EC: data protection inadequate in Austria and Germany

By EDRi · August 24, 2005

The European Commission has started infringement procedures against the
governments of Austria and Germany for failing to ensure adequate
independence of their Data Protection Authorities.

In Austria, the Commission was alerted by a complaint from the data
protection association Arge Daten in October 2003. On 5 July 2005, the
Commission responded by instigating official proceedings against the
Republic for a faulty implementation of Article 28 (1), second sentence,
of the data protection directive (95/46/EG), which requires that data
protection authorities shall exercise their functions with complete
independence.

The Austrian Data Protection Commission is, in terms of organisation and
staff, integrated in the Federal Chancellery and its managing member is a
senior official of the Chancellery.

In its 2005 activity report, the Data Protection Commission (DPC) responds
to the European Commission by describing the history of its organisational
structures. It claims that in 1999 Austria was one of the first states to
implement the directive in national law and that it was unclear at the
time what standards would develop for “independent protection
authorities”.

Besides the lamentable lack of independence, the Austrian DPC suffers from
a chronic shortage of staff. After some increases in the last two years,
the DPC now employs eight persons plus 10 persons working with the Data
Processing Register. This amounts to a proportion of 1 data protection
officer per 400.000 inhabitants. In a roughly equally sized country like
Sweden this ratio is 1:230.769. Larger countries like the Czech Republic
and Hungary still rank ahead of Austria, with 1:126.582 and 1:185.185.

This staff shortage leaves the DPC unable to undertake investigations
that are not triggered by a specific event, and has led to an all-time
high of formal complaints about unjustifiably long processing times. In
its activity report the DPC states that, while other problems remain, at
least the long processing times should be a thing of the past. It is to be
hoped that the formal action of the European Commission will do its part
to help resolve the remaining problems.

Similarly, in Germany the government has been given until 5 September 2005
by the Commission to create full independence of the regional DPAs. This
decision was also prompted by a complaint filed in 2003, this time by the
legal scholar Patrick Breyer. On the provincial level, members of the
local government (Regierungspräsidium) act as data protection authority.
While these DPAs have formal independence regarding state data protection,
in civil cases they are supervised by the provincial ministries. The
e-zine Heise reports that Breyer elaborated on a specific example in the
province of Hessen, where the DPA allowed an internet company (T-Online)
to store the IP addresses of a flat-fee service for a period of 80 days.
When a user of this service was prosecuted for posting a satirical
contribution, but acquitted, he took the data retention practice to court.
The provincial DPA said it was perfectly legal, only to be corrected much
later by an independent local judge who ordered T-Online to stop
collecting detailed traffic data.

According to Breyer, the state-embedded provincial DPAs also respond ‘in a
lethargic way’ to complaints from citizens, while the truly independent
provincial DPAs defend civil rights in a very engaged way.

Letter from the Commission to Arge Daten (22.07.2005)
ftp://ftp.freenet.at/beh/eu-vertragsverletzung-5109.pdf

Datenschutzbericht 2005, Report of the Austrian Data Protection
Commission covering 01.01.2002 until 30.06.2005
http://www.dsk.gv.at/Datenschutzbericht2005.pdf

EU-Kommission pocht auf Unabhängigkeit der Datenschutzbehörden (23.07.2005)
http://www.heise.de/newsticker/meldung/62007

(Contribution about Austria by Andreas Krisch, EDRI-member VIBE!AT)