Q&A: cloud computing law in Austria

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognized and provided for in your legal system? If so, how?

Austria has a tradition of keeping its laws as technology neutral as possible. Consequently, it has no law regulating cloud computing or any other technology. Rather, the general rules of civil law apply. Owing to the nature of cloud computing and the many parties usually involved in providing a certain service, special attention is given to the rules on liability for third parties employed to fulfill a contractual obligation.

Over the years, many guidelines, such as those from EuroCloud Austria or the Austrian Chamber of Commerce, have helped to establish general recommendations and best practices, and also to harmonize the general expectations relating to business-to-business cloud computing contracts.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Austrian law does not provide any specific rules related to cloud computing. The generally applicable legal provisions that come closest to influencing the potential use of cloud offerings are the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG), which generally prohibit the transfer of personal data to countries that do not meet the data protection standards applicable in the EU.

The only legal provision, albeit a very specific one, mentioning the use of cloud computing (though not by name) is found in the Guidelines for the exercise of the legal profession (RL-BA), which, in principle, merely aim to ensure and protect a lawyer’s legal obligation to confidentiality. Due to their amendment, which entered into force on 29 September 2020, lawyers are now also allowed to use clouds for data storage if certain conditions are met. Accordingly, lawyers are entitled to use the services of external service providers if the existing confidentiality obligations and data protection requirements are complied with.

The exact requirements can be found in article 40, paragraph 3. Thus, a lawyer is obliged to protect the interests of his or her clients, to carefully select the external service provider, and to contractually oblige the provider to inform the lawyer immediately in the event of a house search as well as to take technical and organizational measures to guarantee the confidentiality of the data and data security. Furthermore, the lawyer must inform his or her clients about the categories of external service providers used and the services to be provided by them.

In practice, IT service providers providing cloud storage services, as well as other local cloud providers, usually accept the necessary safeguards so that Austrian law firms can usually work with them.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

As in every civil law country, Austria has a large number of laws governing various aspects of business or other activities. As far as cloud computing is concerned, any law providing legal rules or restrictions regarding business activities, including laws on employment relationships, is thus, in principle, able to indirectly affect and govern the use of cloud computing. This is particularly true for special legal rules relating to certain businesses, such as banks or insurance agencies.

The most prominent examples remain the GDPR and the DSG, the Austrian Data Protection Act. However, the Austrian Labor Relations Act (ArbVG) (articles 96, paragraph 3 and 96a) is another prominent legal provision with significant practical influence on the use of cloud computing and any new technology in general. According to this provision, the implementation of any technical system used to control employees requires the consent of the works council if such system affects human dignity. This also applies to the implementation of systems automatically gathering data on the employees ‘that go beyond the general information and prerequisites related to the employee’ as well as evaluation systems requiring the works council’s consent. While consent for the latter two systems may also be obtained directly from the employees, the former rule cannot be circumvented by individual agreements between employer and employee. Rather, such ‘control systems’ are absolutely forbidden should no works council exist. As to which systems are actually covered by these provisions, interpretations can vary widely and usually depend on the point of view of the evaluating person. In practice, however, this has led to employers regularly informing works councils of new technologies, even if only to mention that they do not constitute any control, data gathering or evaluation system according to article 96, paragraph 3 and 96a ArbVG. In turn, works councils regularly make use of their rights to information and consultation in such cases, thus giving them significant practical influence on decisions regarding new IT solutions in general, including cloud computing.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

As no laws specific to cloud computing exist in Austria (if one disregards the RL-BA, regulating the use of cloud computing by lawyers), the consequences of a breach are always those attached to the law itself. As such, in general one can distinguish between criminal, administrative or civil consequences.

Criminal consequences are usually a result of a breach of the Austrian Penal Act (StGB). In relation to technology this is the case, for example, with hacking or identity theft. Depending on the nature and severity of the crime committed, the consequences can range from a fine to imprisonment.

Administrative consequences are usually fines due to a breach of public law. The most prominent example of one such law is the GDPR. A breach of, for example, the Austrian Banking Act (BWG) can also lead to administrative proceedings and fines, in this case by the Financial Markets Authority.

Finally, civil consequences are those related to either tort or a breach of contract, which in turn need to be evaluated against the general civil legal rules. The usual consequence of such a breach is the obligation to compensate financially for any damage caused. In the case of unfair competition, publication of the verdict may be ordered in addition.

Of course, the consequences are not exclusive. Thus any breach of criminal, administrative or civil rules may additionally lead to consequences of another nature. Once again, the GDPR can serve as an example. Article 82 explicitly grants any person the right to claim compensation for damage caused by a breach of the GDPR. This right exists in addition to and independently of the national data protection authority’s (DPA’s) right to impose a fine upon the company in breach of the law. Thus even if the DPA were to decide to abstain from a fine and merely issue a reprimand for a minor breach, any affected person may still claim compensation should the breach have caused damage.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

Consumer protection rules are mostly stipulated in the Austrian Consumer Protection Act (KSchG). However, for business-to-consumer contracts concluded on the internet, the rules set forth in the Austrian Act on distance and out-of-office selling (FAGG) are the most relevant and have been partially moved over from the KSchG.

In general, the FAGG stipulates very strict and detailed information obligations regarding the identity and contact details of the business, even more so than the generally applicable E-Commerce Act (ECG). In addition to requiring businesses to provide the required information to the consumer before a contract is concluded, businesses are further obliged to transmit that information as well as the contractual terms to the consumer in a way that allows him or her to save all this information and documents. In practice, this is usually effected by sending a confirmation email with attachments to the consumer. In the case of a breach, the law grants the consumer a very long deadline within which to decide to withdraw from the contract without any consequences.

Even after the binding conclusion of a contract, the consumer can still decide to withdraw from the contract without giving any reason and without consequences within 14 days.

As far as digital services are concerned, however, the law provides the possibility to waive this right of withdrawal. Namely, if a service provider starts with the provision of the services upon explicit request of the consumer before the expiration of the 14-day deadline, the consumer thereby waives his or her right of withdrawal. In practice, cloud service providers as well as app stores and providers of digital media require the consumer to explicitly consent to the immediate provision of services, usually by ticking a box, before the expiration of the deadline. Without such consent, the providers simply do not conclude a contract with the consumer in the first place.

In the case of disputes between a business and a consumer, although not in cases of disputes between businesses, the Austrian Alternative Dispute Resolutions Act (AStG) additionally applies.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

With the notable exception of the RL-BA, stipulating rules for lawyers using cloud computing, Austrian law does not contain specific rules relating to cloud computing. As such, sector, industry or profession-specific rules apply to and affect cloud computing insofar as they impose specific rules and requirements on third parties that the relevant regulated business or entity deals with.

In general, such rules can be found, for example, in the Austrian Act on Public Tenders (BVergG) and associated case law as far as rules are set forth on how to evaluate the suitability and qualification of a party providing an offer.

Other rules may be found in the banking, finance, insurance, energy or telecom sectors, where providers are regulated very strictly and care is taken that the strict obligations are not watered down by, for example, using third parties that do not meet those strict requirements for core services and obligations.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

In the absence of specific legal rules on cloud computing in Austria, the general rules of the Austrian Insolvency Act (IO) apply.

Of particular note and importance to cloud computing are articles 21 and 25a IO. According to these provisions, the insolvency administrator has the right to decide whether to continue or end any contracts still in force and not completely fulfilled by the time insolvency proceedings are opened. The contracting partner of the insolvent business, however (in our case: the cloud service provider), is barred from terminating the contract, unless for a good cause, for a period of six months after opening insolvency proceedings, if such termination may endanger the continuation of the insolvent business. In practice, this means that usually no cloud provider, except for very minor and niche services, can terminate the contract and suspend provision of the services upon the opening of insolvency proceedings. Rather, they would need to ask for a declaration of the insolvency administrator as to whether he or she chooses to continue or terminate the contract.

While this provision was created with services such as electricity in mind, it nevertheless affects all other business-critical services, including cloud offerings.

