On 11 December 2019, the Austrian Constitutional Court decided that the surveillance law that permits the use of spying software to read encrypted messages violates the fundamental right to respect for private life (article 8 ECHR), the fundamental right to data protection (§ 1 Austrian data protection law) and the constitutionally granted right that prohibits unreasonable searches (Art 9 Austrian bill of rights – Staatsgrundgesetz).

This judgement comes after the legalisation of government spyware in Austria was prevented already twice. In 2016, a draft bill was withdrawn by the Minister of Justice after heavy criticism from civil society, technical experts and academics. In a second attempt in 2017, the legalisation of government spyware was included in a broader surveillance package. The draft bill was already in committee stage in the Parliament, but was withdrawn after a record number of consultation responses from many individuals and high profile institutions, such as the chamber of economics, the high court and the data protection board. In 2018, the far-right government adopted the contested surveillance package, including government spyware and indiscriminate use of licence plate recognition in Austria.

The constitutionality of this law was subsequently challenged by a third of the Members of Parliament. In the judgement published on 11 December, the court pointed out, that there is a huge difference between traditional wiretapping and the infiltration of a computer system in order to read encrypted messages. Information about the personal use of computer systems provides insight into all areas of life and allows conclusions to be drawn about the user’s thoughts, preferences, views and disposition. The court criticised especially that the law allowed to use the spying software for prosecuting offences against property which have a low maximum penalty, like burglary (maximum penalty of five years).

Further, the court emphasised that the control mechanisms were insufficient. The law required a judicial approval at the beginning of the measure, and the control of the legal protection officer during the measure. The legal protection officer is a special Austrian institution that is supposed to protect the rights of those affected by secret investigations. Given the peculiarities and sensitivity of the surveillance measure this control mechanism was not enough of a safeguard for the Constitutional Court. The court required an effective independent supervision by an institution that is equipped with the appropriate technical means and human resources, not only at the beginning of the measure, but also for the entire duration of the surveillance.

The other provision that was challenged in front of the Constitutional Court was a mandatory data retention of car movements on Austria’s streets. The recognition of licence plates, car types and driver pictures in a centralised database of the Ministry of Interior was struck down as a form of indiscriminate data retention. A similar type of mass surveillance of telecommunication meta data was lifted in 2014. Austria is now one of very few EU countries without telecommunication data retention and government spyware. Uniquely, the debate in Austria was focused on the security risks that are inherent with government spyware. Through years of campaigning, most people have understood that the vulnerabilities required to infect a target device are a risk for everybody with the same operating system or application.

epicenter.works

https://en.epicenter.works

Summary of epicenter.works’ campaign against government spyware

https://en.epicenter.works/thema/state-trojan

Summary of epicenter.works’ campaign against the surveillance package

https://en.epicenter.works/thema/surveillance-package

Judgement of the Austrian Constitutional Court (only in German, 11.12.2019)

https://www.vfgh.gv.at/medien/Kfz-Kennzeichenerfassung_und__Bundestrojaner__verfass.de.php

(Contribution by Alina Hanel and Thomas Lohninger, EDRi member epicenter.works, Austria)