skip to content
 

Data Protection Laws and Freedom of Expression Report: Austria Flag of Austria.svg

 

 

Constitutional/Primary Law Background - See also ECHR and EU Charter

Article 149(1) of the Austrian Constitution (as revised 2013) grants constitutional status to the Basic Law on the General Rights of the Citizen which was originally enacted in 1867. Article 13 of this law protects freedom of expression by establishing the right within legal limits to expression of thought and prohibiting press censorship or licenses. Although there is no right to privacy as such, Article 9 protects the inviolability of domicile and article 10 the secrecy of letters. In addition, Article 1 of Data Protection Act, originally passed in 1978, enunciates constitutional data protection rights to data secrecy (insofar as there is an interest in such), to request-based transparency and to the rectification of inaccurate and deletion of illegally collected data. Originally and prior to 2012, the article also protected the data of legal persons (albeit stressing that claims would need to go through the ordinary courts) but this was removed as the general scope of data protection in Austria was also amended.

 

First-Generation Statutory Law

On 18 October 1978, the Austrian Parliament adopted Austria’s first data protection law.

Special Expression Derogation
Austria generally exempted the journalistic activities of the mass media from all substantive data protection standards. However, this derogation was expressly stated to be pending the enactment of provisions concerning data protection in future media legislation. It also left unaffected the data subject’s (albeit qualified) constitutional rights to keep private personal data secret, to access information relating to them which was automatically processed, and to ensure the rectification of such data.  These constitutional rights were set out in section one of the Act.  The substantive statutory derogations in favour of professional journalism were nevertheless far-reaching (s. 54).

Broad Expression Derogation
There was no provision.

Personal Exemption
Austria did not initially include an explicit household exemption. Such an exemption was later introduced in 1986 (s. 17(2)).[1]

Knowledge Facilitation Framework
Austria did not include any special provisions for knowledge facilitation.

Parliamentary Debates
Special Expression Derogation
During the second reading debates, Dr. Veselsky (SPÖ, social democrats) highlighted the so-called  ʻmedia privilegeʼ.[2] He explained that the privilege was included after thorough consideration of the conflict between the right to privacy and the freedom of the press and that this issue should be dealt with in a subsequent media law.[3] The exemption should ‘however only apply until the new media law is adopted’ and was only applicable to undertakings performing ‘solely media functions’ (‘die sich ausschliesslich dem Medienzweck widmen’). Otherwise private undertakings could re-incorporate as a publisher and could thus escape the scope of the law.[4]

MP Steinbauer (ÖVP, conservatives) also commented on the necessity of the media exemption. Without such an exemption, a person could ask a newspaper what information it holds and could demand its deletion before an article would be published. This would jeopardise the freedom of the press which is based on working with archives. In this regard, freedom of the press would have to take priority over an individual’s right to data protection. This is particularly so since an abuse of the freedom of the press could be averted relying on libel claims.[5]

Dr. Gardenegger (SPÖ, social democrats) explained that the law was a weighing exercise. The protection of privacy would have to be weighed against the freedom of information and the freedom of the press. Eventually, the new law would have to ensure that neither the sending nor the receiving of news would be restricted.[6] Yet, he also indicated that the current situation would only be temporary as the media exemption would be addressed again in the envisaged media law.[7]

Personal Exemption
The personal or household exception was introduced to the data protection law in 1986.[8] Previous debates mainly focused on card files, notes and notebooks and contrasted the manual processing of data with electronically held data. Dr. Veslesky (SPÖ, social democrats) explained that data protection would be boundless if every ‘card file, note, notebook and diaries’ would need to be formally registered and subjected to the law.[9] Similarly, MP Hauser (ÖVP, conservatives) asked what kind of State would be created if the law would also cover every private collection of personal data.[10]

Knowledge Facilitation Framework
Dr. Veselsky (SPÖ, social democrats) raised the issue of a privilege / exemption for research in the second reading of the original data protection act in 1978. Such an exemption had been carefully considered but rejected as, it was argued, research would usually not need any personalized or individualized data but could use aggregate data. Although individual data might be needed in the context of historical research, such research would at the moment not be pursued electronically so that an exemption would not be needed (yet).[11] Although Dr. Ermacora (ÖVP, conservatives) explained that the issue of a research exemption would be a vexed one, he argued the fundamental right to the freedom of research and its theoretical foundations would be able to cover many potential issues.[12] However, such issues were then not debated in Parliament.

 

Second-Generation Statutory Law

In 2000, Austria adopted a new data protection law transposing and implementing Directive 95/46/EC into domestic law.

Special Expression Derogation
Austria exempted the media completely and unconditionally from all substantive data protection provisions, with the exception of all of the data quality principles. The use of data for journalistic activities was also expressly permitted insofar as this was necessary to fulfil the information function of media operators, media services and their employees in exercising the fundamental right to freedom of expression according to Art. 10(1) of the European Convention on Human Rights. Austria’s provisions in this area were limited to institutional media (s. 48).

Broad Expression Derogation
There was no provision.

Personal Exemption
A personal exemption based on the wording of Art. 2(3) of the Directive was transposed. However, the law stipulated that this could only be relied upon by individuals when processing data disclosed to them by the data subject or which they had received in a lawful manner (s. 45).

Knowledge Facilitation Framework
Austrian data protection law partially exempted the processing of personal data for scientific and statistical purposes from the compatibility principle. Personal data could be processed for scientific or statistical purposes if (i) provided for by a special law; (ii) with the consent of the affected data subject; or (iii) if the Data Protection Authority authorized such processing (s. 6(1)(2) and art. 46). Such authorization was to be granted if (i) consent by the affected data subject was impossible to obtain or required disproportionate effort; (ii) there was a public interest in the use of the data; and (iii) the person requesting authorization was professionally competent to carry out the processing for scientific or statistical purposes (s. 46(3)). No exemption was granted from the proactive direct and the reactive transparency rule. With regard to the proactive indirect transparency rule, a disproportionate efforts exemption (s. 24(3)(3)). Sensitive data could be processed for scientific and statistical purposes if (i) justified by a significant public interest; and (ii) the persons handling the data were bound by a statutory obligation of confidentiality (‘gesetzliche Verschwiegenheitspflicht’). The Data Protection Authority could impose further conditions, if deemed necessary for the protection of data subjects’ interests.

Parliamentary Debates
There were no discussions on the above mentioned exemptions in Parliament.[13]

 

Third-Generation Statutory Law

Austria implemented the GDPR with the so-called ‘Datenschutz-Anpassungsgesetz 2018’ (the Data Protection Amendment Act 2018) . Although the government initially suggested to repeal the original data protection law adopted in 2000 and pass a new law in its stead, the legislative eventually opted merely for amending the existing data protection law to comply with the new pan-EU requirements.[14]  Subsequent amendments have been made including an important one expanding providing an absolute exemption for journalistic activities governed by the Media Act and also expanded the scope of the special expression derogation. The amended Act can be viewed here.

Special Expression Derogation
Through s. 9(2) of its federal law, Austria provides that academic, artistic or literary expression is fully subject to the provisions on joint controller arrangements, requirements for the control of processing under the authority of the controller or processor and security of processing (arts. 28, 29 and 32 of the GDPR) as well as the confidentiality provision in the federal law (s. 6) and otherwise establishes that exemption from this law, all of the substantive provisions in the GDPR and the provisions on data protection authorities is possible if this is necessary to reconcile the right to the protection of personal data with the freedom of expression and information. 

Section 9(1) of the federal law initially established unconditionally exempted "media owners, editors, copy editors and employees of a media undertaking or a media service as defined in the Media Act, Federal Law Gazette No 314/1981, for journalistic purposes of the media undertaking or media service" from this law and also all of the substantive provisions in the GDPR and the provisions on data protection authorities.   However, on 14 December 2022 the Austrian Constitutional Court found this exemption to be unconstitutional, declared it void from 30 June 2024 and required the legislature to craft an appropriately balanced regime by this date. 

On 12 June 2024 the National Council adopted a complex series of amending provisions applicable to the journalistic activities of entities governed by the Media Law which came into force on 1 July 2024.  The new law provides for a complete exemption from:
-    the prohibition on processing sensitive or criminal-related data (with the exception of a comprehensive register of criminal convictions) (GDPR, arts 9-10),
-    the requirement for proactive transparency notices (GDPR, art 13-14),
-    the right to objection (GDPR, art 21) and the right to rectification, right to erasure and right to restriction of processing (GDPR, arts 16-18) insofar as this relates to personal data the media has already been published, insofar as there is a competing basis for a claim based on violation of personal rights under civil law and potentially to personal data on the basis of which no publication has taken place (although this may be subject to qualification as per below),
-    the right of subject access (GDPR, art 15) insofar as this relates to personal data on the basis of which no publication has yet taken place and the right to a copy of personal data (GDPR, art. 15(3)) in all cases.

Editorial secrecy as protected in the Media Act is also unconditionally protected including vis-à-vis the Data Protection Authority.  In addition, the law sets out qualified exemptions from the following provisions which are broadly dependent on it being shown that this would otherwise disproportionately impair freedom of expression and information:
-    the principle of transparency (GDPR, art 5(1)(a)),
-    the right to subject access (GDPR, art 15) concerning personal data which has been the basis for publication which also attracts a €9 fee,
-    any remaining rights to rectification, erasure or restriction (GDPR, arts 16-18),
-    the right of a data protection officer (GDPR, art 38) to access personal data processed for journalistic purposes.

Furthermore:
-    the general provisions on international data transfer (GDPR, Ch. V) are disapplied but the media is still obliged to take appropriate measures to ensure that rights and freedoms of the data subject are not disproportionately impaired by any transfer,
-    notification of a data breach to data subjects (GDPR, art 34) only applies when ordered by the Data Protection Authority which also has to ensure that editorial confidentiality is not thereby compromised,
-    in response to a complaint concerning a refusal of subject access, rectification or restriction, the data protection authority is to carry out necessary checks itself and then to inform the data subject of this as well as their right to lodge a complaint with the Federal Administrative Court.

Broad Expression Derogation
There is no specific provision in this area..

Personal Exemption – see GDPR, art. 2(2)(c)

Knowledge Facilitation Framework - – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Section 7 broadened the statistical exemption of the 2000 Data Protection Law to include archival, scientific or historic research or statistical purposes in the public interest. Otherwise, no substantive changes were made to the respective provision.

Discussions in the Legislative Process
Special Expression Derogation
In its initial proposal to implement Art. 85 GDPR, the Austrian government suggested that while the Data Protection Law of 2000 only protected the journalistic activities of media companies, media services and their employees the new data protection law should also include the protection of processing for other, artistic purposes and the limitation to such companies and services should be abandoned. The Media Act (‘Mediengesetz’, BGBl. No. 314/1981) would continue to apply for processing which fell within it. Other than these changes it was concluded that the provisions of the Data Protection Law of 2000 largely be retained so as to avoid a lowering of protection standards.[15]

The ‘Forum Informationsfreiheit’ (an Austrian civil society organization for the right to access information) observed with regard to the draft bill that the European Court of Human Rights held that the role of ‘watchdogs’ was not confined to journalists. NGOs, academic researchers, authors and bloggers were fulfilling the same role.[16] The Austrian ‘Rundfunk’ (ORF, Austrian Radio) suggested to change the proposed § 27 by deleting the continued application of Art. 5. It elaborated on the basis of examples that pursuant to Art. 5(1)(c) GDPR, personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed (‘data minimisation’).’ However, particularly the media would often produce data ‘on stock’ (‘auf Vorrat’) as such data might later on be used to produce a TV program. The material not initially used would usually be archived and used if needed at a later stage. It also explained that Art. 5(1)(d), which provides that personal data shall be accurate and, where necessary, kept up to date, would be difficult to comply with. Referring to the allegations levied against former US President Trump, it maintained that if such allegations were later proven to be without basis, media outlets would need to systematically go through and destroy any data that is not accurate anymore. It deemed the reference to Arts. 28, 29 and 32 GDPR similarly problematic. Such a detailed regulation would not allow for the necessary leeway to balance different interests on a case-by-case basis. It moreover advocated for an additional exemption from Chapter 6 of the proposed bill, which concerned the processing of images (‘Bildverarbeitung’).

Section 9 of original GDPR implementation Act which was adopted on 31 July 2017 only provided an exemption for the journalistic activities by entities governed by the Media Act and made this subject to the same limitations and qualifications now set out in s. 9(2).  However, as result of amendments adopted on 14 May 2018 this exemption was applied to academic, artistic or literary expression (s. 9(2)) and the exemption for journalistic activities by entities governed by the Media Act was made absolute (s. 9(1)).  However, on 14 December 2022 the Austrian Constitutional Court found this exemption to be unconstitutional, declared it void from 30 June 2024 and required the legislature to craft an appropriately balanced regime by this date.  On 12 June 2024 the National Council adopted a complex serires of amending provisions which came into force on 1 July 2024.  These are summarised above.

 

Knowledge Facilitation Framework
With regard to the derogation for scientific research and statistics, the government held that ‘scientific research’ should – as was already the case for the purpose of DSG 2000 – not be limited in terms of content of the research – i.e. only fundamental research being covered with applied research excluded – but should rather be understood as referring to a method or a procedure – i.e. the methods or procedures applied are scientific and hence the processing is covered by the exception. It thereby did not matter whether such research was carried out by the public or private sector. The term ‘statistics’ was accordingly understood to mean methodologically ‘scientific statistics’.[17] In its Report, the Constitutional Committee further observed that processing for archival, scientific or historic research should be allowed based on specially adopted legal regulations if such research is undertaken for the pursuit of legitimate societal expectations of knowledge growth and accordingly adopted an amendment to Section 7.

The Austrian Academy of Sciences (‘Österreichische Akademie der Wissenschaft’) observed that the derogation for scientific research and statistics has not substantially changed compared to the provision in the Data Protection Law of 2000. According to the Academy, it failed to address crucial areas, even though the GDPR left the national legislator some leeway. On the contrary, the Austrian legislator would restrict the processing of personal data for scientific purposes and statistics to an extent beyond the GDPR.[18] The Austrian Conference of Universities (‘Österreichische Universitätskonferenz’) even complained of an over-regulation which would harm scientific progress.[19] Several industry representatives, such as Bayer Austria, and universities, including the universities of Vienna and  Innsbruck, similarly observed that the scientific exemption clause has been adopted from the old 2000 data protection law without reflection, resulting alongside the new GDPR provisions in an unwarranted increase of the data protection level in the scientific realm.[20]

The parliamentary debate in the National Council (‘Nationalrat’, Lower House of the Austrian Parliament) for the most part centered around the general complaint made by Mag. Albert Steinhauser of the Green Party as well as Dr. Nikolaus Scherak of the NEOS party that the government wanted to push through the entire amending law without there being enough time for the Members of Parliament to substantively discuss the suggested implementation of the GDPR.[21]

Eva-Maria Himmelbauer (BSc, ÖVP) emphasized that the Constitutional Committee, of which she formed part, took particularly seriously the wish of the science and research community to achieve an appropriate balance between data protection and research which serves the good of society. They accordingly adopted the above described amendment. Sigrid Maurer of the Green Party welcomed this amendment, but criticized it for its bad phrasing, observing that it must be clear that personal data can be processed for scientific purposes. He therefore emphasized that an additional law must be passed to ensure that personal data can be processed for scientific purposes in the future.

No further debates took place on these issues.

 


[1] See Bundesgesetzblatt für die Republik Österreich (18 July 1986) https://www.ris.bka.gv.at/Dokumente/BgblPdf/1986_370_0/1986_370_0.pdf last accessed 26 February 2021.

[2] 14th Nationalrat, 18. October 1978 104th Sitzung, page 10230 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012.

[3] Ibid.

[4] Ibid.

[5] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10251 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[6] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10260 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[7] Ibid.

[8] See Bundesgesetzblatt für die Republik Österreich (18 July 1986) https://www.ris.bka.gv.at/Dokumente/BgblPdf/1986_370_0/1986_370_0.pdf last accessed 26 February 2021.

[9] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10229 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[10] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10265 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[11] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10231 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[12] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10234 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[14] Republik Österreich Parlament, ‘Datenschutz-Anpassungsgesetz 2018 – Übersicht’ https://www.parlament.gv.at/PAKT/VHG/XXV/I/I_01664/index.shtml#tab-Ueber... (last accessed 14 January 2020).

[15] Harald Troch/ Peter Wittmann, ‘Bericht des Verfassungsausschusses über die Regierungsvorlage (16664 der Beilagen): Bundesgesetz, mit dem das BundesVerfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungsgesetz 2018)’, 1761 der Beilagen zu den Stenographischen Protokollen des Nationalrates XXVV.GP (Vienna, 26 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/I/I_01761/fnameorig_643604.html (last accessed 14 January 2020).

[16] Mathias Huter, ‘Stellungnahme zum Ministerialentwurf 322/ME: Datenschutz-Anspassungsgesetz 2018)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12389/imfname_643342.pdf (last accessed 31 January 2020).

[17] Ibid.

[18] Österreichische Akademie der Wissenschaften, ‘Stellungnahme der Österreichischen Akademie der Wissenschaften (ÖAW) zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert wird, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutzanpassungsgesetz 2018) unter Berücksichtigung der Regierungsvorlage (1664 d.B.)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12396/imfname_643353.pdf (last accessed 31 January 2020).

[19] Oliver Vitouch, ‘Stellungnahme zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anspassungsgesetz 2018)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12390/imfname_643341.pdf (last accessed 31 January 2020).

[20] Martin Hagenlocher/Ludwig Balko (Bayer Austria Ges.m.b.H.), ‘Stellungnahme zum Entwurf des Datenschutz-Anpassungsgesetzes 2018’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12387/imfname_643344.pdf (last accessed 7 February 2020); Heinz W. Engl (Universität Wien), ‘Stellungnahme der Universität Wien zum Entwurf eines Datenschutz-Anpassungsgesetzes 2018’ (Wien, 21 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12335/imfname_642851.pdf (last accessed 7 February 2020); Helga Fritsch (Medizinische Universität Innsbruck), ‘Entwurf eines Bundesgesetzes, mit dem das Bundesverfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungegsetz 2018) – Stellungnahme’ (Innsbruck, 20 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12331/imfname_642849.pdf (last accessed 7 February 2020); Helga Tieben/Jan Oliver Huber, ‘Stellungnahme der Pharmig – Verband der pharmazeutischen Industrie Österreichs zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungsgesetz 2018)’ (Vienna, 16 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12304/imfname_642134.pdf (last accessed 7 February 2020).

[21] Mag. Albert Steinhauser (Grüne), Nationalrat, XXV.GP, Stenographisches Protokoll, 190. Sitzung, p. 120 https://www.parlament.gv.at/PAKT/VHG/XXV/NRSITZ/NRSITZ_00190/SEITE_0120.... (last accessed 14 January 2020).