On 29.6.2017 the future DPA 2018 was finally decided: The adaptation of the Austrian legal framework to the EU General Data Protection Regulation (GDPR) applicable from 25 May 2018 was not undisputed. Instead of the original plan of a complete revision of the Data Protection Act, a completely new approach was chosen for political reasons:

Because of the lack of a constitutional majority, which would have been necessary to amend the constitutional provisions of the DPA 2000, the Data Protection Act 2000 was not repealed and enacted as originally planned, but merely - in fact comprehensively - amended. All (objectively actually necessary) constitutional changes were deleted from the first draft. In fact, the novella was packed into the old cover of the DSG 2000. However, this does not make the new law any clearer and it is more difficult to read than the originally planned restart.

The law, which has been amended once again in terms of content in a summary procedure compared with the government bill (you can read the full text of the draft adapted by the Constitutional Committee here), indicates that at least the initial comments have been taken into account on a selective basis. Compared to the government's proposal, the following innovations are particularly relevant:

•  Deletion of all previously intended constitutional amendments: Thus, in particular, the basic right to data protection contained in Sec 1 DPA - in open contradiction to the GDPR and thus contrary to EU law - remains unchanged and also covers legal persons ("everyone"). In addition, state data protection laws continue to exist and are still possible due to the lack of a transfer of competence to the federal government.
• Reduction of the consent age of children to 14 years: With the new Sec 4 para 4 DSG, children can now consent to data processing activities in connection with information services from the age of 14. Thus, the age limit of 16 years provided by the GDPR as noncommittal default is lowered in line with actual practice. In any case, this is to be welcomed, as we also called for this in our statement, in the interests of the affinity of young people for services of the information society (think of apps or social media, for example).
• Data protection authority can also check and inspect data processing activities without "justified suspicion": In the new Sec 22 para 1 DPA, a restriction was deleted, according to which the authority only has investigative powers in cases of justified suspicion. Accordingly, the authority's supervisory powers have been extended and strengthened - this is an essential practical point.
• However, the constitutionally critical provisions on the imposition of fines by the new data protection authority in view of the level of the penalties remain unchanged. However, in the explanations to the draft, which were also slightly amended, the liability of the legal person was also given priority. However, this does not really help a sole proprietor and also raises the question of the admissibility and proportionality of the threat of punishment under Austrian constitutional law.
• In addition, practical provisions to facilitate data processing activities in the field of science and research in corresponding material laws are to follow. This announcement has now also been included in the notes. The opening clauses of theGDPR are to be used. Until then, however, the rigid and strict provisions of the previous DPA (now Sec 7 DPA) will remain in force throughout Europe. It remains to be hoped that the regulations that we also demanded and that are important for the industry and the business location of Austria will actually be implemented in the near future.
• It is also unclear whether existing declarations of consent that were valid under the DPA continue to apply. In the recitals, reference is made only to recital 171 of the GDPR, according to which consents are still valid "provided they comply with the GDPR". This does not provide sufficient legal certainty. In our statement, we had suggested that the declarations of consent issued in accordance with the DPA 2000 remain valid in accordance with the German model (without double verification in accordance with the GDPR).
• New provision on the processing of data relevant to criminal law: Article 10 of the GDPR provides in principle that criminal data may be processed "only under official supervision", unless member states state otherwise. This is particularly problematic in practice regarding operating video surveillance systems and whistleblowing hotlines, since these systems are used to identify potential criminals and thus process data relevant under criminal law. Therefore, the now amended provision of Sec 4 para 3 DPA stipulates that criminal law data may also be processed on the basis of overriding legitimate interests of the controller. This means that the established compliance instruments can continue to be operated.

The positive aspect of the DPA's resolution is that it gives Austrian companies at least a national basis for their implementation projects to achieve data protection compliance. The great downer, however, is that political circumstances have led to a technically weaker solution being implemented, instead of creating a new version, which also raises other constitutional issues. The opportunity was also missed to create a truly practical, final legal basis under data protection law from the good initial draft by means of practical input. Thus, in view of the rushed job, there remains the danger that actual and alleged shortcomings will be pushed into material laws instead of in the central DPA and that this will also lead to legal fragmentation.
 

The development history of the draft

On 12 May 2017, the first draft of the new Austrian Data Protection Act was published, which had been long awaited and repeatedly postponed in view of the overdue preparations. The deadline for comments in the legislative process ended on 23 June 2017, but surprisingly the Federal Government forwarded its draft to the National Council as a government proposal on 7 June 2017 - i.e. during the current evaluation period. This procedure is completely unusual, but was still outbid negatively by the further developments:
A total of 110 comments were received during the factually shortened review period. From this the active interest of the public can be derived and nevertheless some open topics. DORDA (as the only law firm) has submitted its own statement based on our many years of data protection expertise in order to point out topics of particular practical relevance.
Only three days after the expiry of the evaluation period, the government bill passed the Constitutional Committee of the National Council on 26 June 2017. Changes were made to
3
the draft at short notice. In a plenary session on 29 June 2017, the National Council actually adopted the last-minute amendment to the Data Protection Act.