The General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR) is intended to directly and comprehensively regulate data protection within the European Union. However, the GDPR contains a number of so-called ‘opening clauses’ granting Member States discretion, and even a certain degree of leeway, as to how they enact domestic laws to specify the GDPR. Further, in some cases, Member States are even obliged to provide for specifications on a national level.
The first consultation draft of the new Austrian Data Privacy Act was published on 12 May 2017 and contained multiple proposals on how to deal with this discretion and leeway in specifying the GDPR. In the course of the legislative process, more than one hundred statements on the draft law were submitted and the draft law itself was revised in many areas. In particular, the provisions aimed at amending the constitutional provisions in the old data privacy act failed to gain the required two-thirds majority in parliament. Thus, the new Data Privacy Act has been passed without amending the constitutional provisions and was published in the federal law gazette on 31 July 2017 (see hereunder in German). The main changes of the new Data Privacy Act, as compared to the draft law (for which we have already presented the main points hereunder), can be summarised as follows:
- The fundamental right to data privacy, which was supposed to be amended to only apply to natural persons, will remain in its current form. So, the existing protection of legal persons' data in the same way as the data of natural persons is still in force. It remains to be seen if, after the parliamentary elections scheduled for mid-October 2017, the new legislator will – in line with common European practice – attempt to restrict the fundamental right to data privacy to natural persons before the GDPR becomes applicable on 25 May 2018. If the fundamental right to data privacy remains unchanged, the protection of legal persons would be unclear as the terms in the fundamental right to data privacy are rather vague and subject to interpretation.
- In relation to the offering of information society services directly to a child, the child's consent to the processing of the minor's personal data shall be lawful without the consent of its legal guardian if the child is at least 14 years old.
- The processing of data relating to criminal convictions and offences is permitted if it results from a legal duty to exercise due diligence or if it is necessary for the purposes of legitimate interests pursued by the controller or a third party. This will serve as legitimate grounds of justification to process personal data in most types of internal investigations.
- The draft law already provided for further grounds of justification for the processing of personal data for journalistic, scientific, artistic, or literary purposes. In addition, the final Data Privacy Act now also provides additional grounds of justification for the processing of personal data for public benefits related to archiving purposes, scientific and historical research purposes and statistical purposes.
- According to the new Data Privacy Act, large parts of the GDPR will not be applicable to the processing of personal data by media companies, media service providers or their employees when conducting journalistic activities.
- The draft law intended that the Austrian Data Privacy Authority as national supervisory authority should exercise its competences independently also in respect of the highest executive authorities, like the president, the ministers and the state secretaries as well as the members of the state governments. However, this provision has not been enacted as it has not reached the required two-thirds majority in parliament.
- According to the draft law, data protection should have become an exclusive federal legislative and executive competence. However, in parliament the required two-thirds majority to expand federal competences has not been reached and therefore the legislative competence for the protection of manually processed data remains with the states.
It should be noted that the Austrian parliament has been cautious with deviations from the GDPR. This is a very good approach towards a common and largely harmonized data privacy regime within the European Union. Some regulations of the new Data Privacy Act (in particular those perpetuating the status quo) are likely to be in contradiction with the GDPR (e.g. the lack of the Data Privacy Authority's authority towards the highest executive bodies). In the end, however, this will have to be decided by the courts.
It remains to be seen if the new Data Privacy Act will be further amended after the upcoming parliamentary election (in particular, whether the envisaged constitutional changes will be effected). We will keep you updated on further developments.