VfGH - G 72-74/2019, G 181-182/2019

From GDPRhub
VfGH - G 72-74/2019 G 181-182/2019
Courts logo1.png
Court: VfGH (Austria)
Jurisdiction: Austria
Relevant Law:
Article 8 ECHR
§1 Austrian Data Protection Law (DSG)
Decided: 11.12.2019
Published:
Parties:
National Case Number/Name: G 72-74/2019 G 181-182/2019
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: VfGH (in German)
Initial Contributor: n/a

The Austrian Constitutional Court (VfGH) declared national surveillance law unconstitutional.

English Summary

Facts

Austria introduced § 135a of the criminal procedures act (StPO) to allow the use of spy software on devices ("government hacking") to be able to tap encrypted communication between smartphones. The mandatory data retention via license plate readers was also challenged before the Court.

Dispute

Members of the Parliament (Social Democrats and the Liberal Party) have applied to the Constitutional Court (VfGH) claiming that the law violates citizens' fundamental rights.

Holding

The Court decided that the surveillance law that permits the use of spying software to read encrypted messages contravenes the fundamental rights to private life according to Article 8 ECHR, to data protection as foreseen in § 1 of the Austrian data protection act (Datenschutzgesetz - DSG).

The Court highlighted the difference between traditional wiretapping and modern computer systems which read encrypted messages. The latter provides insight into all areas of life allowing inferences about the user’s thoughts and preferences. Considering the particularities of the surveillance measure, this control mechanism was deemed to be not sufficient. The Court required an effective independent supervision by an institution which affords all appropriate technical means and human resources both at the beginning of the measure and the entire duration of the surveillance.

The Court ruled that the recognition of licence plates, car types and driver pictures in a centralised database of the Ministry of Interior constitutes an indiscriminate data retention.

Comment

Add your comment here!

Further Resources

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the German original for more details.

IN THE NAME OF THE REPUBLIC!

The Constitutional Court has rightly recognised, in accordance with Article 140 of the Federal Constitutional Law:The contested provisions of the Security Police Act (SPG), the Road Traffic Act 1960 (StVO 1960) and the Code of Criminal Procedure 1975(StPO) are essentially repealed as unconstitutional.The repealed provisions relate on the one hand to the covert recording of data for the identification of vehicles and drivers by means of image-processing technical equipment and the processing of data from section control systems by the security authorities and on the other hand to the secret surveillance of encrypted messages for the purposes of the criminal investigation department and the authorisation to enter premises, search containers and overcome specific security measures for the purpose of installing a programme for the surveillance of encrypted messages. The ruling of the ruling reads literally as follows:1 § 54 paragraph 4b and § 57 paragraph 2a of the Federal Act on the Organisation of Security Administration and the Exercise of the Security Police (Security Police Act - SPG), Federal Law Gazette No. 566/1991, as amended by Federal Law Gazette I No. 29/2018 and section 98a subsection 2 first sentence of the Federal Act of 6 July 1960 enacting provisions on the road police (Road Traffic Act 1960 - Road Traffic Ordinance 1960), Federal Law Gazette No. 159/1960, as amended by Federal Law Gazette I No. 29/2018, shall be repealed as unconstitutional. 2.earlier statutory provisions shall not come into force again. 3.section 134(3a) and section 135a of the Code of Criminal Procedure 1975 (StPO), Federal Law Gazette No. 631/1975, as amended by Federal Law Gazette I No. 27/2018, shall be repealed as unconstitutional.4 The Federal Chancellor shall be obliged to announce these pronouncements in the Federal Law Gazette I without delay.5 The remainder of the application of the Members of Parliament to the National Council on G 72-74/2019 shall be rejected.6 The remainder of the application of the Members of the Bundesrat on G 181-182/2019 shall be rejected. Reasons for the decision. The motions submitted for joint deliberation and decision are admissible - except for the challenge of § 98a para. 1 and para. 2, second and third sentence of the StVO 1960.II. For the covert processing of data for the identification of vehicles and drivers by image-processing technical equipment for the purposes of the security policeFor the automatic recording of data:With regard to the type and scope of the data, security authorities are required by § 54 para. 4b first sentence SPG authorises security authorities to record all data that can be determined by means of image-processing technical equipment and which serve to identify vehicles and drivers.  The range of data legitimately generated in accordance with § 54 para. 4b SPG is broadly defined both in terms of the technical possibilities of the means used ("image-processing technical equipment") and in terms of a demonstrative list of the categories of data for identifying vehicles and drivers. "Image-processing technical equipment" does not only include photo and video cameras, but also, for example, facial recognition devices, whereby it is not foreseeable which further types of data can be recorded by "image-processing technical equipment" in the future.the authorization pursuant to § 54, Subsection 4b, First Sentence, DDA is also not subject to any restrictions in terms of space or time. § Section 54 para. 4b SPG permits automatic data collection for the purpose of the search, according to the wording, wherever vehicles are on the road or parked.  As a result, image-processing technical equipment can be used in all road traffic. The interference with the authority of the security authorities to determine personal data in accordance with § 54, Subsection 4b, first sentence, SPG proves to be disproportionate in the light of the objective pursued: In view of its scope with regard to the type and scope of the data as well as the place of use and the conditions of data collection, the authorisation to collect data in accordance with § 54 para. 4b, first sentence, DDA is a serious encroachment on the confidentiality interests in accordance with § 1 para. 1 of the Data Protection Act (DPA) and the right to respect for the private life of the persons concerned in accordance with Article 8 para. 1 of the European Convention on Human Rights (ECHR). The seriousness of the encroachment with regard to the nature of the data determined in accordance with the first sentence of § 54, para. 4b, DDA results not least from the fact that the (image) data recorded - in particular of passengers - allow conclusions to be drawn that go beyond the identification of the vehicle and the driver. The data collection (also) includes location data and information on which persons are travelling together or who, for example, is attending certain events or meetings. In the opinion of the Constitutional Court, the decisive factor with regard to the nature of the data collected pursuant to § 54, Subsection 4b, first sentence, SPG, is that linking them can provide information about the movement behaviour and personal preferences of a person.  With regard to the conditions of data collection pursuant to § 54, Subsection 4b, First Sentence, SPG, the weight of the intervention must be estimated to be automated and concealed.  Automatic image processing devices can be used to record data on a large scale. Due to the concealed use of the image processing technical equipment, there is no possibility for those affected to oversee or control the data collection. The investigation measure in accordance with § 54 Para. 4b SPG covers every vehicle and every driver who moves within the recording area of a concealed (possibly permanently) installed image processing device. Data is thus collected almost exclusively from persons who have not given any reason for the data collection - in the sense that they have taken any action that would require state intervention Such covert, automatic data acquisition from vehicles and drivers can create a "feeling of surveillance" in large parts of the population. This "feeling of surveillance" can in turn have repercussions on the free exercise of other fundamental rights - such as the freedom of assembly or the freedom of expression.54 para. 4b, first sentence, DDA, is disproportionate, if only because the investigative measure may (also) be taken to prosecute and avert intentional acts of the most minor property crimes. Pursuant to § 98a para. 2 first sentence of the StVO 1960, the purposes of the transmission of data to the security authorities include the search for, the defence and investigation of dangerous attacks and the defence of criminal connections (§ 54 para. 4b DDA) as well as the administration of criminal justice. Although the provision thus does justice to the necessary designation of a purpose of data processing, the provision is disproportionate in view of the broad understanding of these purposes: Finally, the referred purposes mentioned in § 54, para. 4b SPG include all personal or material investigations as defined in § 24 SPG, the defence of criminal connections as defined in § 16, para. 2 SPG, as well as the defence and clarification of threats to a legal interest through the illegal implementation of a judicially punishable act that was committed intentionally and is not merely pursued at the request of an injured party. The understanding of the purpose of the "administration of criminal justice" also mentioned in § 98a.2 first sentence of the StVO 1960 goes even further.  Data processing in accordance with § 98a, paragraph 2b, first sentence of the StVO 1960 for the purposes of "criminal justice" ultimately includes the prosecution and prevention of any criminal behaviour (intentional or negligent). Access by security authorities to personal data from section control systems in accordance with § 98a para. 2 first sentence StVO 1960 constitutes an encroachment on the interests of confidentiality in accordance with § 1 DSG and the right to respect for private life in accordance with Art. 8 ECHR of considerable importance. Although the data is determined by means of section control systems that are recognisable to those affected and on a route that is limited in advance, the data is not accessible to the public.  As a result of the new regulations for data processing in accordance with the first sentence of § 98a para. 2 of the StVO, the (image) data are now not deleted immediately after they have been determined in the absence of a speeding offence (§ 98a para. 2, last sentence of the StVO 1960), but are transmitted in their entirety to the competent state police directorate on request before they are evaluated. All vehicles and their occupants that can be identified on the data collected by means of section control systems are therefore affected by the transmission (and thus presupposed storage) of the data to the safety authorities.  This applies regardless of whether they have acted in a way that gives rise to the transfer of personal data to the security authorities. In particular, this constitutes a serious encroachment on the confidentiality interests pursuant to Section 1 of the DPA and the right to respect for the private life of the persons concerned pursuant to Article 8 of the ECHR, because the (image) data collected by means of section control systems (also) includes location data and allows a movement profile to be drawn up and conclusions to be drawn about a person's personal relationships. The proportionality of data processing under the first sentence of Section 98a(2) of the StVO is not ensured simply because the provision does not guarantee that data from section control installations will only be stored and transmitted by the competent authorities if they serve to prosecute and prevent criminal offences which in individual cases pose a serious threat to the right of access to the data referred to in Section 1(2) of the StVO. 2 DSG and Art. 8 para. 2 ECHR and justify such an intervention.§ 98a para. 2 first sentence StVO 1960 therefore violates § 1 DSG and Art. 8 ECHR.  This unconstitutionality also includes the likewise challenged provision of § 57.2a SPG, which is inseparably connected with § 98a.2 StVO 1960.IV. The provision of § 135a para. 1 StPO as amended by Federal Law Gazette I 27/2018, which comes into force on 1 April 2020, permits the covert surveillance of encrypted messages in certain cases by installing a program in a computer system (§ 134 Z 3a StPO as amended by Federal Law Gazette I 27/2018).the confidential use of computer systems and digital intelligence services is an essential component of the right to respect for private life under Article 8 ECHR. Computer-supported technologies are increasingly important means for the development of the personality and private life of the individual.  Data and information on the personal use of computer systems generally provide insight into all areas of life - including the most personal - and allow conclusions to be drawn about the thoughts of the user, in particular preferences, inclinations, orientation and attitudes. The covert surveillance of the use of computer systems constitutes a serious encroachment on the privacy protected by Article 8 ECHR and, according to the Constitutional Court, is only permissible within extremely narrow limits for the protection of correspondingly important legal interests. Art. 8 ECHR requires that the protection of the personality of all persons affected by a surveillance measure is taken into account accordingly in the design of the measure.  This applies initially at the level of the er-
Power of surveillance: Information concerning the personal life of a person protected by Article 8 ECHR is to be excluded from surveillance, unless it is necessary for the achievement of the objective of the surveillance measure. If it is unavoidable and justified in the light of the weight and importance of the objective pursued by the surveillance measure, the legislator must take measures to protect the right to respect for private life in accordance with Article 8 ECHR at the level of the use of this information. 8 ECHR, because it is not guaranteed that such covert surveillance is only carried out if it serves the prosecution and investigation of criminal offences which in individual cases constitute a serious threat to the objectives mentioned in Art. 8 para. 2 ECHR and which justify such a serious intervention:In the opinion of the Constitutional Court, the investigative measure created by § 135a of the Code of Criminal Procedure has a special intensity - not to be equated with the other surveillance measures of the Code of Criminal Procedure - with regard to the nature and scope of the surveillance.  § 135a (in conjunction with § 134 Z 3a) CCP allows the covert infiltration of a computer system with software that interferes with the functioning of the computer system and accesses all (already as well as continuously) sent, transmitted and received (previously) encrypted messages and related data.  The investigative measure of installing a program in a computer system "to overcome encryption when sending, transmitting or receiving messages and information" allows, on the one hand, access to all data present in a computer system, as far as they are conceivable content of a sent, transmitted or received message. On the other hand, § 135a StPO allows the continuous monitoring of all user-controlled inputs on devices of a computer system. Monitoring as defined by § 135a StPO therefore includes access to (content) data before encryption or after a decryption. § 135a StPO thus enables the mapping of all (user-controlled) communication processes that are carried out via a specific computer system. 134 Z 3a StPO by installing a program in a "computer system" as defined in § 74 para. 1 Z 8 StGB.  By definition, such a computer system is "both individual and combined devices used for automated data processing". The term covers the associated hardware and the network in which the devices are integrated.  With regard to the means used in accordance with Section 135a of the Code of Criminal Procedure for monitoring encrypted messages and the information obtained, special protection of privacy is therefore appropriate under Article 8 ECHR.  This applies in particular to contents and information relating to persons who are not urgently suspected of any of the offences mentioned in § 135a para. 1 of the Code of Criminal Procedure, but who are nevertheless - as a consequence of their use of the computer system infiltrated by a program - affected by the covert surveillance The Constitutional Court does not fail to recognise that other surveillance measures (such as surveillance in accordance with § 130 of the Code of Criminal Procedure, the optical and acoustic surveillance of persons in accordance with § 136 of the Code of Criminal Procedure or telephone surveillance in accordance with § 135 of the Code of Criminal Procedure) can inevitably also (co-)affect uninvolved third parties.  The covert and continuous monitoring of a computer system made possible by § 135a para. 1 and para. 2 CCP, however, achieves a significantly increased (scatter) width in this respect. The investigative measure according to § 135a in connection with § 134 Z 3a StPO finally affects all users (of devices) of this computer system and thus a multitude of also uninvolved persons.  The surveillance measure in question also proves to be particularly intensive, especially with regard to the information obtained compared to the previous surveillance measures.  § Section 135a in conjunction with Section 134 Z 3a of the German Code of Criminal Procedure provides the investigating authorities with extensive insights into the privacy of the user or users of a computer system.  This is to be seen above all against the background that the (summary of the) data collected in the course of the surveillance measure allows conclusions to be drawn about the personal preferences, inclinations, orientation and attitudes as well as lifestyle of a person. The authority to continuously covertly monitor encrypted messages pursuant to § 135a in conjunction with § 134 Z 3a StPO represents a serious encroachment on the right to respect for private life pursuant to Article 8 ECHR in view of the range of computer systems and the extent of the (personal) data on them.in view of the authority to monitor encrypted messages pursuant to § 135a para. 1 no. 2 of the Code of Criminal Procedure, the Constitutional Court is already unable to recognise the existence of a serious public interest that could justify the encroachment on the privacy of the person concerned:According to § 135a para. 1 no. 2 of the Code of Criminal Procedure, the surveillance of encrypted messages is already permissible if it can be expected that this will lead to the clarification of an intentionally committed offence punishable by imprisonment of more than six months, and (further) the owner or the person entitled to dispose of the computer system in which a program for monitoring encrypted messages is to be installed agrees to the monitoring. With this comprehensive scope of application, the provision includes a large part of the intentional crimes standardized in the Criminal Code and in the other penal provisions and thus also those in which the interest in prosecution does not outweigh the interest in the privacy of the persons concerned. The fact that the owner of the monitored computer system must consent to this measure can only justify the monitoring of the privacy of the person giving consent, but not the encroachment on the legal sphere of third parties who are affected by the monitoring and who trust in the integrity of communication with others. Similarly, the authorisation to monitor encrypted messages pursuant to § 135a.1 no. 3 of the Code of Criminal Procedure is unconstitutional insofar as this provision refers to the investigation or prevention of crimes (§ 17.1 of the Criminal Code) committed or planned within the framework of a criminal organisation (§ 278a of the Criminal Code) or terrorist organisation (§ 278b of the Criminal Code). In order for a crime to be considered a criminal offence, it is important according to § 17 para. 1 StGB that the intentional offence - taking into account any circumstances that may change the penal sentence - is punishable by life imprisonment or a prison sentence of more than three years. The criminal offence catalogue of § 135a.1 no. 3 first case of the Code of Criminal Procedure thus also includes qualified property offences planned within the framework of a criminal organisation (such as theft under § 129.2 and § 131 of the Criminal Code) Irrespective of the unconstitutionality of § 135a.1 no. 2 and no. 3 of the Code of Criminal Procedure, the surveillance measure under § 135a.1 proves to be unconstitutional. 1 CCP also proves to be unconstitutional as such because the design of the authorisation to monitor encrypted messages by secretly installing a program in a computer system pursuant to § 135a CCP does not sufficiently ensure the protection of the privacy of the persons affected by such monitoring: Under Section 135a of the Code of Criminal Procedure, the installation of the program for the surveillance of encrypted messages on a specific computer system requires the judicial authorisation of the order by the public prosecutor's office under Section 137(1) and Section 138(1) of the Code of Criminal Procedure. In view of the specifics of the means used and the covert surveillance of all messages sent, transmitted or received via a specific computer system over a longer period of time, the Constitutional Court considers that there is a need for an accompanying, effective supervision - equipped with appropriate technical and human resources - of the ongoing implementation of this measure by the court (or a supervision with  
The Domestic Security Act 1862 stipulates that house searches carried out without the knowledge of the person concerned must be reported to the latter within the next 24 hours at the latest, and that "monitoring of encrypted messages" within the meaning of Section 135a of the German Code of Criminal Procedure (StPO) means the monitoring of messages and information sent, transmitted or received in encrypted form [...] by installing a program in a computer system "without the knowledge of its owner or other persons entitled to dispose of it, in order to overcome encryption when sending, transmitting or receiving the messages and information". Accordingly, § 135a StPO in conjunction with § 134 Z 3a StPO presupposes that the investigative measure of "monitoring encrypted messages" as well as the measures - preparatory to this investigation - as defined in § 135a para. 3 StPO are taken without the knowledge of the owner or other party entitled to dispose of the computer system. § 135a.3 StPO therefore proves to be unconstitutional on account of a violation of the constitutionally guaranteed right to inviolability of the right of the household in accordance with Article 9 StGG in conjunction with the Law on the Protection of Domestic Legislation 1862. VI. the detailed reasons for this decision shall be reserved for written form, which shall be issued as soon as possible.