Austrian Parliament Publishes Draft Data Protection Adjustment Act
The Austrian legislature has commenced a six-week consultation process for a draft Data Protection Adjustment Act 2018 (Datenschutz-Anpassungsgesetz 2018), which is intended to adapt current Austrian data protection laws to align with the EU General Data Protection Regulation (GDPR).
One of the primary goals of the GDPR is to harmonize data protection laws across the EU. However, under the GDPR, member states are allowed flexibility in certain areas to pass local laws that further specify, complement, or modify the GDPR’s provisions.
Among other things, the draft addresses:
• Violation of the GDPR carries fines as high as €20 million or 4% of annual turnover, and it is generally understood that these fines would be levied on the legal entity itself. However, this concept of the legal entity being directly responsible is uncommon under Austrian law. Under current Austrian law, such sanctions would normally be imposed on the management of a company, unless a responsible representative has been appointed.
Therefore, in an effort to adapt to the GDPR, the draft specifies that GDPR fines can be levied on the legal entity if the underlying offense was caused by the entity’s management or representative.
The draft also confirms the Austrian Data Protection Authority’s (DPA’s) power to levy these fines, thus adapting to the GDPR’s provisions on the role of supervisory authorities.
• While the GDPR does not explicitly mention CCTV or other types of surveillance, it does address the risk associated with such activities that involve “systematic monitoring of a publicly accessible area.” The draft seeks to build on this concept: it includes an entire section applying to “images,” but with a broad exception for images not intended to include “uninvolved” individuals (i.e. family and vacation photos).
• The Right to Complain. In addition to potential fines under the GDPR, individuals also have the right to lodge complaints with supervisory authorities. The draft incorporates these provisions in a way that fits within Austria’s administrative structure. For example, an individual can appeal a DPA’s decision to the Austrian Federal Administrative Court (Bundesverwaltungsgericht), or complain to the Court if the DPA does not respond to the individual’s complaint in a timely manner.
• To create consistency with the GDPR’s requirement for controllers and processors to maintain detailed records of processing, the draft removes the current obligation on controllers to notify the Austrian Data Processing Register (Datenverarbeitungsregister) of their processing activities.
The draft Data Protection Amendment Act 2018 is currently in a review stage with the National Council until June 23, 2017, at which point it will continue through the Austrian legislative process. Whether it is this draft, or another, it is inevitable that Austria and other member states will adopt their own national laws in response to the GDPR. Therefore, organizations will need to take such member state variations into account, in addition to the GDPR, during their compliance and readiness efforts.