Will the data privacy law in Austria take the same turn as the non-smoker protection law?

As most of you know, the new GDPR (General Data Protection Regulation) will become effective on the 25th of May. While this will happen all over Europe, in a small country in its heart the government cannot bring itself to implement the allowed penalty range, just as all other states in this union do. Austria comes up with its own rules, whether that makes sense, or not. Within the new GDPR, the massive penalties that go for the loss of personal data caused by neglect are heavily debated. As owner, shareholder or simple employee of a company that collects, saves or processes personally identifiable information, the new penalties can send cold shivers down ones spine. We’re talking about up to €20 million or 4% of the global annual turnover. And this for each data loss incident. In contrast, the previous fines topped out at a maximum of €25.000. This can easily become survival-threatening, not only for small and medium-sized enterprises.

If you too feel a bit uneasy about your companies stance in all of this, maybe it will put you at ease to learn that Austria has all but disposed of the new penalties before they even come into effect. In Austria there will be no immediate penalties, at most the threat of a penalty. At least not for the first couple of breaches. In fact, article 58, paragraph 2 of GDPR states other corrective actions next to the striking monetary penalty:

1. Warning, that intended processing operations are not conformable to law
2. Reprimand in case of infringement
3. Directive to comply with the request of a concerned subject
4. Directive to bring processing operations into compliance with GDPR in a specified manner and within a specified period
5. Directive to communicate a personal data breach to the data subject
6. Imposition of limitation or ban on processing
7. Order the rectification or erasure of personal data or restriction of processing and the notification of such actions to recipients to whom the personal data have been disclosed

Of course such alternative sanctions make sense, especially for companies that applied the data protection rules to the best of their knowledge and judgment and tried to protect the data entrusted to them according to the standards of their industry. Absolute security can never be achieved, no matter how drastic the fines.

Nevertheless, Austrian politics deals with this topic, as it did with the non-smoker protection law, in an entirely unique way among European countries. The “Data Protection Deregulation Law 2018”, paragraph 11 states the following: “The data protection authorities will apply the provisions of Article 83 paragraphs 2 to 6 respecting the principle of proportionality. In particular in cases of first time infringement the data protection authorities will make use of their corrective power in compliance with Article 58 of GDPR especially through admonishment.” (https://www.parlament.gv.at/PAKT/VHG/XXVI/BNR/BNR_00027/fname_691190.pdf)

It may strike the reader that the Austrian authorities dealt with the data protection law in a similar way they dealt with the non-smoker protection. On January 1st 2009 an extensive non-smoker protection law regarding public spaces such as restaurants, cafes and wineries should have come into effect. Like in other EU countries, this law sparked heated debates, even though it provides clear exceptions, such as designated rooms for smoking and dedicated smoking establishments. So far, so good, one might think. However, if you venture in the Austrian daily reality you will learn quickly that the non-smoker protection law didn’t reach very far in this country. Particularly by comparison with other EU countries.
A not to be underestimated reason for this could be found in the rather favorable attitude on the part of the government towards smokers and bar-owners. If the penalties would have been taken more earnestly by the government, the situation today would be quite different in Austria’s public spaces and gastronomy establishments. After all, the often evoked disappearance of clientele from cafes, bars and restaurants did not occur in any of the EU countries that applied these measures in a substantially stricter manner.
To top it all, on 22nd of March 2018 the Austrian National Council withdrew the amendment to the Tobacco Act, which would have banned smoking in gastronomy establishments altogether.
Considering this trend, one might ask when the next “flexibilization” of the GDPR will take place.

Now there are voices that are frantically looking for meaningful explanations for this approach of the government and they also manage to find them, albeit with difficulty. One potential overarching idea here could be that Austria is trying to preempt any monkey-business through unlawful GDPR warnings asking for compensation. While this may partially represent the reality, it is however, in my opinion, not good enough a reason for the softening of the GDPR.

It is clear that only time and unfortunately the neglectful and large-scale loss of personal data by Austrian companies will show which measures the Austrian Data Protection Authority will be ready to take against the concerned companies or organizations. In Austria, as well as in practically all other countries in and outside of the European Union, even in 2018 companies are still not paying enough attention to information security and data protection. This situation will only change through rigorous regulations and penalties, which will directly affect the wallets of companies and their investors.