Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Even though cybersecurity and, as a related topic, cybercrime have a long history in Austrian rules of law, efforts to establish dedicated and detailed rules on cybersecurity that are binding, not only for governmental agencies and (partially) state-owned companies but also the private sector, are fairly recent.
The first legal provision on cybersecurity in its widest sense was article 10 of the then new Austrian Data Protection Act (DSG 1978), which entered into force in 1980. In this provision, data processors were obliged to set up work rules regarding data security, such as measures for access security or software testing. Although the provision did not contain any details on the required rules and, further, took economic and technical feasibility into account, it required these internal rules to be approved by the Austrian Data Protection Commission (now the Data Protection Authority, or DSB), thus granting at least a minimum level of homogeneity.
In hindsight, article 10, despite its lack of detail, provided a solid basis for a unified understanding of required data security measures. But in 1987, this provision was amended with far-reaching consequences: first, the new article 10 no longer required data security measures to be compiled in a set of work rules; and second, the requirement for approval by the now DSB was removed. However, the modified provision still took into account the economic and technical feasibility of the measures as well as their adequacy related to the processed data.
In Austria, a country dominated by small and medium-sized enterprises, the flexibility of article 10 DSG 1978, coupled with a legal and factual lack of control of the security measures taken, has led to wide variation in levels of cybersecurity and has, in extreme cases, led to very small enterprises not taking any relevant security measures at all, arguing that they were neither economically feasible nor required by the type of processed data. Unfortunately, this relatively toothless rule has found its way into article 14 of the current Austrian Data Protection Act (DSG 2000) in mostly unmodified form. Although article 14 DSG 2000 applies to data controllers and data processors alike and corresponds in essence to article 17 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the EU Data Protection Directive), it is, nevertheless, a step backward from its predecessor, article 10 DSG 1978. As of 25 May 2018, however, the DSG 2000 was replaced by Regulation (EU) No. 2016/679 (the General Data Protection Regulation) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which provides for slightly more detailed rules on data security in its article 32.
The first cybercrime-related rules were established in 1987 with articles 126a and 148a of the Austrian Criminal Code (StGB). These provisions penalised the damaging of data and the abuse of automated data processing (including the modification of processed data as well as the processing software), respectively. Depending on the damage caused, these actions were punishable by imprisonment for up to five or 10 years respectively.
In 2002, Austria adopted the Council of Europe’s Convention on Cybercrime, modifying the StGB to also penalise acts such as the illegitimate access to a computer system (article 118a) or the abusive interception of data (article 119a).
With these provisions of the DSG 2000 and the StGB, a first basic set of cybersecurity rules was in place, obliging enterprises to take protective measures while protecting their efforts and systems by means of the Criminal Code.
Although it was not until 2014 that new legal rules on cybersecurity were announced, Austrian private entities as well as the federal government were far from inactive in the meantime.
The first industry-wide initiative to centrally collect and manage cybersecurity incidents from the private as well as the public sector was the Computer Incident Response Coordination Austria (CIRCA), established by the Internet Service Providers Association (ISPA) in cooperation with the Austrian Federal Chancellery. In 2008, CIRCA was incorporated into the newly created Austrian Computer Emergency Response Team (CERT) as well as the Austrian Government Computer Emergency Response Team (GovCERT), with the former being primarily operated by NIC.at, the Austrian domain registry, and the latter by the Federal Chancellery. Though factually important and well recognised, the main purpose of both CERT institutions lies in the collection of information on incidents and the coordination of the incident response. As such, both institutions may only advise on prevention measures but have no authority to demand certain actions.
Apart from these two most important CERTs, there are others established at authorities or formerly state-owned enterprises, such as the City of Vienna, A1 (the former state-owned telephone operator) or the Austrian Federal Computing Centre (BRZ), which is the former federal data centre and now e-government partner of the federal administration in Austria. These are all organised in the Austrian CERT network, which was established in 2011.
The most recent addition to the Austrian organisations active in the field of cybercrime is the Cyber Crime Competence Centre (C4), which was established in 2012. In contrast to the CERTs, C4’s aim is to actively combat cybercrime. Therefore, its personnel consists of members of the Austrian Federal Police as well as the Austrian Federal Ministry for Internal Affairs.
In May 2014, the Austrian government announced the introduction of a dedicated Austrian Cybersecurity Act. This announcement came in the wake of similar efforts in Europe, most notably the presentation of the draft version of a Network and Information Security Directive by the European Commission in February 2012, in the meantime published as Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, and of a German law on cybersecurity (the IT Security Act) in March 2013. In June 2016, a White Paper was published that contains recommendations for the planned Austrian Cybersecurity Act. Following these recommendations, the new Act will be a transposition of the Network and Information Security Directive into Austrian law, taking into account Austria’s experiences in combatting cybercrime so far, as well as the government’s Austrian Strategy for Cybersecurity, which is based not only on general experience but also on the results of larger scale cybersecurity exercises held for the purpose of evaluating and improving cyber defence readiness.
While the promised draft of the Austrian Cybersecurity Act was still outstanding, another law established itself as the first legal act to require Austrian companies to ascertain an appropriate level of cybersecurity: Regulation (EU) No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, better known as the General Data Protection Regulation (GDPR). This Regulation first and foremost aims at protecting personal data (ie, data by which a natural person can be identified). However, in contrast to the currently existing rules on data protection, the GDPR is no longer satisfied with requiring companies to have appropriate contractual provisions in place but explicitly also requires appropriate technical and organisational measures, thus, basically, cybersecurity measures.
In the meantime, the Austrian government has revived the Cybersecurity Act as the Network and Information Systems Security Act (NISG) and submitted a draft to the Austrian Parliament on 21 November 2018.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
According to the official communications of the Austrian government, the envisioned NISG should ultimately regulate a broad selection of public as well as private entities. However, at first the focus should lie on public authorities including courts and private providers of critical infrastructure, in particular, finance, communication, energy and transportation. However, as the NISG will be a transposition of the NIS Directive, which already goes slightly beyond the regulation of critical infrastructures, its scope is expected to be the same.
The Austrian communication industry, including internet service providers, already has a head start in the field of cybersecurity. This is not only because of IT forming the core or at least a substantial part of its business, but also owing to the involvement of the Austrian communication industry in the CIRCA and now CERT. The same applies to a few public authorities, most notably the Austrian Federal Chancellery and the BRZ. These entities are also the ones to have made the most progress towards promoting cybersecurity.
Other industries, however, still need to improve to varying degrees. For instance, the financial sector in Austria features some leading as well as, unfortunately, some less stellar examples. The Austrian energy sector has in the past mostly focused on downplaying the potential risks of networked power grids and smart metering in the media. The transportation sector has also appeared unevenly prepared to face cybersecurity challenges, with, for example, the Austrian Federal Railway (ÖBB) being one of the positive examples.
In 2014, the initiative Trust in Cloud (www.trustincloud.org) was launched by EuroCloud Austria, the Austrian association of EuroCloud Europe, an independent non-profit organisation. Participants include national and international enterprises from the IT sector, but also public and private entities from other sectors, such as the Austrian Federal Chancellery, the ÖBB, an international supermarket chain and an international producer of skiing equipment. Though the aim of the initiative is to promote cloud computing in general, cybersecurity is one of the major focal points.
In general, the discussion around cybersecurity in recent years has benefited Austrian businesses, turning a problem most would refuse to talk about for fear of gaining the reputation of not being secure enough into something that could affect anyone, no matter how well prepared. A significant degree of improvement of awareness, as well as of readiness, could be noted in the course of the many expert discussions during the conception of the NISG, as well as during the cybersecurity exercises held for the same purpose. The Austrian government today claims that Austria is a model example of cyberthreat readiness. Though this evaluation may need to be taken with a grain of salt, it is nevertheless true that Austria is among the better-prepared member states of the European Union.
With the GDPR entering into force on 25 May 2018, for the first time any and all companies are subject to binding, though as yet not detailed, rules on cybersecurity.
Has your jurisdiction adopted any international standards related to cybersecurity?
The Austrian Standards Institute (ASI), which is the Austrian member of the European Committee for Standardization and the International Organization for Standardization, has adopted all relevant international standards related to cybersecurity, most notably, ISO/IEC 27001:2013 (currently ÖVE/ÖNORM EN ISO/IEC 27001: 2017 07 01 in Austria).
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Though Austrian law knows the concept of responsible persons (ie, employees responsible for certain areas of business within their company), this concept does not extend to cybersecurity or (unlike, for example, Germany) even data protection. Thus, managerial employees or directors in Austria are liable only according to the general legal rules, which basically means that they need to act with due diligence and with the care of a prudent businessperson, as set forth by Austrian law and further detailed by rulings of Austrian courts.
The GDPR requires any company or organisation to periodically verify the effectiveness of the technical and organisational measures they have taken and to document the results. This obligation exists irrespective of whether the company or organisation in question is required to have a dedicated data protection officer. However, as before the GDPR entered into force, the consequences of default are generally borne by the company rather than any internally responsible employee or the director.
How does your jurisdiction define cybersecurity and cybercrime?
Austrian law knows no definition of either cybersecurity or cybercrime. Though article 32 GDPR stipulates data security measures, it does not define data security, much less cybersecurity. Also, the StGB penalises and defines certain acts of cybercrime, though it lacks a general definition of cybercrime as a whole.
In any case, cybersecurity in Austria is distinct from data privacy. Even though neither term is defined in Austrian law, from the provisions of the laws containing relevant provisions, above all the GDPR and the StGB, it becomes apparent that data privacy in Austria primarily deals with the rights and obligations related to the usage of data obtained legitimately, while the aim of data security as an aspect of cybersecurity is to prevent illegitimate access to and use or abuse of data.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
Article 32 GDPR requires any controller or processor of personal data to implement measures to ensure data security. However, such measures need to take into account the type, extent and purpose of the processed data, the state of the art and the economic feasibility.
Therefore, even though this provision does stipulate minimum protective measures, it is not clear what the minimum requirements in each case may be. Further, this provision only applies to personal data rather than any type of data.
As a result, in the field of cybersecurity, industry standards and the recommendations of the CERT and GovCERT are more important in Austria than legal rules. This is especially true for relatively new technology such as cloud computing or the issues associated with various forms of ‘bring your own device’.
Of course, the GDPR explicitly mentions that the European Commission, national data protection authorities and industry-specific organisations should define recommendations and standards for appropriate technological and organisational measures. These will, in the end, set forth the minimum requirements for cybersecurity any company will need to meet. Currently, however, apart from individual rulings, the only binding rules and guidelines issued by the Austrian Data Protection Authority are two regulations on privacy impact assessments (PIA): one listing processing operations that do not require a PIA to be performed (DSFA-AV, published 25 May 2018) and one listing processing operations that in any case require a PIA to be performed (DSFA-V, published 9 November 2018).
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
Article 40(e) and (f) of the Austrian Intellectual Property Act stipulates rules on decompilation of software and the use of databases, respectively. While these rules do not address cyberthreats specifically, they are the only ones addressing this subject explicitly within the context of intellectual property.
Where cyberthreats to intellectual property involve acts of cybercrime, the rules of the StGB apply.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
Currently, no Austrian laws exist that specifically address cyberthreats to critical infrastructure. Though the deadline for transposition of the NIS Directive, which establishes rules explicitly on this topic, into national law by the member states ended on 9 May 2018, it wasn’t until 19 September 2018 and 21 November 2018 that the responsible ministry and then the government respectively submitted drafts for a Network and Information Systems Security Act (NISG). Once that act has entered into force, it will introduce such rules also in Austria and in effect introduce the new EU standards.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
Austria does not have any laws that would serve to restrict the divulging or sharing of information related to cyberthreats or cybersecurity incidents. On the contrary, the upcoming NISG is planned to oblige affected companies or institutions to report not only cybersecurity breaches, but also incidents such as unsuccessful breaching attempts or activities that might indicate an impending attack. For this purpose, the planned NISG will most probably further require companies or institutions to which it applies to set up an effective cyber risk management system.
The GDPR also sets forth data breach notification requirements. However, the national data protection authorities only need to be informed if the breach may result in a risk to the rights and freedoms of natural persons. Such risks, however, may be avoided (eg, by appropriate encryption measures).
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
The principal acts of cybercrime, relevant to businesses, which are penalised by the StGB depending on the amount of damage caused, are:
- illegitimate access to a computer system (article 118a);
- breach of telecommunication secrecy (article 119);
- abusive interception of data (article 119a);
- abuse of audio recording or listening devices (article 120, paragraph 2a);
- damaging of data (article 126a);
- disruption of the functionality of a computer system (article 126b);
- abuse of software or access data (article 126c);
- fraudulent abuse of data processing (article 148a); and
- forgery of data (article 225a).
The fines are determined by the income of the culprit. Therefore, neither a minimum nor a maximum amount is stipulated by Austrian law.
How has your jurisdiction addressed information security challenges associated with cloud computing?
For the time being, the Austrian government, on the one hand, has not specifically addressed any of the challenges associated with cloud computing. On the other hand, private and non-profit organisations, such as EuroCloud Austria or the Austrian Chamber of Commerce, have made significant efforts to educate providers and especially (private and business) users of cloud computing solutions, be it by means of events or publications, such as White Papers or even a recommendation catalogue relating to cloud contracts (some of these publications are available in English and can be obtained from the website of EuroCloud Austria: www.eurocloud.at).
Currently, the most important Austrian initiative regarding cloud computing is Trust in Cloud (www.trustincloud.org), which has formulated recommendations to the Austrian government, among others, in the field of cybersecurity. As the Austrian Federal Chancellery takes part in this initiative, it is realistic that those recommendations will be taken into account in the future.
To what extent cloud computing will be addressed in the planned NISG remains to be seen. In the current draft, published and submitted to the Austrian Parliament on 21 November 2018, cloud computing is defined as a specific type of ‘digital service’ and the same rules are planned to apply to cloud computing offerings as to other digital services, thus making no principal distinction. It remains to be seen whether this generalised approach will be upheld.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
According to the current draft of the NISG, published 21 November 2018, only businesses offering regulated services in Austria - that is, services regulated by the NISG - with at least a branch office in Austria will be affected. In contrast to the NIS Directive’s article 18, foreign businesses desiring to provide regulated services in Austria are not obliged to designate a representative. Such businesses would thus be exempt from the NISG, unless other legal rules require them to establish a branch in Austria.
In any case, the rules of the European Union regarding the free movement of goods and services will need to be observed. In principle, this would mean that businesses already established in the European Union, be it with a seat or a representative, should fall under the jurisdiction of the member state in which they are established. In contrast to this, the current draft of the NISG applies the Austrian rules to all affected businesses with seats or branches in Austria, irrespective of whether they are also established in any other EU member state. Exceptions are only envisioned to be granted after consultations between the relevant authorities in Austria and the other relevant member states.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
As there are currently no substantial laws on cybersecurity in Austria nor binding guidelines or best practices established on grounds of the data security requirements set forth in the GDPR, enterprises need to rely on industry standards and recommendations by various organisations and authorities.
The first contact in the field of cybersecurity in Austria is the CERT for private entities and the GovCERT for the public sector. Both institutions not only coordinate responses to cyberthreats but also advise on prevention measures. Thus, they constitute the most important contributors to a harmonised understanding of required and recommended cybersecurity measures. To facilitate intra-sectoral exchange of information, sector-specific CERTs are planned with the Austrian Energy CERT for the energy sector already being established. Additionally, sector-specific cybersecurity exchanges for providers of various critical infrastructures have been established in the form of the Austrian Trust Circles.
Further, interested parties can find a multitude of freely available publications on this topic; for example, from the Federal Ministry for Internal Affairs, the Chamber of Commerce or associations specialised in IT topics.
It remains to be seen whether or how far the relevance of these institutions and their recommendations will be affected by the planned Cybersecurity Act and whether they will participate in formulating recommendations in accordance with the GDPR, since the current draft of the NISG envisions the establishing of a new and separate authority for the purpose of reporting and coordination of cybersecurity events.
How does the government incentivise organisations to improve their cybersecurity?
Although the Austrian government is very active in promoting cybersecurity directly as well as indirectly (eg, by means of the GovCERT), there are currently no incentives in this context.
Judging from the discussions on the NISG and the current draft, it is currently expected that the Act will not change this situation but rather follow the ‘classical’ approach and penalise inadequate cybersecurity measures.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
In Austria, ÖNORM ISO/IEC 27001: 2017 07 01 (which can be obtained from the ASI against payment) as well as the recommendations of the CERT (available from their homepage: www.cert.at) can be regarded as the main industry standards and codes of practice in the field of cybersecurity.
Comprehensive guidelines summarising the relevant rules and recommendations, as well as a checklist created specifically for very small enterprises, have been created by the Austrian Chamber of Commerce and can be obtained from the microsite: www.it-safe.at.
Are there generally recommended best practices and procedures for responding to breaches?
Best practices and procedures can be derived from industry standards or recommendations of the CERT. They may vary depending on the type, severity and potential danger of a breach. Thus, there are no general rules apart from containing the breach and saving any information for later analysis.
After the incident it is considered best practice to have the existing data analysed by a trustworthy and independent third party to determine the methods and reasons for which the system could be breached and to take measures to prevent such occurrences in the future.
It is possible that further recommendations and best practices may arise owing to the GDPR.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Voluntary information on cyberthreats should be addressed to the CERT (or the GovCERT, in the case of a public entity) by means of an email containing:
- details of where the incident has occurred (eg, IP address, website);
- details of the nature of the incident (eg, a virus, a DoS attack);
- details of how the incident has been noticed (eg, log files);
- a request for feedback; and
- an electronic signature.
As there are no recommended standard procedures that the notifying entity can follow in the meantime, it will need to wait for a response from the CERT. In any case, records of the incident should be saved in case they are destroyed or modified during the incident.
Unfortunately, there are currently no incentives to voluntarily disclose information on cyberthreats, apart from peer pressure within the industry.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
In the field of cybersecurity, cooperation between the private and the public sector has a long tradition in Austria, its first highly visible project being the CIRCA, established in 2003 by the ISPA and the Federal Chancellery.
Nowadays, the cooperation continues mainly within the Austrian CERT network, where the most important stakeholders from the private and public sectors are united either directly or indirectly through the participating CERTs. Within this network, not only is the collected information on incidents or threats exchanged, but the incident response and the advice on prevention measures are also coordinated.
The results are then propagated by the participants to other organisations, such as the Chamber of Commerce, which issue recommendations to their members, usually in the form of publications. Of course, the flow of information works both ways.
In December 2014, Curatorship Safe Austria, an independent association focused on issues related to internal security, organised a large-scale cybersecurity exercise focused on threats to critical infrastructures, in which, among others, the CERTs, the Federal Ministry for Internal Affairs and various private enterprises participated. The aim of the exercise was to optimise communication between the participants, especially the stakeholders as well as the organisations serving as information hubs for their respective sectors. Smaller exercises were conducted annually in the following years. The results and experience gained during those exercises were taken into consideration in white papers on cybersecurity published by the Curatorship Safe Austria in early summer of the following year, containing recommendations for the then planned Austrian Cybersecurity Act, now NISG.
Further cooperation is expected in the issuing of industry-specific recommendations according to the GDPR.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Insurance against cybersecurity incidents, covering the costs of, for example, data recovery or downtime, is offered by every major insurer active in Austria. In detail, the covered risks, of course, vary from offer to offer, with some providing cover even in cases of negligence or fault.
Despite the availability, cybersecurity insurance is as yet far from common. It remains to be seen whether this will change upon the introduction of the NISG.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
Currently, as the GDPR provides the only regulatory rules regarding cybersecurity, the DSB is solely responsible for enforcing data security rules and penalising non-compliance in Austria.
According to article 83, paragraph 4 GDPR, the DSB may impose a fine of up to €10 million or up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, on any business that has failed to implement the data security measures set forth in article 32 GDPR.
The prosecution of cybercrime is handled by the C4, which acts as a special unit of the Austrian Federal Police or the Austrian Federal Ministry for Internal Affairs, as the case may be. Therefore, the powers of the C4 equal those of the authority they represent.
Breaches of the GDPR (thus, also a breach of the provision on data security measures) constitute an act of unfair competition under Austrian law. As a consequence, enterprises may call upon the courts if they accuse a competitor of breaching data privacy or data security provisions. In practice, owing to the very low fines the DSB has imposed in the few months since the GDPR entered into force, despite much higher ones being possible by law, this poses the most relevant risk of litigation in the context of the GDPR.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
In the case of a data breach notification according to article 33 GDPR or an alleged breach of data security provisions, the DSB initiates formal proceedings in which it can request statements and documents from any company concerned. Should the DSB find that the company has failed to comply with or document the data security rules set forth in article 32 GDPR, the DSB, similar to Austrian courts, is entitled to base its decision on the facts at hand, but it cannot force the company to disclose any further information.
The C4, however, has access to all measures available to the Austrian Federal Police or the Austrian Federal Ministry for Internal Affairs. Thus, they are, for instance, even able to have documents confiscated. Since they are limited to the prosecution of cybercrime, however, they may not use their powers to merely monitor compliance with or prosecute infringements of data security rules.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
Because of the current state of cybersecurity rules in Austria, no enforcement actions have been brought against the concerned companies by the Austrian authorities. Though this most likely will change owing to the GDPR, changes are not expected to take place before binding and thus enforceable rules and guidelines exist. In the publicly known cybercrime cases, especially attacks by the hacktivist group Anonymous, Austrian police have prosecuted the participating persons with varying degrees of success. However, no enforcement measures have been taken against the companies and institutions whose IT systems have been breached. Rather, they have received support from cybersecurity organisations to better secure their systems for the future.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
Before 25 May 2018, apart from court actions by competitors, the only possible penalty under Austrian law was a fine of up to €10,000, which could be imposed by the DSB. Since 25 May 2018, article 83, paragraphs 4 and 5 of the GDPR respectively allow administrative fines of up to €10 million or €20 million or, in the case of an undertaking, up to 2 per cent or 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
See question 20.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
The two data breach provisions in Austrian law are articles 33 and 34 GDPR.
According to article 33, the controller must notify the DSB without undue delay and not later than 72 hours after having become aware of a personal data breach. A notification may only be omitted if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where a breach has occurred at a processor, the processor must notify the controller, who will then notify the DSB.
Irrespective of whether a personal data breach may result in a risk to the rights and freedoms of natural persons, and thus requires notification to the DSB, the controller is obliged to document each breach, comprising the facts relating to the personal data breach, its effects and the remedial action taken. This documentation has to be presented to the DSB upon request to enable the DSB to verify compliance with article 33.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is furthermore obliged to notify the affected data subjects (ie, natural persons) without undue delay. However, appropriate remedial or technological measures (eg, secure encryption of the personal data) may be considered to lower the risk enough to relieve the controller of the notification duty of article 34 GDPR. Unlike under the former Austrian notification rule of the DSG 2000, controllers may not simply omit notifying the data subjects where individual notifications would involve disproportionate effort. Rather, they are then obliged to communicate the personal data breach publicly instead.
The DSB may review the controller’s interpretation of the severity and possible consequences of an incident and either oblige the controller to inform the data subjects or confirm that the level of risk is sufficiently low for such notification to be omitted.
These provisions, however, only apply to breaches where personal data is affected. As a result, no notification requirement exists for cyberthreats or breaches where no personal data is involved (though the latter is statistically quite unlikely).
That said, it is expected that the planned NISG will introduce data breach notification requirements that will go well beyond the scope of articles 33 and 34 GDPR.
Article 83, paragraph 4 of the GDPR allows the DSB to impose fines of up to €10 million or 2 per cent of the total worldwide annual turnover of the preceding financial year if the data breach notification and documentation requirements are not met.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
As a result of the lack of any specific rules on cybersecurity and on the consequences of non-compliance, private redress can only be sought before the civil courts under general tort rules. This means that any person seeking redress would need to claim a concrete amount of damages and also prove that damage in the claimed amount was actually caused by the defendant.
Even in the case of a breach of data protection rules, parties would need to call upon the civil courts for any redress, as the DSB may only impose fines. Nevertheless, a decision of the DSB would be required in such a case to determine whether a breach of data protection rules has occurred in the first place.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Apart from industry standards and recommendations, the only Austrian legal rule is that of article 32 GDPR.
See question 6.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
As such records do not fall within the scope of Austrian legal rules on the keeping of documents (eg, contracts, invoices), the only applicable rules are article 32 GDPR and those determined by industry standards or recommendations.
See question 15.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Before 25 May 2018, apart from industry standards and recommendations, the only relevant Austrian legal rule in this regard was that of article 14 DSG 2000. This provision did not require the processor to notify the authority but rather the data subjects concerned. Since 25 May 2018, article 33 GDPR requires the controller to notify the DSB.
See question 24.
What is the timeline for reporting to the authorities?
Article 14 DSG 2000 required data subjects to be notified ‘without delay’. However, this provision did not require the notification of any authority.
Since 25 May 2018, the date the GDPR became applicable, controllers must notify the national data protection authority (in Austria, the DSB) without undue delay and not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If that risk is high, the affected natural persons must be notified as well.
See question 24.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
Austrian legal rules do not require the reporting of cyberthreats, nor do they require reports to be issued to others in the industry or to the general public. The only exception is the public communication of a personal data breach under article 34 GDPR where individual notification of the data subjects would involve disproportionate effort. See question 24 for details.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Since the GDPR became applicable on 25 May 2018, many companies have faced, and are still facing, uncertainty regarding how to interpret certain provisions of the GDPR and which technical or organisational measures to take to ensure compliance. Clarifications are only slowly being issued by the national data protection authorities and other relevant bodies. Nevertheless, more and more are being published, slowly but surely, and a better understanding of the rules and their improved implementation is therefore expected over the next few months.
Additionally, early 2019 will most probably see the long-overdue finalisation and entry into force of the NISG. This act is likely to introduce new rules on cybersecurity as well as on the notification of breaches. Although it will only affect providers of critical infrastructure, including providers of digital services, the recommendations, guidelines and best practices issued in connection with the NISG are also expected to help improve compliance with the GDPR.