The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) is intended to directly and comprehensively regulate data protection throughout the European Union. However, the GDPR contains a number of so called ‘opening clauses’ granting Member States the discretion, and even a certain degree of leeway, to implement domestic laws to specify the GDPR. Further, in some cases, Member States are even obliged to provide for specifications on a national level. Several Member States (for instance Germany) have already adopted respective provisions. The long awaited legislative process has now also been initiated in Austria through the official publication of the consultation draft for the new Austrian Data Protection Act on 12 May 2017 (available here). This draft law will, on the one hand, adopt accompanying measures to the GDPR and, on the other hand, implement the Directive on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (Directive (EU) 2016/680). The draft law will also repeal the current Austrian Data Protection Act 2000 (Datenschutzgesetz 2000) and introduce a new data privacy act, which will enter into force simultaneously with the GDPR on 25 May 2018.
The draft law in its current form follows a rather cautious approach towards the utilisation of national deviation margins and, thus, should only have a limited effect on ongoing GDPR preparations. It remains to be seen, however, if any new accompanying provisions will be adopted for employee data protection before 25 May 2018, which would have to be considered for data privacy compliance purposes. Further, since the legislative process has just started, it is expected that a number of amendments will be made to the draft law. In the course of the parliamentary evaluation procedure, statements to the draft law may be submitted until 23 June 2017.
The key points of the draft law may be summarized as follows:
- In the current data protection regime, the data of legal persons is also protected in the same way as data of natural persons. This approach has been abandoned in the draft law. Like in the GDPR, starting from 25 May 2018 only natural persons will be protected by the new data privacy regime.
- As in the current Data Privacy Act, the new data privacy act will contain a fundamental right to data privacy. The horizontal direct effect of this fundamental right is going to be expressly acknowledged: the fundamental right to data protection may not only be invoked against state entities but may also be relied upon against undertakings or natural persons.
- The current special provisions regarding photographic data and video surveillance (regulated under the title “Bildverarbeitung”) remain basically unchanged. In particular, the applicable far-reaching justifications for the processing of photographic and video data in Austria will remain in place. E.g. according to the draft law, the overriding legitimate interests of the data controller may justify certain video surveillance activities. These extensions to the GDPR with regard to photographic data and video surveillance will have to be monitored closely in the ongoing legislative process.
- The provisions regarding data secrecy (which have no equivalent under the GDPR) as contained in the repealed data protection law will be kept in place. In Austria, data controllers and data processors must follow these additional requirements and ensure that their employees also comply with these requirements for data secrecy.
- Regarding employee data protection, the GDPR contains a very wide opening clause. The draft law does not contain any substantial provisions on employee data protection. As a result, data protection in the employment context will have to be regulated through specific provisions in the employment law regime. It remains to be seen if the legislator will adopt new provisions or amend the existing ones in this context before the GDPR enters into force.
- The processing of personal data for journalistic, scientific, artistic or literary purposes does not fall under the scope of the GDPR or the draft law to the extent necessary to balance the right to data protection with the freedom of speech and the right to information.
- The draft law contains special provisions for specific data processing activities: for example, in the context of the processing of data for scientific research and statistics, supplying addresses for information and question purposes, or the processing of personal data in disaster situations.
- The draft law specifies procedural provisions for proceedings before the Austrian Data Protection Authority.
- When it comes to fines imposed on legal persons, the draft law provides that the Austrian Data Protection Authority may only impose fines if one of the legal person's officers or representatives has engaged in misconduct or has failed to comply with their supervising obligation. This limitation is not in line with the GDPR, according to which the mere misconduct of any employee belonging to the respective undertaking may result in a fine for the undertaking itself. Thus, undertakings are well advised to implement respective technical and organisational safeguards to avoid data protection infringements by their employees. According to the draft law, GDPR infringements may also result in fines for a responsible person as per Section 9 of the Administrative Penal Act (§ 9 Verwaltungstrafgesetz 1991). This contradicts the GDPR, as under the GDPR only the undertaking itself is subject to sanctions (e.g. fines), but not its representatives or officers.
- Some of the administrative fines which are already contained in the current data protection act will remain (new maximum penalty up to EUR 50,000) and apply parallel to the respective sanctions as per the GDPR.
- As with the current data protection act, processing data with a profit motivation or the intent to cause damage will remain a criminal offence.
- So far, the legislative competence for the protection of manually processed data lies with the Provinces. With the draft law, data protection will now in its entirety constitute an exclusive federal legislative competence.
- The implementation of the Directive (EU) 2016/680: as the draft law refers to (substantially similar) concepts in the GDPR, this should lead to a very streamlined implementation of the directive.