Christian Schmelz Günther Leissler March 15 2011 Austria implements EU Data Retention Directive at long last Schoenherr | Tech, Data, Telecoms & Media - Austria Christian Schmelz, Günther Leissler Tech, Data, Telecoms & Media Categories of dataData access requirementsPrivileged usersHandling of data access requestsCostsForecastIn 2009 the European Commission began proceedings against Austria for breaching EU law by failing to implement the EU Data Retention Directive (2006/24/EC). These proceedings resulted in the European Court of Justice ruling against Austria in 2010. Austria's reluctance primarily stemmed from major data protection and privacy concerns. After years of discussions, the Austrian government has now finally decided to implement the directive. This update sets out the key points covered by the draft legislation.Categories of dataProviders will be obliged to store data for phone, internet and email traffic, including data for failed connections. The draft legislation sets down no obligation to retain content data. A specific access regime will be implemented for IP address data. However, in order to prevent small providers from disproportionate costs, this obligation will apply only to providers that exceed a certain size.Providers which provide voice call services (including Voice over Internet Protocol) will have to store, among other things, the phone numbers of the caller and the called person, including call-forwarding data. In addition, the names and addresses of the call participants and the date, time and duration of the call must be retained. Providers of mobile phone services will additionally have to store international mobile subscriber identification and international mobile equipment identification data and the cell identification data of the call. This requirement will result in a future need for providers of mobile phone services to have their base stations sorted and registered by cell identifiers.Email traffic data regarding who sent and received emails, and when, will also have to be retained. However, the obligation to store such data will not apply to communications exchanged via social networking sites (eg, Facebook). Instead, the draft refers only to emails transferred via simple mail transfer protocols.Data access requirementsThe draft legislation provides for a retention period of six months. Law enforcement authorities and courts will be allowed to access the above-listed data for the purpose of criminal investigations with a valid court order, and only if the data is needed to investigate crimes that are penalised by a prison sentence of one or more years. However, internet protocol (IP) address data will be accessible even when the respective offences are penalised with prison sentences of less than a year. In addition, to access IP data no court order will be needed, but only a "well-founded request" from the state attorney will suffice. The reason for such diminished access requirements is to cover some child pornography offences that are penalised by prison sentences of less than one year (ie, offences that deal only with the viewing of illegal content). However, in such cases affected users must be informed about their data being accessed.Location data (which is stored during the use of mobile phone services) and billing data can be accessed by law enforcement authorities in case of "imminent danger" (ie, for the purpose of preventing imminent harm to life or goods). In such cases, location and billing data can be accessed without a court order. However, the affected users must be informed about their data being accessed.Privileged usersCertain professionals (eg, attorneys, doctors and journalists) enjoy statutory confidentiality privileges which, among other things, prevent their correspondence and communications from being monitored or intercepted. The draft legislation (rather vaguely) provides for such confidentiality obligations to be "observed" in regard to data access requests. However, it will not be up to the provider to determine whether the data to be accessed is protected by respective confidentiality obligations. Instead, it will be for the court and the competent authorities to decide whether the data can be accessed legitimately. There will be no blacklist to indicate professionals who are generally exempt from the data retention provisions.Handling of data access requestsThe provider will be the addressee of data access requests. It must then check the validity of the request and perform the subsequent data extraction by adhering to the following principles: Requests must be stored for at least three years so that the validity of the requests can be checked by the Data Protection Commission. The extracted data must be encrypted before being transferred to the authority. The technical details are to be determined through an ordinance. The provider must implement a 'push' system whereby the requesting court or authority cannot access the requested data directly, but the provider must proactively send the data to the requesting court or authority. CostsThe Internet Service Provider Association estimates the overall data retention costs for Austria to be somewhere between €15 million and €20 million. The current draft legislation requires the providers to bear 20% of these costs.ForecastThe draft legislation implements the minimum requirements set out by the directive by providing for a retention period of only six months. Parliament is expected to discuss the draft legislation in May 2011. While the outcome of the parliamentary discussions might lead to some amendments to the draft legislation, at this stage it is expected that the current draft will generally be transformed into statutory law.For further information on this topic please contact Christian Schmelz or Günther Leissler at Schönherr Rechtsanwälte GmbH by telephone (+43 1 5343 70), fax (+43 1 5343 76100) or email ([email protected] or [email protected]).