National room for manoeuvre
Approximately one year before the General Data Protection Regulation comes fully into force, the Austrian legislature has officially started a six-week consultation process for the national Data Protection Amendment Act 2018. In general, the General Data Protection Regulation will harmonise EU data protection laws. However, numerous so-called 'opening clauses' allow national leeway. Further, EU Directive 2016/680 must be implemented into national law and provides specific regulations on data processing by security authorities for the purpose of law enforcement. The published draft of the national Data Protection Amendment Act implements the directive's provisions in a separate chapter.
If and to what extent the legislature will make use of the competencies provided for by the opening clauses is highly relevant to companies, and the amendment act has answered this question. Apart from implementing the directive and making necessary adjustments to the Data Protection Authority's structure, the amendment act contains the following interesting provisions.
The penalties under the General Data Protection Regulation will increase significantly to €20 million or 4% of the company's annual turnover. According to the general Austrian administrative penal provisions, such penalties were imposed on a company's management unless a responsible representative was appointed. The concept of an association's direct responsibility is rather uncommon under Austrian administrative law (eg, in Paragraph 99d of the Banking Act). The published draft provides that General Data Protection Regulation fines can be imposed on legal entities only if the underlying offence was caused by the management or responsible representative of the legal entity.
According to the General Data Protection Regulation, the competent national authority will impose the penalties. The amendment act upholds this policy and confirms the competency of the Austrian Data Protection Authority. However, a case pending before the Constitutional Court is challenging the Financial Market Authority's competency to impose these high fines. Thus, an adjustment might be necessary before the draft comes into force.
The General Data Protection Regulation is silent on video surveillance. The legislature intends to modernise the Austrian-specific provisions which came into force with the 2010 amendment to the Data Protection Act. However, the new draft provisions will go beyond the existing scope – in particular, Section 6 of the amendment act applies to images in general. This means that, in future, pictures in general will also be subject to the amendment act. As a counterweight to this far-reaching scope, a rather broad private use exception will apply: images made for private documentation purposes will be excluded from the amendment act, as long as they do not seek to identify any "uninvolved" persons. In other words, holiday snapshots are still allowed.
Complaints and compensation for damages
The General Data Protection Regulation provides data subjects with several options to act against data protection violations. These actions can be taken in addition to any administrative fines imposed under the General Data Protection Regulation.
On the one hand, any affected data subject can file a complaint with the Data Protection Authority. Obviously, this option must be embedded into the national administrative structure and the existing draft does so. Appeals against Data Protection Authority decisions can be brought to the Federal Administrative Court. Further, in the event that the Data Protection Authority does not comply with its obligations to handle a complaint in a timely manner, the matter can be brought before the Federal Administrative Court. Lay judges will continue to oversee cases brought before the Federal Administrative Court's senate.
On the other hand, an affected data subject can address the civil courts in order to receive compensation for any material or non-material damage suffered as a result of a General Data Protection Regulation infringement. Under Austrian civil law, compensation for non-material damages is possible only in exceptional cases, and the General Data Protection Regulation adds to this list of exceptions. The draft also provides for a choice between the domicile of the data subject and the seat of the defendant (ie, the controller or the processor).
A core principle of the General Data Protection Regulation is the accountability of the controller. As part of these strengthened obligations, controllers must maintain an internal record of processing activities. Consequently, the existing obligation to notify all data processing activities to the Data Processing Register will no longer apply. For archiving purposes, the Data Processing Register will remain until the end of 2019. Any pending notification procedures will be terminated in May 2018, once the General Data Protection Regulation comes fully into force.
The Standard and Model Regulations will also cease to be in force. However, the Data Protection Authority will have to issue different ordinances in order to list data applications which will require privacy impact assessments.
Legally binding acts of the Data Protection Authority (eg, approvals for international data transfers) will in general remain valid. However, their compliance under the General Data Protection Regulation must be evaluated.
Finally, data protection is still considered a constitutional right, and any breaches therein will continue to have third-party effect (ie, valid between private parties). However, the Austrian law which extends data protection to legal entities will no longer apply. In future, only natural persons will be covered by the General Data Protection Regulation and the Data Protection Amendment Act 2018.
For further information on this topic please contact Veronika Wolfbauer at Schoenherr Attorneys at Law by telephone (+43 1 5343 70) or by email. The Schoenherr Attorneys at Law website can be accessed at www.schoenherr.eu.