The Austrian constitutional court decided on 11.12.2019 that the surveillance law that permits the use of spying software to read encrypted messages violates the fundamental right to respect for private life (article 8 ECHR), the fundamental right to data protection (§ 1 Austrian data protection law) and the constitutionally granted right that prohibits unreasonable searches (Art 9 Austrian bill of rights – Staatsgrundgesetz).
This judgement comes after the legalisation of government spyware in Austria had already been prevented twice. In 2016 a draft bill was withdrawn by the justice minister after heavy criticism from civil society, technical experts and academics. In a second attempt in 2017 the legalisation of government spyware was included in a broader surveillance package. The draft bill was already at committee stage in the parliament, but was withdrawn after a record number of consultation responses from many individuals and high-profile institutions, like the chamber of economics, the high court and the data protection board. In 2018 the far-right government adopted the contested surveillance package, including government spyware and indiscriminate licence plate recognition on Austria’s streets. The constitutionality of this law was subsequently challenged by a third of the Members of Parliament.
The court pointed out that there is a huge difference between traditional wiretapping and the infiltration of a computer system in order to read encrypted messages. Information about the personal use of computer systems provides insight into all areas of life and allows conclusions to be drawn about the user's thoughts, preferences, views and disposition. The court criticized in particular that the law allowed the spying software to be used for prosecuting offences against property which have a low maximum penalty, like burglary (maximum penalty of five years).
Further, the court emphasized that the control mechanisms were insufficient. The law required judicial approval at the beginning of the measure and, during the measure, the control of the legal protection officer. The legal protection officer is a special Austrian institution that is supposed to protect the rights of those affected by secret investigations. Given the peculiarities and sensitivity of the surveillance measure, these control mechanisms were not enough for the constitutional court. The court required effective independent supervision by an institution that is equipped with the appropriate technical means and human resources, not only at the beginning of the measure, but also for the duration of the surveillance.
For the time being, these requirements will not be met by the Austrian legislator. If another attempt is made to take such a measure, there is a very good chance that it will be revoked as unconstitutional.
The other provision that was challenged in front of the constitutional court was a mandatory data retention of car movements on Austria's streets. The recognition of licence plates, car types and driver pictures in a centralised database of the interior ministry was struck down as a form of indiscriminate data retention. A similar type of mass surveillance of telecommunication metadata was lifted in 2014. Austria is now one of very few EU countries without telecommunication data retention and government spyware. Uniquely, the debate in Austria was focused on the security risks that are inherent in government spyware. Through years of campaigning most people have understood that the vulnerabilities required to infect a target device are a risk for everybody with the same operating system or application. We are happy that we could contribute to this awareness with our 3.5-year-long campaigning work.
- by Alina Hanel and Thomas Lohninger