33/5000 Privacy: authorities except

The Austrian implementation does not provide for punishment for public authorities. Even for affected companies, there are now significant softening.

Vienna. In theory, the new EU Data Protection Regulation provides for far-reaching consumer rights. Data misuse - as in the recent scandal involving 87 million Facebook users whose profiles were used for the US election campaign - is said to be a thing of the past with the entry into force of the regulation on 25 May. But the Austrian interpretation of the regulation suggests: too much optimism is not appropriate. The new rules are in this country namely apply only to private companies; public and private law entities with statutory mandate are totally exempt from fines.

So it is decidedly in the implementation of the Data Protection Act, which passed last Friday with the votes of turquoise blue the National Council. Authorities thus continue to have a free hand in dealing with personal data without having to fear a punishment. What has already been criticized is compatible with EU law, as European lawyer Walter Obwexer explains in an interview with the "press".

In fact, while the EU's General Data Protection Regulation (DSGVO) provides for full harmonization through national law, there are so-called opening clauses that allow Member States certain exceptions. This includes the decision whether or not to impose penalties on public bodies.

"Almost Hungarian audacity"

A softening of the basic data protection regulation provides for the Austrian interpretation but also for private companies that are very much affected. Activists like Max Schrems sharply criticize the amendments by the local government: "That's almost a Hungarian audacity," he said Wednesday in a press release. The amendments benefit above all those collecting companies, whose methods should better protect the consumer with the new EU regulation. The website heise.de, which first reported on the controversial amendment by the Austrian government, summarizes: "Most violations will remain unpunished."

For example, paragraph eleven added in an amendment tabled by the Federal Government states that the DPA should initially only caution in the sense of proportionality "especially in the case of first-time infringements" instead of providing maximum penalties of EUR 20 million or four percent of annual turnover (as appropriate) which value is higher).

A critical point for obWeXers: although the EU regulation allows a Member State to be cautioned in case of minor infringements; in the case of serious violations, however, according to the EU requirement, a fine is in any case due - if the offense was committed by a company and not by an individual.

Exceptions for journalists

In addition, the data protection authority should only be allowed to prosecute a company if no other administrative authority has already imposed fines on this company. "If the administrative penalty is much lower than the regulation foresees in the case in question, that would be inadmissible," argues the Innsbruck European lawyer.

Austria also wants to soften the regulation for the processing of data "for scientific, artistic or literary purposes", as well as for journalists: in these cases too, exceptions should apply.

All of these restrictions threaten to divert attention from the very purpose of the EU regulation, to guide companies and public authorities to more restrictive use of personal information. In addition, each user should in future be granted the right to have their personal data deleted on the Internet - be it private or professional.

("Die Presse", print edition, 27.04.2018)

https://diepresse.com/home/aus…utz_Behoerden-ausgenommen