Austrian Data Protection Authority (Österreichische Datenschutzbehörde, DSB).
No guidance exists for the practical implementation of Austria’s cookie law. However, a lot can be learned from the narrow implementation of the law.
In Austria, consent only has to be given for the storing of or access to personal data on users’ devices. Compared to the implementation in other Member States and to the ePrivacy Directive, this significantly narrows the scope of the provision. In Austrian data protection law, pseudonymous data are not considered personal data.
If one is not sure whether the data one is processing is considered personal data in Austria or not, the safest option is to make use of cookie banners which link to a detailed cookie page, using the further browsing model of providing consent. The banner needs to mention what cookies are being used for, and that continuing to browse the website indicates consent. The processing of information is only permissible upon receiving consent, so cookies may be dropped only after the user has decided to browse further.
On the comprehensive information page, technical details must be given about the cookies used, such as the length of time they remain on computers, and an option to opt out must be given.
Article 96 (3) of the Telecommunications Act implements the cookie provision into Austrian law. The wording of the Article differs a bit from the Directive’s, starting from the point of view that operators of public communications services and providers of information society services are obliged to inform users about the personal data they collect, process, and transmit. Additionally, they are obliged to inform users about the legal basis of the activities, the purposes of processing, and the period of time data is stored. The Article creates the consent rule by stating that the collection of these data is only permissible upon receiving consent from the user.
The fact that the Article only covers the processing of personal data raises the question of how personal data is defined. It may be tempting to presume that it does not apply to the processing of pseudonymous or pseudonymised data. However, in the absence of clarity on this issue, the safest option is to use cookie banners for consent if one is not sure whether the data collected from cookies is considered personal data or not.
Personal data, as defined in Article 4 (1) of the Data Protection Act, is any information relating to identified or identifiable persons. The definition also provides that data is indirectly personal when a processor, controller or recipient of a transmission cannot establish the identity of the data subject by legal means. As this does not provide a sufficient degree of clarity as to whether the cookie provision is applicable, it is advisable to err on the side of caution and to use a cookie banner.
Consent is defined under Article 4 (14) of the Data Protection Act as a valid declaration of intention given without constraint. The legislator’s explanatory remarks indicate that consent for cookies has to be given prior to processing.