Austria: Illegally seized data may not be used

Contents

Austria is strengthening civil rights in criminal proceedings, both with regard to victims and perpetrators as well as witnesses. At the heart of this is a new regulation on the seizure of data, commonly known as cell phone searches, even if it is by no means just about cell phones. Since the turn of the year, these seizures, including the obligation to disclose passwords, have only been possible with a court order. What happens to data and devices afterwards has also changed significantly.

Previously, the mere initial suspicion that a criminal offense might have been committed was enough to seize data carriers such as smartphones from citizens and force the disclosure of passwords – even if the persons concerned were not even suspects. Data stored elsewhere, usually online, can then also be accessed from seized devices. A judge's order is not required; an order from the public prosecutor's office is sufficient. However, just over a year ago, Austria's Constitutional Court (VfGH) ruled that cell phone searches without a court order were unconstitutional.

This made a new regulation necessary, otherwise data carriers could no longer have been seized and searched at all from 2025, and the disclosure of passwords could no longer be enforced. In mid-December, both chambers of parliament passed an amendment to the Code of Criminal Procedure with the votes of the governing parties ÖVP and Greens as well as the opposition parties SPÖ and NEOS, which generally requires court orders and focuses on the seizure of data instead of the seizure of devices. Only the members of parliament from the opposition FPÖ voted against it because they felt the protective measures fell short.

Three exceptions

There are three major exceptions to the requirement for a court order: If there is imminent danger, the criminal investigation department may take immediate action in certain cases. Anyone who has recordings from audio and/or video surveillance of public or publicly accessible places must hand them over even without imminent danger and without a court order. And so-called "selective" data is also not subject to the judicial reservation. This is "data that merely provides a selective picture of the behavior" of those affected. However, there is another exception to this rule: access to "data from a communication, geographical locations and messages sent, transmitted or received" can only be enforced with a court order, even if the data only provides selective information.

The reason why cell phone searches are so controversial in terms of fundamental rights is that they allow a deep insight into people's private lives. This is not the case with data on specific behavior. However, messages exchanged between individuals are better protected (secrecy of correspondence), and even the disclosure of an individual's whereabouts can encroach deeply on privacy. For this reason, an independent judge must also give his approval.

Unusually for Austrian criminal law, there is now a ban on the use of evidence: the result of a data analysis may not be used as evidence if the investigative measure has not been lawfully ordered and approved. However, this does not include a prohibition of use if the authorities obtain the data by other means, for example if third parties penetrate other systems and reveal data found there, or if foreign authorities provide data. There is also no prohibition of evidence for chance discoveries, i.e. indications of legal violations that the investigators were not even looking for and which were therefore not even taken into account by the court in its decision. Even administrative authorities may request data evaluations including incidental findings from criminal investigations for their own proceedings.

There are no restrictions with regard to the severity of the offense that may have been committed. Courts only have to ensure that the data analysis is "proportionate". This is surprising in view of the Constitutional Court's statements.

Three steps as preparation

In standard cases, since the turn of the year, the public prosecutor's office has submitted a reasoned application to the competent court to authorize the seizure of data carriers and data, and at the same time informs the legal protection officer of the judiciary. The application must state which investigation proceedings are involved, the name of the suspect if known, the crime in question and the facts that indicate that the authorization is likely to be necessary for clarification and is also proportionate. Finally, the application must describe the categories of data and data content that the investigators wish to examine, as well as the period to which the authorization is to relate.

If the court grants permission, the public prosecutor's office can instruct the criminal investigation department to carry out the seizure. Those affected then receive a confirmation and are informed that they can apply to the court to have the authorization revoked.

The third step is the production of an original backup and a working copy of it. Data from the categories covered by the court authorization are extracted from the working copy. They are provided in "a commonly used file format in a structured form". All other data on the data carrier remains untouched, which should reveal significantly less private information compared to previous practice. At this point, the data carrier can be returned to the data subject in many cases, unless the hardware itself could play a role as evidence or it is unclear to whom the item belongs.