I. Legal framework
Constitutional privacy and data protection framework
The Austrian Federal Constitutional Law (Bundes-Verfassungsgesetz or B-VG) neither explicitly recognises the right to privacy nor contains a clear competence clause, which is why legislative power is split between the federal level and the nine states (Bundesländer). The federal Act concerning the protection of personal data (Datenschutzgesetz 2000 or DSG[1]) contains a number of constitutional provisions[2], among them a fundamental right to data protection.[3] Also, the European Convention on Human Rights (ECHR) forms part of the Austrian Constitution, and the Constitutional Court often relies on Art. 8 ECHR in privacy cases. An amendment to the constitutional framework, including inter alia a single competence clause (in favour of federal legislation) as well as a more clearly worded version of the fundamental right to data protection, failed to obtain the necessary qualified majority in 2009.[4]
Privacy and data protection laws and regulations
The DSG came into force in January 2000[5], transposing the EU Data Protection Directive 1995/46/EC while at the same time replacing a 1978 law of the same name.[6] The DSG has been amended substantially as of January 2010.[7] The basic framework, however, has by and large remained unaltered.
It regulates the use of data and – under the heading "Fundamental Right to Data Protection" – contains four different rights: a right to secrecy, a right to obtain information (who processes what data, for which purposes they are used, etc.), a right to rectification of incorrect data, and a right to erasure of illegally processed data.[8] Whereas the latter three rights cover data destined for automated or manual processing (e.g. in filing systems), the right to secrecy comprises any personal data (e.g. contained in paper files) concerning the data subject, insofar as s/he has an interest deserving such protection.[9] Moreover, prevailing opinion and case law acknowledge a right to keep data confidential.[10] It is noteworthy that any natural or legal person or group of natural persons (e.g. companies, associations, religious or political organisations, etc.) can be a data subject, enjoying the fundamental right to data protection as outlined above.[11]
Restrictions to the right to secrecy are only permitted in the following cases.[12] Either personal data is used in the vital interest of the data subject or with his/her consent, or a restriction is necessary to safeguard overriding legitimate interests of others. Restrictions by public authorities have to be based on laws and to be necessary in a democratic society for at least one of the aims stated in Art. 8 paragraph 2 ECHR. A law restricting the right to secrecy concerning sensitive data[13] additionally has to further substantial public interests and provide suitable extra safeguards. Section 48a DSG, which was introduced in 2005 following the tsunami disaster, deals with the use of data in case of a catastrophe and can serve as an adequate example. Still, even in the case of permitted restrictions, any interference with the fundamental right has to be limited to the least intrusive of all effective means. These conditions also apply to restrictions of the rights laid out in Art. 1 Section 3.
Another peculiarity, influencing the choice of legal remedies, is the "direct third-party effect" (unmittelbare Drittwirkung) of the fundamental right to data protection. Apart from the right to information, this fundamental right can be asserted before the civil courts against organisations that are established according to private law, as long as they are not playing an enforcement role.[14]
Since 2004 the Austrian Civil Code has contained a legal basis[15] for damages caused by illegal privacy intrusions. Grave violations may also justify compensation for pain and suffering. The provision protects natural persons, with an exception for public figures.[16] Additionally, the Enforcement Act (Exekutionsordnung) provides for injunctions whenever an applicant's right to privacy is at stake.[17]
Several sector-based laws contain privacy-relevant provisions. Chapter 12 of the Telecommunications Act (Telekommunikationsgesetz or TKG[18]) includes inter alia a guarantee of the confidentiality of communications as well as a provision on data protection, taking into account the specificities of the technical preconditions. Generally, the legitimate use of certain data for marketing purposes or the provision of value-added services depends on the consent of the user (i.e. a natural person using a publicly available communications service for business or private purposes).[19] Furthermore, the TKG contains special data protection provisions concerning subscriber directories, call tracing, unsolicited communications, and calling line identification.[20]
The Genetic Engineering Act (Gentechnikgesetz or GTG[21]) requires confidentiality of personal data gathered through genetic analysis and gives the person examined a right to access as well as a right to information. Many other statutes deal with single aspects of the use of medical and health data. The Gesundheitstelematikgesetz (GTelG[22]) regulates the use of telematics in the health service sector, including data security and information management.
The Banking Act (Bankwesengesetz or BWG[23]) deals with special requirements and restrictions concerning the use of client data.
Part Four of the Security Police Act (Sicherheitspolizeigesetz or SPG[24]) regulates the use of personal data by security authorities, generally referring to the DSG and underlining the (self-evident) principle of proportionality.[25] It allows the use of personal data whenever it relates to the authorities' tasks and a cause exists which justifies the processing of such data. Section 56 SPG deals with the transmission of data and states that the DSG regime[26] is not applicable here. To a certain extent the means of gathering personal data overlap with the provisions set out in the Code of Criminal Procedure (Strafprozessordnung or StPO[27]) requiring a court or prosecutor's order. The line between crime or danger prevention and ordinary investigations cannot always be drawn easily.
In January 2003 the Law on the Documentation of Education (Bildungsdokumentationsgesetz[28]) came into force, regulating the use of pupils' and students' data for purposes of long-term documentation. Schools, universities, and other professional academies have to collect a large set of data, including social security numbers, religious affiliation, need for special educational assistance, grades, and degrees, and transmit that information to the competent ministries and the Austrian Agency for Statistics, where the data will be stored and can be identified with the help of social security numbers. According to Section 8, the personal link has to be erased 20 years after the last data have been added.
As mentioned before, the legislative competence for data protection issues is split between the federal level and the states. That is why in 2000 the states adopted various laws relating to data protection. Some of the states have introduced rules regarding the notification of suspicions of neglect, maltreatment, and sexual abuse of children.
Data protection authority
The Data Protection Commission (Datenschutzkommission or DSK) handles the vast majority of alleged violations of the rights granted by the DSG and is in charge of the Data Processing Register (Datenverarbeitungsregister or DVR), ensuring the publicity of data applications.[29]
When the DSG was drafted, it was criticised for maintaining the cumbersome structure of the original 1978 Act.[30] The 2010 amendment substantially simplifies the registration procedure for data applications, in order to decrease the Commission's workload in this regard. Unless specific exceptions apply[31], notifications will only be examined automatically as to completeness and plausibility. However, the DSK has the authority to examine notifications ex officio at any time.[32]
The amendment also introduces changes to the legal remedies, especially with regard to enhancing procedural efficiency. On the one hand, formal requirements are newly introduced, giving the DSK an opportunity to dismiss complaints on formal grounds.[33] On the other hand, a new provision precludes parallel control (ombudsman) and complaint proceedings.[34] In addition, it has been clarified that the DSK's decisions, which are by and large publicly available[35], have a binding declaratory character. Nevertheless, it can order private sector controllers to respond appropriately to requests for information.[36] No regular remedy at law is permitted against the rulings of the DSK; however, the parties have the right to bring a case before the Administrative Court (Verwaltungsgerichtshof) or the Constitutional Court (Verfassungsgerichtshof).[37]
Persons or groups of persons can file complaints with the DSK. Regardless of the status of the controller, the right to information has to be asserted before the DSK. Additionally, the Commission is competent to render decisions on complaints lodged against public sector controllers[38] for alleged violations of the rights to secrecy, rectification, and erasure of data.[39] The Commission has the power to exercise its functions vis-à-vis the highest executive authorities (enumerated in Art. 19 B-VG)[40], but it has no such power with regard to acts of Parliament or judicial decisions.[41] Additionally, the DSK acts as an ombudsman institution, routinely grants legal advice (by e-mail or telephone), and administers the cross-border transmission and committal of data. Finally, it acts as the sourcePIN Register Authority.[42]
The DSK consists of six members and six deputies (one of each group being a judge) on a part-time basis[43] and a total of 20 established posts. More than half of the complaints lodged with the Commission concern alleged violations of the right to information, another third the right to secrecy. The number of ombudsman cases, 90 percent of which arise from the private sector, has been increasing constantly in recent years (around 300 in 2009). These cases vary widely in terms of complexity. Among other means, the Commission can issue recommendations, setting an appropriate period for compliance. But it can also bring a criminal charge or, in case of severe transgression by a private sector controller, file a lawsuit before the competent civil court. In case of transgression by an organ of a territorial corporate body (Gebietskörperschaft), the DSK gets the highest competent authority involved. Within a period not exceeding 12 weeks, this authority is supposed to ensure compliance with the DSK's recommendation or inform the Commission why the recommendation is not complied with. It is remarkable that this informal remedy has an outstandingly high rate of success; however, due to staff shortages the duration of these proceedings is increasing.[44]
The licensing function concerning the cross-border transmission and storage of data generates a relatively small caseload. Exchanging data with recipients in European Economic Area countries is not subject to any restrictions, unless it concerns public sector controllers in fields that are not subject to the law of the European Union. No authorisation is needed for data exchange with recipients in third countries with an adequate level of data protection.[45]
Claims against private sector controllers have to be asserted before the civil courts. As the claimant bears a considerable financial risk concerning the litigation costs, the number of cases is moderate.[46] The claimant has a right to interlocutory injunctions, can bring an action for a permanent injunction, or can sue the controller or processor for damages.[47] All rights granted by the DSG are subject to a limitation period of one year after knowledge of a potential violation and an absolute limitation period of three years.[48]
A second institution established by the DSG is the Data Protection Council (Datenschutzrat), which is a political advisory body. Members of the DSK can at the same time be members of the Council.[49]
In 2005 the European Commission initiated infringement proceedings against Austria and Germany for not creating fully independent Data Protection Authorities. The DSK is integrated into the Federal Chancellery and its executive member is a senior official of the Chancellery.[50] In a 2009 avis motivé the European Commission restated its concerns in terms of lacking independence, which were not resolved by the 2010 amendment either. Further steps have yet to be taken.[51]
Major privacy and data protection case law
The relevant Austrian case law concerning privacy and data protection is discussed infra in the text and categorised under the corresponding section.
- 1. BGBl. I Nr. 165/1999 as amended, available in English at http://www.ris.bka.gv.at/Englische-Rv/.
- 2. Austrian law allows for "constitutional provisions" (Verfassungsbestimmungen) within regular statutes. These provisions are part of the Constitution, the core of which is the B-VG.
- 3. Art 1 Section 1 DSG.
- 4. The non-constitutional parts of the amendment, however, have largely entered into force as of 1 January 2010. Whether the Government will try again to pass the proposed constitutional amendment is not yet foreseeable.
- 5. For an overview of other relevant laws and regulations see http://oesterreich.gv.at/site/5809/default.aspx.
- 6. BGBl. Nr. 565/1978.
- 7. BGBl. I Nr. 133/2009.
- 8. Art. 1 Section 1 (1) and (3) DSG.
- 9. Id.
- 10. VfSlg 12.228, Decision of the Constitutional Court, 30 November 1989, G 245-250/89, G 268-275/89, available via http://www.ris.bka.gv.at/Vfgh/.
- 11. Section 4 item 3 DSG.
- 12. Art. 1 Section 2 DSG.
- 13. Section 4 item 2 DSG.
- 14. Art. 1 Section 5 DSG.
- 15. Section 1328a Civil Code.
- 16. Decision of the Supreme Court, 23 September 2008, 4 Ob 150/08 z, available via http://www.ris.bka.gv.at/Jus
- 17. Section 382g EO, which entered into force as of 1 July 2006: BGBl. I Nr. 56/2006. The materials show clearly that the lawmaker had privacy infringements by individuals (especially in the form of stalking) in mind.
- 18. BGBl. I Nr. 70/2003 as amended, available in English at http://www.ris.bka.gv.at/Englische-Rv/.
- 19. Section 96 TKG.
- 20. Sections 92-107 TKG.
- 21. BGBl. Nr. 510/1994 as amended; see Section 71 GTG.
- 22. BGBl. I Nr. 179/2004 as amended.
- 23. BGBl. Nr. 532/1993 as amended.
- 24. BGBl. Nr. 566/1991 as amended.
- 25. Section 51 SPG.
- 26. Sections 8, 9 DSG.
- 27. BGBl. Nr. 631/1975 as amended, e.g. Sections 134-140 StPO.
- 28. BGBl. I Nr. 12/2002.
- 29. Sections 16–25 DSG.
- 30. See Viktor Mayer-Schönberger & Ernst Brandl, Datenschutzgesetz 2000 (Linde Publishing Vienna 1999).
- 31. Section 18 (2) DSG. The specific exceptions are: an application is carried out in the form of a joint information system or involves sensitive data, certain criminally relevant data, or data whose purpose is to give information on the data subject's creditworthiness.
- 32. Section 22a (1) DSG.
- 33. Sections 31 (3), (4) DSG.
- 34. Section 31 (6) DSG.
- 35. See http://www.ris.bka.gv.at/dsk/. This database contains selected decisions since 2000.
- 36. Section 31 (7) DSG.
- 37. Section 40 DSG. Since the 2010 amendment, public sector controllers are in principle excluded from the right to bring a case before the Administrative Court.
- 38. According to Section 5 DSG these also include controllers who, despite having been incorporated according to private law, execute laws.
- 39. Section 1 (5) DSG.
- 40. Constitutional provision in Section 35 (2) DSG.
- 41. Section 1 (5) DSG. In this context it is noteworthy that the Austrian Court of Audit ("Rechnungshof") as well as the Ombudsman ("Volksanwaltschaft") are technically parliamentary institutions.
- 42. E-Government-Gesetz or E-GovG (E-Government Act), BGBl. I Nr. 10/2004 as amended, Section 7. Cf. "E-Government & Privacy", infra.
- 43. Section 36 (3a) DSG.
- 44. Section 30 (6) DSG. See Datenschutzbericht 2009 (Official Bi-Annual Data Protection Report 2009), at 3, 15–22, available in German at http://www.dsk.gv.at/DocView.axd?CobId=40344.
- 45. Section 12 DSG. An ordinance of the Federal Chancellor contains a list of these countries.
- 46. See Datenschutzbericht 2009, supra at 18.
- 47. Section 32 DSG.
- 48. Section 34 (1) DSG.
- 49. Sections 41–44 DSG.
- 50. "EC: Data Protection Inadequate in Austria and Germany" EDRIgram newsletter No. 3.17, 24 August 2005, available at http://www.edri.org/edrigram/number3.17/DPA.
- 51. Nicolas Raschauer, "Art. 8 der Grundrechtecharta (Grundrecht auf Datenschutz) und die Überwachung durch eine unabhängige Kontrollstelle" ("Art. 8 GRC and the Supervision by an Independent Supervisory Body"), 8 September 2010, available at http://www.springerrecht.at/art-8-der-grundrechtecharta-grundrecht-auf-d....