Tag Archive: Austria

AUSTRIA: Draft GDPR Implementation Act

On 12 May 2017 a Draft GDPR Implementation Act (the “Draft”) was submitted to the Austrian Parliament and is now open for review, assessment and comment by various public bodies, organisations and interest groups.

The GDPR Implementation Act will repeal the present Data Protection Act 2000 (Datenschutzgesetz 2000) and enact a new Data Protection Act, which will take effect on 25 May 2018, the date from which the GDPR applies.

General overview

At first glance the Draft covers only a bare minimum: most of it consists of the provisions the GDPR strictly requires Member States to adopt, and only a few of the optional opening clauses are actually used. A large part of the Draft concerns the implementation of Directive (EU) 2016/680 (the directive on data processing by police and criminal justice authorities) rather than the GDPR itself.

The explanatory notes confirm this first impression: they state that the Draft is mainly to contain the necessary implementation of the GDPR and only a few of the opening clauses. The ministerial working party deliberately left most of the openings in the GDPR unused, taking the view that the GDPR already provides a general rule which is to apply in Austria without further national specification.

Furthermore, the explanatory notes state that the majority of the opening clauses do not address general data protection matters and are therefore not to be included in the Draft. The ministerial working party took the view that such “special” opening clauses should instead be implemented in the relevant sector-specific laws, e.g. (presumably) the employment or criminal statutes.

On the other hand, the concern that the Austrian legislator would retain certain specific rules of the current Data Protection Act 2000 that do not comply with the GDPR has not materialised, precisely because of the very minimalistic approach the ministerial working party took. Accordingly, the provisions of the Data Protection Act 2000 that were specific to Austria, such as the filing (registration) procedure or the obligation to obtain the approval of the Data Protection Authority for an international data transfer even where EU Model Clauses have been concluded, are not included in the Draft and will presumably no longer be part of Austrian law.

Scope of applicability and general provisions

The major change to Austrian law implemented by the Draft is that, following the scope of the GDPR, its application is limited to natural persons: legal persons, which fall within the material scope of the currently applicable Data Protection Act 2000, are no longer covered. On this point, too, the Draft simply follows the GDPR.

In its first section the Draft also stipulates the fundamental right to data protection, which is already contained in the current Data Protection Act 2000. In both versions it is framed as a constitutional provision and as a human right, but the new wording is more comprehensible than the previous one. Furthermore, since the GDPR does not apply to legal persons, the scope of the fundamental right in the Draft has likewise been limited to natural persons.

Data protection officers and Data Protection Authority

The first of the main implementation aspects of the Draft is the set of rules on data protection officers. The Draft imposes an explicit duty of confidentiality on data protection officers, although this does not apply to information requests from the Data Protection Authority. The Draft further contains additional provisions on data protection officers in the public sector.

Another main aspect of the Draft is the designation of the supervisory authority: the Data Protection Authority (“Datenschutzbehörde”) is organised as the sole national supervisory authority.

Remedies, Liability and Penalties

The third section of the Draft contains specifying provisions on remedies, liability and penalties. The provisions on administrative fines do allow fines to be imposed on legal persons, but only to a very limited extent.

Under these provisions, the Data Protection Authority can impose a fine on a legal person only if one of its organs in a management position has acted negligently or breached its duty of supervision. Regarding the scope of this provision, the explanatory notes refer to a similar provision in the Austrian Banking Act (“Bankwesengesetz”), under which the legal person is primarily liable only for the conduct of its organs and not for an employee acting on instructions. This limitation may therefore not be in line with the GDPR, which provides no opening clause allowing a Member State to implement such a restriction.

That said, the GDPR also does not specify how the provisions on remedies, liability and penalties must be implemented as regards the persons held responsible, beyond the requirement in Article 83 Sec 1 GDPR that administrative fines be “effective, proportionate and dissuasive”, so it remains to be seen whether and how this manner of implementation is compatible with the GDPR.

Processing for Specific Purposes

Section 5 of the Draft addresses data processing for specific purposes, as permitted by Article 6 Sec 2 GDPR, and covers points such as processing for scientific research and statistical purposes and processing in the event of catastrophes.

This is one of the rare occasions on which the ministerial working party has made use of an opening clause. Unfortunately, it did not use the other opening clauses where, in our opinion, the GDPR is rather incomplete and further national legislation is needed because of the very general wording of the GDPR. This concerns in particular the opening clauses in Articles 6 Sec 4 (further processing for another purpose on the basis of Member State law), 9 (processing of special categories of personal data) and 10 (processing of personal data relating to criminal convictions and offences) GDPR. It remains to be seen whether such provisions will be included in other laws; in our opinion, however, provisions implementing the above-mentioned opening clauses should in any case be included in the Draft itself and not in other laws, as the ministerial working party suggests.

Processing of Employees Data

Similarly, as regards employee data, the Draft contains only a provision stating that the existing provisions of the Employment Act (“Arbeitsverfassungsgesetz”) satisfy the requirements of Article 88 GDPR. According to the explanatory notes, the ministerial working party wanted to make clear with this provision that the specifics of processing employee data are not to be regulated in the Draft but in the relevant labour laws. It remains to be seen whether the legislator will stand by this decision and create provisions in those laws, or whether the Draft will be amended instead.

Video Surveillance / Processing of Image Data

It is quite surprising that the ministerial working party found it necessary to include in section 6 of the Draft provisions on the processing of images and video surveillance, especially in light of its otherwise very minimalistic approach to implementing the GDPR. The explanatory notes base these provisions on Article 6 Sec 2 and 3 in conjunction with Article 23 GDPR; we have serious doubts that this approach is in line with the GDPR. In our opinion, clarification of the processing of data relating to criminal convictions and offences, or of employee data, would have been of far greater importance than rules on the processing of images.

Conclusion and outlook

To summarise, the Draft takes a very minimalistic approach to implementing the GDPR and leaves many vital issues open. It gives the impression that the main intention was to initiate the legislative procedure and the discussion on implementation, while most of the important implementation decisions have been postponed. It therefore remains to be seen how the Draft develops during the legislative procedure, but we expect either major amendments before the law is passed or further implementing measures amending other statutes.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/austria-draft-gdpr-implementation-act/

AUSTRIA: ECJ Safe Harbor Decision and its impact in Austria

In its ground-breaking judgement of 6 October 2015 in Schrems v Data Protection Commissioner (C-362/14), the European Court of Justice declared the EU Commission's Safe Harbor decision, Decision 2000/520/EC, invalid.

LEGAL SITUATION IN AUSTRIA

For Austria, the consequences of this judgement are likely to be extensive, since Austrian law provides as a general rule that a data transfer to a country without an adequate level of data protection is subject to case-by-case approval, even where the data exporter and the data importer have concluded a contract in the form of the EU Model Clauses or are subject to Binding Corporate Rules. By contrast, a transfer of data to a Safe Harbor certified organisation was treated as equivalent to a transfer to a country with an adequate level of data protection and was therefore exempt from approval.

Under the law as it stands, therefore, the main and immediate consequence is that transfers of personal data from Austria to the USA are now in principle subject to approval by the Austrian Data Protection Authority (ADPA), unless another exemption applies. Although the approval procedure has recently been shortened considerably, it can still take several months in specific cases, especially where the ADPA has to perform a detailed assessment of the application. Given the ECJ's general statements in the Schrems judgement on the level of data protection in the USA, such detailed assessments of transfers to the USA are a realistic prospect.

STATEMENT OF THE AUSTRIAN DATA PROTECTION AUTHORITY

In the meantime, the ADPA has issued a preliminary statement on the effects of the Schrems case, confirming that data transfers to the USA are now in principle subject to its approval. Approval is not required only where an exemption under Sect. 12 of the Austrian Data Protection Act, which corresponds broadly to Article 26 of the Data Protection Directive 95/46/EC, can be relied upon.

The ADPA has also expressly addressed the case where data are already being, or have already been, transferred to or processed in the USA, suggesting as a possible alternative that the data exporter “retrieve” the data and continue processing them locally, either on a server within the EU/EEA or in a third country with an adequate level of data protection. On the basis of this statement it appears fairly certain that the ADPA does not intend to apply the consequences of the Schrems judgement only to future data transfers, but considers transfers and processing operations currently under way as also becoming “retroactively” subject to approval in the absence of a relevant exemption. It is unclear at present, however, whether this is also meant to apply to controller-to-controller transfers, where the Austrian-based data controller has effectively lost control over the transferred personal data.

As stated above, the exemptions from approval provided in Sect. 12 of the Austrian Data Protection Act, in particular the consent of the data subject(s), remain a possible alternative. However, the requirements for valid consent set out by the Austrian Supreme Court and the ADPA are rather strict, so this alternative may not always be available in practice.

IMPACT ON THE APPROVAL PROCEDURE

Regarding the approval procedure, the ADPA has issued only a very brief statement that a data transfer can be approved by a decision of the ADPA on the application of the data exporter. It remains unclear, however, whether the Schrems judgement will also affect such approval procedures in the case of data transfers to the USA. Previously, and currently in respect of other countries, obtaining an approval was rather a formality if the application was based on a contract in the form of the EU Model Clauses between the data exporter and the data importer, or on Binding Corporate Rules to which both are subject.

It is doubtful, however, whether the ADPA will still accept these as a valid basis for an approval, considering that the ECJ's main argument for declaring the Safe Harbor decision invalid was that US authorities are able to obtain unrestricted access to personal data without the data subjects having any legal recourse. That would equally be the case where the data recipient has concluded the EU Model Clauses or is subject to Binding Corporate Rules.

The ADPA has published its statement (in German). We will also keep in close contact with the ADPA over the coming days and post any updates issued on the open issues.

Sabine Fehringer (Partner, Vienna) and Stefan Panic (Associate, Vienna)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/austria-ecj-safe-harbor-decision-and-its-impact-in-austria/