Austria: Some EU data protection policy developments in 2008

By EDRi · January 28, 2009

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

In Austria the international data protection day on 28 January will pass by
widely unrecognised. This year, as already in 2008, the Data Protection
Commission (DSK; the Austrian Data Protection Authority) and the Data
Protection Council (DSR; a political advisory board) will together organise
a meeting for a strictly limited amount of interested persons (max. 100
participants) where they will present European and international
developments in data protection. In contrary to 2008, where they were
confronted with by far more than 100 registrations, the event was promoted
very poorly. On the homepage of the DSK and on the ‘Data Protection Day’
website on the Council of Europe website it is not even mentioned!

This situation is somewhat symptomatic for Austrian data protection. Data
protection here usually is not for the masses, it is an administrative task
that rather involves formalised decisions than public debate and open
discussions. It’s a pity that the organisers of this years event chose to
maintain the access restrictions. Opening the event for a broader audience
would have given the option for further development towards an annual
Austrian Data Protection Conference. For this year the chance is gone but
there is another chance next year. We’ll keep you informed.

The following paragraphs provide a summary of major developments in the past
year with regard to legislative initiatives, surveillance trends and
important data breaches. Finally an outlook to the coming years will be

Legislative Initiatives

On 6. December 2007 the Austrian Parliament adopted a reform of the law on
security police. Ten minutes before midnight of that day (the last
parliamentary session of the year) members of the governing parties (Social
Democrats and Conservatives) tabled an amendment that significantly
increased the surveillance possibilities for security police, while ignoring
the usual parliamentarian workflow of discussing amendments in the relevant
committee before voting. Result of this initiative is that mobile
telecommunication and Internet providers have to provide location
information of mobile phones and IP addresses on request of security police.
A court permission is not required! In the first five weeks of 2008 location
data of 82 mobile phone users and the identity of 2.766 subscribers were
requested. According to an article published in the Austrian newspaper “Die
Presse” there are 32 such requests per day. The members of the Parliament
who tabled the mentioned amendment received the Austrian Big Brother Award
2008. Several complaints against the law were filed with the Austrian
Constitutional Court.

In April 2008 an amendment to the Data Protection Act 2000 was published for
comments. Key elements are legal requirements for video surveillance by
private operators, new requirements for private businesses with at least 20
employees to create the position of a data protection supervisors and
harmonisation of responsibilities (the federal government gets all data
protection competences). Currently the Data Protection Commission has to
approve video surveillance installations of private operators. According to
the proposed amendment video surveillance will be allowed in future if
dangerous attacks or criminal offences were committed in that area within
the last 10 years, or if expensive objects worth more than 100.000 EUR or of
exceptional artistic value need to be protected. Video surveillance needs to
be properly announced and will remain prohibited in toilets and changing
rooms. Furthermore the amendment proposes a centralised database of all
private video surveillance installations. If needed the police will be
allowed to access the data of these cameras. In general the retention of
video data will be limited to 48 hours, which can be extended on request to
the DSK. In future it will not be required to file realtime
video-surveillance with the DSK. Police access to highway video surveillance
is envisaged and fortunate discoveries may be used for penal action. Due to
the premature reelections of the Austrian Parliament in 2008 the amendment
to the Data Protection Act 2000 finally did not make its way through the
legislative process. It is expected to re-appear in 2009.

On the proposal of the European Commission on the use of Passenger Name
Record data, a Social Democrat MPs tabled a motion for resolution with the
Austrian Parliament. They proposed to wait for the decision of the European
Court on the structural similar data retention directive and on the entering
into force of the Lisbon treaty. Furthermore they ask to consider the
opinion of Article 29 working group on the Commission proposal, since there
are severe data protection concerns.

Data retention – The data retention directive is still not implemented in
Austria. There are no known plans to do so in the near future.

On biometric passports the Council of Ministers decided in June 2008, that
fingerprints of the two index fingers (if existing) will be stored on an
RFID chip on the passport. The data additionally will be stored for up to
four months at the Staatsdruckerei, which produces the passports. Currently
the parliamentarian decision making process is ongoing: On 21.01.2009 the
National Council adopted the respective law with votes of all represented
parties except the Greens. The Federal Council will vote on it on
27.01.2009, one day before the International Data Protection Day. It is
expected that the law will not be rejected there.

In 2007 the Federal Minister of the Interior and the Federal Minister of
Justice agreed on the implementation of hidden uses of remote forensic
software (so called federal trojan horses) and established a working group
to work on the details of the legal and technical issues. In April 2008 the
working group published its final report. The experts claimed that from a
constitutional point of view a number of fundamental rights are affected
which limit the implementation of such online-searches and constitute
warranty deeds for the state.

Surveillance Trends

The major surveillance trends of 2008 all focus on uses of video
surveillance. In traffic control we saw the introduction of systems for
automated checking of road tax vignettes, automated scanning of vehicle
number plates where the collected data is checked against a wanted vehicles
list, and the use of video surveillance for the execution of speed limits
(section control). In the case of section control Austrian highest courts
decided that it only may be used on a case by case order of the competent
Minister, including a detailed description of the special setup.

Other examples of increased video surveillance are the pilot-use of
video-surveillance in trains of Vienna’s underground, where data are stored
for 48 hours, video surveillance in trains from the Austrian Railway and
video surveillance in residential buildings owned by the City of Vienna
where garages, elevators and rooms for dust bin storage will be monitored.
The pilot phase of the so called dust bin monitoring was approved by the DSK
and will last until end 2009. Aim is the protection against vandalism.

Important data breaches

In 2008 the case of a teenage asylum seeker and her family received lots of
media coverage in Austria. When the pressure on the Ministry of the Interior
was too intense, personal data on a family member from the police
information system EKIS and from the police file index leaked to the public.
Pictures from these files together with a corresponding press release were
published on the Internet by a senior official of the Ministry. Police
investigations on this data leakage are ongoing.

The administration of the residential buildings of the City of Vienna,
Wiener Wohnen, sent a questionnaire to all 220 000 renters of their flats
asking for their opinion on their flat, their neighbours, the surrounding of
the building, the security situation, their administration and the City of
Vienna. Wiener Wohnen offered that the questionnaire could be returned
anonymously by blacking the Name printed on the form. The responsible City
Council said, that the barcode on the second page of the form only would be
used as a reference to the administrative district the answer came from.
This was in the best case misleading, since the barcode contained the
renters complete customer number, which allowed for a personalisation of the
answers given on the questionnaire. The director of Wiener Wohnen received
the Austrian Big Brother Award 2008.


After the premature reelections in 2008 a new government took office last
year. Their government programme includes the following topics relevant to
data protection: The use of remote forensic software (so called federal
trojan horses) by police will be allowed. It will be clarified that the DSK
is not competent in cases where the Criminial Investigation Department is
active in cases of criminal law. The cooperation with Schengen partners will
be intensified, common Visa- and Biometric-Centers will be established,
possible cooperation with external service providers (outsourcing) will be
analysed. A DNA-Offensive aims for a nationwide collection and analysis of
DNA samples and will serve as a basis for new application areas. Electronic
health records will gain increased importance.

The implementation of the data retention directive is not mentioned in the
government programme. A decision of the Constitutional Court on the
complaints against the law on Security Police is expected in 2009.

At this years election of the Austrian Students Union in May 2009 the
Federal Government wants to run an e-voting pilot. The Austrian Students
Union strongly opposes these plans due to unresolved legal and technical
questions. Also the Data Protection Council advised to refrain from this
plans. This pilot election is commonly considered to be a test-case for the
use of e-voting in elections to the Austrian Parliament.

Data Protection Commission

Law on Security Police (only in German)

Die Presse on access to location information and IP addresses by Security
Police (only in German)

Austrian Big Brother Awards (only in German)

Proposed amendment to the Data Protection Act 2000 (only in German)

Motion for a resolution on PNR-data (only in German)

Parliamentary decision on biometric passports (only in German)

Final report of the working group on remote forensic software (so called
federal trojan horses)(only in German)

Government programme of the Austrian Federal Government (only in German)

Opinion of the Data Protection Council on E-Voting at the elections to the
Austrian Students Union (only in German)

(contribution by Michael Hofer and Andreas Krisch – EDRi member VIBE!AT)