Recent developments and future prospects
Trends and developments
Have there been any notable recent trends or developments concerning the conduct of online and digital business (both business to business and business to consumer) in your jurisdiction, including any regulatory changes or case law?
The EU General Data Protection Regulation (GDPR) (applicable since 25 May 2018) has brought major change to online and digital business. The GDPR has resulted in a complete overhaul of the Austrian (and European) data protection regime and provides several new obligations for both business-to-business and business-to-consumer relationships. The Data Protection Act implements and also supplements the GDPR in Austria. Further sector-specific data protection laws have and will continue to follow for special laws regarding, for example, healthcare, banking and insurance.
For online business, the Regulation on Cross-Border Portability of Online Content Services in the Internal Market (EU Regulation 2017/1128) required adaptations. These provisions came into force on 20 March 2018 and prohibit geo-blocking and discrimination among EU customers.
The EU Directive on Security of Network and Information Systems (NIS Directive, 2016/1148) provides for additional security measures in order to raise the level of cybersecurity in the European Union. Although the directive had to be transposed into national law by 10 May 2018, the Austrian legislature has thus far published only an informal draft.
The EU Directive on Payment Services in the Internal Market (2015/2366) was implemented in Austria through the Payment Services Act 2018, which contains stricter rules for online payment service providers.
Besides these regulatory aspects, collecting societies are active in Austria, which has resulted in a number of court decisions restricting the exploitation of online content and narrowing the liability privileges of host and access providers (eg, the enforced implementation of filter software to avoid copyright infringement).
What are the future prospects for digital business in your jurisdiction, including any proposed or potential regulatory reforms and future technological/market developments?
Regarding data protection, it is assumed that the Austrian legislature will implement further provisions for specific areas (eg, banking, insurance and healthcare) to fine-tune the existing set of rules by making use of the opening clauses in the GDPR.
The EU ePrivacy Regulation (which is still in the legislative process at EU level) will trigger a further need for adjustments in the digital environment, especially in the context of electronic marketing and communication.
What primary and secondary legislation governs the conduct of digital business in your jurisdiction?
There is no central legal act governing digital business in Austria. In fact, the main basis is general civil law supplemented by special provisions for certain areas. Most of the special provisions are based on respective EU requirements (usually EU directives). Further, the case law of the Austrian courts and the European Court of Justice is of great importance, since it fills the gaps in the laws.
Electronic contracts are regulated by:
- the Remote and External Business Act;
- the E-commerce Act;
- the Remote Financial Services Act; and
- the General Civil Code.
The Consumer Protection Act must be considered for digital business in the business-to-consumer field. Further, the Signature Act governs electronic identification and e-signatures.
In addition, the amended Data Protection Act contains the main rules for data protection in Austria next to the EU General Data Protection Regulation (GDPR). There are also several other sector-specific data protection provisions.
The Telecommunications Act, which is based on the EU ePrivacy Directive (2002/58/EC), contains provisions on data protection in the field of electronic communication and marketing.
Which authorities regulate the conduct of digital business and what is the extent of their powers?
The competent authority varies depending on the specific business field and legal area.
The Austrian trade authorities monitor compliance with Austrian trade laws, especially the Industrial Code. In general, every online and digital business conducted with the intention of making a profit is subject to prior registration with the competent trade authority.
The Austrian Data Protection Authority is competent for the enforcement of the GDPR and the Data Protection Act. The authority may conduct on-site audits and request information from data controllers or processors. Usually, the Data Protection Authority initiates proceedings based on complaints by data subjects or during sector-specific investigations. Further, the authority is competent to impose the high penalties under the GDPR.
The Regulatory Authority for Broadcasting and Telecommunications is responsible for approvals of general terms and conditions of business, electronic signatures, frequency allocation procedures and competition regulation. It also provides for alternative dispute resolution.
The Austrian Telecommunication Offices are competent to investigate potential infringements of telecoms and electronic marketing provisions (especially spam and cold calling).
There are several authorities competent to ensure compliance in specific areas (eg, finance and electronic payments).
The Austrian courts are usually competent for claims for damages and injunctive relief. The district administrative authorities are usually also competent to impose administrative penalties for violations of legal provisions in the field of digital business.
Government policy and regulatory approach
How would you describe the government’s policy and regulatory approach to digital business?
In general, the government has a strict approach to digital business and often exceeds EU minimum standards. Further, Austrian digital business provisions are sometimes quite formalistic and can be cumbersome in practice. Most recently, the government introduced a minister for digitalisation to boost modernisation.
Establishing digital businesses
What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?
The E-commerce Act provides that information society services (ie, digital businesses) are not generally subject to any separate administrative authorisation, approval, permit or concession compared to offline businesses. Therefore, the general regulatory and trade law requirements must be taken into account when establishing a digital business in Austria. Thus, no distinction is made in relation to more traditional bricks-and-mortar businesses. Depending on the field of business, special laws may apply (eg, on-demand media, online payment services and insurance).
However, the E-commerce Act and the Remote and External Business Act provide for additional requirements when conducting digital businesses (eg, information obligations and withdrawal rights).
Electronic contracts and signatures
Electronic contract availability
Are electronic contracts legally valid in your jurisdiction? If so, what rules and restrictions govern their formation (including any mandatory or prohibited provisions and contract formats)?
Following Austria’s ‘freedom of form’ principle, electronic contracts are generally legally valid and binding. For contracts that require a handwritten signature, a qualified electronic signature may be used as an equivalent.
However, some special formal requirements are provided by the E-commerce Act and the Remote and External Business Act. For consumers, a mechanism must be provided whereby the customer presses a button expressly stating an obligation to pay when ordering. Nevertheless, these special provisions do not directly affect the conclusion or legal validity of contracts, but either contain mere regulatory rules – the infringement of which may give rise to compensation claims, is punishable and could possibly be anti-competitive – or lead to additional rights granted to the consumer (eg, the right of withdrawal).
Are there any limitations or restrictions on transactions that can be concluded through electronic contracts?
Restrictions apply to certain contracts where formal requirements must be met for the contract to be fully legally binding. For instance, a handwritten signature is required for guarantees and special formal requirements apply to testamentary dispositions.
However, according to the Signature Act, the written form may be substituted by way of a qualified electronic signature.
Do any data retention requirements apply to electronic contracts?
There are no special provisions for the retention of electronic contracts. Thus, the general retention obligations apply. According to Sections 190 and 212 of the Company Law Act and Section 132 of the Federal Fiscal Code, all documents relevant for bookkeeping and fiscal purposes, as well as business letters (including contracts, electronic contracts and business-relevant electronic communication such as emails), must be retained for a minimum period of seven years starting from the end of the relevant calendar year.
Are any special remedies available for the breach of electronic contracts?
No. In case of a breach of electronic contracts, the rules of the General Civil Code apply (ie, warranty, damages, rescission of the contract and termination). There are no special remedy rules regarding electronic contracts.
Are electronic signatures legally valid in your jurisdiction? If so, what rules and restrictions govern their use?
In Austria, the use of electronic signatures is legally valid. The use of a qualified electronic signature replaces a traditional handwritten signature. In addition, an electronic signature also ensures that the electronically signed contract cannot be altered afterwards without the alteration being detectable, and thus establishes confidence in the integrity of the document. Electronic signatures are governed by the Signature Act.
Electronic payment systems
Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?
The EU Directive on Payment Services in the Internal Market (2015/2366) was implemented in Austria through the Payment Services Act 2018, which contains stricter rules for online payment service providers. The focus lies on the regulation of new payment systems, which had been a grey area in Austria. Providers that initiate payments in online business will have to obtain a concession, and account information service providers will have to register with the Austrian Financial Market Authority. Further, they must also implement a customer authentication system when conducting online payments. Additionally, the confidentiality of the authentication data must be safeguarded.
Are there any rules or restrictions on the use of virtual currencies (eg, Bitcoin)?
The draft of the fifth Anti-money Laundering Directive contains the first legal definition of ‘virtual currencies’:
[a] digital representation of value that can be digitally transferred, stored or traded and functions as a medium of exchange, but does not have legal tender status in any jurisdiction and which is not funds as defined in point (25) of Article 4 of the Directive 2015/2366/EC nor monetary value stored on instruments exempted as specified in Article 3(k) and 3(l) of that Directive.
It is assumed that virtual currencies should also be considered in anti-money laundering checks. There are no special rules or restrictions on the use of virtual currencies in Austria.
Data protection and cybersecurity
Collection, use and storage
What rules, restrictions and procedures govern the collection, use and storage of personal data in the course of digital business in your jurisdiction?
The processing, collection, use and storage of personal data is generally governed by the EU General Data Protection Regulation (GDPR). Further details are governed by the Austrian Data Protection Act, which implements and supplements the GDPR while providing some special provisions for certain data processing activities. Special data protection provisions governing the collection, use and storage of personal data are contained in special laws for certain areas.
Further, for telecoms, electronic communication, electronic marketing and cookies, the Telecommunication Act 2003 prescribes additional rules and requirements for the processing of personal data in this regard.
International data transfers
What rules and restrictions apply to the cross-border transfer of personal data collected in the course of digital business?
The GDPR has eliminated the prior notification and approval obligations for international data transfers. Both formal acts are replaced by the data controller's internal record of processing activities, as well as mandatory data protection impact assessments for higher-risk data processing activities.
Regarding data transfers from a data controller to another controller, a concrete legal justification is required (eg, a legal obligation to transfer the data, the transfer is required to fulfil the contract with the data subject or the transfer is based on the data subject's consent declaration). Further, international data transfers to recipients outside the European Union and the European Economic Area (EEA) require an appropriate safeguard according to Article 46 of the GDPR (eg, binding corporate rules, standard contractual clauses or Privacy Shield certification).
Regarding data transfers to a mere processor, Article 28 of the GDPR requires the conclusion of a data processing agreement with a prescribed minimum content. Since the new regime requires a more detailed agreement, already existing data processing agreements will have to be amended in order to comply with the GDPR. Again, international data transfers to processors outside the European Union and the EEA require an appropriate safeguard according to Article 46 of the GDPR (eg, binding corporate rules, standard contractual clauses or Privacy Shield certification).
What rights are afforded to consumers in relation to their personal data?
The rights of consumers in relation to their personal data mainly derive from the GDPR. All data subjects have:
- a right to information (Articles 13 and 14);
- a right of access (Article 15);
- a right to rectification (Article 16);
- a right to erasure (Article 17);
- a right to restriction of processing (Article 18);
- a right to data portability (Article 20); and
- a right to object (Article 21).
Further, all data subjects have the right to withdraw consent declarations at any time with effect for the future and without affecting the lawfulness of processing based on the consent before its withdrawal.
In addition, every data subject has the right to lodge a complaint with the competent data protection authority (Article 77 of the GDPR and Section 24 of the Data Protection Act).
Finally, all data subjects may request compensation for material or non-material damages suffered resulting from an infringement of data protection provisions (Article 82 of the GDPR and Section 29 of the Data Protection Act).
- the processed data categories;
- the respective purposes of the processing;
- the legal basis;
- retention times; and
- potential data recipients.
What rules and standards govern digital operators’ response to data breaches? Are they subject to any notification requirements in the event of a data breach? What precautionary measures should be taken to avoid data breaches?
A data breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
According to Article 33 of the GDPR, the data controller must notify the competent data protection authority about every such data breach without undue delay, usually within 72 hours of having become aware of it. However, such a notification obligation does not exist if the data breach is unlikely to result in a risk to the affected data subjects. In order to meet the tight deadline, internal processes and sample data breach notifications should be implemented.
Further, according to Article 34 of the GDPR, the controller must additionally communicate the data breach directly to the data subjects without undue delay in case the data breach is likely to result in a high risk for the data subjects.
What cybersecurity regulations and/or standards apply to the conduct of digital business?
Cybercrime activities are currently criminalised under Austrian law.
The Criminal Code penalises (through monetary fines and imprisonment) certain cybercrimes, including:
- unlawful access to a computer system (hacking);
- breach of telecoms privacy;
- abusive interception of data;
- data corruption;
- disturbance of the functionality of a computer system;
- abuse of computer programs or access data; and
- data falsification.
Data security provisions are regulated in accordance with the GDPR and the Austrian Data Protection Act.
Further, the EU Directive on Security of Network and Information Systems (NIS Directive, 2016/1148) provides for additional security measures and was expected to have been implemented by 10 May 2018, although no formal steps have yet been taken. It is expected that the directive will be implemented through the Cybercrime and IT Security Act. The Ministry of the Interior is currently at the beginning of the legislative process to implement such an act, which is expected to be similar to the German IT Security Act.
Is cybersecurity insurance available and commonly purchased?
Cyber-risk insurance is available in Austria and is typically used by banks, insurers, healthcare providers and international companies of a certain volume. However, small businesses are not usually covered for cybersecurity risks.
Are there regulations or restrictions on the use of encryption?
Under the GDPR, encryption plays a vital role in ensuring the security of data (Article 32(1)(a)). However, there is no strict statutory requirement to use encryption.
Nevertheless, encryption is obligatory in certain areas of governmental use of data (eg, the electronic court system and health data systems). Encryption is also required by certain special data security obligations in specific areas (eg, online payment services).
What rules and procedures govern the authorities’ interception of communications and access to consumer data?
Section 1 of the Data Protection Act contains a strong fundamental right to data protection. The authorities are bound by this provision, which has the status of constitutional law. Restrictions of the fundamental right to data protection are possible only if the data subject consents, if vital interests are at stake, or if overriding public interests or the predominant legitimate interests of another person are at stake and there is a legal basis for the restriction. These limitations must be necessary and proportionate with regard to the purpose and nature of the processing.
Exceptions to this right exist primarily on the level of criminal law and police enforcement:
- Section 117 of the Criminal Procedure Code contains the rules for the search of places, objects and people;
- Section 118 specifies identification measures that enable the police to establish the name, gender, date of birth, profession and address of a person, as well as to determine their height, take photographs, record their voice and take fingerprints;
- Section 135(1) contains regulations for the seizure of letters and documents;
- Section 135(2) regulates requests for information on telecoms data processed by telecoms service providers or information society services; and
- Section 135(3) governs the monitoring of other communications and applies to the content of messages exchanged or transmitted by telecoms service providers or information society services.
There is also the possibility of covert observation pursuant to Section 129. It allows observation in the form of watching, following and tapping the person, as well as observing their post and telephone conversations, among other things. This kind of observation requires special conditions, such as the suspicion of an intentional crime and an authorisation by the public prosecutor's office. There are further gradations depending on the severity of the suspected crime and the intensity of the interference with the respective person's rights.
Advertising and marketing
What rules govern digital advertising and marketing in your jurisdiction?
Restrictions on sending electronic messages for marketing purposes pursuant to Section 107 of the Telecommunication Act 2003 are particularly relevant for digital advertising and marketing. According to Section 107, sending electronic messages (including emails and text messages) for marketing purposes usually requires the recipient's prior consent (opt-in).
Further, there is an obligation to clearly label online advertisements that are made against payment according to the Media Act. In addition, Austrian case law has developed restrictions on keyword advertising under trademark law.
Are there any specific regulations governing the use of targeted advertising?
There are no specific regulations governing the use of targeted advertising.
In practice, all targeted advertising activities usually require the prior consent of the affected person due to data protection and telecoms provisions.
Are there any restrictions or limitations on goods and services that can be advertised, marketed and sold online?
There are some restrictions and limitations in specific laws. For instance, according to the Medical Products Act, prescription-only medication must not be sold online, but can be purchased solely at registered pharmacies.
Further, pursuant to the Tobacco Act, tobacco products (including e-cigarettes) must not be advertised, marketed or sold online.
What rules and restrictions govern the sending of spam messages?
Electronic messages (eg, email and text messages) that are sent for direct marketing purposes usually require the recipient's prior consent (opt-in) according to Section 107 of the Telecommunication Act 2003.
Digital content and IP issues
Are websites and any other digital content required to display certain legal notices or other information in your jurisdiction?
According to the Media Act, the Company Law Act and the E-commerce Act, all websites and all other digital content that is available for a large group of persons must contain an imprint containing, among other things, the name and contact details of the respective entity or natural person publishing the content.
Liability for content
What rules govern liability for online or other digital content that is defamatory or infringes another party’s IP rights?
The E-commerce Act contains the core provisions on liability for online content. According to Section 18, the information society service provider is not obliged to monitor the content hosted, transferred or published. Thus, the service provider (eg, website provider) is generally not liable for digital content posted on its website that is defamatory or infringes another party's IP rights. However, the service provider is obliged to delete or block defamatory content or content that infringes another party's IP rights as soon as the provider becomes aware of such a situation.
How can liability be excluded or limited?
The E-commerce Act sets in place various liability privileges for internet service providers.
A host provider is not liable for the content of users if it has no knowledge of illegal activity and acts immediately on knowledge by removing or disabling access to the content.
Search engines and access providers are not held liable for the information transmitted if they have not initiated the transmission, selected or modified the information, or selected its recipients.
Further, responsibility is excluded for caching when the service provider:
- does not modify the information;
- complies with industry standards for updating and accessing the information; and
- immediately deletes or blocks access to the stored data after becoming aware that the information has been blocked or deleted at the initial source, or that an authority or a court has ordered the deletion or blocking of the information.
The service provider is not responsible for linking or referring to third-party content when it does not know about the infringement and when it is not obvious. Further, the service must delete the link or reference when becoming aware of the infringement.
Finally, according to general Austrian civil law and consumer protection provisions, it is possible to limit liability for damages to a certain degree. However, in particular, liability for damages caused by gross negligence or wilful misconduct cannot be excluded or limited. The same applies to liability for the violation of core obligations.
Which parties can be held liable for defamatory or infringing content? Can contingent liability be extended to internet service providers (ISPs)?
As a general rule, only the person actually publishing the defamatory content or infringing a third party's rights can be held liable. Thus, in their role as host or access providers, internet service providers enjoy several liability privileges and can be held liable only in certain scenarios (especially if they have concrete knowledge of the defamatory or infringing content). However, this does not exempt the access provider from being the target of cease-and-desist obligations. The access provider may also be forced to implement filter software to avoid future infringements.
Recently, the Vienna Commercial Court decided that the liability privileges require a neutral, merely technical role for the host provider (eg, providing connections and sorting data). As soon as the service provider filters the content, generates additional links, analyses users’ browsing behaviour and creates customised browsing suggestions, the provider cannot invoke the privilege of being a mere host provider. If this first-instance decision is upheld, it might have a significant effect on a number of platforms (eg, YouTube and Facebook), which would then have to check all content for legal violations in advance, as the judgment is not limited to copyright infringements.
What rules and procedures govern content takedowns? Can ISPs remove defamatory or infringing content without permission?
To avoid liability for defamatory or infringing content, an internet service provider should delete or deny access to impermissible content once it becomes aware of the infringement. There is no general obligation to monitor or screen content, provided that the service provider is a mere host provider. However, monitoring is required when there have already been infringements and the balancing of rights of the potential claimant and the hosting provider dictates that monitoring is necessary.
What rules, restrictions and procedures govern the licensing of domain names?
In general, there are no specific rules, restrictions or statutory procedures governing the licensing of domain names. However, the general rules on distinctive signs and designations under the Competition Act and trademark law must be considered when licensing domain names.
How are domain name disputes resolved in your jurisdiction?
Generally, best practice is to send a warning letter to the opposite party and to aim to settle the matter amicably before initiating court proceedings. There are no domestic alternative dispute resolution centres for domain name disputes. Domain disputes are often based on the Competition Act and trademark laws and are settled in court proceedings.
What special measures and safeguards should rights holders consider in protecting their online/digital content?
The following can be considered when protecting online and digital content:
- Online and digital content usually carries a clear copyright notice and a clear indication that the content may not be used without the permission of the rights holder.
- Online and digital content can be registered as trademark or design in order to prevent copycats.
- A stringent enforcement strategy and monitoring of infringements is essential.
How are online sales taxed?
Online sales of goods and services are subject to the general taxation rules set out in the Value Added Tax Act. There is no distinction between in-shop and online sales. The standard rate of value added tax (VAT) is 20%. Exceptions may apply to certain goods (eg, food, water, milk, books and newspapers), which are subject to a reduced VAT rate of 10%.
What other tax liabilities arise in respect of the conduct of digital business in your jurisdiction?
According to the Income Tax Act and the Corporation Taxes Act, income generated by a business is generally – depending on the business form – subject to tax. There is no distinction between business conducted solely as a digital business and non-digital business.
Jurisdiction, governing law and dispute resolution
Jurisdiction and governing law
How do the courts determine jurisdiction and governing law in relation to online/digital transactions and disputes?
Place of jurisdiction
In Austria, the general place of jurisdiction of the defendant applies in principle. Thus, the courts at the defendant's residence or seat are competent. However, the parties may agree on a deviating place of jurisdiction.
Nevertheless, in business-to-consumer (B2C) relationships, Section 14 of the Consumer Protection Act provides for restrictions and the general place of jurisdiction of the customer applies at all times. Hence, no deviating place of jurisdiction can be agreed on.
In case of cross-border transactions or disputes, the provisions of the EU Regulation on Jurisdiction and the Recognition and Enforcement of Judgments in Civil and Commercial Matters (1215/2012) apply. According to these provisions, the general place of jurisdiction also refers to the place of residence of the defendant. However, there are also special provisions regarding the place of jurisdiction in B2C matters. If an entrepreneur is sued by a consumer, the consumer may choose between the court of the company's registered office and the court of his or her own place of residence. A divergent agreement is possible only in very limited situations.
These general rules apply to online and digital transactions and disputes, as there are no specific or exceptional rules for these matters in Austria.
Governing law
Contractual relationships are usually governed by the law agreed between the parties. Unless the parties expressly agree on a specific governing law, the law of the country in which the party rendering the characteristic performance (usually the seller of a product or the provider of a service) is established applies.
In case of cross-border transactions or disputes, the EU Regulation on the Law Applicable to Contractual Obligations (Rome I, 593/2008) applies. According to these provisions, in the absence of choice, a contract for the sale of goods will be governed by the law of the country where the seller has his or her habitual residence and a contract for the provision of services will be governed by the law of the country where the service provider has his or her habitual residence. However, there are special provisions for consumer contracts. The consumer always enjoys the protection of the mandatory provisions at his or her country of residence – this protection cannot be amended by a choice of law.
These general rules apply to online and digital transactions and disputes, as there are no specific or exceptional rules for these matters in Austria.
Are there any specialist courts in your jurisdiction which deal with online/digital issues and disputes?
There are no specific courts dealing with online issues.
Alternative dispute resolution
What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?
In general, it is best practice before initiating court proceedings to contact an infringer directly through a warning letter and a declaration to cease and desist.
Consumers may also contact the internet ombudsman for disputes concerning online purchases in B2C relations or the Consumer Conciliation Board.
The European Union has implemented an Online Dispute Resolution Platform (Regulation 524/2013) specifically for online disputes.
Until recently, such alternative dispute resolution was not common in practice.