In Summer 2017, and thus before the autumn parliamentary elections took place, the legislature rushed through the national Data Protection Amendment Act 2018. In the pre-election phase, the governing parties could not find the required majority to amend the constitutional law provisions which are part of the current legal framework. As such, those constitutional law provisions remained as they were, which resulted in problematic provisions remaining in effect. The most prominent example was that legal entities' fundamental right to data protection remained in effect, despite the fact that the EU General Data Protection Regulation (GDPR) covers only the protection of natural persons regarding the processing of personal data.
On March 22 2018 members of Parliament filed an application to amend the Data Protection Act in order to clarify certain aspects which have led to confusion over the past couple of months. In addition to several provisions relating to competence, the proposed Privacy Deregulation Act 2018 contains the following features which might be relevant to companies.
No fundamental right for legal entities
As mentioned, there were ongoing (academic) discussions on the applicability of legal entities' fundamental right to data protection, as the Data Protection Act 2000 protected both natural and legal persons. Article 1 of the Data Protection Amendment Act 2018 was not rephrased. However, the Privacy Deregulation Act 2018 contains a rephrased version of the fundamental right in Article 1 which narrows its scope explicitly to natural persons, but also tries to improve readability. Apart from this amendment, the recitals state that the scope of this article underwent no significant changes. Article 1(3) explicitly clarifies that the third-party effect of the fundamental right to data protection remains unchanged.
The suggested version of Article 4(5) of the Privacy Deregulation Act 2018 provides a limitation of data subjects' access rights: if the controller fulfils sovereign tasks and providing the information endangers those tasks, the access right according to Article 15 of the GDPR "does not exist". The EU law basis for this restriction is found in Article 23 of the GDPR, which provides a rather broad basis for restricting data subjects' rights under the GDPR with respect to "public security purposes".
Mandatory DPOs for regional authorities
According to the recitals of the Privacy Deregulation Act 2018, Article 5(3) now clarifies the obligation to designate a data protection officer (DPO) in the public sector. Notably, the obligation applies only to bodies established in public law – in particular, as an authority of a regional authority. Entrusted bodies will be exempt from the obligation to appoint DPOs (unless one of the other obligations in Article 37, apart from "being a public authority or body" according to Article 37(1)(a), applies).
Processing personal data in employment context
The current version of Article 11 of the Data Protection Amendment Act 2018, which states that the Labour Constitution Act will (insofar as it regulates the processing of personal data) be seen as a rule within the meaning of Article 88 of the GDPR and further that powers granted to the works council under the Labour Constitution Act remain unaffected, has been removed in the recitals.
The proposed new version states that the powers of the workforce according to the third section of the Labour Constitution Act – in particular, according to Paragraphs 89, 91, 96, 96a and 97 – as well as the rights of participation in relation to employee representation, remain unaffected as far as the processing of personal data is concerned. The recitals further state that not every violation of the Labour Constitution Act will lead to criminal liability under Article 83 of the GDPR, but that violations of the Labour Constitution Act's protective provisions concerning the processing of personal data are subject to Article 83.
Article 12(4)(3) currently prohibits automatically matching personal data obtained from image recordings with other personal data. Simply put, it makes face identifications from mobile devices illegal. The proposed amendment suggests enabling the matching of images with explicit consent (ie, an expression of will which is made voluntarily and in an informed and unambiguous manner, given in the form of a statement or other unambiguous confirmatory act, by which the data subject indicates that he or she agrees to the processing of the personal data). In other words, implied consent is not enough.
Since there are already numerous uncertainties deriving from the GDPR itself, the suggested alignments – which aim to provide further clarity at least on a national level – are warmly welcome. At first glance, some of the suggestions even seem to meet those expectations.
For further information on this topic please contact Günther Leissler or Veronika Wolfbauer at Schoenherr Attorneys at Law? by telephone (+43 1 5343 70) or email ([email protected] or [email protected]). The Schoenherr Attorneys at Law website can be accessed at www.schoenherr.eu.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
