Last summer, and thus before the Austrian parliamentary elections in autumn, the Austrian legislator rushed the national Data Protection Adaptation Act 2018 (Datenschutz-Anpassungsgesetz 2018), which produced the Data Protection Act 2018 (DSG 2018), through parliament. In the pre-election phase the governing parties could not muster the two-thirds majority required to amend the constitutional law provisions that form part of the existing legal framework.
The solution back then: those constitutional law provisions simply remained as they were. The problem with this solution: content-wise, it did not make much sense. The most prominent example was the continued applicability of the fundamental right to data protection to legal entities, whereas the GDPR only covers natural persons with regard to the processing of personal data.
On 22 March 2018, members of the national parliament filed an application to amend the Austrian Data Protection Act in order to clarify certain aspects which have caused confusion over the last couple of months. Besides several provisions on matters of competence, the proposed "Privacy Deregulation Act 2018" (Datenschutz-Deregulierungs-Gesetz 2018) contains, inter alia, the following points which may be relevant from a company's perspective:
- No fundamental right for legal entities: As mentioned, there has been an ongoing (academic) discussion on whether the fundamental right to data protection applies to legal persons, since the Data Protection Act 2000 (DSG 2000) protected both natural and legal persons and Art 1 DSG 2018 was not rephrased. The Privacy Deregulation Act 2018 now contains a rephrased version of the fundamental right in Art 1 which explicitly narrows its scope to natural persons and also aims to improve readability. Apart from that, according to the explanatory recitals, the scope should not undergo any significant changes. Art 1 Para 3 makes explicit that the third-party effect (Drittwirkung) of the fundamental right to data protection remains unchanged.
- Rescue of the "Official Secret" (Amtsgeheimnis): The proposed new version of Art 4 Para 5 introduced by the Privacy Deregulation Act 2018 limits the data subject's right of access: if the controller performs sovereign tasks and providing the information would endanger those tasks, the right of access under Art 15 GDPR "does not exist". The EU law basis for this restriction is Art 23 GDPR, which provides a rather broad basis for restricting data subjects' rights under the GDPR, including for "public security" purposes (Art 23 Para 1 lit c). From a company's perspective the restriction only matters where a private body is itself entrusted with sovereign tasks.
- Mandatory DPOs for regional authorities: According to the recitals of the proposed Privacy Deregulation Act 2018, an insertion in Art 5 Para 3 is intended to clarify the obligation to designate a Data Protection Officer (DPO) in the public sector: the obligation is to apply only to bodies established under public law, in particular organs of a regional authority (Organ einer Gebietskörperschaft). Entrusted private bodies (Beliehene) are to be exempt from the obligation to appoint a DPO, unless one of the other grounds for designation in Art 37 Para 1 GDPR (lit b or lit c, i.e. large-scale regular and systematic monitoring, or large-scale processing of special categories of data or criminal data) applies rather than the "public authority or body" ground of lit a.
- The processing of personal data in the employment context: The current version of Art 11 DSG 2018 states that the Labour Constitution Act (Arbeitsverfassungsgesetz, ArbVG), insofar as it regulates the processing of personal data, is to be regarded as a rule within the meaning of Art 88 GDPR, and further that the powers granted to the works council under the ArbVG remain unaffected. The recitals abandon this approach. The proposed new version merely states that the powers of the workforce under the third main section of the ArbVG, in particular under its Paragraphs 89, 91, 96, 96a and 97, as well as the participation rights of the employee representation, remain unaffected as far as the processing of personal data is concerned. The recitals further state that not every violation of the ArbVG triggers administrative fines under Art 83 GDPR; however, violations of those protective provisions of the ArbVG which concern the processing of personal data are subject to the fining regime of Art 83 GDPR.
- Matching of images: Art 12 Para 4 Subpara 3 currently prohibits automatically matching personal data obtained from image recordings with other personal data. Read literally, this would even render face recognition features on mobile devices unlawful. The proposed amendment would permit such matching on the basis of explicit consent, in the sense of Art 4 Subpara 11 GDPR: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data. In other words, implied consent is not enough.
Since the GDPR itself already gives rise to numerous uncertainties, the proposed adjustments, which aim to contribute to clarification at least at the national level, are warmly welcome. At first glance, some of the proposals also appear to meet those expectations.