
Study on Data Security within the Transposition of Data Retention Directive in Austria

In July 2011 the BIM finished a study on data security in the transposition of Data Retention Directive 2006/24/EC into Austrian law. The conclusion of the study contains a concrete proposal for a regulation on data security based on §§ 94 para 4 and 102c Telecommunications Act (TKG).

Directive 2006/24/EC requires the retention of all telecommunications traffic and access data by all providers of public electronic communications networks and services within the EU. The provision of such services regularly includes the processing of personal data of users. In order to comply with the Data Protection Act, the secrecy of telecommunications and the provisions of the European Convention on Human Rights, particularly Article 8 concerning private life and correspondence, this data must be kept secret. In this regard, measures at the technical level in particular are necessary. Effective protection of the fundamental rights of all users requires establishing a system of tamper-proof logging, thereby ensuring adequate accountability for legal protection.

From November 2009 until January 2010, a draft by the Federal Ministry for Transport, Innovation and Technology (BMVIT) for a corresponding amendment to the Telecommunications Act (TKG) was under public review. The draft law was prepared on behalf of the BMVIT by the Ludwig Boltzmann Institute for Human Rights (BIM) and seeks a way of transposition that interferes with fundamental rights as little as possible. The draft was subsequently amended in some parts during the political debate, but remained largely intact, especially in its essential structure. The amended version was finally approved in Parliament and promulgated on 18 May 2011 in the Federal Law Gazette (BGBl I No. 27/2011). Hence, the storage requirement for providers will enter into force by 01.04.2012.

The Act contains only relatively coarse specifications regarding data security standards. Detailed data security standards will be set out in a regulation based on §§ 94 para 4 and 102c TKG. In March 2010, the BIM submitted to the BMVIT a concept for a data security survey, which led to the release of the necessary research resources.

The objective of this study is to evaluate technical solutions based on the legal requirements, providing a high level of data security and protection of fundamental rights. The results of the study lead to a concrete proposal for a regulation on data security. The study addresses both data security within the provider and the transfer of personal data and information in the context of requests for disclosure by security and law enforcement authorities. However, the practical problems of data security are concentrated in the secure transmission of data. For this reason, the heart of the study is the concept of a central "data hub", the so-called "Durchlaufstelle" (DLS). This concept had been developed by the author as a reference model. Content relating to persons is encrypted and exchanged between sender and receiver in a way that is not accessible to the DLS itself. In addition to the theoretical background, an intensive empirical part, documenting 6 large stakeholder roundtables, sought a workable solution for all involved. The draft regulation is therefore based on a broad professional consensus and is characterized by an unusually high level of technical determination, while using technology-neutral wording. The draft regulation was in public review over the summer of 2011 until 20 September 2011. After a possible revision by the BMVIT in agreement with the Ministry of Interior (BMI) and the Ministry of Justice (BMJ), the regulation is likely to be adopted in late autumn 2011.