Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

New Austrian data law enters into force in January [1999] PLBIRp 50; (1999) 51 Privacy Laws and Business International Report 3

New Austrian data law enters into force in January

A report by Hans G. Zeger

ON 1ST OF JANUARY a completely new data protection law implementing the EU Data Protection Directive will enter into force in Austria. Implementation takes place 14 months after the EU deadline. How good are the results?

The debate to enact the first Austrian data protection law lasted about six years. It was eventually adopted in 1978 and entered into effect in 1980. Approximately the same length of time has been needed for a new law (165/1999) to emerge. Between these two milestones there has been a rapid evolution of information technologies and the information society, but nearly no evolution of the data protection law in Austria.

PRIVACY LAW'S MARGINAL IMPACT

In 1998 a broad study (see info box) was carried out on the experience of enforcing the old Data Protection Act in Austria. Approximately 1,663 cases that were studied give a comprehensive picture of Austrians' understanding of privacy, or, in this case, the lack of understanding. The main problem area has been the violation of secrecy of personal information. There have also been problems in enforcing individuals' rights, such as the right to know what personal data were being processed. The existing data processing rules have clearly been inefficient.

The study suggests that many violations are structural in nature rather than merely isolated cases. It is not surprising, therefore, that the problems of law enforcement, high legal costs and the long duration of legal proceedings are the most negative experiences of the old law.

LESSONS FROM THE PAST

The EU Directive was a response to the change of paradigm in the information society. In the 1970s, the idea of "big brother" was prominent in the privacy debate. Only few, mostly governmental data processing systems were controlled and monitored. Today, everyone can process data on computers and the challenge is to control abuse without harm to the positive aspects of information processing.

In addition, there was the misconception that automatic data processing was much more dangerous than manual data processing. Today we know that it is the content and amount of information, not the method of processing, that is important.

Another misconception was that every single step in data processing (such as collecting data, transferring data or processing data) should be regulated separately. Now we know that data processing operations should be looked at as a whole.

THE MOST IMPORTANT CHANGES

Major changes have been made in the new law. Improvements include the following:

1. Up until now only automatic data processing was within the scope of the law. Now manual processing is also regulated in detail.

2. Now the regulations are the same for the public and private sectors. Unfortunately enforcement of the law has not been adjusted. The Data Protection Authority can only investigate complaints in the public sector. Complaints about data processing in the private sector have to be dealt with by the civil court.

3. Many data controllers will no longer need to register in the future. This will make administration much easier for many organisations.

4. The processing of sensitive data (Art. 8 "special categories of data") may be subject to prior checking by the Data Protection Authority.

5. The Data Protection Authority has wider powers than before. In cases where it suspects problems, the authority can inspect all data controllers, regardless whether they are in the private or public sector.

6. The obligation of the data controller to inform data subjects about collecting personal data has been introduced (Art. 10). Also, data subjects have the right to object to processing (Art. 14).

7. There is a right to compensation in all cases where a breach of privacy has taken place. It is not necessary to prove causal material damage.

8. Data flow within the European Union is generally free.

9. For the first time, the situation of having joint controllers is explicitly regulated.

10. Data controllers are now obliged to notify, in general terms, their security arrangements to the Data Protection Authority.

DOES THE AUSTRIAN LAW MEET THE "SPIRIT" OF THE DIRECTIVE?

In spite of the multiplicity of new approaches and new regulations, there are substantial doubts whether the new law conforms with the Directive. There is no reform of the offical data protection institutions. The goals of data protection are to both authorize data controllers to process personal data and also to protect data subjects against breaches of the law. However, the role of acting as an advocate for data subjects is still missing.

There is no unification of the enforcement function. Data subjects who wish to exercise their rights against private sector controllers have to resort to expensive legal proceedings in the civil court.

Unfortunately, there are no extra resources to undertake the work that will result from the increase in power of the Data Protection Authority. Now only 4-8 persons work for the authority, most of them without specific knowhow in information technology. Such a small number of people are not able to supervise and inspect 600,000 Austrian data controllers.

The individuals' right to object to processing, and the obligation of the data controllers to inform data subjects have too many exceptions and cannot be effectively exercised by the data subjects. Also, the question of authority between the nine Austrian states and the federal government leads to ten (!) different data protection laws (one federal + nine statespecific laws).

THE NEXT STEPS

The new law needs some additional regulations which will show us, in the long run, whether the new law will bring about improvements for data controllers or data subjects.

The new law, however, brings a new drive to the Austrian privacy debate, which is an achievement on its own. Another benefit is positive is the regulation of specific areas within the law, such as joint controllers of data, the processing of sensitive data or data for scientific and statistical purposes.

In the near future, it will be necessary to define specific regulations for online services, and address the question of privacy in open networks, such as the Internet. I hope that these future steps will not take as long as the change from the 1978 law to the new law.

This report was written for Privacy Laws & Business by Hans G. Zeger, Head of Arge Daten - the Austrian Society for Privacy and Data Protection. The society examines the interaction between computer science, information law and society. The society is open for individuals and organisations to join. The new Austrian law (165/1999), Bundesgesetz über den Schutz personenbezogener Daten is available on Arge Daten's website at http://www.argedaten.at/dsg2000 (in German). The society has recently published a study on experience with the old law and enforcing data protection in Austria (Zeger, Widerin, Kronegger: Erfahrungen zum Datenschutz 1980-1998, Wien 1999). To order, contact Arge Daten, Sautergasse 20, A-1170 Vienna, Austria, Telephone: + 43 1 4897893, Fax: +43 1 489789310, e-mail: privacy@ad.or.at. Price: ATS 2,700.