The adaptation of the Austrian legal framework to the EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, has been quite hasty: the first draft of the new Austrian Data Protection Act (DPA), long awaited in view of the already overdue preparations for GDPR compliance, was only published in May 2017. The subsequent legislative process was bumpy and unusual:
Just three days prior to the vote in Parliament, crucial changes were made for political reasons. Some of these amendments also took into account the 111 statements submitted by various individuals, organisations and institutions during the public consultation phase of the legislative process. We (as the only law firm in Austria) also submitted some proposals for adjustment based on our long-standing experience in the field of data protection. Yesterday, the Austrian Parliament actually adopted the amendment of the Austrian Data Protection Act:
Instead of the planned complete revision of the Austrian data protection framework, an entirely different approach was chosen for political reasons: apparently, the Austrian government did not expect to achieve the two-thirds majority in Parliament required for constitutional changes. Since the Data Protection Act also contains constitutional provisions, it could not be repealed but has "merely" been amended. In effect, the GDPR amendment was packed into the old shell of the Austrian Data Protection Act of 2000, which leads to structural issues.
Nevertheless, the newly adopted DPA (the full text is available in German here) indicates that at least some comments and statements received from the public during the consultation phase were taken into account. Compared to the first draft (you can find our overview here), the following changes are of particular relevance:
The old wording of the constitutional right to data protection remains unchanged: as a consequence, the fundamental right still covers personal data of legal entities, which is not supported by the GDPR. The constitutional provision is thus in breach of the GDPR. Since the new Act does not, however, explicitly extend the GDPR to legal entities, the constitutional clause has to be interpreted narrowly and does not actually grant any additional rights.
Age for a child's consent lowered to 14 years: based on Art 8 GDPR, the new Act provides that children may consent to data processing in the context of information society services from the age of 14, instead of 16 as stipulated by the GDPR and by the first draft of the new Austrian law. This is, as requested in our opinion submitted in the legislative process, beneficial in practice given the intense use of digital services (such as apps or social media) by young people.
New provisions on the processing of criminal data: Art 10 GDPR generally provides that data relating to criminal convictions and offences may only be processed "under the control of official authority", unless otherwise authorised by Member State law. In practice, this general rule is especially bothersome for CCTV systems and whistleblowing hotlines, as these processing operations are used to identify potential offenders and thus potentially process criminal data. The Austrian legislator closed this potential gap: the new DPA provides that criminal data may also be processed on the basis of legitimate interests pursued by the controller.
However, the constitutionally questionable provisions on the imposition of fines by the new data protection authority remain unchanged (see further details here). At least the official explanatory remarks to the new DPA state that, as a general rule, companies are liable and that an additional fine on individuals is to be imposed only in special circumstances.
Further, practical rules facilitating data processing in the field of scientific research are to follow in specific laws. Until then, however, the rather strict general provisions of the DPA, which simply carry over the old Austrian regime, remain unchanged.
It is also unclear whether existing consent declarations, lawfully obtained under the current data protection framework, remain valid under the GDPR. The Austrian legislator merely refers to recital 171 of the GDPR, which does not create sufficient legal certainty. We had suggested that, in line with the German approach, consent declarations obtained and valid under the current law should remain enforceable (without a double check under the GDPR).
Overall, it is definitely positive that the new Austrian data protection regime has finally been adopted, since all companies doing business in Austria are at least given a legal basis for their GDPR compliance projects. The big downside is, however, that the political circumstances resulted in a weaker solution, which also raises some constitutional issues, instead of the originally planned complete restart. Further, the rapid and chaotic legislative process gives rise to the fear that further data protection provisions may follow in specific laws rather than in the central DPA, in order to close potential gaps or to satisfy the wishes of various stakeholders, thus fragmenting data protection law.