions can effectively prevent eavesdropping on innocent persons remains unresolved. In February 2001, the Federal Minister of Transport, Innovation and Technology issued a draft ordinance that would require all telecommunication operators to install technical equipment to facilitate the surveillance of telecommunication traffic in accordance with the Code of Criminal Procedure.[652]

On October 15, 2001, in response to the terrorist attacks in the United States, the federal government announced a package of measures to fight money laundering and terrorism. Police forces increased surveillance on diplomatic missions, airports, and other sensitive sites.[653] A week later the government passed legislation increasing punishment for those found guilty of terrorist hoaxes, increased spending on additional security personnel and equipment including a helicopter and voted on an extension of police permission to carry out electronic surveillance.[654]

The Auskunftspflichtgesetz is a Freedom of Information law that obliges federal authorities to answer questions regarding their areas of responsibility.[655] However, it does not permit citizens to access documents, just to receive answers from the government on the content of information. The nine Austrian Provinces have laws that place similar obligations on their authorities.

In April 2001, the Ministry of Justice presented draft amendments of the Code of Criminal Procedure, which would bring about important changes to the Austrian judicial system. According to the draft Law on the Security of Information, authorities, journalists and other persons who disclose classified information could face sanctions if the disclosure impairs Austria's public security, national defense, foreign relations or economic interests.[656] It would thus be possible to imprison journalists who publicly disclose secret documents from public officials even if their publication would be of public interest. Violations could lead to up to one year in prison. While the main aim of the law is to protect military secrets, critics claim that since the law is so poorly formulated it could potentially adversely affect the free flow of information. Moreover, it seems that since any official could declare their files classified, they could also restrict public scrutiny of their actions and limit freedom of information access.[657]

Austria is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[658] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[659] In November 2001, it signed, but did not ratify, the Council of Europe Convention on Cybercrime.[660] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.