Data Protection Laws and Freedom of Expression Report: Austria
Constitutional/Primary Law Background - See also ECHR and EU Charter
Article 149(1) of the Austrian Constitution (as revised 2013) grants constitutional status to the Basic Law on the General Rights of the Citizen which was originally enacted in 1867. Article 13 of this law protects freedom of expression by establishing the right within legal limits to expression of thought and prohibiting press censorship or licenses. Although there is no right to privacy as such, Article 9 protects the inviolability of domicile and article 10 the secrecy of letters. In addition, Article 1 of Data Protection Act, originally passed in 1978, enunciates constitutional data protection rights to data secrecy (insofar as there is an interest in such), to request-based transparency and to the rectification of inaccurate and deletion of illegally collected data. Originally and prior to 2012, the article also protected the data of legal persons (albeit stressing that claims would need to go through the ordinary courts) but this was removed as the general scope of data protection in Austria was also amended.
First-Generation Statutory Law
On 18 October 1978, the Austrian Parliament adopted Austria’s first data protection law. Special Expression Derogation Broad Expression Derogation Personal Exemption Knowledge Facilitation Framework |
Parliamentary Debates
Special Expression Derogation
During the second reading debates, Dr. Veselsky (SPÖ, social democrats) highlighted the so-called ʻmedia privilegeʼ.[2] He explained that the privilege was included after thorough consideration of the conflict between the right to privacy and the freedom of the press and that this issue should be dealt with in a subsequent media law.[3] The exemption should ‘however only apply until the new media law is adopted’ and was only applicable to undertakings performing ‘solely media functions’ (‘die sich ausschliesslich dem Medienzweck widmen’). Otherwise private undertakings could re-incorporate as a publisher and could thus escape the scope of the law.[4]
MP Steinbauer (ÖVP, conservatives) also commented on the necessity of the media exemption. Without such an exemption, a person could ask a newspaper what information it holds and could demand its deletion before an article would be published. This would jeopardise the freedom of the press which is based on working with archives. In this regard, freedom of the press would have to take priority over an individual’s right to data protection. This is particularly so since an abuse of the freedom of the press could be averted relying on libel claims.[5]
Dr. Gardenegger (SPÖ, social democrats) explained that the law was a weighing exercise. The protection of privacy would have to be weighed against the freedom of information and the freedom of the press. Eventually, the new law would have to ensure that neither the sending nor the receiving of news would be restricted.[6] Yet, he also indicated that the current situation would only be temporary as the media exemption would be addressed again in the envisaged media law.[7]
Personal Exemption
The personal or household exception was introduced to the data protection law in 1986.[8] Previous debates mainly focused on card files, notes and notebooks and contrasted the manual processing of data with electronically held data. Dr. Veslesky (SPÖ, social democrats) explained that data protection would be boundless if every ‘card file, note, notebook and diaries’ would need to be formally registered and subjected to the law.[9] Similarly, MP Hauser (ÖVP, conservatives) asked what kind of State would be created if the law would also cover every private collection of personal data.[10]
Knowledge Facilitation Framework
Dr. Veselsky (SPÖ, social democrats) raised the issue of a privilege / exemption for research in the second reading of the original data protection act in 1978. Such an exemption had been carefully considered but rejected as, it was argued, research would usually not need any personalized or individualized data but could use aggregate data. Although individual data might be needed in the context of historical research, such research would at the moment not be pursued electronically so that an exemption would not be needed (yet).[11] Although Dr. Ermacora (ÖVP, conservatives) explained that the issue of a research exemption would be a vexed one, he argued the fundamental right to the freedom of research and its theoretical foundations would be able to cover many potential issues.[12] However, such issues were then not debated in Parliament.
Second-Generation Statutory Law
In 2000, Austria adopted a new data protection law transposing and implementing Directive 95/46/EC into domestic law. Special Expression Derogation Broad Expression Derogation Personal Exemption Knowledge Facilitation Framework |
Parliamentary Debates
There were no discussions on the above mentioned exemptions in Parliament.[13]
Third-Generation Statutory Law
Austria implemented the GDPR with the so-called ‘Datenschutz-Anpassungsgesetz 2018’ (the Data Protection Amendment Act 2018) . Although the government initially suggested to repeal the original data protection law adopted in 2000 and pass a new law in its stead, the legislative eventually opted merely for amending the existing data protection law to comply with the new pan-EU requirements.[14] Subsequent amendments have been made including an important one expanding providing an absolute exemption for journalistic activities governed by the Media Act and also expanded the scope of the special expression derogation. The amended Act can be viewed here. Special Expression Derogation Section 9(1) of the federal law initially established unconditionally exempted "media owners, editors, copy editors and employees of a media undertaking or a media service as defined in the Media Act, Federal Law Gazette No 314/1981, for journalistic purposes of the media undertaking or media service" from this law and also all of the substantive provisions in the GDPR and the provisions on data protection authorities. However, on 14 December 2022 the Austrian Constitutional Court found this exemption to be unconstitutional, declared it void from 30 June 2024 and required the legislature to craft an appropriately balanced regime by this date. On 12 June 2024 the National Council adopted a complex series of amending provisions applicable to the journalistic activities of entities governed by the Media Law which came into force on 1 July 2024. The new law provides for a complete exemption from: Editorial secrecy as protected in the Media Act is also unconditionally protected including vis-à-vis the Data Protection Authority. In addition, the law sets out qualified exemptions from the following provisions which are broadly dependent on it being shown that this would otherwise disproportionately impair freedom of expression and information: Furthermore: Broad Expression Derogation Personal Exemption – see GDPR, art. 2(2)(c) Knowledge Facilitation Framework - – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards) |
Discussions in the Legislative Process
Special Expression Derogation
In its initial proposal to implement Art. 85 GDPR, the Austrian government suggested that while the Data Protection Law of 2000 only protected the journalistic activities of media companies, media services and their employees the new data protection law should also include the protection of processing for other, artistic purposes and the limitation to such companies and services should be abandoned. The Media Act (‘Mediengesetz’, BGBl. No. 314/1981) would continue to apply for processing which fell within it. Other than these changes it was concluded that the provisions of the Data Protection Law of 2000 largely be retained so as to avoid a lowering of protection standards.[15]
The ‘Forum Informationsfreiheit’ (an Austrian civil society organization for the right to access information) observed with regard to the draft bill that the European Court of Human Rights held that the role of ‘watchdogs’ was not confined to journalists. NGOs, academic researchers, authors and bloggers were fulfilling the same role.[16] The Austrian ‘Rundfunk’ (ORF, Austrian Radio) suggested to change the proposed § 27 by deleting the continued application of Art. 5. It elaborated on the basis of examples that pursuant to Art. 5(1)(c) GDPR, personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed (‘data minimisation’).’ However, particularly the media would often produce data ‘on stock’ (‘auf Vorrat’) as such data might later on be used to produce a TV program. The material not initially used would usually be archived and used if needed at a later stage. It also explained that Art. 5(1)(d), which provides that personal data shall be accurate and, where necessary, kept up to date, would be difficult to comply with. Referring to the allegations levied against former US President Trump, it maintained that if such allegations were later proven to be without basis, media outlets would need to systematically go through and destroy any data that is not accurate anymore. It deemed the reference to Arts. 28, 29 and 32 GDPR similarly problematic. Such a detailed regulation would not allow for the necessary leeway to balance different interests on a case-by-case basis. It moreover advocated for an additional exemption from Chapter 6 of the proposed bill, which concerned the processing of images (‘Bildverarbeitung’).
Section 9 of original GDPR implementation Act which was adopted on 31 July 2017 only provided an exemption for the journalistic activities by entities governed by the Media Act and made this subject to the same limitations and qualifications now set out in s. 9(2). However, as result of amendments adopted on 14 May 2018 this exemption was applied to academic, artistic or literary expression (s. 9(2)) and the exemption for journalistic activities by entities governed by the Media Act was made absolute (s. 9(1)). However, on 14 December 2022 the Austrian Constitutional Court found this exemption to be unconstitutional, declared it void from 30 June 2024 and required the legislature to craft an appropriately balanced regime by this date. On 12 June 2024 the National Council adopted a complex serires of amending provisions which came into force on 1 July 2024. These are summarised above.
Knowledge Facilitation Framework
With regard to the derogation for scientific research and statistics, the government held that ‘scientific research’ should – as was already the case for the purpose of DSG 2000 – not be limited in terms of content of the research – i.e. only fundamental research being covered with applied research excluded – but should rather be understood as referring to a method or a procedure – i.e. the methods or procedures applied are scientific and hence the processing is covered by the exception. It thereby did not matter whether such research was carried out by the public or private sector. The term ‘statistics’ was accordingly understood to mean methodologically ‘scientific statistics’.[17] In its Report, the Constitutional Committee further observed that processing for archival, scientific or historic research should be allowed based on specially adopted legal regulations if such research is undertaken for the pursuit of legitimate societal expectations of knowledge growth and accordingly adopted an amendment to Section 7.
The Austrian Academy of Sciences (‘Österreichische Akademie der Wissenschaft’) observed that the derogation for scientific research and statistics has not substantially changed compared to the provision in the Data Protection Law of 2000. According to the Academy, it failed to address crucial areas, even though the GDPR left the national legislator some leeway. On the contrary, the Austrian legislator would restrict the processing of personal data for scientific purposes and statistics to an extent beyond the GDPR.[18] The Austrian Conference of Universities (‘Österreichische Universitätskonferenz’) even complained of an over-regulation which would harm scientific progress.[19] Several industry representatives, such as Bayer Austria, and universities, including the universities of Vienna and Innsbruck, similarly observed that the scientific exemption clause has been adopted from the old 2000 data protection law without reflection, resulting alongside the new GDPR provisions in an unwarranted increase of the data protection level in the scientific realm.[20]
The parliamentary debate in the National Council (‘Nationalrat’, Lower House of the Austrian Parliament) for the most part centered around the general complaint made by Mag. Albert Steinhauser of the Green Party as well as Dr. Nikolaus Scherak of the NEOS party that the government wanted to push through the entire amending law without there being enough time for the Members of Parliament to substantively discuss the suggested implementation of the GDPR.[21]
Eva-Maria Himmelbauer (BSc, ÖVP) emphasized that the Constitutional Committee, of which she formed part, took particularly seriously the wish of the science and research community to achieve an appropriate balance between data protection and research which serves the good of society. They accordingly adopted the above described amendment. Sigrid Maurer of the Green Party welcomed this amendment, but criticized it for its bad phrasing, observing that it must be clear that personal data can be processed for scientific purposes. He therefore emphasized that an additional law must be passed to ensure that personal data can be processed for scientific purposes in the future.
No further debates took place on these issues.
[1] See Bundesgesetzblatt für die Republik Österreich (18 July 1986) https://www.ris.bka.gv.at/Dokumente/BgblPdf/1986_370_0/1986_370_0.pdf last accessed 26 February 2021.
[2] 14th Nationalrat, 18. October 1978 104th Sitzung, page 10230 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012.
[3] Ibid.
[4] Ibid.
[5] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10251 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).
[6] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10260 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).
[7] Ibid.
[8] See Bundesgesetzblatt für die Republik Österreich (18 July 1986) https://www.ris.bka.gv.at/Dokumente/BgblPdf/1986_370_0/1986_370_0.pdf last accessed 26 February 2021.
[9] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10229 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).
[10] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10265 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).
[11] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10231 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).
[12] (14th Nationalrat, 18. October 1978 104th Sitzung, page 10234 http://www.parlament.gv.at/PAKT/VHG/XIV/NRSITZ/NRSITZ_00104/imfname_1017... accessed on 28th Sept 2012).
[13] See https://www.parlament.gv.at/PAKT/VHG/XX/I/I_01613/index.shtml#tab-Parlam... (last accessed 26 February 2021.
[14] Republik Österreich Parlament, ‘Datenschutz-Anpassungsgesetz 2018 – Übersicht’ https://www.parlament.gv.at/PAKT/VHG/XXV/I/I_01664/index.shtml#tab-Ueber... (last accessed 14 January 2020).
[15] Harald Troch/ Peter Wittmann, ‘Bericht des Verfassungsausschusses über die Regierungsvorlage (16664 der Beilagen): Bundesgesetz, mit dem das BundesVerfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungsgesetz 2018)’, 1761 der Beilagen zu den Stenographischen Protokollen des Nationalrates XXVV.GP (Vienna, 26 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/I/I_01761/fnameorig_643604.html (last accessed 14 January 2020).
[16] Mathias Huter, ‘Stellungnahme zum Ministerialentwurf 322/ME: Datenschutz-Anspassungsgesetz 2018)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12389/imfname_643342.pdf (last accessed 31 January 2020).
[17] Ibid.
[18] Österreichische Akademie der Wissenschaften, ‘Stellungnahme der Österreichischen Akademie der Wissenschaften (ÖAW) zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert wird, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutzanpassungsgesetz 2018) unter Berücksichtigung der Regierungsvorlage (1664 d.B.)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12396/imfname_643353.pdf (last accessed 31 January 2020).
[19] Oliver Vitouch, ‘Stellungnahme zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anspassungsgesetz 2018)’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12390/imfname_643341.pdf (last accessed 31 January 2020).
[20] Martin Hagenlocher/Ludwig Balko (Bayer Austria Ges.m.b.H.), ‘Stellungnahme zum Entwurf des Datenschutz-Anpassungsgesetzes 2018’ (Vienna, 23 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12387/imfname_643344.pdf (last accessed 7 February 2020); Heinz W. Engl (Universität Wien), ‘Stellungnahme der Universität Wien zum Entwurf eines Datenschutz-Anpassungsgesetzes 2018’ (Wien, 21 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12335/imfname_642851.pdf (last accessed 7 February 2020); Helga Fritsch (Medizinische Universität Innsbruck), ‘Entwurf eines Bundesgesetzes, mit dem das Bundesverfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungegsetz 2018) – Stellungnahme’ (Innsbruck, 20 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12331/imfname_642849.pdf (last accessed 7 February 2020); Helga Tieben/Jan Oliver Huber, ‘Stellungnahme der Pharmig – Verband der pharmazeutischen Industrie Österreichs zum Entwurf eines Bundesgesetzes, mit dem das Bundes-Verfassungsgesetz geändert, das Datenschutzgesetz erlassen und das Datenschutzgesetz 2000 aufgehoben wird (Datenschutz-Anpassungsgesetz 2018)’ (Vienna, 16 June 2017) https://www.parlament.gv.at/PAKT/VHG/XXV/SNME/SNME_12304/imfname_642134.pdf (last accessed 7 February 2020).
[21] Mag. Albert Steinhauser (Grüne), Nationalrat, XXV.GP, Stenographisches Protokoll, 190. Sitzung, p. 120 https://www.parlament.gv.at/PAKT/VHG/XXV/NRSITZ/NRSITZ_00190/SEITE_0120.... (last accessed 14 January 2020).