The EU General Data Protection Regulation ("GDPR") will apply from 25 May 2018 in all Member States and completely changes the Austrian data protection regime: instead of prior notifications to and approvals by the Austrian Data Protection Authority, the new system places responsibility on the individual company and requires a self-assessment of data protection compliance. The Authority will therefore assess the admissibility of any data processing only ex post, and has (for the first time) the power to directly impose harsh administrative fines. To increase the pressure, the GDPR foresees fines of up to 4% of the total worldwide annual turnover or 10 to 20 Mio Euro. Companies are therefore strongly advised to adapt their internal processes through diligent implementation, amendment and planning in order to prevent such fines.
About one year before the deadline, the long-awaited first draft of the new Austrian Data Protection Act, which is the national implementation and supplementation of the GDPR, was published ("Data Protection Act"). With the new set of rules, the existing special data protection provisions in Austrian law are adjusted to the requirements set out by the GDPR. The DORDA data protection experts — Axel Anderl, Felix Hörlsberger, Nino Tlapak and Dominik Schelling — have already extensively reviewed the first draft of the new Data Protection Act:
Surprisingly, the Austrian legislator uses only a few of the GDPR's flexibility clauses, and does so in a very moderate way. This intentional restraint in providing local deviations is in line with the interest in full harmonization of European data protection rules. Further, stricter rules beyond the GDPR's minimum requirements might have had negative impacts on Austria as a business location. Thus, we appreciate the Austrian legislator's minimalistic approach.
At the same time, the draft also foresees that specific local provisions and deviations from the GDPR might follow in other relevant Austrian laws, since the Data Protection Act shall be limited to the required general provisions. Thus, we will learn in the future whether the Austrian legislator keeps up its restraint or whether stricter local rules and a fragmentation of data protection provisions will come in through the backdoor of other specific laws.
Besides, it is in any case positive that a few local peculiarities causing additional effort when commencing business in Austria will be erased by the new draft or at least amended in a more practical way (eg regarding video surveillance).
The seven most important changes of the new draft in more detail:
1. Data of legal entities no longer subject to data protection provisions
Like the GDPR, the new Data Protection Act applies only to the processing of personal data of natural persons and will thus no longer cover data of legal entities. We already expected that the Austrian tradition of protecting legal entities by privacy provisions (unique even within Europe) would no longer be upheld. However, the new approach will have only limited impact, since practically every relevant data item can be assigned to a natural person (eg an employee or customer, as well as individual companies that do not qualify as legal entities). Besides, company know-how and trade secrets will be covered and protected by the EU Trade Secrets Directive, which is currently in the process of implementation.
2. No stricter obligations for private companies to appoint a data protection officer beyond the requirements of the GDPR
For the time being, the Austrian legislator does not require data controllers or processors to designate a data protection officer in cases other than those set out in the GDPR. Stricter rules would especially have been possible based on the company's size or – as done by Germany – based on the number of employees engaged in data processing activities. Thus, the designation of a data protection officer for Austrian companies still depends on the blurry GDPR criterion of "core activities". However, in cases where a data protection officer has to be appointed, the Austrian draft provides for some stricter confidentiality obligations.
3. No additional provisions for the record of processing activities and the privacy impact assessment
These two new sets of rules are the actual core of the GDPR and require most of the amendments within a company in practice: instead of a mere notification to the Authority, companies are required to internally record their processing activities as of 25 May 2018. In addition, more sensitive data processing activities are subject to a prior data protection impact assessment to be conducted by the company itself. These central new aspects are (intentionally) not even mentioned in the draft of the new Data Protection Act, since they apply directly under the GDPR. In particular, there are also no new guidelines on how to address the practically relevant issues of the internal documentation. However, the draft – in accordance with the GDPR – entitles the Authority to establish lists of processing operations which are (or are not) subject to an impact assessment ("Black and White Lists"). Nevertheless, the publication of these lists will still take some time due to the necessary EU-wide coordination between data protection authorities.
4. Data Protection Authority may impose fines directly against legal entities
As of today, Austrian law provides that administrative penalties may generally be imposed only against natural persons. This is also true when legal entities breach the law. Thus, in the latter case, it is especially the managing directors or a representative appointed under administrative law who are liable for administrative fines. This obviously cannot be upheld for the harsh penalties under the GDPR. As a result, the new draft of the Austrian Data Protection Act provides that the extremely high fines of up to EUR 20 Mio or 4 % of the total worldwide turnover shall primarily be imposed directly against the responsible legal entity. Besides, the Authority is still entitled to punish the natural persons in charge (again managing directors or representatives appointed under administrative law; not the data protection officer). However, unless the special circumstances of the individual incident require otherwise, only the responsible legal entity shall be fined. This legal mechanism, however, does not solve the problem concerning individual entrepreneurs: in this case, there is no legal entity that could bear the high fines. Thus, it remains open whether the current provisions and liability construct withstand a constitutional review (especially regarding the principle of equality).
5. Administrative penalties of up to EUR 50,000 for violations of Austrian-specific provisions
Besides, the draft of the new Austrian Data Protection Act provides for a catch-all administrative penalty of up to EUR 50,000 that applies to some less severe infringements of data protection provisions – in cases where no fines under the GDPR are triggered. This penalty shall especially cover violations of the Austrian-specific data protection provisions.
6. Reworded conditions for special processing activities
Further, the draft contains reworded provisions for special data processing activities, which have been adapted to meet the preconditions of the GDPR. At the same time, the Austrian legislator took past practical experience into account. In practice, the following areas are of particular interest:
- No amendments to data protection concerning employees' data: The already existing Austrian Labour Constitution Act (Arbeitsverfassungsgesetz, ArbVG) is generally declared to be the source of special provisions for the processing of employees' data. In this regard, the legislator assumes that no new or stricter rules are necessary – the current provisions and especially the case-law of the Authority are in any case rather strict and restrictive.
- Amendments on video surveillance ("image processing"): The completely reworded new provisions on "image processing" cover every observation of events (no matter whether systematic, extensive or done for surveillance reasons). This leads to an extended scope (eg photographs shall also be covered). However, the exceptions for permitted image processing have been extended and adjusted to practice. The draft especially allows the protection of private property as well as the surveillance of public areas based on overriding legitimate interests.
7. Data Processing Register abolished, proceedings closed
As the general notification obligation no longer exists, the Austrian Data Processing Register will be maintained until 31.12.2019 for archiving purposes only. This should especially enable the transfer of information in order to have a reliable basis for the new documentation (record of processing activities and impact assessment). However, as of 25 May 2018, no new registrations or amendments will be possible. Besides, notification and approval proceedings will be closed – except in cases where an approval is still necessary according to the GDPR.
Given the time pressure on companies to implement the new obligations, we hope that the new draft quickly passes the legislative process. Certainty on the legal framework is absolutely necessary – also considering the new strict fines.