[Back]

M. Schafferer, B. Horn, F. Schönbauer, T. Grechenig:
"The Austrian Approach Concerning the European Data Retention Directive´s Translation into National Law and its Technical Implementation";
Talk: 12th European Conference on e-Government (ECEG 2012), Barcelona, Spain; 2012-06-14 - 2012-06-15; in: "Proceedings of the 12th European Conference on e-Government (ECEG 2012)", M. Gasco (ed.); Academic Publishing International Limited Reading, UK (2012), 978‐1‐908272‐41‐6; 642 - 649.

Since March, 15th 2009 it is obligatory for every Member Country of the European Union to implement the European Data Retention Directive 2006/24/EC into national legislation. This Directive is about the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. This paper takes a closer look at the Austrian approach to enforce this Directive. The Austrian implementation has been delayed by nearly 3 years and has brought the corresponding national regulations into force with April, 1st 2012. The major concern was to design and implement a legal and technical system within the conditions given by the Directive, but guaranteeing a maximum protection of the Austrian citizens´ personal data and privacy. Therefore it allows a centrally managed access in conformity with the law to necessary retention data for corresponding responsible authorities. One of the core aspects to ensure citizens privacy is the fact that all retention data may only be stored by the respective telecommunication providers and authorities have to request required data only in entitled cases. Access to retention data has to comply to regulations of the four-eye principle and conforming logging has to be carried out, as well as further authorities must be notified about such a data request. Any communication between the enumerated actors has to be performed via a specifically constructed communication system, called DLS. The DLS is implemented in a way to ensure confidentiality, authenticity, integrity and non-repudiation for all requests and responses as well as to carry out legally required notifications. Therefore, this system on the one hand implements high confidential encryption and authentication techniques and on the other hand automatically performs all the required notifications and logging, all without being able to have insight to the transmitted sensitive data. The article gives a comprehensive overview about the whole system designed to implement the Data Retention Directive regarding both the legal environment and the corresponding technical implementation. Moreover should be shown how this system is able to ensure that data accesses to retention data only happen in conformity with the law and breaches of citizens´ privacy could be prevented.

data retention directive, privacy, DLS, personal data, 2006/24/EC