Parliament recently enacted the Third, Fourth and Fifth COVID-19 Acts. Although these laws have significantly changed the Austrian legal framework, none of them include data protection provisions. Thus, the legislature appears to have overlooked a significant data protection issue arising from the new law – namely, the conflict of interests between the amended Social Insurance Act and the EU General Data Protection Regulation.
Due to the COVID-19 pandemic, telecoms providers must now send mass alerts (eg, regional access prohibitions) via text message on order of the government and provide traffic and location data for the purposes of evaluating whether individuals are complying with quarantine orders. In addition, a number of legislative developments have taken place with respect to data protection. This article outlines these recent changes.
With the adoption of the EU General Data Protection Regulation, the EU legislature intended to strengthen the rights of individuals (ie, data subjects or applicants) by giving them greater control over how their personal data is used. Applicants must be informed of the processing of their personal data and be able to verify whether such processing is lawful. Accessing documents is not necessary to achieve that goal. This view is supported by two recent Austrian decisions.
The Austrian Data Protection Authority (DPA) recently published its first decision on retention periods following the enactment of the General Data Protection Regulation. The decision is final. The DPA had to decide how long a telecoms service provider must retain so-called 'master data' – that is, data required for the controller's legal relationship with the users of its services.
Members of Parliament recently filed an application to amend the Data Protection Act 2018 in order to clarify certain aspects which have led to confusion over the past couple of months. In addition to several provisions relating to competence, the proposed act, among other things, contains a rephrased version of the fundamental right to data protection, introduces the mandatory appointment of data protection officers and suggests enabling the matching of images with explicit consent.
It is common knowledge that the European Court of Justice (ECJ) has found the EU Data Retention Directive to be invalid. However, the spotlight should be on the ECJ's considerations on data security, as these may have an impact beyond the case that triggered the ruling, potentially influencing the privacy aspects of international data transfers as they are known today.
Austria has no specific data security rules for cloud computing. However, depending on the data categories involved, specific data-related security regulations may apply. To date, there has not been a homogenous market approach to tackling the risks connected to cloud services, although companies are starting to become aware of the related risks.
The European Court of Justice (ECJ) recently declared the EU Data Retention Directive, which has been the subject of much debate, invalid. The ECJ held that the directive interferes with the fundamental rights to respect for private life and the protection of personal data. If this decision reflects the ECJ's general stance on the matter, it will have an impact that goes far beyond telecommunications data retention considerations.
Employers are increasingly keen to introduce a 'bring your own device' (BYOD) policy, which allows them to assign company device management to employees and, by doing so, save manpower and costs on device support and maintenance. However, there is a downside: BYOD involves allowing employees to access (sometimes sensitive) company data through their private devices.
The European Commission recently published a new regulation on the measures applicable to the notification of personal data breaches under the EU Directive on Privacy and Electronic Communications. When the regulation enters into force, national rules that are in contradiction to European law must cease to apply. This raises some substantial questions with regard to the application of the Austrian Telecommunications Act.
Mobile applications are convenient, entertaining, easy to handle, cheap and versatile. However, the processing of other people's personal data through an app triggers full responsibility under data protection laws. Users would thus be well advised to consider whether they would wish to have their own data processed in the same way before processing other people's data through an app.
The European Court of Justice (ECJ) recently ruled that the Austrian Data Protection Authority is not a sufficiently independent regulatory body and therefore is not in line with the respective requirements of the EU Data Protection Directive. In particular, the ECJ took offence at the fact that the day-to-day business of the authority is managed by a federal official.
Following European Commission proceedings against Austria for breaching EU law by failing to implement the EU Data Retention Directive, and a related European Court of Justice ruling against Austria, the government has now decided to implement the directive. The draft legislation implements the minimum requirements set out by the directive by providing for a retention period of only six months.
In early 2010 substantial revisions to the Data Protection Act entered into force. Among other things, the revised act introduced to the data protection regime a notification duty requiring every data controller in Austria to inform data subjects accordingly should they become aware of systematic and seriously unlawful misuses of personal data.