Austrian ministry could face GDPR penalty after publishing personal data online

The Ministry of Economy under the leadership of Minister Margarete Schramböck (ÖVP) published Austrians' personal data online for years. [EPA-EFE | Angelika Warmuth]

Austrians’ personal data has been publicly accessible on the ministry of economy’s website since 2009. The liberal party NEOS and NGO call it the “biggest data protection scandal of the Second Republic.” NEOS is considering legal action and a GDPR expert told EURACTIV Germany it could be successful.

One could simply go to the website, enter a name in the search field and find a person’s address and date of birth, as well as the date of tax returns.

NEOS and assume about one million people may have been affected. Among them were President Alexander Van der Bellen, eight government members and about one hundred parliamentarians.

It is still unclear who exactly has been registered in the system, but for the most part, they appear to be formerly self-employed people. The ministry has pointed to a 2009 regulation, which mandates publication, but the register was taken offline on 7 May.

To help entrepreneurs find bureaucratic data while registering for coronavirus aid, the Chamber of Commerce recommended looking at the register, which had previously run under the radar.  Suddenly, many Austrians noticed their data was publicly available.

MEPs take stand against UK fingerprint data exchange scheme

Lawmakers in the European Parliament’s Civil Liberties committee have signalled their disapproval at the UK’s participation in a fingerprint data exchange scheme with EU member states after the country’s decision to withdraw from the bloc.

“Real failure of the ministries”

The planned establishment of a government task force is insufficient, Douglas Hoyos, NEOS digital spokesman, told EURACTIV Germany. He saw “a real failure in the ministries when something like this just happens and nobody reacts to it.” NEOS are currently examining legal steps based on the GDPR.

This could be successful, said Christof Tschohl, director of the Research Institute – Digital Human Rights Center, in an interview with EURACTIV Germany. He saw several possible routes of attack.

The handling of the register “may not be a violation of domestic law,” since the 2009 regulation seems to actually require publication, but could violate the GDPR. For Tschohl, this is a “legal framework that has not been adapted accordingly under EU law.”

EU-funded COVID-19 app 'listens to voices and coughs'

A recently launched EU-funded mobile application records users’ breathing and coughing to diagnose cases of COVID-19, scientists involved in the project have said.

Expert sees multiple GDPR breaches

In 2018, the GDPR became national law in Austria. However, the register was not adapted, but simply transferred, fed with data and made available online.

Tschohl suspects that it was not in conformity with GDPR. People were not informed that their data was publicly accessible, which is necessary under the data protection law.

Furthermore, the 2009 regulation did not sufficiently justify why the register should actually be public. This too should have been done by 2018 at the latest, given the GDPR’s stipulation that “as little personal data as possible must be collected, processed or used.”

Furthermore, no data protection impact assessment was carried out, due to the large number of people affected. While GDPR does not consider the data sensitive, publishing home addresses can have serious consequences, on victims of violence for example

Hungarian government suspends EU data protection rights

The Hungarian government has announced plans to suspend its obligation to certain protections laid out in EU data protection law until the current ‘state of emergency’ period has been declared over.

Data protection authority can do pioneering work

The widespread view that Austrian authorities are exempt from the GDPR is wrong, said Tschohl. The basis for the rumour is that Austria is using the GDPR’s opening clause to protect authorities from administrative penalties.

But public actors can still be prosecuted under civil or criminal law, for example, for abuse of authority. However, this requires proven damage, but Tschohl thinks this could easily be the case here.

As a next step, it is “imaginable that the data protection authority could open an investigation procedure,” which would establish the unlawfulness of the publication. While non-binding, it simplifies litigation in civil courts, which often lack data protection expertise.

EU stands by its data privacy rules in response to COVID-19

Europe cannot win the fight against the coronavirus without digital technologies, the European Commission said in a video call with EU-27 health ministers on Monday (27 April). But this must not come at the expense of EU data protection rules, which must remain a “global gold standard”. 

Data collection in the shadows

However, Georg Kainz, president of quintessenz, a civil liberties advocacy group, warned against a too-rapid condemnation of the Ministry of Economy. He told EURACTIV Germany it makes perfect sense that such registers should be publicly accessible.

The problem for Kainz is not the publication, but the data collection itself. As long as the registers are public, citizens know what is being collected.

The current debate could lead the state to hide its data collection, as happened with the register. It is offline, but not deleted, said Kainz, who suggested that one should look to see if there was perhaps a good reason why the publication of the register was decided in 2009.

[Edited by Sarah Lawton/Zoran Radosavljevic]

Subscribe to our newsletters