Austria: Outsourcing data retention obligations to the US

This article is also available in:
Deutsch: [VDS in Österreich: Auslagern der Speicherverpflichtung an die USA | https://www.unwatched.org/EDRigram_11.14_VDS_in_Oesterreich_Auslagern_der_Speicherverpflichtung_an_die_USA?pk_campaign=edri&pk_kwd=20130717]

During the ECJ lawsuit against the data retention (DR) directive it
became clear that DR obligations may have been outsourced to
contractors, maybe even to US-based companies, thereby giving US
authorities potentially unrestricted access to all such retained data.

Austria is one example of EU member state with data retention in place.
Therefore, the Austrian NGO Initiative für Netzfreiheit asked the
national data protection authority (DPA) whether it could rule out that
Austrian service providers have outsourced their DR obligations, maybe
even to US based contractors and storage locations.

The head of the Austrian DPA answered that they had no way of knowing
whether Austrian service providers have outsourced their DR obligations
at all, let alone to US based contractors. If DR obligations were
outsourced to unsafe third countries, this would have to be registered
with them. However, due to the safe harbor provision, US based companies
that take part in it are exempted from the registration obligation.

The Austrian DPA has the authority and duty to ensure that appropriate
security measures have been established for all DR obligations. For this
purpose, the Austrian DPA also has the right to inspect the data centers
where data retention occurs in order to be able to assess the
effectiveness of the security measures in place. The Austrian DPA stated
to the Initiative für Netzfreiheit that in over 15 months of the data
retention being required by law they did not assess any data retention
security measures at all but that they were planning to do so. Also,
when asked if they thought that they could really get access to the
datacenter of a US based service contractor, the DPA admitted that they
had not thought of such a case yet and that they didn’t think they could
actually execute their inspection rights at US located data centers.

In summary, it has to be concluded that there is no way for the Austrian
DPA to even know about US-based outsourcing of DR data handling. Nobody
can rule out that Austrian service providers have outsourced their DR
obligations and thus nobody can rule out that Austrian DR data are
stored on servers in the US, thereby giving US authorities direct access
to the DR data of Austrian citizens.

The Initiative für Netzfreiheit thus demands the immediate repeal of
the data retention in Austria as well as the annulment of the safe
harbor provision. “It is completely unacceptable that US services might
have direct access to the location and connection data of Austrian
citizens. This demands immediate action.”, says Josef Irnberger for the
Initiative für Netzfreiheit.

“Not even the data protection authority can rule out direct access by US
authorities to the data retention data of Austrian citizens, nor could
they even rightfully demand access to US data centers. Seen alongside
the blatant human rights violation created by the very existence of the
data retention directive itself, this really takes the biscuit” added
Josef.

Original press release (only in German, 11.07.2013)
https://netzfreiheit.org/2013/07/11/pressemitteilung-prism-vorratsdaten-durch-us-spionage-in-akuter-gefahr/

CEJ Data retention case – live blogging (only in German, 9.07.2013)
https://netzpolitik.org/2013/live-ticker-vom-eugh-verfahren-gegen-die-vorratsdatenspeicherung/

Safe harbor
https://en.wikipedia.org/wiki/Safe_harbor_%28law%29

(contribution by Josef Irnberger – EDRi member Initiative für
Netzfreiheit – Austria)