On 12 May 2017 a Draft GDPR Implementation Act (“Draft”) was submitted to the Austrian Parliament and is now to be reviewed, assessed and commented on by various public bodies, organisations and groups.
With the GDPR Implementation Act the present Data Protection Act 2000 (Datenschutzgesetz 2000) will be repealed and a new Data Protection Act will be issued, which will become effective on 25 May 2018.
At first glance the Draft covers only a bare minimum of implementation: the major part of the Draft includes only the provisions necessarily required by the GDPR, and only a few of the facultative opening clauses are actually included. A large part of the Draft concerns only the implementation of Directive 2016/680.
The review of the explanatory notes confirms this first impression, as they state that the Draft shall mainly include the necessary implementation of the GDPR and only a few of the opening clauses. The ministerial working party has deliberately not used the openings within the GDPR, as it is of the opinion that the GDPR already provides a general rule which shall now apply in Austria without further specification.
Furthermore, the explanatory notes state that the majority of the opening clauses do not address general data protection matters and are therefore not to be included in the Draft. The ministerial working party was of the opinion that such “special” opening clauses should rather be implemented within the relevant specific laws, e.g. (presumably) the Employment Act or the Criminal Act.
On the other hand, the concern that the Austrian legislator would retain certain specific regulations of the current Data Protection Act 2000 that would not comply with the GDPR has not materialised, owing to the very minimalistic approach the ministerial working party took. As such, the various provisions of the Data Protection Act 2000 which were specific to Austria, such as the filing procedure or the obligation to obtain approval of the Data Protection Authority for an international data transfer even if the EU Model Clauses have been concluded, are not included in the Draft and will presumably no longer be part of Austrian law.
Scope of applicability and general provisions
The major change to Austrian law implemented by the Draft is that, following the scope of applicability of the GDPR, its applicability is limited to natural persons, meaning that legal persons are no longer included in the material scope as they are under the currently applicable Data Protection Act 2000. On this point, too, the Draft follows the provisions of the GDPR.
In its first section the Draft also stipulates the fundamental right to data protection, which has already been included in the current Data Protection Act 2000. In both versions it is formulated as a constitutional provision and as a human right, but the new wording is more comprehensible than the previous one. Furthermore, as the GDPR does not apply to legal persons, the scope of the fundamental right in the Draft has also been limited to natural persons.
Data protection officers and Data Protection Authority
The first of the main implementation aspects of the Draft is the set of specifications regarding data protection officers. The Draft states an explicit duty of confidentiality for data protection officers, although this shall not apply to information requests of the Data Protection Authority. Further, the Draft provides additional provisions regarding the data protection officer in the public sector.
Another main aspect of the Draft is the specification of the supervisory authority, which will be the Data Protection Authority (“Datenschutzbehörde”), organized as the sole national supervisory authority.
Remedies, Liability and Penalties
The third section of the Draft contains provisions specifying the implementation of remedies, liability and penalties. The implementation of administrative fines provides, to a certain extent, a possibility to impose fines primarily on legal persons, albeit in a very limited manner.
Under these provisions, the Data Protection Authority shall only be able to impose a fine on a legal person if one of its organs holding a management position is at fault for negligence or a breach of supervision. As to the scope of this provision, the ministerial working party refers in its explanatory notes to a similar provision within the Austrian Banking Act (“Bankwesengesetz”), whereby the primary liability of the legal person only applies where organs of the legal person are concerned and not when an employee is acting on instructions. This limitation may therefore not be in accordance with the GDPR, as the GDPR does not provide an opening clause allowing a Member State to implement such a limitation.
That said, the GDPR also does not specify how the remedies, liability and penalties provisions must be implemented as concerns the responsible persons, beyond the requirement that the remedies are “effective”, so it remains to be seen whether and how this manner of implementation is in line with the GDPR.
Processing for Specific Purposes
The provisions within section 5 of the Draft address data processing for specific purposes, as stated in Article 6 Sec 2 GDPR, and address points such as processing for the purpose of scientific research and statistics or in case of catastrophes.
This is one of the rare occasions on which the ministerial working party has made use of an opening clause. Unfortunately, the ministerial working party did not use the other opening clauses where, in our opinion, the GDPR is rather incomplete and further national legislation seems necessary. This concerns in particular the opening clauses provided in Articles 6 Sec 4 (processing for compatible purposes set out by member state law), 9 (processing of special categories of personal data) and 10 (processing of personal data relating to criminal convictions and offences) of the GDPR, even though this would have been necessary due to the very general regulation of the GDPR. It remains to be seen whether such provisions will be included in other laws; however, it is our opinion that provisions implementing the above-mentioned opening clauses should in any case be included in the Draft itself and not in other laws, as the ministerial working party suggests.
Processing of Employee Data
Similarly, as concerns employee data, the Draft contains only a provision stating that the existing provisions of the Employment Act (“Arbeitsverfassungsgesetz”) shall fulfil the requirements of Article 88 GDPR. According to the explanatory notes, the ministerial working party wanted to clearly express with this provision that the specifics of processing employee data shall not be included in the Draft but rather in the relevant labour laws. It remains to be seen whether the legislator will stand by this decision and create provisions in the relevant laws or whether there will be a modification of the Draft.
Video Surveillance / Processing of Image Data
It is quite surprising that the ministerial working party found it necessary to include in section 6 of the Draft provisions regarding the processing of images and video surveillance, especially in light of the very minimalistic approach to implementing the GDPR. The explanatory notes explain the implementation to be based on Article 6 Sec 2 and 3 in connection with Article 23 GDPR, even though we have major doubts that this approach is in line with the GDPR. It is at least our opinion that a clarification regarding the processing of data related to criminal convictions and offences or employee data would have been of greater importance than the processing of images.
Conclusion and outlook
To summarize, the Draft takes a very minimalistic approach to implementing the GDPR and leaves open many vital issues. As such, the Draft leaves the impression that the main intention was to initiate the legislative procedure and the discussion on the implementation, whereas the majority of important decisions regarding the implementation are postponed. It therefore remains to be seen how this draft will develop during the legislative procedure, but we expect either major amendments before the law is passed or further implementation actions amending other statutory laws.