EC: data protection inadequate in Austria and Germany
The European Commission has started infringement procedures against the governments of Austria and Germany for failing to ensure adequate independence of their Data Protection Authorities.
In Austria, the Commission was alerted by a complaint from the data protection association Arge Daten in October 2003. On 5 July 2005, the Commission responded by instigating official proceedings against the Republic for a faulty implementation of Article 28 (1) second sentence of the data protection directive (95/46/EG) which requires that data protection authorities shall exercise their functions with complete independence.
The Austrian Data Protection Commission is, in terms of organisation and staff, integrated in the Federal Chancellery and its managing member is a senior official of the Chancellery.
In its 2005 activity report the Data Protection Commission (DPC) responds to the European Commission by describing the history of its organisational structures. It claims that in 1999 Austria was one of the first states to implement the directive in national law and that it was unclear at the time what standards would develop for "independent protection authorities".
Besides the lamentable lack of independence, the Austrian DPC suffers from a chronic shortage of staff. After some increases in the last two years the DPC now employs eight persons plus 10 persons working with the Data Processing Register. This amounts to a proportion of 1 data protection officer per 400.000 inhabitants. In a roughly equally sized country like Sweden this ratio is 1:230.769. Larger countries like the Czech Republic and Hungary still rank ahead of Austria, with 1:126.582 and 1:185.185.
This staff shortage results in the inability of the DPC to undertake event-unrelated investigations and in an all-time high of formal complaints because of unjustifiably long processing times. In its activity report the DPC states that while other problems remain, at least the long processing times should be a thing of the past. It is to be hoped that the formal action of the European Commission will do its part to help resolve the remaining problems.
Similarly, in Germany the government has been given until 5 September 2005 by the Commission to create full independence of the regional DPAs. This decision was also inspired by a complaint filed in 2003, this time by the legal scientist Patrick Breyer. On the provincial level, members of the local government (Regierungspräsidium) act as data protection authority. While these DPAs have formal independence regarding state data protection, in civil cases they are supervised by the provincial ministries. The e-zine Heise reports that Breyer elaborated on a specific example in the province of Hessen, where the DPA allowed an internet company (T-Online) to store the IP-numbers of a flat-fee service for a period of 80 days. When a user of this service was prosecuted for posting a satirical contribution, but acquitted, he took the data retention practice to court. The provincial DPA said it was perfectly legal, only to be corrected much later by an independent local judge who ordered T-Online to stop collecting detailed traffic data.
According to Breyer, the state-embedded provincial DPAs also respond 'in a lethargic way' to complaints from citizens, while the truly independent provincial DPAs defend civil rights in a very engaged way.
Letter from the Commission to Arge Daten (22.07.2005)
Datenschutzbericht 2005, Report of the Austrian Data Protection Commission covering 01.01.2002 until 30.06.2005
EU-Kommission pocht auf Unabhängigkeit der Datenschutzbehörden (23.07.2005)
(Contribution about Austria by Andreas Krisch, EDRI-member VIBE!AT)