Austria

[AT] Council of Ministers Agrees on Data Retention

IRIS 2011-4:1/9

Sebastian Schweda

Institute of European Media Law (EMR), Saarbrücken/Brussels

On 22 February 2011, the Austrian Ministerrat (Council of Ministers) agreed on a series of bills designed to implement the Data Retention Directive 2006/24/EC. In addition to the planned amendment of the 2003 Telekommunikationsgesetz (Telecommunications Act -TKG), a first draft of which was tabled by the Verkehrsministerium (Ministry of Transport) in July 2010 (see IRIS 2010-9/11), the proposals now also concern the Strafprozessordnung (Code of Criminal Procedure - StPO) and the Sicherheitspolizeigesetz (Police Act - SPG). The amendments are designed to regulate access to stored data.

The draft amendment to the 2003 TKG provides for a six-month data retention limit. This proposal is at the lower end of the scale required by the Directive. Regarding data categories, the bill does not go beyond those set out in Article 5 of the Directive. However, only providers who are obliged to contribute to the financing of Rundfunk und Telekom Regulierungs-GmbH (RTR) under Article 10 KommAustriaG are required to retain data. Small providers are therefore exempt from the retention obligation.

The question of cost reimbursement remained controversial right to the end of the inter-ministerial discussions. The cost of purchasing the equipment required to retain data is estimated at EUR 15 to 20 million, with annual operating costs of around EUR 3 million. According to the final draft, 80% of these costs will be covered by the Federal Government, with the rest to be paid by the providers.

The transfer of data to the requesting bodies will be subject to certain security precautions, such as the “four eyes principle” and “technically sophisticated encryption technologies”. The details will be set out in a Ministry of Transport decree, which will be the subject of a report to the Nationalrat (National Assembly).

According to media reports, serious concerns were raised internally about the infringement of basic rights. In particular, an unpublished report by the Bundeskanzleramt (Federal Chancellery) is said to be critical of the provision in the draft amendment of the SPG that data could be used “in order to ward off general dangers”, which would significantly increase access to data. Previously, a “concrete danger” was necessary. The Datenschutzrat (Data Protection Council), which advises the Federal Government and regional governments on data protection issues, has created a working group which is currently examining the bills. Internet service providers have also been critical. The association that represents the interests of the Internet sector, “Internet Service Providers Austria”, is demanding that the State should cover the full costs of a measure that it considers to be exclusively the State’s responsibility. The private data protection organisation “Arge Daten” has expressed fundamental opposition to data retention in Austria on the grounds that it seriously breaches basic rights.

The government bill will now be debated in parliament and is expected to be adopted in May. However, providers will then have nine months in which to adapt their technical equipment and processes accordingly.

The deadline for transposing the Directive was 1 January 2008. In an action brought by the European Commission, the ECJ has already found Austria guilty of infringing the Treaty. Austria is now under pressure if it wishes to avoid being fined a large sum in another procedure. At the same time, however, it is keen to wait until the Commission publishes its evaluation report on the Directive, which is expected to provide a clear idea of the future development of data retention in Europe. After several delays, this report is expected to be published at the end of March.