Austrians’ personal data has been publicly accessible on the ministry of economy’s website since 2009. The liberal party NEOS and NGO epicenter.works call it the “biggest data protection scandal of the Second Republic.” NEOS is considering legal action and a GDPR expert told EURACTIV Germany it could be successful.
Anyone could simply go to the website, enter a name in the search field and find that person’s address and date of birth, as well as the dates of their tax returns.
NEOS and epicenter.works assume about one million people may have been affected. Among them were President Alexander Van der Bellen, eight government members and about one hundred parliamentarians.
It is still unclear who exactly has been registered in the system, but for the most part, they appear to be formerly self-employed people. The ministry has pointed to a 2009 regulation, which mandates publication, but the register was taken offline on 7 May.
To help entrepreneurs find the administrative details they needed when registering for coronavirus aid, the Chamber of Commerce recommended looking at the register, which had previously gone unnoticed. Suddenly, many Austrians realised their data was publicly available.
“Real failure of the ministries”
The planned establishment of a government task force is insufficient, Douglas Hoyos, NEOS digital spokesman, told EURACTIV Germany. He saw “a real failure in the ministries when something like this just happens and nobody reacts to it.” NEOS are currently examining legal steps based on the GDPR.
This could be successful, said Christof Tschohl, director of the Research Institute – Digital Human Rights Center, in an interview with EURACTIV Germany. He saw several possible avenues of attack.
The handling of the register “may not be a violation of domestic law,” since the 2009 regulation seems to actually require publication, but could violate the GDPR. For Tschohl, this is a “legal framework that has not been adapted accordingly under EU law.”
Expert sees multiple GDPR breaches
In May 2018, the GDPR became applicable in Austria, as in every EU member state. The register, however, was not adapted to it; it was simply carried over, fed with data and kept available online.
Tschohl suspects that this was not in conformity with the GDPR. Those affected were never informed that their data was publicly accessible, as the data protection law requires.
Furthermore, the 2009 regulation did not sufficiently justify why the register should actually be public. This too should have been done by 2018 at the latest, given the GDPR’s data minimisation principle, under which “as little personal data as possible must be collected, processed or used.”
Furthermore, no data protection impact assessment was carried out, although the large number of people affected would have required one. While the GDPR does not treat addresses and dates of birth as sensitive (special category) data, publishing home addresses can have serious consequences, for victims of violence, for example.
Data protection authority can do pioneering work
The widespread view that Austrian authorities are exempt from the GDPR is wrong, said Tschohl. The rumour stems from the fact that Austria uses the GDPR’s opening clause, which lets member states shield public authorities from administrative fines.
But public actors can still be prosecuted under civil or criminal law, for example for abuse of authority. This requires proven damage, which Tschohl thinks could easily be established here.
As a next step, it is “imaginable that the data protection authority could open an investigation procedure,” which would establish the unlawfulness of the publication. While such a finding is not binding on the courts, it simplifies litigation in civil courts, which often lack data protection expertise.
Data collection in the shadows
However, Georg Kainz, president of quintessenz, a civil liberties advocacy group, warned against condemning the Ministry of Economy too quickly. He told EURACTIV Germany that it makes perfect sense for such registers to be publicly accessible.
The problem for Kainz is not the publication, but the data collection itself. As long as the registers are public, citizens know what is being collected.
The current debate could lead the state to hide its data collection, as has already happened with this register: it is offline, but not deleted, said Kainz, who suggested looking into whether there was a good reason for the 2009 decision to publish the register in the first place.
[Edited by Sarah Lawton/Zoran Radosavljevic]