On 31 July, the Austrian law amending the Data Protection Act 2000 (Data Protection Amendment Act 2018 – DSG 2018) was promulgated. This Act is intended to align Austrian data protection law with the new General Data Protection Regulation (GDPR) and enters into force on 25 May 2018. One controversial topic arising with the DSG 2018 is its scope of applicability. The GDPR is clearly limited in its scope to personal data of natural persons. In contrast, the currently applicable Data Protection Act 2000 (DSG 2000) explicitly protects natural and legal persons as data subjects. There was an expectation that the DSG 2018 would be aligned with the GDPR regarding the scope of protection.
The regulation and concept of the DSG 2000 were somewhat different from those of the Data Protection Directive 95/46. In particular, Section 1 DSG 2000 provides a general right to data protection as a basic (human) right. This provision was adopted as a constitutional provision. The exact wording of this provision is that “everyone […] has the right to protection of his/her personal data, to the extent there is a legitimate secrecy interest”.
While the DSG 2018 amends and abolishes the majority of the DSG 2000, Section 1 was not abolished and will remain in force after 25 May 2018. On the basis of this provision, an opinion of the Head of the Data Protection Department at the Office of the Austrian Federal Chancellor was recently published, stating that this wording of Section 1 DSG 2000 means that the basic right of protection of personal data will still apply to legal persons.
This view is problematic in our opinion for a number of reasons. First of all, while the quoted official was involved in the formulation of the DSG 2018 and therefore his opinion might be seen as an “authentic interpretation” of the law, we consider the conclusion that the reference to “everyone” necessarily includes legal persons problematic. In this respect, the DSG 2000 was much clearer, not because legal persons were implied in the meaning of the term “everyone”, but rather because of the definition of “personal data”. In the DSG 2000, personal data was defined as “information on data subjects”, whereas “data subjects” were expressly defined as natural and legal persons. However, these definitions were provided in Section 4 DSG 2000, which has now been abolished. The only definition of personal data applicable to Austrian law after 25 May 2018 is the definition of the GDPR, which is limited to information regarding natural persons. Therefore, while the term “everyone” might be interpreted in such a way as to include legal persons, the wording “everyone has the right to protection of his/her personal data” is limited to natural persons by virtue of “personal data” being information related to natural persons only.
Furthermore, we have some doubts that extending the right of data protection to legal persons is in line with the GDPR. While there is no clear statement that the GDPR constitutes full harmonization, it is in our opinion clear from the intention of the GDPR, from several of its provisions (in particular, the references to free movement of personal data, such as in Article 1 Para 1), and from its nature as an EU Regulation that it should constitute a full harmonization and not allow more extensive regulation by the national legislators, except where this is expressly allowed by an opening clause.
In fact, the prevalent opinion to date in Austria is that Section 1 DSG 2000 was not left in force intentionally, but rather only because, as a constitutional provision, its abolition required a qualified constitutional majority, which was not achievable at the time.
That said, while the GDPR, as a detailed data protection regulation, does not protect legal entities, it should also be mentioned that European law does in fact provide some basic protection for personal data of legal entities as well, since the protection of personal data under the EU Charter of Fundamental Rights (Art 8) also refers to “everyone”. Furthermore, protection of personal data also follows from Art 8 ECHR, which the European Court of Human Rights also applies to legal persons. For this reason, while the DSG 2018 may be in contradiction with the GDPR, it does have some basis in the broader European regulation.
As described above, it is at the moment unclear how this issue will be approached by the authorities and in practice in the future, as well as whether the Austrian legislator will react. In our opinion, a limiting interpretation of the DSG 2018, limiting the right of data protection to natural persons, would not only be covered by the wording of the law, but also be in line with European law. Furthermore, because of the changes in the Parliament due to the last parliamentary election, the legislator may now be able to achieve the required majority to abolish Section 1 DSG 2000 and align the Austrian data protection law with the GDPR.
That said, the current status of the law, backed by the mentioned opinion, may imply a broader scope of data protection in Austria. Data controllers should therefore be aware of this possibility and consider that data protection in Austria under the GDPR might not be limited to natural persons but might apply to legal persons as well (as is currently the case). In our view, the most likely outcome at the moment, save any further legislative measures, is that the basic right of data protection will continue to apply to legal entities as well, whereas the detailed regulation of the DSG 2018 and the GDPR would be limited to natural persons.