Austria’s biggest privacy scandal: residential addresses made public

Nobody took data protection into account for the so-called “Supplementary Register for Other Concerned Parties” (Ergänzungsregister für sonstige Betroffene). The Ministry for the Economy and the Finance Ministry are responsible for a data breach to which the Austrian Economic Chambers were an accomplice.

By Epicenter Works (guest author) · May 13, 2020

Personal data of at least one million people have been publicly posted on the Internet for years without any protective measures, as NEOS and epicenter.works explained in a joint press conference on 8 May. This is a gift from the Republic to every data dealer and identity thief. “The technical and organisational measures necessary for protecting the rights of the affected persons according to GDPR are completely absent”, adds epicenter.works’ managing director Thomas Lohninger. In contrast to the Central Register of Residents (ZMR), all protective mechanisms are missing here, such as requiring identification of the querying person or charging a fee for the release of data, or the option to protect one’s own data with an informational release block.

Private residential addresses are particularly sensitive

“We do not yet know exactly how many people are affected by this data scandal and which groups are involved,” Lohninger continues. “According to our estimates, there must be about one million concerned people.” It could also be deduced from the data when tax returns were filed or whether, for example, state assistance was received. “What is even more dramatic is that the private residential addresses of these people are publicly available on the Internet and there is no way to defend oneself against it. From the Federal President downwards, almost everyone can be found there who has and has had income other than from non-self-employment”, the data protection expert adds.

No purpose, no information block, no protective measures

“The purpose of this public register is not apparent. Public registers regularly entail rights and obligations, such as entries in the Civil Register, Register of Companies or Register of Associations. Although the internal provision of source numbers within the administration may be the reason for the creation of the supplementary register, this does not explain its years of public and barrier-free access,” says epicenter.works’ lawyer Lisa Seidl. In many cases, the scope of the accessible data goes beyond the data that can be retrieved from the ZMR and, in contrast, there are no protective mechanisms, such as requiring the identification of the querying person, charging a fee for the release of information or providing the option of setting up an informational release block. Even if the 2009 regulation provides a legal basis for the publication of the register, this regulation could constitute a violation of the fundamental right to data protection, said Seidl.

On the basis of redacted excerpts from this database, we can show that the data of journalists, politicians and other persons who are particularly concerned about the confidentiality of their private data were included. For example, out of 183 members of Parliament, 100 were visible with their private addresses. You can find a corresponding list here. Furthermore, many Public Broadcasting (ORF) journalists could be found easily.

How is this different from the Commercial Register?

The Commercial Register is easily accessible, but it costs quite a lot – 12.90€ per extract – and is essential (i.e. it has an important purpose), because you have to and should know about the economic risk you are taking when you sign contracts with other companies. In any case, it does not contain private residential addresses, but the business addresses of the companies.

Is the regulation potentially even illegal or unconstitutional?

In principle, the Austrian state must comply with GDPR, but it is exempt from penalties. If data that are not already publicly accessible (e.g. tax data of private individuals – not companies!) are in the register, this needs its own legal basis (in this case a decree), and only then, according to the GDPR, can the data be processed. However, this decree could still be unconstitutional (§1 of the Data Protection Act (DSG) has constitutional status). Justified constraints of fundamental rights always require a legitimate objective that is necessary and proportionate. The register falls at this first hurdle, as making tax data accessible to the public is not a “legitimate objective”. Therefore, the constraint of fundamental rights is unjustified and a violation of the fundamental right to data protection. As long as the Austrian Constitutional Court has not repealed the regulation on the grounds of unlawfulness or unconstitutionality, it is to be applied.

Chronology of the register

  • Decision to establish this register publicly 2004/2009, Schüssel / Faymann
  • Register transferred to the Austrian Ministry for the Economy in December 2018 without question, no protective measures established, despite introduction of GDPR no enforcement of the rights of those affected
  • Austrian Finance Ministry continuously sends data to registers, unclear from which sources

Read more:

Größter Datenskandal der Republik: Über eine Million Wohnadressen öffentlich (08.05.2020)

Austrian government hacking law is unconstitutional (18.02.2019)

Austrian postal service involved in a data scandal (28.01.2019)

(Contribution by Thomas Lohninger, from EDRi Member epicenter.works)