Jusletter IT

SMART Surveillance and International Data Exchange between Police Authorities

  • Authors: Erich Schweighofer / Max Schrems / Walter Hötzendorfer / Christof Tschohl
  • Category: Short Articles
  • Region: Austria
  • Field of law: SMART-Workshop--Surveillance-Technologies-and-Privacy
  • Collection: Conference proceedings IRIS 2012
  • Citation: Erich Schweighofer / Max Schrems / Walter Hötzendorfer / Christof Tschohl, SMART Surveillance and International Data Exchange between Police Authorities, in: Jusletter IT 29 February 2012
In our globalised world, and especially in Europe, borders no longer have the same meaning as twenty years ago, even less so considering “cyberspace”. These benefits are, however, accompanied by criminal threats which are increasingly met by international police cooperation. In this regard, the cross-border exchange of information between security services is one of the central tasks. This paper gives an overview of existing “smart” surveillance tools, the extent of their international use and the necessarily linked question of privacy protection on the legal and technical level. The content is a very brief outline of the research carried out within the collaborative EU Research Project SMART.

Table of Contents

  • 1. Introduction
  • 2. SMART Project
  • 3. Smart Surveillance Technologies
  • 3.1. Definitions
  • 3.2. Public Data Repositories and Applications
  • 3.2.1. General Public Administration Databases
  • 3.2.2. Special Data Repositories for Security Purposes
  • 3.3. Private Data Repositories and Applications
  • 3.4. Potential for “smart” investigation
  • 4. International Police Data Exchange
  • 4.1. Instruments and Treaties
  • 4.2. “Smart” Access and Exchange
  • 4.2.1. Limits and Safeguards
  • 5. Best Practice & New Solutions
  • 5.1. Disclosure of Communication Data in Austria
  • 5.2. E-Government and Sector-specific Personal Identifier in Austria
  • 6. Conclusions

1. Introduction

[1]
An analysis of public surveillance powers needs to consider two basic premises: Firstly, every constitutional democracy guarantees a basic order where everybody shall have equal rights and freedoms that protect every individual’s human dignity and self-determination, whereas these spheres of freedom have to be respected mutually. Secondly, it is implicit within the social contract that the enforcement monopoly1 is allocated to the State, acting through its civil servants, in order to secure these spheres of freedom. Hence a certain amount of control over the people serves a legitimate purpose, as far as such is necessary in a democratic society and in accordance with the law2. Modern technical development, in particular the Internet, has changed the regulatory role of the State from the strict Westphalian model to the complex system of multilevel governance3. In general, human beings have more freedom and choice (e.g. exit option). However, States are eager to develop and improve other forms of control in order to secure a sufficient level of enforcement of their rules. Besides increased international co-operation, the use of already existing or newly collected data remains a strong focus of States. Surveillance techniques, e.g. video surveillance, monitoring of communication data, automatic semantic web analysis, repositories of DNA and fingerprints etc., allow systematic monitoring and control of people on a scale never seen before. Whereas a reasonable use for maintaining public order and the social contract should not be challenged, a strong danger exists that – at least for a while – these techniques will be used without sufficient regard to human rights, in particular to privacy.

2. SMART Project

[2]
The SMART Project4 (Scalable Measures for Automated Recognition Technologies), funded under the EU's Seventh Framework Programme for Research (FP7)5 with a total amount of € 3.5 Million, addresses the questions of automated decision taking with respect to the “smart surveillance” technologies, taking into account that privacy and data protection are fundamental rights in the EU’s society. The basis of smart surveillance systems is the automated recognition of individuals and/or pre-determined traits or risk factors/criteria. Yet new EU regulations, specifically those on information sharing between police and security forces, explicitly prohibit automated decision-taking regarding individuals unless “authorised by a law which also lays down measures to safeguard the data subject’s legitimate interests”. But which laws are applicable in this context? What measures are envisioned? What else should the law contain? Can the laws be technology-neutral but sector-specific, thus permitting a measured approach to the appropriateness of smart surveillance technologies in key security applications? Can they be extended to all security applications of smart surveillance? The SMART project addresses these and other questions through a comprehensive approach which combines a technical review of key application areas by sector with a review of existing pertinent legislation. The overall objective is to produce a set of guidelines and a model law compliant with data protection rules.
[3]
Four distinct project streams exist: Status quo analysis, citizen attitudes, technology infrastructure and best practice. The research considers both the domestic level and the EU level. The project consortium consists of 20 partner institutions from fifteen countries across the European Union which groups nearly forty researchers, embracing public universities and private research institutions as well as practitioners such as Interpol.6

3. Smart Surveillance Technologies

3.1. Definitions

[4]
Surveillance is an expression of the State’s enforcement monopoly. The policeman carrying out his patrol or a covert police operation is a form of surveillance; it can be done openly or secretly; for the public good or simply for power control of the Government. “Smart” surveillance means any kind of investigation or control carried out by automatic means and providing for a certain use of artificial intelligence beyond techniques of knowledge management (establishment and use of structured or unstructured data repositories etc.). Some ontological structuring of data and (semi)automatic reuse are the keys to “smart” surveillance. In practice, no clear borders exist. Data mining and data matching are well known techniques considered as “smart” by practice. Data mining means a process of discovering particular new patterns and relationships in large volumes of data on the basis of pre-determined criteria where such a process is performed mostly automatically, and combines tools from statistics and artificial intelligence with database management to analyse large digital data sets.7 Data matching means a process of finding entries that refer to the same target across different data sources, cross-linking and/or joining different digital data sets that do not share a common identifier.
[5]
Presently, not much really “smart” surveillance seems to exist. However, many public data repositories and applications exist that are eligible and can be used for “smart techniques”, e.g. information filtering, profiling or connotation analysis. Thus, we have decided to include the potential of “smart” surveillance in this study, too.

3.2. Public Data Repositories and Applications

[6]
It is convenient for the description of (actual or potential) sources of smart surveillance applications to distinguish databases and repositories of the private and the public sector. The latter can furthermore be divided into those established for security and law enforcement purposes and those which serve other (public) purposes but may be interesting and accessible for security services.

3.2.1. General Public Administration Databases

[7]
A number of databases and registers are established in the course of public administration; some of them are for administration-internal use only and others are publicly available. They do not solely serve security and law enforcement purposes. Nonetheless, they are (to a limited extent) available for security services in certain cases. But an interface for a direct conjunction with other databases for data mining purposes is usually8 not provided, if any kind of electronic access exists at all. According to § 17 para. 1 DPA9 every controller has to notify the Data Protection Commission before commencing a data application for the purpose of registration.10 The most important registers are: Central Residents Register11, Central Car Register12, Commercial Register13, Driving License Register, Identity Documents Register (Central Passport Evidence)14, Professional Register15 and Land Register16.
[8]
The sector of e-health (in a wider sense) deserves some special attention due to the high sensitivity of health and social insurance data. Here, just a single case could be found where security authorities as well as law enforcement agencies are provided with online access. In compliance with the law17 the “Main Association of the Social Insurance Organisations”18 has established a central database containing administrative information regarding the existence of insurance, period of insurance, insurance contribution, the identity and address of the respective person and similar information. The access is granted narrowly along the specific purpose(s) according to the specific legal base19 authorising each authority for access. It has to be pointed out that this access does not provide the possibility for data mining or data matching, neither on the legal nor on the technical level. It should also be mentioned that a major extension – named ELGA – is already planned.20

3.2.2. Special Data Repositories for Security Purposes

[9]
Especially established for security purposes (which here also includes law enforcement purposes) is the Detection Services Evidence (§§ 64, 65, 70 and 75 SPA21), which is not a database in the narrow sense but an application that links two databases, the AFIS (= automated fingerprint system) and the DNA Database. Also important are the Missing Objects Database, Car Tracing-/Information File, the Person Tracing File22, the Arms Register23, the Criminal Records24 and the Criminal Police File Index25. The “smart potential” thereof will be covered below in subsection 3.4.

3.3. Private Data Repositories and Applications

[10]
Private collections of data which can be interesting for security purposes could be detected in so many areas that it would go beyond the scope of this paper to cover them extensively. In particular, data that are (free and publicly) available through the internet and – topically – in social media networks are increasingly a source of interest for law enforcement services. It is remarkable that the EU extends its research effort to the development of instruments for smart surveillance in this respect, e.g. through the controversial FP7 Project “INDECT”26, dealing with threat detection in both real environments (intelligent cameras) and virtual environments (computer networks, especially the Internet). Moreover, the EU’s negotiations for data exchange with the United States of America and other States regarding the Flight Passenger Name Records27 (PNR) from European Airlines have been controversial, as has the “SWIFT-Agreement”28 regarding data from the international associated service provider for electronic financial transactions. Perhaps the most public dispute on data protection issues in Europe was and still is the “Data Retention Directive”29, which imposes an obligation for providers of publicly available services for electronic communication to retain certain traffic data for all users throughout the EU, regardless of a probable cause such as a particular criminal suspicion. This directive is under review due to heavy criticism from civil rights organisations but also a request for a preliminary ruling by the Irish Supreme Court.

3.4. Potential for “smart” investigation

[11]
From a technical point of view, the “smart” potential depends mainly on the application providing the access and the searching tools. In Austria, the data sets mentioned under subsection 3.2.2. above are interlinked by the system EKIS30, which is an information compound system provided by the Minister of Interior for security and law enforcement authorities. EKIS is not a database but an application specially created for police purposes which embraces and interlinks the most important public data repositories, namely the Car Tracing-/Information File, Property Tracing File, Cultural Assets Tracing File, Person Tracing File, Criminal Record, Criminal Police File Index, Detection Service Evidence and Person Information File31. EKIS contains some “smart” elements since it provides more than just simple database queries but also possibilities for data matching by similarity criteria. However, the extent to which such “smart” investigations are supported has not thus far been established. The Federal Office for Constitution Protection and Counter Terrorism32, which can be understood as the Austrian (internal) Intelligence Service, runs a database called EDIS33 which is – unlike EKIS – little known publicly. Just recently, due to the entry of some student activists into this database, there has been some public attention for the first time.34 To what extent EDIS can be considered as a “smart” tool is even less known, and public information is not available. Some “smart” elements could go hand in hand with the electronic record system ELAK (“Elektronischer Akt”), a document and workflow management system within the Austrian E-Government concept.35 But in fact the concept of Sector-specific Personal Identifier (see below 5.2.) aims to avoid abuse of personal data as well as such “smart” use for security or law enforcement purposes.

4. International Police Data Exchange

4.1. Instruments and Treaties

[12]
In the first step, a detailed analysis of existing multilateral, European and bilateral arrangements was done. Presently the other members of the project group are analysing in a similar way the respective treaties of their states. A full list of the treaties and arrangements of Austria can be found in the draft report on Austria. Apart from bilateral treaties the most important instruments of international police data exchange are Interpol, Europol, the Schengen Information System (SIS) and the Prüm Convention. A full description can be found in the draft report on Austria.
[13]
Basically, five different methods of international police cooperation can be distinguished that are relevant for data exchange:36
  1. Direct communication (e.g. via secure telephone or e-mail connections) between the central offices of the States. With some countries, it is still common to exchange information by phone, as faster responses are expected this way.
  2. Indirect communication via international actors, like Interpol and Europol.
  3. “Small border communication”: Police officials from neighbouring countries communicate directly with each other in adjoining areas. In Austria, there are also specially equipped points of contact (e.g. in Kittsee with Slovakia).
  4. International databases, such as those operated within Interpol and Europol. Such platforms are hubs of data exchange for participating States.
  5. Mutual access to national databases such as foreseen in the Treaty of Prüm.

4.2. “Smart” Access and Exchange

[14]
“Smart” access means any kind of (semi)automated access to databases or to a special system for information exchange between law enforcement and security authorities from different countries or between such authorities and private establishments. Even though such systems may not provide for technology like data mining or data matching, any kind of (semi)automated access forms the basis for further development and, at least potentially, “smart” technology.37 The starting points for “smart” access within the international instruments of data exchange are the domestic databases, either for a direct mutual access as established by the Prüm mechanism or as source and target for the international databases and information exchange systems such as those established by Interpol, Europol or the Schengen Information System (SIS). In Austria these international exchange systems are largely integrated in the EKIS application.

4.2.1. Limits and Safeguards

[15]
From the technical point of view, the above-mentioned international data exchange systems can be considered rather limited regarding their potential for really smart surveillance. Even though these systems are basically automated to a certain degree, they are based on secure e-mail technology instead of direct interfaces with data mining capacities. The mechanisms largely use a concept of questions and answers mediated by human verification, whereas cases of direct access are very few (e.g. in the framework of the Prüm Treaty). The implementation of automated recording/logging routines shall ensure the traceability of information exchange and the lawful use of personal data.
[16]
The most common safeguard mechanism is the so-called “hit/no-hit” process38. This has to be considered as an effective approach for data protection implemented within the most important international data exchange mechanisms. It consists of two steps: (1) A characteristic (e.g. fingerprint) is directly and automatically compared with the database. If a corresponding entry is found in the database, the requesting entity or person receives an identifier that cannot be assigned directly to a person. (2) With this identification, another request for the name and data of the matched person has to be applied for from a defined unit, e.g. the national Europol Contact Point. After a hit, e.g. according to the Treaty of Prüm, a request for such additional information (fingerprints, DNA profiles) usually has to be sent in the way foreseen in the so-called Swedish initiative.
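The two-step process described above can be modelled as follows. This is an added example, not code from the paper or from any of the systems it names; the class and method names are hypothetical, the data are constructed, and an exact digest comparison stands in for real fingerprint or DNA matching.

```python
import hashlib
import hmac
import secrets


class HitNoHitIndex:
    """National reference database queried by foreign authorities (constructed model)."""

    def __init__(self):
        self._profiles = {}   # opaque reference -> digest of the characteristic
        self._persons = {}    # opaque reference -> personal data, never returned by search()
        self._hits = set()    # (requester, reference) pairs produced by step 1
        self.log = []         # every search and follow-up is recorded

    def enrol(self, characteristic: bytes, person: dict) -> str:
        ref = secrets.token_hex(8)  # random reference, reveals nothing about the person
        self._profiles[ref] = hashlib.sha256(characteristic).digest()
        self._persons[ref] = person
        return ref

    def search(self, requester: str, characteristic: bytes):
        """Step 1: automated comparison. Returns an opaque reference (hit) or None (no hit)."""
        probe = hashlib.sha256(characteristic).digest()
        # Assumption: exact digest equality replaces real biometric similarity matching.
        match = next((ref for ref, stored in self._profiles.items()
                      if hmac.compare_digest(stored, probe)), None)
        if match is not None:
            self._hits.add((requester, match))
        self.log.append(("search", requester, "hit" if match else "no-hit"))
        return match

    def follow_up(self, requester: str, ref: str, legal_basis: str, approved_by: str) -> dict:
        """Step 2: the contact point releases personal data only for a logged hit,
        with a stated legal basis and a named human approver."""
        allowed = (requester, ref) in self._hits and bool(legal_basis) and bool(approved_by)
        self.log.append(("follow_up", requester, ref, "released" if allowed else "refused"))
        if not allowed:
            raise PermissionError("no prior hit for this requester, or request incomplete")
        return dict(self._persons[ref])


def demo():
    index = HitNoHitIndex()
    # Constructed sample data, not real records.
    index.enrol(b"constructed-fingerprint-A", {"name": "Constructed Person", "dob": "1970-01-01"})
    hit = index.search("AT-contact-point", b"constructed-fingerprint-A")
    miss = index.search("AT-contact-point", b"constructed-fingerprint-B")
    person = index.follow_up("AT-contact-point", hit, "case reference (placeholder)", "duty officer")
    return index, hit, miss, person


if __name__ == "__main__":
    index, hit, miss, person = demo()
    print("step 1 hit reference:", hit, "| no-hit result:", miss)
    print("step 2 released:", person)
    for entry in index.log:
        print(entry)
```

The search result carries no personal data in either case, and a second authority that never obtained a hit cannot use a leaked reference to pull the record.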

5. Best Practice & New Solutions

[17]
Smart surveillance can only be justified as interference in the fundamental rights of citizens when clearly foreseen by law, for certain predefined purposes, limited in scope and time, and accompanied by effective safeguards, especially on the technical level. Therefore the law should determine the technical side as precisely as possible but of course remain technologically neutral, a concept known also as “privacy by design”. In Austria, two examples can be duly considered as best practice.

5.1. Disclosure of Communication Data in Austria

[18]
Recently the Data Retention Directive 2006/24/EC (see above 3.3.) has been transposed into Austrian law.39 The comprehensive retention of telecommunications traffic data is in any case an intrusion which could not yet be proven as necessary in a democratic society40. However, the intensity of this interference depends strongly on the manner of technical implementation. If, for instance, a harmonised interface to the databases of all providers enables extensive data mining by the law enforcement services regarding the entirety of all data, large scale social and movement profiles can be deduced. Thus, even though the Austrian transposition could not “repair” the core problem of data retention, it contains some effective limits in this respect. Firstly, the legal base determines the system of data exchange as a “push” (from the viewpoint of the provider) instead of a “pull”. Moreover, the categories of data are narrowly defined and shall be disclosed in a “comma separated value” (CSV) file format, avoiding more complex XML-interfaces that could enable data mining more easily. Accordingly, the fields of such CSV-files are exactly defined by a “Data Security Regulation”41 in compliance with the legal provisions in the CPC and the SPA, thus limited to the lawful use cases on the technical level. However, the focus of the practical problems regarding data security rests with the secure transmission of data. For this reason the core of the concept is a central “data hub”, the so-called “Durchlaufstelle” (DLS). Personal data are encrypted and exchanged between sender and receiver in a way not accessible to the DLS itself, but a system of tamper-proof logging catches all transactions and generates statistics automatically. The service providers have to establish correspondingly tamper-proof logging within their systems.
The DLS automatically allocates unique ID numbers to every transaction and provides access to the logging data to the Data Protection Commission and the Legal Protection Commissioners. In order to ensure access only for authorised users, all parties, service providers as well as public authorities, have to be identified and authenticated at the DLS by an “advanced signature”42 that also ensures the validity of data. The system established by the “Data Security Regulation” finally includes “retained data” as well as “billing data”. The latter are stored by the service providers for business purposes and have always been available for law enforcement purposes independently of the Data Retention Directive.
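A hub that relays ciphertext it cannot read while keeping a verifiable transaction log can be sketched as below. This is an added example, not the DLS implementation: the paper does not say how its tamper-proof logging works, so the hash chain, the class and field names and the constructed payloads are all assumptions.

```python
import hashlib
import json
from collections import Counter
from itertools import count
from typing import Optional

GENESIS = "0" * 64  # "previous hash" of the first log entry


def entry_digest(entry: dict) -> str:
    """Hash every field except the stored digest itself, in a canonical order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class TransitHub:
    """Relays ciphertext it cannot read and logs metadata only (constructed model)."""

    def __init__(self):
        self._next_id = count(1)
        self.log = []

    def relay(self, sender: str, receiver: str, ciphertext: bytes) -> dict:
        entry = {
            "tx_id": next(self._next_id),  # unique ID per transaction
            "sender": sender,
            "receiver": receiver,
            "size": len(ciphertext),
            "payload_sha256": hashlib.sha256(ciphertext).hexdigest(),
            "prev": self.log[-1]["entry_hash"] if self.log else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.log.append(entry)
        return entry

    def head(self) -> str:
        """Latest chain hash; handing it to an oversight body anchors the log."""
        return self.log[-1]["entry_hash"] if self.log else GENESIS


def verify_chain(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the log is intact, else the index of the first inconsistency.
    An index equal to len(log) means entries are missing from the end."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["entry_hash"] != entry_digest(entry):
            return i
        prev = entry["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def statistics(log: list) -> dict:
    """Automatic per-route transaction counts, derived from metadata alone."""
    return dict(Counter((e["sender"], e["receiver"]) for e in log))


def demo() -> TransitHub:
    hub = TransitHub()
    # Constructed byte strings standing in for payloads encrypted end to end.
    hub.relay("authority-A", "provider-X", b"\x8f\x02constructed-request")
    hub.relay("provider-X", "authority-A", b"\x11\xa9constructed-csv-answer")
    hub.relay("authority-B", "provider-X", b"\x42\x42constructed-request-2")
    return hub


if __name__ == "__main__":
    hub = demo()
    print("intact:", verify_chain(hub.log, hub.head()) is None)
    print("statistics:", statistics(hub.log))
```

An edited or deleted entry breaks the chain at its position. Removal of the newest entries is only detectable when the verifier holds a previously recorded head hash, which is why the sketch exposes `head()` for the oversight bodies.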

5.2. E-Government and Sector-specific Personal Identifier in Austria

[19]
In recent years, the Austrian E-Government Strategy turned out to be an example of best practice. In December 2010, Austria was declared the “European Champion in E-Government” for the fourth time in a row in respect of the ninth E-Government Benchmark.43 A crucial part concerns the identification system within the Austrian E-Government concept, which avoids uniform personal identifiers for general use in administrative procedures. The base is a highly encrypted and non-reversible derivation of the number from the Central Register of Residents, the so-called source PIN (Personal Identification Number, “Stammzahl”). The Austrian Data Protection Commission (DPC) as Registry Authority for source PINs generates those personal identifiers. When a “Citizen Card” – an ID-token for identifying natural persons by digital means and the use of a qualified electronic signature44 – is ordered, the source PIN is assigned and may only be stored on the card. Furthermore, public authorities are not allowed to store the source PINs of natural persons within their applications. In fact, each process within a specific administrative body needs to create its Sector-specific Personal Identifier (SSPIN), which is technically derived from the source PIN in two steps. This process must be irreversible and it must not be possible to calculate back to the original source PIN. If an authority needs to identify a person by the Sector-specific Personal Identifier from another area without the data subject’s consent, this requires the involvement of the Data Protection Commission in its role as source PIN Registry Authority45.
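The effect of sector-specific identifiers on data matching can be shown with a small model. This is an added example, not the Austrian implementation: the paper does not specify the algorithms, so the HMAC-SHA-256 source PIN derivation, the "+" separator, the SHA-256 hash, the sector codes TAX and HEALTH and all sample numbers are assumptions.

```python
import base64
import hashlib
import hmac


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def derive_sspin(source_pin: str, sector: str) -> str:
    """Two steps: (1) bind the source PIN to a sector code, (2) hash one-way."""
    bound = f"{source_pin}+{sector}".encode("utf-8")  # step 1 (assumed format)
    return _b64(hashlib.sha256(bound).digest())        # step 2 (assumed hash)


class RegistryAuthority:
    """Only this body can go from a register number to a source PIN (constructed model)."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def source_pin(self, register_number: str) -> str:
        # Assumption: a keyed one-way function stands in for the registry's own derivation.
        mac = hmac.new(self._key, register_number.encode("utf-8"), hashlib.sha256)
        return _b64(mac.digest())

    def cross_sector_sspin(self, register_number: str, target_sector: str,
                           authorised: bool) -> str:
        """Identify a person in another sector: only via the authority, only if authorised."""
        if not authorised:
            raise PermissionError("cross-sector identification needs the Registry Authority")
        return derive_sspin(self.source_pin(register_number), target_sector)


def demo():
    authority = RegistryAuthority(secret_key=b"constructed-demo-key")
    # Constructed register numbers, not real ones.
    residents = {"Person A": "000111222333", "Person B": "000444555666"}
    # Each sector stores only its own SSPIN, never the source PIN or register number.
    tax, health = {}, {}
    for number in residents.values():
        pin = authority.source_pin(number)  # in the scheme, kept on the Citizen Card only
        tax[derive_sspin(pin, "TAX")] = {"assessment": "constructed record"}
        health[derive_sspin(pin, "HEALTH")] = {"insured": True}
    joined = set(tax) & set(health)  # naive data matching on the identifier column
    return authority, residents, tax, health, joined


if __name__ == "__main__":
    authority, residents, tax, health, joined = demo()
    print("records linkable by identifier across sectors:", len(joined))
    key = authority.cross_sector_sspin(residents["Person A"], "HEALTH", authorised=True)
    print("authorised lookup through the Registry Authority:", health[key])
```

The one-way hash only protects the source PIN if that value cannot be guessed, which is why the model derives it from the low-entropy register number with a secret key held by the authority alone.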

6. Conclusions

[20]
As a general finding, the research carried out in the SMART Project until now showed too many open-textured clauses in more and more agreements, bearing the risk of too much sharing and insufficient rules regarding the deletion of data. The existing instruments show that, if any, special data repositories with access control are best practice. The “hit/no-hit” process is by all means an example to be followed. Data should be kept by the various institutions, each within its special area of competence, and limits for sharing information should be installed. In this respect, the system of Sector-specific Personal Identifier (SSPIN) can be seen as good practice. Nonetheless, considering the control of data as a basic element for fundamental rights protection, no further access is a good solution for the time being.

  1. This term was particularly formed by Weber, M., Wirtschaft und Gesellschaft. Grundriss der verstehenden Soziologie, § 17 (1922); available online at http://www.textlog.de/weber_wirtschaft.html, last accessed 9.2.2012 (2006).
  2. Compare Article 8 para. 2 Convention for the Protection of Human Rights and Fundamental Freedoms, CETS No. 005, Council of Europe, Rome, 4.11.1950, as amended by its Protocol No. 14 (CETS No. 194) as from the date of its entry into force on 1 June 2010 (hereinafter: European Convention on Human Rights or ECHR).
  3. Schweighofer E., A Review of ICANN’s Uniform Dispute Resolution Policy. In: Austrian Review of International and European Law, Kluwer Law International, Vol. 6, pp. 91-122 (2001); Cf. Slaughter, A.-M., A New World Order. Princeton University Press (2004).
  4. See the project website: http://www.smartsurveillance.eu, last accessed 7.2.2012.
  5. For more details on this funding line see http://ec.europa.eu/research/fp7/index_en.cfm, last accessed 7.2.2012.
  6. The project coordinator is Joseph Cannataci from the University of Malta. Erich Schweighofer leads the team of Vienna University responsible for work package 7 regarding the “review of laws governing interoperability and data exchange between police/security services”.
  7. For a full definition of data mining and further details see e.g. Gupta, G.K., Introduction to Data Mining with Case Studies, Prentice-Hall of India, New Delhi (2006).
  8. If any kind of “smart” access is exceptionally established this will be outlined in subsection 3.4. below.
  9. Data Protection Act (Datenschutzgesetz 2000), BGBl. (Federal Gazette) I No.165/1999 as amended BGBl. (Federal Gazette) I No.112/2011; includes all important definitions, e.g. of the terms “controller” or “data application” in § 4 DPA.
  10. More details on the Data Processing Register: http://www.dsk.gv.at/site/6262/default.aspx, last accessed 9.2.2012.
  11. Registration Act (Meldegesetz 1991), BGBl. (Federal Gazette) No.9/1992 as amended BGBl. (Federal Gazette) I No.135/2009; Controller: Federal Ministry of Interior (MoI).
  12. Motor Vehicle Act (Kraftfahrzeuggesetz, KFG 1967), BGBl. (Federal Gazette) No.267/1967 as amended BGBl. (Federal Gazette) I No.116/2010; Controller: MoI.
  13. Commercial Register Act (Firmenbuchgesetz, FBG), BGBl. (Federal Gazette) No.10/1991 as amended BGBl. (Federal Gazette) I No.53/2011; Controller: Federal Ministry of Justice (MoJ).
  14. Passport Law (Passgesetz, PassG) 1992, BGBl. (Federal Gazette) No.839/1992 as amended BGBl. (Federal Gazette) I No.135/2009; Controller: MoI.
  15. Trade, Commerce and Industry Law (Gewerbeordnung 1994), BGBl. (Federal Gazette) No.194/1994 as amended BGBl. (Federal Gazette) I No.6/2012; Controller: Federal Minister for Economy.
  16. Allgemeines Grundbuchsgesetz 1955, BGBl. (Federal Gazette) No.39/1955 as amended BGBl. (Federal Gazette) I No.58/2010; Controller: MoJ.
  17. § 31 para. 4 Nr 3b ASVG (General Social Insurance Act), BGBl. (Federal Gazette) I No.194/1999 as amended BGBl. (Federal Gazette) I No.122/2011.
  18. Hauptverband der Sozialversicherungsträger: http://www.hauptverband.at, last accessed 9.2.2012.
  19. For security authorities § 53 para. 3 Security Police Act (SPA), BGBl. (Federal Gazette) No.566/1991 as amended BGBl. (Federal Gazette) I No.33/2011; for law enforcement authorities § 89h Court Organisation Act, BGBl. (Federal Gazette) No.760/1996 as amended BGBl. (Federal Gazette) I No.136/2011.
  20. See the official information by the Federal Ministry of Health: http://www.bmg.gv.at/home/Schwerpunkte/E_Health/ELGA_Die_Elektronische_Gesundheitsakte/, last accessed 13.2.2012.
  21. Security Police Act (Sicherheitspolizeigesetz), BGBl. (Federal Gazette) No.566/1991 as amended BGBl. (Federal Gazette) I No.33/2011.
  22. The legal base for each of those mentioned so far is § 57 SPA and § 169 CPC.
  23. Arms Law (Waffengesetz 1996), BGBl. (Federal Gazette) I No.12/1997, BGBl. (Federal Gazette) I No.4/2008.
  24. Criminal Record Law (Strafregistergesetz), BGBl. (Federal Gazette) No.277/1968 as amended BGBl. (Federal Gazette) I No.42/2011, Clearance Law (Tilgungsgesetz), BGBl. (Federal Gazette) No.68/1972 as amended BGBl. (Federal Gazette) I No.122/2009.
  25. Contains information on the final report of the criminal police announcing a criminal offence to the prosecutor, on the legal base of § 57 SPA and § 100 CPC.
  26. Project Website: http://www.indect-project.eu, last accessed 9.2.2012; for criticism see e.g. http://www.zeit.de/digital/datenschutz/2009-09/indect-ueberwachung (in German), last accessed 9.2.2012.
  27. Instead of many see the European Parliament resolution of 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada, Official Journal of the European Union from 15.3.2011, 2011/C 81 E/12.
  28. Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program, Official Journal of the European Union from 13.1.2010, L 8/11.
  29. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, Official Journal of the European Union from 13.4.2006, L 105/54.
  30. See the website of the MoI: http://www.bmi.gv.at/cms/BMI_Datenschutz/ekis/start.aspx, last accessed 9.2.2012.
  31. This is an exception where one of the databases covered by subsection 3.2.1. is directly integrated in the police searching tool.
  32. Bundesamt für Verfassungsschutz und Terrorismusbekämpfung (BVT), mentioned on the website of the MoI: http://www.bmi.gv.at/cms/bmi_verfassungsschutz, last accessed 9.2.2012.
  33. Electronic Data Information System (Elektronisches Dateninformationssystem).
  34. See the Parliamentary request 9397/J XXIV. GP, http://www.parlament.gv.at/PAKT/VHG/XXIV/J/J_09397/fname_231964.pdf, last accessed 9.2.2012.
  35. Compare http://www.digitales.oesterreich.gv.at/site/6518/default.aspx, last accessed 9.2.2012.
  36. SMART, Austrian Country Report WP7, p 10.
  37. SMART, Austrian Country Report WP7, p 8.
  38. SMART, Austrian Country Report WP7, p 12.
  39. By an amendment to the Telecommunications Act (TKG 2003), BGBl I No. 27/2011, flanked by amendments to the SPA and the CPC, BGBl I No. 33/2011.
  40. A recently released independent scientific study produced by the criminological department of the German Max-Planck-Institute for Foreign and International Criminal Law finds that data retention does not increase the security of citizens, https://www.bmj.de/SharedDocs/Downloads/DE/pdfs/20120127_MPI_Gutacht last accessed 7.2.2012.
  41. Datensicherheitsverordnung (TKG-DSVO), BGBl. (Federal Gazette) II Nr. 402/2011; the regulation is based on a study by the Ludwig Boltzmann Institute of Human Rights (BIM) on behalf of the Austrian Federal Ministry of Transport, Innovation and Technology (BMVIT). The final adoption contains some smaller amendments – which have to be criticised in the light of fundamental rights protection – but the substantial suggestions from the BIM have been transposed: http://bim.lbg.ac.at/en/digital-rights/study-data-security-within-transposition-data-retention-directive-austria, last accessed 7.2.2012.
  42. “Fortgeschrittene Signatur”, according to § 2 Nr. 3 Signature Act, BGBl. (Federal Gazette) I No.190/1999 as amended BGBl. (Federal Gazette) I No.75/2010.
  43. The results have been presented at the Belgian Conference on E-Government (“Lift-off towards open government”) on 15 December 2010 in Brussels; http://www.digitales.oesterreich.gv.at/site/6573/default.aspx, last accessed 7.2.2012.
  44. The term “qualified electronic signature” is legally defined by Art. 2 para. 3a Electronic Signature Act, BGBl. (Federal Gazette) I No.190/1999.
  45. Compare http://www.stammzahlenregister.gv.at/site/5972/default.aspx, last accessed 7.2.2012.