As mentioned in the introduction to our blog series on ePrivacy rules in the EU, the EU Council has reached a compromise agreement on its position on the new ePrivacy Regulation.
Compared to other EU countries (eg Spain or France), so far, none of the relevant Austrian stakeholders, such as the Austrian Telecommunications Office (Fernmeldebehörde), the Austrian data protection authority (Datenschutzbehörde) or the competent Austrian ministries, have been playing a very active role by taking a position in relation to ePrivacy and its new legal regime. Austria is, apparently, waiting for the EU legislator to implement the ePrivacy Regulation before taking any action thereto.
New Austrian telecommunications law
In Austria, the provisions of the ePrivacy Directive (ePD) are currently implemented in the Austrian Telecommunications Act (TKG). Due to new EU regulations (such as the European Electronic Communications Code) the Austrian Parliament has published a a proposed new TKG (TKG 2020), which, one passed, will reorganise the legal framework for telecommunications law in Austria.
Yet the provisions relating to the ePD are intended to remain the same as under the current TKG, with one exception: under the TKG, violations of the provisions implementing the ePD are subject to administrative fines of up to €58,000, whereas under the TKG 2020 such administrative fines may rise to €100,000.
Competent authority in relation to ePrivacy
In general, the Austrian Telecommunications Office (not the Austrian DPA) is the competent authority to monitor compliance with the TKG. However, for violations of the ePrivacy rules in the TKG resulting (as well) in a breach of the fundamental right to confidentiality (as set out in section 1 of the Austrian Data Protection Act), the Austrian data protection authority (DPA) regards itself as the competent authority. The same applies to breaches of the EU General Data Protection Regulation (GDPR) that are not supplanted by the ePrivacy Directive (as per Article 95 of the GDPR), such as not including ePrivacy processing activities in the record of processing activities and not informing the data subjects as per Articles 13 and 14 of the GDPR.
Thus, companies can face two fines: one from the Austrian Telecommunications Office (up to €58,000) and one from the Austrian data protection authority (up to either €20m or 4 per cent of global annual turnover, whichever threshold is higher). Currently, both the Austrian Telecommunications Office and the Austrian DPA may initiate (fine) proceedings vis-à-vis a company in parallel (albeit focusing on different aspects of the case).
The current draft of the ePrivacy Regulation states that member states should provide for one or more independent public authorities to be responsible for monitoring compliance with the ePrivacy Regulation. As a subordinate office of the Austrian Ministry of Telecommunications, the Austrian Telecommunications Office is, however, not considered independent, but bound to instructions from the competent Austrian ministry.
Hence, it is likely that the competence to monitor compliance with the ePrivacy provisions will entirely switch to the Austrian DPA, once the ePrivacy Regulation is implemented.
Due to the primacy of EU law, it remains to be seen how the Austrian legislator will amend the TKG 2020 so that it is aligned with the ePrivacy Regulation, once implemented, or if supplementary provisions (like on the relevant public authority) will be included in the Austrian Data Protection Act.
Organisations should closely monitor the scope of the ePrivacy Regulation and its interplay with the GDPR to prepare for its implementation.
Other post in this series include:
- EU's ePrivacy reforms inch forward (introduction)
- EU’s ePrivacy reforms: a UK perspective
- EU’s ePrivacy reforms: a French perspective
- EU’s ePrivacy reforms: a Belgian perspective
- EU’s ePrivacy reforms: a Russian perspective
- EU’s ePrivacy reforms: a Spanish perspective
- EU’s ePrivacy reforms: an Austrian perspective
- EU’s ePrivacy reforms: a Dutch perspective