Austria: Outsourcing data retention obligations to the US
During the ECJ lawsuit against the data retention (DR) directive it became clear that DR obligations may have been outsourced to contractors, maybe even to US-based companies, thereby giving US authorities potentially unrestricted access to all such retained data.
Austria is one example of an EU member state with data retention in place. Therefore, the Austrian NGO Initiative für Netzfreiheit asked the national data protection authority (DPA) whether it could rule out that Austrian service providers have outsourced their DR obligations, maybe even to US-based contractors and storage locations.
The head of the Austrian DPA answered that they had no way of knowing whether Austrian service providers have outsourced their DR obligations at all, let alone to US-based contractors. If DR obligations were outsourced to unsafe third countries, this would have to be registered with them. However, due to the safe harbor provision, US-based companies that take part in it are exempted from the registration obligation.
The Austrian DPA has the authority and duty to ensure that appropriate security measures have been established for all DR obligations. For this purpose, the Austrian DPA also has the right to inspect the data centers where data retention occurs in order to assess the effectiveness of the security measures in place. The Austrian DPA stated to the Initiative für Netzfreiheit that, in the more than 15 months during which data retention has been required by law, they did not assess any data retention security measures at all, but that they were planning to do so. Also, when asked if they thought that they could really get access to the data center of a US-based service contractor, the DPA admitted that they had not thought of such a case yet and that they didn't think they could actually exercise their inspection rights at data centers located in the US.
In summary, it has to be concluded that there is no way for the Austrian DPA to even know about US-based outsourcing of DR data handling. Nobody can rule out that Austrian service providers have outsourced their DR obligations and thus nobody can rule out that Austrian DR data are stored on servers in the US, thereby giving US authorities direct access to the DR data of Austrian citizens.
The Initiative für Netzfreiheit thus demands the immediate repeal of data retention in Austria as well as the annulment of the safe harbor provision. "It is completely unacceptable that US services might have direct access to the location and connection data of Austrian citizens. This demands immediate action," says Josef Irnberger for the Initiative für Netzfreiheit.
"Not even the data protection authority can rule out direct access by US authorities to the data retention data of Austrian citizens, nor could they even rightfully demand access to US data centers. Seen alongside the blatant human rights violation created by the very existence of the data retention directive itself, this really takes the biscuit," added Josef.
Original press release (only in German, 11.07.2013)
CEJ Data retention case - live blogging (only in German, 9.07.2013)
(contribution by Josef Irnberger - EDRi member Initiative für Netzfreiheit - Austria)