The Data Retention Directive[1] imposes obligations on providers to retain traffic and location data. The data in question relate to the use of mobile and fixed telephony as well as to the Internet communication of all users. The main aim is to ensure that data are available for the purposes of investigating, detecting and prosecuting serious crimes, as defined by national law.
This is obviously a paradigm shift. In 2002 there came into force the Directive on Privacy and Electronic Communication[2], whose aim was to ensure user privacy regarding specific risks arising from new technologies. As a general principle, the quantity of personal data necessary should be limited to a strict minimum, and so the existing legal framework explicitly protects citizens' privacy and personal data and provides for the deletion of traffic data once no longer needed for the purposes of conveying communication or billing.
- 59/60 -
This paper will, firstly, give an overview of the current legal status in Austrian law to identify the problems which may arise whilst implementing the Data Retention Directive. Following a short overview of the Data Retention Directive, its implementation will then be discussed in detail.
Whilst implementing the Directive, the constitutional rights laid down in the Austrian legal system must always be kept in mind.[3] The most important of these are:
The fundamental right of respect for private and family life, as laid down Article 8 of the European Convention on Human Rights (ECHR), which is constitutional law in Austria. In relation to privacy, also as established by Article 8 of the ECHR, it is particularly the factors of necessity and proportionality which are affected by the Data Retention Directive. This problem will be discussed later.
In the same context a further important human right is the fundamental right to data protection, which is regulated in the Federal Act concerning the protection of personal data - also constitutional law. §1 states: "Everyone shall have the right to secrecy in respect of the personal data which concern him, and especially with regard to his private and family life, insofar as he has an interest which merits such protection. Such an interest is precluded when data cannot be subject to the right to secrecy due to their general availability or because they cannot be traced back to the data subject."[4]
The data subject in this context is any natural or legal person or group of natural persons whose data is processed, and so personal data includes all the information relating to data subjects who are identified or identifiable. Normally traffic data and location data identify one data subject, and so this rule applies.
The only prerequisite for this protection is that the data subject should have an interest meriting such protection - which is not the case when the data is generally available - such as the name and telephone number published in the public telephone book or when the data cannot be traced back to the data subject.
Everyone also has the right to obtain information as to who processes what data concerning him, the origin of these data, the purposes for which they are used, as well as to whom the data are transmitted. He also has the right to correct inaccurate data and the right to erase illegally processed data.
Restrictions to this fundamental right to data protection are allowed insofar as personal data is used in the vital interest of the data subject or with his consent. Restrictions are also permitted to safeguard the overriding legitimate interests of another person.
In the case of intervention by a public authority, the restriction shall only be permitted based on laws or statutes necessary for the reason stated in Article 8 of the ECHR. Even where restrictions are permitted, any conflict with fundamental rights is to be resolved by use of the least intrusive of all effective methods.
In this context the last fundamental right to be mentioned is "confidentiality of communications", as laid down in the Telecommunications Act.[5] Content data, traffic data and location data are subject to this, and every operator, together with all others involved in the operator's activities, are obliged to observe the confidentiality of the communication. Persons other than the user himself are not permitted to listen, tap, record, intercept or otherwise monitor communications and the related traffic and location data, nor to pass on related information without the consent of all users concerned.
The basic rules for collecting and processing data are also laid down in the Telecommunications Act.[6] This simply states that master data, traffic data, location data and content data may be collected and processed only for the purposes of providing a communications service. These data may only be used for marketing communications services or for providing value-added services or other transmissions with the consent of the data subjects, consent which may be withdrawn at any time. This is the general rule applying to all data.
Definitions of the relevant terms in Austrian law are laid down in the Telecommunications Act[7] where "traffic data" means any data processed for the purpose of the conveyance of a communication on a communications network or for the billing thereof. In fact, it is the same definition as is found in the Directive on Privacy and Electronic Communication. "Traffic data", therefore, includes active and passive user-numbers such as a telephone number, an email address or an IP address "Location data" means any data processes in a communication network indicating the geographical position of the tele-communications terminal equipment of a user of a publicly available communication service.
The last term to be mentioned is "master data". This term covers all those personal data required for establishing, processing, modifying or terminating the legal relations between the user and the provider. This includes, for example, surname and forename residential address, subscriber number, information concerning the type and content of the contractual relationship and financial standing.
The Telecommunications Act also includes special rules regarding traffic data (§ 99). Except for those cases regulated by law, traffic data must not be stored and is to be erased or made anonymous after the termination of the connection. If required for the purpose of subscriber billing, the operator is allowed to store traffic data up to the end of the period during which the bill may be lawfully challenged or payment pursued.
In general, location data other than traffic data may be processed only if they are made anonymous or if users have given their consent, consent which may be withdrawn at any time.
The operator is, therefore, only allowed to process data if a legal obligation in national law exists, and in practice, the most relevant such obligation is found in the Code of Criminal Procedure. Operators are obliged to provide information regarding master data, traffic data and content data, but only under specific preconditions. This obligation exists only as long as the data actually exist. There exists neither an obligation nor any legal opportunity to retain data in advance or to intercept it.
A Jogkódex-előfizetéséhez tartozó felhasználónévvel és jelszóval is be tud jelentkezni.
Az ORAC Kiadó előfizetéses folyóiratainak „valós idejű” (a nyomtatott lapszámok megjelenésével egyidejű) eléréséhez kérjen ajánlatot a Szakcikk Adatbázis Plusz-ra!
Visszaugrás
