Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


Chapter: II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

A 2002 amendment to the statute regulating military competences (Militärbefugnisgesetz or MBG1) allows the Austrian military intelligence service to request the name, address, and identification number of potentially every telecommunications user from Internet service providers (ISPs) or other telecommunications service providers.2 The draft was strongly opposed by Austrian privacy organisations since the obligation is merely based on the assertion that a certain piece of information is needed for intelligence purposes.3

The Code of Criminal Procedure (StPO4) regulates practices such as wiretapping, electronic eavesdropping (Lauschangriff, audio as well as optical surveillance), or dragnet investigations (Rasterfahndung, cross-referencing of government and – in certain circumstances – private databases).5

Wiretapping can comprise master data, access data, location data, or the content of a telecommunications or other information society service.6 Getting access to the content is subject to stricter requirements; however, the basic structure is the same: the intervention can be permitted by a judge if the wiretapping is deemed necessary for investigations into a wilfully (vorsätzlich) committed criminal offence punishable by more than one year of imprisonment.7 The lawfulness of electronic eavesdropping and dragnet investigations is subject to complex rules. Generally, they can be judicially permitted if necessary for investigations into criminal or terrorist organisations or into crimes punishable by more than 10 years of imprisonment.8 When the latter two means of investigation were introduced, they contained sunset clauses, which – despite their dubious rate of success – were repealed in 2001.9

A 2005 amendment to the Security Police Act (SPG) authorises the police to keep public places under audio/video surveillance and store the data collected for up to 48 hours or longer if necessary for the investigation of criminal offences committed.10 The annual Security Report (Sicherheitsbericht[63]) contains statistics on wiretapping as well as electronic eavesdropping. In 2008 two audio/optical surveillance operations were carried out and 4,073 wiretaps judicially authorised.11

A highly contentious issue concerning wiretapping was who had to bear the costs of the surveillance measures. The Constitutional Court declared an ordinance imposing the major part of the costs upon the telecommunications operators unconstitutional.12 Still, the 2003 Telecommunications Act requires telecommunications providers to furnish the necessary surveillance equipment, specified by an ordinance by the Federal Minister of Transport, Innovation, and Technology.13 A second ordinance regulates the providers' reimbursement, which is based on a case-by-case evaluation of their assistance. The reimbursement covers personnel costs as well as installation, maintenance, and monitoring of the surveillance equipment.14

Another highly controversial amendment to the SPG15, motivated by a decision of the DSK16 that found police authorities guilty of a violation of the right to secrecy, entered into force in January 2008. It obliges telecommunications service providers and providers of services under Section 3 item 2 E-Commerce Act (E-Commerce-Gesetz or ECG) to grant police authorities access to user data like names, addresses, or IP addresses.17 Moreover, in cases of present danger to a person's life and limb, police authorities now have the right to immediately access location data and the user's International Mobile Subscriber Identity (IMSI), as well as the right to use IMSI catchers.18 A court order is not required in any of these cases. In 2009 the Constitutional Court dismissed a case brought by a telecommunications service provider challenging these new provisions.19

Technological development has raised yet another issue. Online searches, especially with the use of remote forensic software (commonly referred to as Trojaner), have been controversial since the Federal Ministers of Justice and the Interior came – in principle – to an understanding in October 2007.20 A working group reconsidering the legal framework as well as technical questions concluded that some online surveillance measures are covered by the existing rules outlined above21; however, by and large the necessary authorising provisions are lacking.22 The government programme 2008-2013 includes the aim of introducing online searches, but no action has been taken yet.23

In a groundbreaking 2009 decision24 the Supreme Court (Oberster Gerichtshof or OGH) held that – in the current legal framework – Internet access providers are not obliged to pass on the names and addresses of file-sharers to copyright holders. The relevant provision in the Copyright Act (Urheberrechtsgesetz or UrhG25) would require Internet providers to process traffic data (i.e. dynamic IP addresses) and link them with the time of a (copyright-infringing) download. However, the TKG26, consonant with EU Directive 2002/58/EC27, states that except for cases (explicitly) regulated by law, traffic data must not be stored and shall be erased or made anonymous after termination of the connection. Also, as a general principle, the Data Protection Act (DSG) requires the use of data to be strictly earmarked. The TKG, which is interpreted in the light of the Directive, contains exceptions, which allow the processing (and thereby storing) of traffic data for specific purposes. With regard to the principle of legal certainty, the OGH was not convinced that an implicit legal basis for an exception could be deduced from the copyright provision. As data must not be stored for the purpose in question, a civil obligation to disclose cannot exist.

In 2005 the Data Protection Commission (DSK) rejected a research centre's application for permission to use personal data of drug-addicted convicts who underwent rehabilitation instead of serving their sentence.28 The researchers intended to use these records to evaluate this new penal approach. With a view to proportionality, the DSK found that the centre had to obtain the convicts' consent before using their personal records.29

National security legislation

No specific information has been provided under this section.

Data retention

So far, Austria has not transposed the EU Directive 2006/24/EC on data retention and therefore has been found guilty of a failure to fulfil its obligations by the European Court of Justice (ECJ), which refused to consider any (belated) fundamental rights objections.30 Data retention is largely perceived as a threat in Austria. Presumably legislative action will be deferred until after the European Commission's re-evaluation of the Directive (due in autumn 2010) or even the ECJ's ruling on the preliminary reference by the Irish High Court, challenging the fundamental rights conformity of data retention.31

National databases for law enforcement and security purposes

The Austrian Federal Ministry of Interior (Bundesministerium für Inneres) operates the national part of the Schengen Information System (N.SIS).32 The System contains data on certain wanted/controlled persons and objects. The N.SIS will allow the competent authorities and bodies access, through an automated search, to alerts regarding wanted/controlled persons or objects and persons with refusal of entry in order to fulfil their specific tasks in the field of border control, issuing of visas, residence permits, driver's licenses, customs regime, police and judicial activities, and also to guarantee public order and national and European security. The N.SIS receives additional data from the authorities of other Schengen countries through the SIS-Center in Strasbourg (C.SIS) which is relevant for entry into the Schengen area.33

National and international data disclosure agreements

In December 2006 Germany and Austria became the first countries to harmonise their DNA databases under the new "Prüm Treaty".34 National contact points are granted access to the reference data in the DNA analysis files and can conduct automated searches by comparing DNA profiles. In case of a hit the searching contact point receives an automated notification. By mutual consent the contracting parties can also compare unidentifiable DNA profiles with all DNA profiles from other national DNA analysis files' reference data. Similar rules apply to fingerprinting and vehicle registration data. Any excessive supply of available personal data is governed by the rules on mutual legal assistance.35 Even though the European Data Protection Supervisor considered the privacy elements of the Prüm Treaty were incomplete36, the Council decided to integrate the Treaty into EU legislation.37

The Austrian DNA database contains more than 132,000 DNA profiles.38 Officials in the Ministry of the Interior boast that in terms of DNA database development and use, Austria is among the leading countries in the world.39

Newspapers report that Austria plans to grant the USA access to DNA databases, fingerprint data, and consequently identities of suspects and/or convicts. Allegedly the USA threatened to strike Austria off the Visa Waiver Programme if it did not cooperate sufficiently.40

Cybercrime

No specific information has been provided under this section.

Critical infrastructure

No specific information has been provided under this section.

Territorial privacy

Video surveillance

In 2006 a Viennese lawyer expressed concern that more than 100,000 illegal monitoring systems with recording functions existed in Austria.41 As most of these systems were used illegally, i.e. without prior permission of the Data Protection Commission (DSK), enforcement of the legal restrictions was hardly possible. The first-ever permission had provisionally been granted to Vienna's public transport system, Wiener Linien, to see whether such a system could help to prevent vandalism. However, at that time, police stations, banks, traffic monitoring, etc. used video surveillance legally.42

Before the amendment to the Data Protection Act (DSG) entered into force on 1 January 2010, video surveillance was covered by the general provisions of the DSG43, which were designed with a view to "classical" data protection challenges, increasingly leading to difficulties in their application to video surveillance issues. The newly introduced Chapter 9a, comprising Sections 50a – 50e, sets out a general framework for video surveillance, while sector-based specificities remain. Audio surveillance ("private eavesdropping") is not included.

Video surveillance is defined with a special emphasis on the aspect of systematic (especially continuous) monitoring.44 The rules on the legitimate use of data as well as the principle of proportionality apply. Furthermore, video surveillance is only admissible if it is the least intrusive means. Notably, real-time surveillance is a less intrusive means than recording.

Section 50a (3) and (4) DSG contains leges speciales on the question of which interests in secrecy deserve protection. Video surveillance by the police is regulated in sector-based laws, especially the Security Police Act (SPG45). Subsection 4, requiring a balancing of interests, is relevant only for the private sector. Justifiable encroachments are concrete threats regarding objects or persons under surveillance, legal norms that prescribe exercising due care and real-time surveillance limited to rendition. The resulting interferences are then not considered violations of interests in secrecy deserving protection.46 However, even surveillance that is admissible under the rules outlined above may not capture intimate locations like private apartments, lavatories, or changing rooms.47

A controller can lawfully transmit random recordings (captured beyond the purpose and admissibility of a video surveillance measure) to the competent authorities when there is a reasonable suspicion that a criminal act has been committed. A controller cannot refuse delivery of recordings to courts or administrative authorities that are then solely responsible for the lawfulness of such requests.

Recordings have to be logged and erased after 72 hours.48 The installation of video surveillance is regularly subject to notification and to prior checking by the DSK.49 Moreover, the controller has an obligation to indicate areas under video surveillance in order to enable potential data subjects to avoid being recorded.50 As far as real-time video surveillance is concerned, there is no right to information. In all other cases the person seeking information is entitled to a copy of the recordings that relate to him/her. Third-party interests in secrecy etc. can conflict with the right to obtain a copy of the recordings. In such a case the right to information can be satisfied by a detailed, written description. Additional information such as origin, recipients, legal basis etc. can always be provided in writing or – with the data subject's consent – orally.51

In spring 2010 the DSK temporarily banned Google Street View after it became public that W-LANs had been sniffed and even unencrypted content data had been recorded during the systematic photographing of street views.52 According to Google, only bits and pieces were recorded. However, the DSK could not rule out that, contrary to the registration, additional informative data had been recorded and therefore temporarily banned the data application Google Street View while the case is pending with the Commission.53

Location privacy

No specific information has been provided under this section.

Travel privacy and border surveillance

Since 2006, passports have been equipped with RFID chips containing data such as the name, a photograph and – since March 2009 – two fingerprints, usually taken from the index fingers.54 Local or district authorities that issue the passport scan the fingerprints and then store the data only on the RFID chip.55 Minors under the age of 12 are exempt from fingerprinting.56

National ID and smart cards

In 2005 Austria introduced the "e-card", a social security smart card, which plays a fundamental role in the social security online administrative system ("ELSY"). The e-card, which has to be produced upon any consumption of health services, has replaced health insurance certificates throughout the European Economic Area (EEA) and grants access to a platform for many other e-health services. It is designed as a key card, containing name, date of birth, sex, and social security number.57 Upon the explicit request of the cardholder, emergency data can be stored on the e-card.58 With the consent of the cardholder, the e-card grants access to further personal data. To that end physicians etc. have a key-card authorising their access to the relevant data.59

Additionally the e-card can include the function of a citizen card (Bürgerkarte60). The idea of a mandatory citizen card including tax number and other data has been abandoned. Today many privately issued smart cards (e.g. bank cards, member cards) with certain technical specificities can be equipped with an electronic authentication function. The Austrian Computer Society issued the first examples of these citizen cards in December 2002, which were valid until 2005.61

RFID tags

No specific information has been provided under this section.

Bodily privacy

No specific information has been provided under this section.

Footnotes