The days of the Austrian DPA are numbered

By EDRi · October 10, 2007

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The lack of adequate independence of the Austrian Data Protection Authority
(Datenschutzkommission) is an issue the European Commission deals with since
a complaint was filed by the data protection association Arge Daten
back in October 2003.

In July 2005 the Commission started infringement procedures against Austria
for a faulty implementation of Article 28 (1) second sentence of the data
protection directive (95/46/EG) which requires that data protection
authorities shall exercise their functions with complete independence.

The Austrian Data Protection Commission is, in terms of organisation and
staff, integrated in the Federal Chancellery.

According to a draft law, aiming to change various regulations of the
Austrian Constitution that was open for public consultation until mid
September, the DPA will be closed down. Some of the duties of the DPA are
planned to be assigned to nine administration courts (one in each of the
nine Austrian provinces) that will be established with this new law. By
which organisation(s) the remaining duties will be fulfilled remains
unclear.

In its bi-annual activity report for the years 2005 – 2007 the DPA strongly
opposes these plans, arguing that the possibilities to assign the duties of
the DPA to administration courts are limited, since these courts can only
deal with complaints about unlawful behaviour of administrative bodies.
Complaints about unlawful behaviour of private sector entities will then be
dealt with by civil courts.

This will not only make it difficult for citizens to find the responsible
court but also increases the barrier and costs to execute ones’ rights,
since (administration) court procedures are by far more formal than the very
informal procedures of the existing Data Protection Authority.

While it remains unclear which organisation(s) will fulfil the remaining
duties of the DPA the draft law includes provisions to create “independent”
institutions that are not bound to directives of their superior
institutions. But superior institutions will be granted the right to examine
all procedures of the “independent” institution and to withdraw the
“independent” institutions for “important reasons”.

If this draft law comes into force without substantial corrections this will
lead to an even lower level of enforcement of data protection rights than
Austria enjoys today. This level is rather low in Austria since the DPA
suffers of a lack of staff while its workload constantly increases.

In a comparison of the number of staff of European DPAs in relation to
inhabitants of their countries, the Austrian DPA is on rank 27 (24 in the
year 2004) out of 31 countries. On the average, similar sized countries have
DPAs with 40 staff members, the Austrian DPA only has 20.

While in most other countries the number of staff increased between 2004 and
2006 it remained the same in Austria, but even worse, the important position
of the contact person to international organisations like the Article 29
working party had to be given up due to new duties that were assigned to the
DPA.

Concluding, it has to be said that the draft law, that will result in
shutting down the Austrian DPA, seems to be a consistent step further in a
history of non-ambitious data protection policy. While Austria’s officials
are proud to be rated again number one in E-Government they should rather be
ashamed of being tail-light in data protection.

Austrian Data Protection Authority
http://www.dsk.gv.at

Arge Daten
http://www.argedaten.at

EDRI-gram: EC: data protection inadequate in Austria and Germany
(24.08.2005)
http://www.edri.org/edrigram/number3.17/DPA

Draft law – on the Austrian Parliament webpage
http://www.parlinkom.gv.at/portal/page?_pageid=908,6614640&SUCHE=J&_dad=portal&_schema=PORTAL

Bi-annual report of the Austrian DPA for the years 2005 – 2007
http://www.dsk.gv.at/Datenschutzbericht2007.pdf

(contribution from Andreas Krish – EDRI-member VIBE! – Austria)