(Dieser Artikel ist auch in deutscher Sprache verfügbar)

In Austria the international data protection day on 28 January will pass by widely unrecognised. This year, as already in 2008, the Data Protection Commission (DSK; the Austrian Data Protection Authority) and the Data Protection Council (DSR; a political advisory board) will together organise a meeting for a strictly limited amount of interested persons (max. 100 participants) where they will present European and international developments in data protection. In contrary to 2008, where they were confronted with by far more than 100 registrations, the event was promoted very poorly. On the homepage of the DSK and on the 'Data Protection Day' website on the Council of Europe website it is not even mentioned!

This situation is somewhat symptomatic for Austrian data protection. Data protection here usually is not for the masses, it is an administrative task that rather involves formalised decisions than public debate and open discussions. It's a pity that the organisers of this years event chose to maintain the access restrictions. Opening the event for a broader audience would have given the option for further development towards an annual Austrian Data Protection Conference. For this year the chance is gone but there is another chance next year. We'll keep you informed.

The following paragraphs provide a summary of major developments in the past year with regard to legislative initiatives, surveillance trends and important data breaches. Finally an outlook to the coming years will be presented.

Legislative Initiatives

On 6. December 2007 the Austrian Parliament adopted a reform of the law on security police. Ten minutes before midnight of that day (the last parliamentary session of the year) members of the governing parties (Social Democrats and Conservatives) tabled an amendment that significantly increased the surveillance possibilities for security police, while ignoring the usual parliamentarian workflow of discussing amendments in the relevant committee before voting. Result of this initiative is that mobile telecommunication and Internet providers have to provide location information of mobile phones and IP addresses on request of security police. A court permission is not required! In the first five weeks of 2008 location data of 82 mobile phone users and the identity of 2.766 subscribers were requested. According to an article published in the Austrian newspaper "Die Presse" there are 32 such requests per day. The members of the Parliament who tabled the mentioned amendment received the Austrian Big Brother Award 2008. Several complaints against the law were filed with the Austrian Constitutional Court.

In April 2008 an amendment to the Data Protection Act 2000 was published for comments. Key elements are legal requirements for video surveillance by private operators, new requirements for private businesses with at least 20 employees to create the position of a data protection supervisors and harmonisation of responsibilities (the federal government gets all data protection competences). Currently the Data Protection Commission has to approve video surveillance installations of private operators. According to the proposed amendment video surveillance will be allowed in future if dangerous attacks or criminal offences were committed in that area within the last 10 years, or if expensive objects worth more than 100.000 EUR or of exceptional artistic value need to be protected. Video surveillance needs to be properly announced and will remain prohibited in toilets and changing rooms. Furthermore the amendment proposes a centralised database of all private video surveillance installations. If needed the police will be allowed to access the data of these cameras. In general the retention of video data will be limited to 48 hours, which can be extended on request to the DSK. In future it will not be required to file realtime video-surveillance with the DSK. Police access to highway video surveillance is envisaged and fortunate discoveries may be used for penal action. Due to the premature reelections of the Austrian Parliament in 2008 the amendment to the Data Protection Act 2000 finally did not make its way through the legislative process. It is expected to re-appear in 2009.

On the proposal of the European Commission on the use of Passenger Name Record data, a Social Democrat MPs tabled a motion for resolution with the Austrian Parliament. They proposed to wait for the decision of the European Court on the structural similar data retention directive and on the entering into force of the Lisbon treaty. Furthermore they ask to consider the opinion of Article 29 working group on the Commission proposal, since there are severe data protection concerns.

Data retention - The data retention directive is still not implemented in Austria. There are no known plans to do so in the near future.

On biometric passports the Council of Ministers decided in June 2008, that fingerprints of the two index fingers (if existing) will be stored on an RFID chip on the passport. The data additionally will be stored for up to four months at the Staatsdruckerei, which produces the passports. Currently the parliamentarian decision making process is ongoing: On 21.01.2009 the National Council adopted the respective law with votes of all represented parties except the Greens. The Federal Council will vote on it on 27.01.2009, one day before the International Data Protection Day. It is expected that the law will not be rejected there.

In 2007 the Federal Minister of the Interior and the Federal Minister of Justice agreed on the implementation of hidden uses of remote forensic software (so called federal trojan horses) and established a working group to work on the details of the legal and technical issues. In April 2008 the working group published its final report. The experts claimed that from a constitutional point of view a number of fundamental rights are affected which limit the implementation of such online-searches and constitute warranty deeds for the state.

Surveillance Trends

The major surveillance trends of 2008 all focus on uses of video surveillance. In traffic control we saw the introduction of systems for automated checking of road tax vignettes, automated scanning of vehicle number plates where the collected data is checked against a wanted vehicles list, and the use of video surveillance for the execution of speed limits (section control). In the case of section control Austrian highest courts decided that it only may be used on a case by case order of the competent Minister, including a detailed description of the special setup.

Other examples of increased video surveillance are the pilot-use of video-surveillance in trains of Vienna's underground, where data are stored for 48 hours, video surveillance in trains from the Austrian Railway and video surveillance in residential buildings owned by the City of Vienna where garages, elevators and rooms for dust bin storage will be monitored. The pilot phase of the so called dust bin monitoring was approved by the DSK and will last until end 2009. Aim is the protection against vandalism.

Important data breaches

In 2008 the case of a teenage asylum seeker and her family received lots of media coverage in Austria. When the pressure on the Ministry of the Interior was too intense, personal data on a family member from the police information system EKIS and from the police file index leaked to the public. Pictures from these files together with a corresponding press release were published on the Internet by a senior official of the Ministry. Police investigations on this data leakage are ongoing.

The administration of the residential buildings of the City of Vienna, Wiener Wohnen, sent a questionnaire to all 220 000 renters of their flats asking for their opinion on their flat, their neighbours, the surrounding of the building, the security situation, their administration and the City of Vienna. Wiener Wohnen offered that the questionnaire could be returned anonymously by blacking the Name printed on the form. The responsible City Council said, that the barcode on the second page of the form only would be used as a reference to the administrative district the answer came from. This was in the best case misleading, since the barcode contained the renters complete customer number, which allowed for a personalisation of the answers given on the questionnaire. The director of Wiener Wohnen received the Austrian Big Brother Award 2008.

Outlook

After the premature reelections in 2008 a new government took office last year. Their government programme includes the following topics relevant to data protection: The use of remote forensic software (so called federal trojan horses) by police will be allowed. It will be clarified that the DSK is not competent in cases where the Criminial Investigation Department is active in cases of criminal law. The cooperation with Schengen partners will be intensified, common Visa- and Biometric-Centers will be established, possible cooperation with external service providers (outsourcing) will be analysed. A DNA-Offensive aims for a nationwide collection and analysis of DNA samples and will serve as a basis for new application areas. Electronic health records will gain increased importance.

The implementation of the data retention directive is not mentioned in the government programme. A decision of the Constitutional Court on the complaints against the law on Security Police is expected in 2009.

At this years election of the Austrian Students Union in May 2009 the Federal Government wants to run an e-voting pilot. The Austrian Students Union strongly opposes these plans due to unresolved legal and technical questions. Also the Data Protection Council advised to refrain from this plans. This pilot election is commonly considered to be a test-case for the use of e-voting in elections to the Austrian Parliament.

Data Protection Commission
http://www.dsk.gv.at/

Law on Security Police (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/BNR/BNR_00181/pmh.shtml

Die Presse on access to location information and IP addresses by Security Police (only in German)
http://diepresse.com/home/panorama/oesterreich/370803/index.do

Austrian Big Brother Awards (only in German)
http://www.bigbrotherawards.at/2008

Proposed amendment to the Data Protection Act 2000 (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/ME/ME_00182/pmh.shtml

Motion for a resolution on PNR-data (only in German)
http://www.parlament.gv.at/PG/DE/XXIII/A/A_00651/pmh.shtml

Parliamentary decision on biometric passports (only in German)
http://www.parlament.gv.at/PG/PR/JAHR_2009/PK0023/PK0023.shtml

Final report of the working group on remote forensic software (so called federal trojan horses)(only in German)
http://www.justiz.gv.at/_cms_upload/_docs/AG_OnlineDurchsuchung_Endber...

Government programme of the Austrian Federal Government (only in German)
http://www.oevp.at/Common/Downloads/Regierungsprogramm2008-2013.pdf

Opinion of the Data Protection Council on E-Voting at the elections to the Austrian Students Union (only in German)
http://www.bundeskanzleramt.at/DocView.axd?CobId=31084

(contribution by Michael Hofer and Andreas Krisch - EDRi member VIBE!AT)