
EPIC --- Privacy and Human Rights Report


EPIC --- Privacy and Human Rights Report 2006


Republic of Austria

Constitutional Privacy Framework

The Austrian Federal Constitutional Law (Bundes-Verfassungsgesetz[1193]) does not explicitly recognize the right of privacy, but several civil rights are contained in special laws. Data protection is a civil right in Austria.[1194] Some sections of the data protection law (Datenschutzgesetz, or DSG) have constitutional status and may only be restricted under the conditions of Article 8 of the European Convention on Human Rights (ECHR). The entire ECHR has constitutional status, and the Constitutional Court often cites Article 8 in privacy matters.

Data Protection Framework

Austria’s data protection law (Datenschutzgesetz 2000, DSG 2000) was approved in December 1999 and went into force in January 2000.[1195] The Act replaces a 1978 law of the same name and incorporates the EU Data Protection Directive (1995/46/EC).[1196] It protects the right of individuals in relation to the processing of their personal data. The civil right to secrecy protects data contained in paper files, but most of the other rights (access, rectification, and deletion) only cover data that are automatically processed. The Austrian law also protects organizations, such as companies, religious or political organizations. Individuals have the right to access, correct, or delete personal data, or to keep them confidential.[1197] Data controllers are required to provide information to the data subject, who has the right to access the data, its origin, and the identity of any recipients. Disclosure to third parties is only allowed when the data subject gives express written permission; if disclosing the information serves a legitimate objective of the data controller; if it concerns legitimate published data or only indirectly personal data; or if it is necessary for the protection and interests of a third party.[1198]


Following the tsunami disaster in early 2005, the DSG 2000 was amended, introducing clarifications regarding the use of personal data by call centers established by airlines and other organizations in case of catastrophes.[1199]

Data Protection Authority

All claims against public-sector controllers must be brought before the Data Protection Commission (DPC).[1200] Claims against private sector data controllers must be brought before the courts, with the exception of claims about the refusal to give information pursuant to Section 26 DSG 2000, which are brought before the DPC. An individual data subject can bring claims before the DPC. The DPC decides with a ruling that can be enforced. Civil and criminal provisions apply.[1201] The Austrian member states (Länder) have adopted their own legislation. Experts have criticized the new law as inadequate because it retains the cumbersome structure of the original 1978 Act rather than replacing it.[1202]


Under the 2000 Act, a DPC and a Data Protection Council (the Council) are established. The DPC has powers of investigation and enforcement to ensure compliance with the Act. The Council (Datenschutzrat) is a political advisory body.[1203] The Commission (Datenschutzkommission) is currently staffed with six permanent members, six deputies, and four full-time employees; another eight employees work in the Data Processing Register (Datenverarbeitungsregister, or DVR).[1204] The DPC is responsible for investigating public sector data processing and reporting bi-annually to the federal government on public sector data processing. It oversees private sector activity including the authorization of international data transmissions and applications for data processing registration, but excluding claims that must be brought before the courts. The DPC will only deny the export of data if such transport conflicts with public interests, violates international legal obligations, disregards data disclosure requirements, damages the interests of the person warranting protection or has inadequate safeguards. The DPC can act as an ombudsman and make recommendations to private and public sector data controllers, which are not binding.[1205]


The DPC handles complaints concerning infractions of the rights to secrecy, access to data, right to information and right to rectification and erasure against public-sector data controllers, or the right of access to data against private-sector data controllers.[1206] Bi-annually the DPC handles 80-100 formal complaints.[1207] All of these cases are complex. A complaint case ends with a formal ruling (Bescheid) that can be appealed. The rulings are legally binding, and can be enforced where appropriate. All the decisions of the DPC are available for public access through the DPC’s decision database.[1208]


The Ombudsman's function is often used to resolve private sector disputes that do not require a lawsuit. Instead Ombudsman’s cases require an administrative decision. The DPC can act on a complaint by a citizen pursuant to Section 30 DSG 2000. These are called "ombudsman" cases because the DPC acts as a privacy ombudsman, and makes recommendations. These cases vary widely in terms of complexity. Some can be resolved by simply contacting a data controller and asking him to fix some mistake or oversight; others require much work and can involve several companies.[1209]


The DPC has investigated many issues that were not rated as "complaints," but have a similar impact. Moreover, the office of the DPC routinely answers informal help requests by e-mail or telephone. While most of these are just requests for information, some can involve elements of a complaint, or can help prevent an unnecessary complaint.[1210]


The DPC uses different enforcement tools for Ombudsman's cases.[1211] To establish the rightful state, the DPC can issue recommendations; an appropriate period for compliance shall be set if required. If a recommendation is not obeyed within the set period, the DPC shall, depending on the kind of transgression and ex officio: 1) initiate an administrative inquiry to check the registration pursuant to Section 22 para. 4 DSG 2000; or 2) bring a criminal charge pursuant to Sections 51 or 52 DSG 2000; or 3) in case of severe transgressions by a private sector controller file a lawsuit before the competent court of law pursuant to Section 32 para. 5 DSG 2000; or 4) in case of a transgression by an organ of a territorial corporate body (Gebietskörperschaft), involve the highest competent authority. This authority shall within an appropriate period, not exceeding 12 weeks, take measures to ensure that the DPC's recommendation is complied with, or inform the DPC why the recommendation is not complied with. The reason for non-compliance may be publicized by the DPC in an appropriate manner, as long as it is not contrary to official secrecy.


Registered data controllers can be roughly defined as the natural or legal person ordering the collection, processing, or disclosure of data.[1212] It must be noted that one data controller may notify multiple data processing operations. 2,300 changes were recorded in 2004 (new registrations, corrections and deletions). The DSG 2000[1213] contains many exceptions from notification, which should make notification unnecessary for most normal businesses that run typical bookkeeping, inventory, and staff management software. Moreover, many controllers who go out of business or who do not need to register anymore do not have to formally withdraw their notification. The number of data controllers has to be estimated for this reason.[1214] Data controllers are required to notify the data subject, who has the right to access the data, its origin, and the identity of any recipients. Disclosure to third parties is only allowed when the data subject gives express written permission; it is in the legitimate objective of the data controller to disclose the information; if an explicit legal authorization or obligation exists to use the data, the data subject has given his consent; or if it is necessary for the protection and interests of a third party.[1215] Claims against private sector data controllers can be brought under DSG 2000 by an individual data subject, or by the DPC on behalf of data subjects. Civil and criminal provisions both apply.


Due to a severe reduction of personnel from 2001 to 2003, the DPC has complained that it is no longer able to actively pursue investigations and file claims.[1216] In July 2005 the European Commission began infringement procedures against Austria and Germany for not creating adequate independence of their Data Protection Authorities.[1217] The EU Data Protection Directive requires that data protection authorities exercise their functions with complete independence, but the Austrian DPC is integrated in the Federal Chancellery and its managing member is a senior official of the Chancellery.[1218]

Statutory Rules Related to Privacy

Since 2004, the Austrian Civil Code contains a provision[1219] offering individuals a right to obtain damages caused by any illegal privacy intrusions where individuals are granted a right to claim for a minimum of EUR 1,000 for pain and suffering or other immaterial loss.


There are also several sectoral privacy laws. The telecommunications law contains special data protection provisions for telecommunications systems, particularly problems like phone directories, unsolicited calls, spamming or calling line identification.[1220] The Genetic Engineering Act of 1994 requires prior written consent for information to be used for purposes other than the original purpose and the use of genetic data by insurance companies and employers is explicitly prohibited. The Data Protection Act (DSG 2000) deals with medical data in a very general way, by considering them sensitive data, with benefit of special protection, as well as by providing some provisions on research in Sections 46 and 47. There are provisions in other statutes dealing with the use of medical or health data. As in most countries, Austria has laws requiring that carriers of dangerous diseases be reported to health authorities.[1221] The normal rules for medical confidentiality apply, although with exceptions, as doctors must report serious injuries that were obviously caused by criminal activity or cruelty to children.


The Banking Act of 1993 deals with special requirements in relation to credit data. Section 18 of the DSG 2000 states that a data application containing information regarding a person's creditworthiness requires prior registration and authorization by the DVR. In their regular business relations, all financial institutions must comply with DPA provisions stating that they cannot use personal data obtained through client accounts for other purposes. Austria adopted a new anti-money laundering law according to the requirements of the Organization for Economic Cooperation and Development (OECD).[1222] Banks must establish the identity of customers who wish to open an account, or in case of money transfers exceeding EUR 15,000.[1223]


In 2000, the Austrian Provinces (Länder) adopted various laws relating to data protection. Some have passed legislation regarding notification about suspicions of neglect, mistreatment or sexual abuse, and the collection of personal data related to these notifications. There are also additional federal laws regarding military authorities' standards in their use of personal data for military affairs.[1224]


In June 2002, the Parliament adopted a law that allows the Austrian military to request from Internet Service Providers (ISPs) or other telecommunications service providers the name, address and telephone number of every telecommunications user.[1225] The draft was strongly opposed by Austrian privacy organizations since the military would simply have to pretend that it necessarily needs this information for intelligence purposes or for the fulfillment of its own duties.[1226]


In January 2003, the Bildungsdokumentationsgesetz (Law on the Documentation of Education)[1227] went into force. It regulates the use of data on pupils and students for purposes of long-term documentation. It mandates schools, universities, and other professional academies to collect a large set of data including social security numbers, religious affiliation, need for special educational assistance, grades and degrees, and transmit that information to the Federal Ministry of Education, Science, and Culture and the Austrian Agency for Statistics where the data will be stored for up to 60 years. During all these years, all data on individuals can be identified by social security numbers.[1228]

Identity Cards

Over the past few years, Austria has been working on introducing a smart card for social security. This smart card, which was scheduled to replace the health insurance certificate in 2005, was scheduled to be given to every person who benefits from social security.[1229] It was designed to contain a digital signature. Currently, only the name, the social security number and the date of birth will be stored. The card will also serve as a European health insurance card. Earlier discussions on the inclusion of health data for emergency cases did not lead to storage of such data on the card. The previous project to introduce a mandatory "citizen card" with tax number and other information has been abandoned. Today, many privately issued smart cards, such as private member organization cards or bank debit cards that fulfill special technical requirements, can be equipped with the functionality of an electronic citizen authentication card if so desired. The card can therefore be used for several kinds of interaction with private businesses or government agencies.[1230] The Austrian Computer Society issued the first examples of these citizen cards in December 2002.[1231] The social security card satisfies these technical requirements as well.


In March 2004 the E-Government-Act[1232] went into force. It introduces in an identity card (Bürgerkarte, or citizen's card) a variant of the citizen's number (Stammzahl) known in other countries to enable citizens to electronically interact with state agencies and certain private entities. The "Bürgerkarte" is defined as a functionality (electronic signature combined with certified identification of the signer, Personenbindung), not as a certain type of physical object.[1233] The citizen's number stored on the citizen's card is based on the unique number of a citizen's residence-registration file. Starting from this citizen's number, each administrative body will derive an identification number that is unique for its administrative area (bereichsspezifisches Personenkennzeichen, or bPK[1234]) and that – under certain circumstances – can be used to reveal the citizen's number again. The Bürgerkarte functionality can be implemented in various forms, without any card. One of its forms is, for example, being used with mobile phones or ATM cash cards. The DPC will administer the citizen's number. Austrian privacy organizations have strongly criticized the DPC's role because it will be its own control board and no independent control will be established at the heart of this national identification system.
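An added example, not part of the EPIC report and not the Austrian implementation: it models the one-way bPK derivation and the register holder's "trial and error" conversion between administrative areas that note 1234 describes. SHA-256, the input layout, the sector codes, the names and the citizen's numbers are all assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed register held only by the central authority (the DPC in the
# report): name -> citizen's numbers (Stammzahl) of everyone with that name.
# Every value here is made up for this example.
REGISTER = {
    "Maria Huber": ["SZ-0001-AAAA", "SZ-0002-BBBB"],
    "Josef Gruber": ["SZ-0003-CCCC"],
}


def derive_bpk(stammzahl: str, sector: str) -> str:
    """Derive a sector-specific identifier from the citizen's number.

    The report only says the bPK is a one-way hash of the citizen's number
    and the code of the administrative body. SHA-256 over "number+sector"
    with Base64 output is an assumption made for this example.
    """
    digest = hashlib.sha256(f"{stammzahl}+{sector}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def convert_bpk(bpk: str, name: str, from_sector: str, to_sector: str):
    """Conversion as performed by the register holder.

    For every person registered under `name`, recompute the bPK for
    `from_sector` and compare it with the submitted one. On a match,
    return that person's bPK for `to_sector`. The citizen's number itself
    is never returned. Returns None when no registered person matches.
    """
    for stammzahl in REGISTER.get(name, []):
        candidate = derive_bpk(stammzahl, from_sector)
        # Constant-time comparison of the two identifiers.
        if hmac.compare_digest(candidate, bpk):
            return derive_bpk(stammzahl, to_sector)
    return None


def demo():
    """Walk through one conversion request between two sectors."""
    # Two administrative areas hold different identifiers for one person.
    tax_bpk = derive_bpk("SZ-0002-BBBB", "TAX")
    health_bpk = derive_bpk("SZ-0002-BBBB", "HEALTH")

    # The tax authority submits its bPK plus the person's name and asks
    # for the identifier valid in the health sector.
    converted = convert_bpk(tax_bpk, "Maria Huber", "TAX", "HEALTH")

    return {
        "identifiers_differ_across_sectors": tax_bpk != health_bpk,
        "conversion_matches_health_bpk": converted == health_bpk,
        # Same bPK submitted with the wrong name: nothing in the register
        # reproduces it, so no identifier is released.
        "wrong_name_rejected": convert_bpk(
            tax_bpk, "Josef Gruber", "TAX", "HEALTH") is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The linkage only works for the party that holds the register of citizen's numbers, which is why the section's point about who controls that party matters for the design.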

Wiretapping and Surveillance Rules

The Code of Criminal Procedure regulates wiretapping, electronic eavesdropping and computer searches.[1235] A judge can permit telephone wiretapping if it is needed for investigating a crime punishable by more than one year in prison. Electronic eavesdropping and computer searches[1236] can be allowed by a judge if they are needed to investigate criminal organizations or crimes punishable by more than 10 years in prison. The provisions concerning electronic eavesdropping and computer searches became effective between October 1, 1997, and July 1, 1998. The law previously contained sunset clauses that were later repealed in the fall of 2001.[1237] One of the high points of the discussion on eavesdropping was the controversy over who had to bear the cost of surveillance measures. The Federal Constitutional Court declared unconstitutional an ordinance that would have placed most of the cost on the telecommunication operators.[1238] In August 2003 a new telecommunications law (TKG 2003) came into force that still requires telecommunications providers to provide the necessary surveillance equipment. This equipment is specified in an ordinance issued by the Federal Minister of Transport, Innovation and Technology in December 2001.[1239] A separate ordinance issued by the Federal Minister of Justice in September 2004 specifies the reimbursement of costs to telecommunications providers on a case-by-case basis for their assistance in surveillance measures.[1240] Costs for staff and installation, maintenance and monitoring of surveillance equipment are subject to reimbursement.


In January 2005, an Amendment to the Sicherheitspolizeigesetz (SPG, Police Law) went into force. It allows police to keep public places under audio and video surveillance and to store the data collected up to 48 hours, or longer in case there is a suspicion that a criminal offence was conducted (§ 54 (6) SPG).[1241]


In 2005, the DPC rejected a research center’s application for permission to use personal data of drug addicts who submitted themselves to a detoxification therapy.[1242] The center intended to use the records of persons who had been criminally convicted before treatment to evaluate a new program in the country allowing drug addicts to submit themselves to therapy instead of criminal penalty.[1243] The DPC stated that the law required the center to obtain consent from the addicts before using their personal records.[1244]


The Austrian Supreme Court ruled in 2005 that Internet Service Providers (ISPs) must hand over names and addresses of customers to rights holders in the case of infringement.[1245] While the music industry has praised the decision, privacy groups have been up in arms and the decision is heavily disputed.[1246]


A Viennese lawyer reported during a forum in October 2006 that there are an estimated 100,000 illegal monitoring systems with recording functions in Austria.[1247] The use of recording devices in Austria requires a permit, and certain restrictions including deletion of recordings after 48 hours and restricted access to the recordings only to qualified staff that work in pairs are imposed by the DPC.[1248] Because almost all video monitoring systems with a record function are being operated illegally in the country, the DPC has been largely unable to enforce these restrictions.[1249] The Viennese lawyer urged the DPC to make the permit process faster.[1250] Those who operate a recording camera without a permit face fines of more than 9,000 euros.[1251] Before the forum, the DPC had issued a permit granting preliminary permission to the country’s public transportation authority to install video surveillance for the purpose of preventing vandalism.[1252] The DPC imposed preliminary permission because there was insufficient documentation that surveillance would decrease vandalism. The DPC imposed special requirements, including requiring public transportation to document all incidents leading to an analysis of the recordings.[1253]


The EU approved a Directive on mandatory data retention in December 2005 after minor amendments.[1254] The Directive requires Internet Service Providers (ISPs) and phone companies to keep data on every electronic message sent and phone call made for between six months and two years. The directive has been criticized as a threat to the personal privacy of European citizens. A spokesman of Austria’s Federal Ministry of Transport, Innovation and Technology announced in July 2007 that due to the flood of responses to the proposed law implementing the directive, Austria will postpone implementation of the directive.[1255] The spokesman said the ministry needs to process statements voicing opposition to the proposed law, and it will process all complaints even if the EU issues a caution against the country.[1256] There is a general aversion to data retention in Austria, and the movement has been growing.[1257] At least two political parties oppose data retention, and the federal Chancellor’s office has expressed concerns that the directive might violate the Austrian Constitution.[1258]

DNA Matching

In December 2006, Germany and Austria became the first countries in the world to match their DNA databases. Using a hit/no-hit procedure, police officers retrieving the data are informed whether or not data on the profile in question are also contained in the database of the other contracting state. The offices then get in touch with one another or request mutual legal assistance in order to obtain more detailed information, e.g. on the identity of the person concerned. There were more than 1,500 hits when Austrian data were matched against data held in Germany, and vice versa over 1,400 hits were produced.[1259] The Prüm Treaty signed between Germany and Austria is the core of a system that also includes Belgium, Spain, France, Luxembourg and the Netherlands. Italy, Sweden, Greece, Slovenia, Finland, Bulgaria and Romania have all said that they will join the scheme and the Germany-Austria data sharing model will be expanded in the coming year to some of these countries. The Treaty makes automatic the sharing of certain kinds of information. Vehicle registration, DNA analysis and fingerprint records are all automatically searchable, as are entire profiles of people.[1260] The European Data Protection Supervisor, however, considers the privacy elements of the Treaty to be incomplete.[1261]

Voting Privacy

Voting in Austria is compulsory for those 18 years or older. Although the law is not strictly enforced, non-voting could result in a request for the reason for non-compliance and a fine.[1262] In 1990, following a ruling by the Austrian Constitutional Court, postal voting or Internet voting was introduced for the first time, to allow those living abroad to exercise their right to vote in elections.[1263] Since that time, Austria has engaged in ongoing discussions regarding the application of Internet voting as an alternative to the ballot box.[1264] As of 2005, there were no laws that govern Internet voting at the national, regional, or local level. In two Länder, Lower Austria and Upper Austria, members of the public may vote by e-mail on non-legally binding consultations on measures being considered by the assembly and the regional council.[1265]

Open Government

The Auskunftspflichtgesetz is a Freedom of Information law that compels federal authorities to answer questions regarding their areas of responsibility.[1266] However, it does not permit citizens to access documents, just to receive answers from the government on the content of information. The nine Austrian Provinces have laws that place similar obligations on their authorities.


In April 2001, the Ministry of Justice presented draft amendments of the Code of Criminal Procedure, which aimed at bringing about important changes to the Austrian judicial system. According to the draft Law on the Security of Information (Informationssicherheitsgesetz), authorities, journalists and other persons who disclose classified information could have faced sanctions if the disclosure impaired Austria's public security, national defense, foreign relations, or economic interests.[1267] It therefore would have been possible to imprison journalists who publicly disclose secret documents from public officials even if the publication had been of public interest. While sanctions against journalists and other persons did not find their way into the law, violations committed by public officials can lead to up to one year in prison. While the main aim of the draft law was to protect military secrets, critics claimed that since the law was so poorly formulated, it could have potentially adversely affected the free flow of information. Moreover, it seemed that since any official could have declared their files classified, they could also have restricted public scrutiny of their actions and limited freedom of information access.[1268] The purpose of the law, as well as its scope, was modified before it was adopted. The aim of the adopted Law on the Security of Information (Informationssicherheitsgesetz, InfoSiG)[1269] is to fulfill requirements of international law to protect classified information that is provided to Austria by international organizations.

International Obligations

Austria is a member of the Council of Europe (CoE) and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1270] It has signed and ratified the ECHR.[1271] In November 2001, it signed, but has not ratified, the CoE Convention on Cybercrime.[1272] It is a member of the OECD and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.


[1193] B-VG, Federal Law Gazette No. 1/1930.
[1194] Austrian law permits the adoption of regulations which are "constitutional provisions" (Verfassungsbestimmungen), even though they appear in a regular law. These provisions are part of the constitution, the core of which is the federal constitutional law (Bundes-Verfassungsgesetz). Federal Law Gazette No. 1/1930, available at <http://www.ris.bka.gv.at/hilfe/erv/law_list.html>.

[1195] Datenschutzgesetz 2000 (DSG 2000), Austrian Federal Law Gazette part I No. 165/1999 <http://www.dsk.gv.at/legal.htm>.
[1196] Datenschutzgesetz (Data Protection Act), Federal Law Gazette No. 565/1978, available at <http://www.dsk.gv.at/legal.htm>.
[1197] Christopher Millard & Mark Ford, Data Protection Laws of the World, Austria Report (Clifford Chance 2001).
[1198] Section 7-9 Datenschutzgesetz. See also Christopher Millard & Mark Ford, supra.

[1199] Amendment to the DSG 2000 available at Federal Law Gazette I, Nr. 13/2005, <http://ris1.bka.gv.at/authentic/findbgbl.aspx?name=entwurf&format=html&docid=BR_DOKV-BR_1109> (in German).

[1200] Organs of legislation or jurisdiction may not be examined by the data protection commission pursuant to Section 31 DSG 2000. One cannot appeal a law before the DPC nor bring a complaint against a parliamentary control committee (similar to a senate subcommittee). The DPC cannot overturn a court decision, either.
[1201] Id.
[1202] See Viktor Mayer-Schoenberger & Ernst Brandl, Datenschutzgesetz 2000 (Line Publishing Vienna 1999).

[1203] See Section 41-44 DSG 2000 <http://www.dsk.gv.at/dsg2000e.htm#E41>. English version available at <http://www.ris.bka.gv.at/erv/erv_1999_1_165.pdf>.
[1204] The DVR is the register where data controllers have to declare their activities if they are not included in the list of standard data processing activities that do not require a declaration. Datenschutzbericht 2001, at 8 (Official Report of the Data Protection Commission), available at <http://www.dsk.gv.at/Datenschutzbericht2001.pdf> (in German).
[1205] Section 30 DSG 2000.

[1206] E-mail from Mag. Georg Lechner, Austrian Data Protection Authority, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center (EPIC), June 3, 2005 (on file with EPIC).
[1207] The DPC makes their statistics on a yearly basis, from January 1 to December 31. For the purposes of this report, the numbers have been estimated for the period of January 1 to April 30.

[1208] See <http://www.ris.bka.gv.at/dsk/> (in German).

[1209] E-mail from Mag. Georg Lechner, supra.

[1210] Id.

[1211] See Section 30, Paragraph 6, DSG 2000.

[1212] Section 4 No. 4, DSG 2000.
[1213] Austrian Federal Law Gazette part I No. 165/1999.
[1214] E-mail from Mag. Georg Lechner, supra.
[1215] See DSG 2000 s. 8.

[1216] Id. at 8.
[1217] “EC: data protection inadequate in Austria and Germany,” EDRI-gram newsletter, number 3.17 August 24, 2005, available at <http://www.edri.org/edrigram/number3.17/DPA>.
[1218] Id.

[1219] § 1328a ABGB, available at <http://www.dsk.gv.at/abgb.htm> (in German).

[1220] §§ 92-107, Telekommunikationsgesetz 2003 (Telecommunications Law) ("TKG2003," BGBl I 70/2003).
[1221] A complete list can be obtained at <http://www.infektionsnetz.at/TextExtMeldepflicht.phtml> (in German).

[1222] Financial Action Task Force, FATF Welcomes Proposed Austrian Legislation to Eliminate Anonymous Passbooks, June 22, 2000 <http://www.fatf-gafi.org/dataoecd/59/10/35717942.pdf>.
[1223] Section 40 Bankwesengesetz, Federal Law Gazette No. 532/1993.

[1224] Data Protection Working Party - Article 29, Fifth Annual Report of the Situation Regarding the Protection of Individuals with Regard to the Processing of Personal Data and Privacy in the European Union and in Third Countries Covering the Year 2000, March 6, 2002, available at <http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2002/wp54en_1.pdf> and <http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2002/wp54en_2.pdf>.

[1225] § 22 (2a) Militärbefugnisgesetz (Federal Law Gazette I, Nr. 86/2000).
[1226] Arge Daten Privacy Service, "Militärs - Lauschgeil durchs Land," June 17, 2002, available at <http://www2.argedaten.at/php/cms_monitor.php?q=PUB-TEXT-ARGEDATEN&s=95162atc> (in German); VIBE, "Willkürlicher militärischer Zugriff auf Benutzerdaten," June 18, 2002, available at <http://www.vibe.at/aktionen/200206/mil_18jun2002.html> (in German).

[1227] Bildungsdokumentation, Austrian Federal Ministry for Education, Arts and Culture, available at <http://www.bmukk.gv.at/schulen/recht/bdok/Bildungsdokumentation9057.xml>.
[1228] The data types that are stored have been formulated as a standard application "SA025" in this ordinance: Standard- und Muster-Verordnung 2004 (StMV 2004), Federal Law Gazette II Nr. 312/2004.

[1229] "Daten auf der E-Card," available at <http://www.chipkarte.at/esvapps/page/page.jsp?p_pageid=220&p_menuid=51909&p_id=4>.
[1230] Chief Information Office (Bundeskanzleramt Österreich), Konzept Bürgerkarte <http://www.cio.gv.at/identity/>.
[1231] Oesterreichische Computer Gesellschaft (Austrian Computer Society), "OCG-Mitgliedskarte mit Bürgerkarten-Funktion," available at <http://www.members.ocg.at/>.

[1232] E-GovG, Federal Law Gazette I, Nr. 2004/10.
[1233] The name "Bürgerkarte" has been kept for historical reasons, although it no longer defines the card itself.
[1234] The bPK is the result of a mathematical one-way (hash) function, based on the individual citizen's number and the code of the specific administrative body. This function cannot be reversed, which means that the original citizen's number cannot be revealed via the bPK. However, in certain cases it will be possible to find out whether bPKs in different administrative areas refer to the same person. This is regulated in §10 E-GovG and is done as follows: The DPC receives the bPK and the person's name, and then calculates all bPKs of persons with the same name. Via "trial and error" the resulting bPKs will be compared until a match is found. Based on this the DPC will calculate the bPK of this person for the area of the applying administrative body and communicate the bPK to the applicant. At no time is the citizen's number of a natural person known to anybody outside the DPC. Neither is there a way to reveal the number via the bPK alone, without already "knowing" the citizen's number, i.e. the DPC's "trial and error" method.

[1235] § 149a to § 149p Strafprozeßordnung – StPO 1975, BGBl. Nr. 631/1975.
[1236] "Automationsunterstützter Datenabgleich," regulated by Section 149i of the Code of Penal Procedure.
[1237] "Österreich übernimmt Lauschangriff und Rasterfahndung ins Dauerrecht," Heise, October 13, 2001, available at <http://www.heise.de/tp/deutsch/inhalt/te/9806/1.html> (in German).
[1238] See for more details <http://www.epic.org/privacy/intl/austrian_vfgh-022703.html>.
[1239] Ordinance of the Federal Minister of Transport, Innovation and Technology over the Surveillance of Telecommunication (Überwachungsverordnung – ÜVO), Federal Law Gazette II, Nr. 418/2001.
[1240] Ordinance of the Federal Minister of Justice over the reimbursement of costs for the assistance in the Surveillance of Telecommunication (Überwachungskostenverordnung – ÜKVO) Federal Law Gazette II, Nr. 322/2004, available at <http://ris1.bka.gv.at/authentic/findbgbl.aspx?name=entwurf&format=html&docid=COO_2026_100_2_117197> (in German).

[1241] Amendment to the Police Law (Sicherheitspolizeigesetz, SPG) Federal Law Gazette I, Nr. 151/2004, available at <http://ris1.bka.gv.at/authentic/findbgbl.aspx?name=entwurf&format=html&docid=COO_2026_100_2_137404> (in German).

[1242] WP29, Ninth Annual Report on the Situation Regarding the Protection of Individuals with Regard to the Processing of Personal Data and Privacy in the European Union and in Third Countries Covering the Year 2005, 16, June 14, 2006, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual_report_en.pdf>.
[1243] Id.
[1244] Id.

[1245] Id. at 18.
[1246] Id.

[1247] Daniel Sokolov & Craig Morris, “Legal Experts Say That Austria May Have 100,000 Illegal Video Monitors,” heise online, October 20, 2006, available at <http://www.heise.de/english/newsticker/news/79786>.
[1248] Id.
[1249] Id.
[1250] Id.
[1251] Id.
[1252] WP29, Ninth Annual Report on the Situation Regarding the Protection of Individuals with Regard to the Processing of Personal Data and Privacy in the European Union and in Third Countries Covering the Year 2005, 16, June 14, 2006, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual_report_en.pdf>.
[1253] Id.

[1254] Directive 2006/24/EC, Official Journal of the European Union, March 15, 2006, available at <http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf>.
[1255] “The Austrian government has postponed the law for data retention,” EDRI-gram newsletter, number 5.13, July 4, 2007, available at <http://www.edri.org/edrigram/number5.13/austria-data-retention>.
[1256] Id.
[1257] Id.
[1258] Id.

[1259] “The Treaty of Prüm makes Europe safer - EU police forces share data,” German Ministry of the Interior, March 15, 2007, <http://www.eu2007.bmi.bund.de/nn_1059824/EU2007/EN/DomesticPolicyGoals/News/Content__News/Hanning__dbb.html>.
[1260] “Europe plans to extend DNA data sharing,” Out-Law News, February 20, 2007 <http://www.out-law.com/page-7786>.
[1261] “European DNA-data interchanges raise privacy concern,” BJHC&IM Newsletter, February 2007 <http://www.bjhcim.co.uk/news/1/2007/n702002.htm>.

[1262] International Institute for Democracy and Electoral Assistance (IDEA), Web page on Compulsory Voting, available at <http://www.idea.int/vt/compulsory_voting.cfm>.
[1263] Strengthening regional and local democracy in the European Union, Volume I, Austria page 71, available at <http://www.cor.europa.eu/document/documents/cdr171_2004_vol1_etu_en.pdf>.
[1264] Id.
[1265] Id., at 72.

[1266] BGBl, 1987/287 (May 15, 1987), available at <http://www.rz.uni-frankfurt.de/~sobotta/Austria.htm>.

[1267] International Helsinki Federation for Human Rights. 2002 Report on Austria (Events of 2001), May 28, 2002, available at <http://www.ihf-hr.org/viewbinary/viewdocument.php?download=1&doc_id=145>.
[1268] Id.
[1269] Federal Law Gazette I, Nr. 23/2002. See, for more details, the Parliament's Web site <http://www.parlament.gv.at/portal/page?_pageid=908,308521&_dad=portal&_schema=PORTAL>.

[1270] Signed January 28, 1981, ratified March 30, 1988, entered into force July 1, 1988, available at <http://conventions.coe.int/>.
[1271] Signed December 13, 1957, ratified September 3, 1958, entered into force September 3, 1958, available at <http://conventions.coe.int/>.
[1272] Signed November 11, 2001.


URL: http://www.worldlii.org/int/journals/EPICPrivHR/2006/