skip to content
 

Data Protection Laws and Freedom of Expression: AustriaFile:Flag of Austria.svg

 

 

I. First-Generation Statutory Law

On 18 October 1978, the Austrian Parliament adopted Austria’s first data protection law.

Special Expression Derogation
Austria generally exempted the journalistic activities of the mass media from all substantive data protection standards. However, this derogation was expressly stated to be pending the enactment of provisions concerning data protection in future media legislation. It also left unaffected the data subject’s (albeit qualified) constitutional rights to keep private personal data secret, to access information relating to them which was automatically processed, and to ensure the rectification of such data.  These constitutional rights were set out in section one of the Act.  The substantive statutory derogations in favour of professional journalism were nevertheless far-reaching (s. 54).

Broad Expression Derogation
There was no provision.

Personal Exemption
Austria did not initially include an explicit household exemption. Such an exemption was later introduced in 1986 (s. 17(2)).[1]

Knowledge Facilitation Framework
Austria did not include any special provisions for knowledge facilitation.

Parliamentary Debates
Special Expression Derogation
During the second reading debates, Dr. Veselsky (SPÖ, social democrats) highlighted the so-called  ʻmedia privilegeʼ.[2] He explained that the privilege was included after thorough consideration of the conflict between the right to privacy and the freedom of the press and that this issue should be dealt with in a subsequent media law.[3] The exemption should ‘however only apply until the new media law is adopted’ and was only applicable to undertakings performing ‘solely media functions’ (‘die sich ausschliesslich dem Medienzweck widmen’). Otherwise private undertakings could re-incorporate as a publisher and could thus escape the scope of the law.[4]

MP Steinbauer (ÖVP, conservatives) also commented on the necessity of the media exemption. Without such an exemption, a person could ask a newspaper what information it holds and could demand its deletion before an article would be published. This would jeopardise the freedom of the press which is based on working with archives. In this regard, freedom of the press would have to take priority over an individual’s right to data protection. This is particularly so since an abuse of the freedom of the press could be averted relying on libel claims.[5]

Dr. Gardenegger (SPÖ, social democrats) explained that the law was a weighing exercise. The protection of privacy would have to be weighed against the freedom of information and the freedom of the press. Eventually, the new law would have to ensure that neither the sending nor the receiving of news would be restricted.[6] Yet, he also indicated that the current situation would only be temporary as the media exemption would be addressed again in the envisaged media law.[7]

Personal Exemption
The personal or household exception was introduced to the data protection law in 1986.[8] Previous debates mainly focused on card files, notes and notebooks and contrasted the manual processing of data with electronically held data. Dr. Veslesky (SPÖ, social democrats) explained that data protection would be boundless if every ‘card file, note, notebook and diaries’ would need to be formally registered and subjected to the law.[9] Similarly, MP Hauser (ÖVP, conservatives) asked what kind of State would be created if the law would also cover every private collection of personal data.[10]

Knowledge Facilitation Framework
Dr. Veselsky (SPÖ, social democrats) raised the issue of a privilege / exemption for research in the second reading of the original data protection act in 1978. Such an exemption had been carefully considered but rejected as, it was argued, research would usually not need any personalized or individualized data but could use aggregate data. Although individual data might be needed in the context of historical research, such research would at the moment not be pursued electronically so that an exemption would not be needed (yet).[11] Although Dr. Ermacora (ÖVP, conservatives) explained that the issue of a research exemption would be a vexed one, he argued the fundamental right to the freedom of research and its theoretical foundations would be able to cover many potential issues.[12] However, such issues were then not debated in Parliament.

 

II. Second-Generation Statutory Law

In 2000, Austria adopted a new data protection law transposing and implementing Directive 95/46/EC into domestic law.

Special Expression Derogation
Austria exempted the media completely and unconditionally from all substantive data protection provisions, with the exception of all of the data quality principles. The use of data for journalistic activities was also expressly permitted insofar as this was necessary to fulfil the information function of media operators, media services and their employees in exercising the fundamental right to freedom of expression according to Art. 10(1) of the European Convention on Human Rights. Austria’s provisions in this area were limited to institutional media (s. 48).

Broad Expression Derogation
There was no provision.

Personal Exemption
A personal exemption based on the wording of Art. 2(3) of the Directive was transposed. However, the law stipulated that this could only be relied upon by individuals when processing data disclosed to them by the data subject or which they had received in a lawful manner (s. 45).

Knowledge Facilitation Framework
Austrian data protection law partially exempted the processing of personal data for scientific and statistical purposes from the compatibility principle. Personal data could be processed for scientific or statistical purposes if (i) provided for by a special law; (ii) with the consent of the affected data subject; or (iii) if the Data Protection Authority authorized such processing (s. 6(1)(2) and art. 46). Such authorization was to be granted if (i) consent by the affected data subject was impossible to obtain or required disproportionate effort; (ii) there was a public interest in the use of the data; and (iii) the person requesting authorization was professionally competent to carry out the processing for scientific or statistical purposes (s. 46(3)). No exemption was granted from the proactive direct and the reactive transparency rule. With regard to the proactive indirect transparency rule, a disproportionate efforts exemption (s. 24(3)(3)). Sensitive data could be processed for scientific and statistical purposes if (i) justified by a significant public interest; and (ii) the persons handling the data were bound by a statutory obligation of confidentiality (‘gesetzliche Verschwiegenheitspflicht’). The Data Protection Authority could impose further conditions, if deemed necessary for the protection of data subjects’ interests.

Parliamentary Debates
There were no discussions on the above mentioned exemptions in Parliament.[13]

 

III. Third-Generation Statutory Law

Austria implemented the GDPR with the so-called ‘Datenschutz-Anpassungsgesetz 2018’ (the Data Protection Amendment Act 2018) . Although the government initially suggested to repeal the original data protection law adopted in 2000 and pass a new law in its stead, the legislative eventually opted merely for amending the existing data protection law to comply with the new pan-EU requirements.[14]  The amended Act can be viewed here.

Special Expression Derogation
Austria maintains the application of the data protection principles themselves (GDPR, art. 5) and article 28 (processor), 29 (processing under the authority of the controller or processor) and 32 (security of processing) GDPR, but otherwise provides for an exemption ‘[i]f it is necessary to reconcile the right to the protection of personal data with the freedom of information, in particular with regard to the processing of personal data by media undertakings, media services and their employees directly for their journalistic purposes referred to in the Media Actʼ (s. 9).  This provision explicitly establishes the priority of the special expression derogation over the knowledge facilitation framework.

Broad Expression Derogation
Section 9 of the Austrian Data Protection Amendment Act focuses on the special expressive activity of journalistic purposes carried out by media understandings.  However, at it is outer limit it refers to freedom of information as so may have implications for broad expression also.

Personal Exemption – see GDPR, art. 2(2)(c)

Knowledge Facilitation Framework - – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Section 7 broadened the statistical exemption of the 2000 Data Protection Law to include archival, scientific or historic research or statistical purposes in the public interest. Otherwise, no substantive changes were made to the respective provision.

Discussions in the Legislative Process
Special Expression Derogation
In its initial proposal to implement Art. 85 GDPR, the Austrian government suggested that while the Data Protection Law of 2000 only protected the journalistic activities of media companies, media services and their employees the new data protection law should also include the protection of processing for other, artistic purposes and the limitation to such companies and services should be abandoned. The Media Act (‘Mediengesetz’, BGBl. No. 314/1981) would continue to apply for processing which fell within it. Other than these changes it was concluded that the provisions of the Data Protection Law of 2000 largely be retained so as to avoid a lowering of protection standards.[15]

The ‘Forum Informationsfreiheit’ (an Austrian civil society organization for the right to access information) observed with regard to the draft bill that the European Court of Human Rights held that the role of ‘watchdogs’ was not confined to journalists. NGOs, academic researchers, authors and bloggers were fulfilling the same role.[16] The Austrian ‘Rundfunk’ (ORF, Austrian Radio) suggested to change the proposed § 27 by deleting the continued application of Art. 5. It elaborated on the basis of examples that pursuant to Art. 5(1)(c) GDPR, personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed (‘data minimisation’).’ However, particularly the media would often produce data ‘on stock’ (‘auf Vorrat’) as such data might later on be used to produce a TV program. The material not initially used would usually be archived and used if needed at a later stage. It also explained that Art. 5(1)(d), which provides that personal data shall be accurate and, where necessary, kept up to date, would be difficult to comply with. Referring to the allegations levied against former US President Trump, it maintained that if such allegations were later proven to be without basis, media outlets would need to systematically go through and destroy any data that is not accurate anymore. It deemed the reference to Arts. 28, 29 and 32 GDPR similarly problematic. Such a detailed regulation would not allow for the necessary leeway to balance different interests on a case-by-case basis. It moreover advocated for an additional exemption from Chapter 6 of the proposed bill, which concerned the processing of images (‘Bildverarbeitung’).

Knowledge Facilitation Framework
With regard to the derogation for scientific research and statistics, the government held that ‘scientific research’ should – as was already the case for the purpose of DSG 2000 – not be limited in terms of content of the research – i.e. only fundamental research being covered with applied research excluded – but should rather be understood as referring to a method or a procedure – i.e. the methods or procedures applied are scientific and hence the processing is covered by the exception. It thereby did not matter whether such research was carried out by the public or private sector. The term ‘statistics’ was accordingly understood to mean methodologically ‘scientific statistics’.[17] In its Report, the Constitutional Committee further observed that processing for archival, scientific or historic research should be allowed based on specially adopted legal regulations if such research is undertaken for the pursuit of legitimate societal expectations of knowledge growth and accordingly adopted an amendment to Section 7.

The Austrian Academy of Sciences (‘Österreichische Akademie der Wissenschaft’) observed that the derogation for scientific research and statistics has not substantially changed compared to the provision in the Data Protection Law of 2000. According to the Academy, it failed to address crucial areas, even though the GDPR left the national legislator some leeway. On the contrary, the Austrian legislator would restrict the processing of personal data for scientific purposes and statistics to an extent beyond the GDPR.[18] The Austrian Conference of Universities (‘Österreichische Universitätskonferenz’) even complained of an over-regulation which would harm scientific progress.[19] Several industry representatives, such as Bayer Austria, and universities, including the universities of Vienna and  Innsbruck, similarly observed that the scientific exemption clause has been adopted from the old 2000 data protection law without reflection, resulting alongside the new GDPR provisions in an unwarranted increase of the data protection level in the scientific realm.[20]

The parliamentary debate in the National Council (‘Nationalrat’, Lower House of the Austrian Parliament) for the most part centered around the general complaint made by Mag. Albert Steinhauser of the Green Party as well as Dr. Nikolaus Scherak of the NEOS party that the government wanted to push through the entire amending law without there being enough time for the Members of Parliament to substantively discuss the suggested implementation of the GDPR.[21]

Eva-Maria Himmelbauer (BSc, ÖVP) emphasized that the Constitutional Committee, of which she formed part, took particularly seriously the wish of the science and research community to achieve an appropriate balance between data protection and research which serves the good of society. They accordingly adopted the above described amendment. Sigrid Maurer of the Green Party welcomed this amendment, but criticized it for its bad phrasing, observing that it must be clear that personal data can be processed for scientific purposes. He therefore emphasized that an additional law must be passed to ensure that personal data can be processed for scientific purposes in the future.

No further debates took place on these issues.

 


[1] See Bundesgesetzblatt für die Republik Österreich (18 July 1986) https://www.ris.bka.gv.at/Dokumente/BgblPdf/1986_370_0/1986_370_0.pdf last accessed 26 February 2021.

[2] 14th Nationalrat, 18. October 1978 104th Sitzung, page 10230 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012.

[3] Ibid.

[4] Ibid.

[5] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10251 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[6] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10260 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[7] Ibid.

[8] See Bundesgesetzblatt für die Republik Österreich (18 July 1986) https://www.ris.bka.gv.at/Dokumente/BgblPdf/1986_370_0/1986_370_0.pdf last accessed 26 February 2021.

[9] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10229 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[10] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10265 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[11] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10231 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[12] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10234 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).

[14] Republik Österreich Parlament, ‘Datenschutz-Anpassungsgesetz 2018 – Übersicht’ https://www.parlament.gv.at/PAKT/VHG/XXV/I/I_01664/index.shtml#tab-Ueber... (last accessed 14 January 2020).

[15] Harald Troch/ Peter Wittmann, ‘Bericht des Verfassungsausschusses über die Regierungsvorlage (16664 der Beilagen): Bundesgesetz, mit dem das BundesVerfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungsgesetz 2018)’, 1761 der Beilagen zu den Stenographischen Protokollen des Nationalrates XXVV.GP (Vienna, 26 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/I/I_01761/fnameorig_643604.html (last accessed 14 January 2020).

[16] Mathias Huter, ‘Stellungnahme zum Ministerialentwurf 322/ME: Datenschutz-Anspassungsgesetz 2018)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12389/imfname_643342.pdf (last accessed 31 January 2020).

[17] Ibid.

[18] Österreichische Akademie der Wissenschaften, ‘Stellungnahme der Österreichischen Akademie der Wissenschaften (ÖAW) zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert wird, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutzanpassungsgesetz 2018) unter Berücksichtigung der Regierungsvorlage (1664 d.B.)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12396/imfname_643353.pdf (last accessed 31 January 2020).

[19] Oliver Vitouch, ‘Stellungnahme zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anspassungsgesetz 2018)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12390/imfname_643341.pdf (last accessed 31 January 2020).

[20] Martin Hagenlocher/Ludwig Balko (Bayer Austria Ges.m.b.H.), ‘Stellungnahme zum Entwurf des Datenschutz-Anpassungsgesetzes 2018’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12387/imfname_643344.pdf (last accessed 7 February 2020); Heinz W. Engl (Universität Wien), ‘Stellungnahme der Universität Wien zum Entwurf eines Datenschutz-Anpassungsgesetzes 2018’ (Wien, 21 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12335/imfname_642851.pdf (last accessed 7 February 2020); Helga Fritsch (Medizinische Universität Innsbruck), ‘Entwurf eines Bundesgesetzes, mit dem das Bundesverfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungegsetz 2018) – Stellungnahme’ (Innsbruck, 20 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12331/imfname_642849.pdf (last accessed 7 February 2020); Helga Tieben/Jan Oliver Huber, ‘Stellungnahme der Pharmig – Verband der pharmazeutischen Industrie Österreichs zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungsgesetz 2018)’ (Vienna, 16 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12304/imfname_642134.pdf (last accessed 7 February 2020).

[21] Mag. Albert Steinhauser (Grüne), Nationalrat, XXV.GP, Stenographisches Protokoll, 190. Sitzung, p. 120 https://www.parlament.gv.at/PAKT/VHG/XXV/NRSITZ/NRSITZ_00190/SEITE_0120.... (last accessed 14 January 2020).