Storage media
The reform marks a clear departure from the previously mandatory object-related nature of seizure. Whereas previously all physical objects (such as cell phones or murder weapons) were treated equally and could be seized as such, the Austrian Code of Criminal Procedure now makes an explicit distinction between the seizure of analog objects and the seizure of data carriers and data. The new regulation applies not only to cell phones or laptops, but also to CDs, USB sticks and all other storage media. This affects not only the data on the end device, but also external storage locations (e.g. cloud).
Judicial reservation and restriction of the data to be analyzed
A seizure ordered by the prosecution authority – without prior judicial approval – to evaluate large amounts of data on end devices is no longer permitted under the new legal situation in Austria. If an evaluation of the data is planned, the new regulation requires that judicial approval of the prosecution authority's order be obtained before the authority to dispose of a data medium is established (Sec 115f para 2 of the Austrian Code of Criminal Procedure, “StPO”). Only in cases of imminent danger may the criminal investigation department initially seize and access the data without prior authorization (Sec 115f para 4 StPO).
The court-approved prosecution order must contain the data categories and content to be seized as well as the relevant time periods (Sec 115f para 3 StPO). In this way, the legislator wants to ensure that the prosecution authorities are not allowed to look through the entire database.
Essentially, the material requirements for a measure have not changed. As before, an initial criminal suspicion is sufficient, i.e. certain indications that a criminal offense has been committed (Sec 1 para 3 StPO). A certain severity of the offense is not required. Uninvolved third parties can also be affected by this measure. The only decisive factor is that the seizure appears necessary for reasons of proof and it can be assumed on the basis of certain facts that information can be obtained that is essential for the investigation of a criminal offense (Sec 115f para 1 StPO).
The evaluation process in detail
If the seizure has been authorized by the court, the data carriers are physically seized – usually in the course of a house search. All data available on the data carrier is then first backed up as an “original backup” (“Originalsicherung”, Sec 115g para 1 StPO). A “working copy” is then used to process the data, which is limited to the authorized scope (e.g. with regard to certain time periods or data categories).
The processing of data includes all technical steps, in particular also those for restoring data and limiting it to the scope authorized by the court (Sec 109 no. 2b StPO). After processing has been completed, a separate processing report must be drawn up (Sec 115h para 1 StPO).
The next step is the concrete evaluation of the result of the data processing (Sec 115i para 1 StPO). The result of the data processing, i.e. a data set corresponding to the court decision with regard to the data categories and the time period (Sec 109 no. 2e StPO), must subsequently be evaluated in terms of content.
The prosecution authorities can define search parameters for this purpose, which must be recorded in the file. Accused persons and victims have the option of requesting additional search parameters and the deletion of irrelevant data (Sec 115i para 2 and 5 StPO). In addition, accused and victims have the right to inspect the results of the processing – insofar as they are affected by the seizure. Other persons whose data has been analyzed may inspect the result of the analysis insofar as it concerns their own data (Sec 115i para 4 StPO).
Usability and chance finds
Sec 115j para 1 StPO stipulates that the results of the analysis may not be used as evidence unless the seizure was lawfully ordered or authorized. A violation of this provision is punishable by nullity.
If, in the course of data evaluation, there are indications of another criminal offense that was not the reason for the seizure of data carriers and data (so-called incidental findings), a separate file must be created – insofar as the use as evidence is permissible (Sec 115j para 2 StPO). The legislator has thus clarified that “chance finds” (Zufallsfunde) generally may continue to be used.
A new order and authorization are permissible in this context (and necessary with regard to Sec 115j para 1 StPO) if it can be assumed on the basis of certain facts or circumstances that further access to the original backup or working copy is necessary and the requirements for the seizure of data carriers and data are met (Sec 115f para 5 StPO).
Role of the commissioner for legal protection
A significant innovation is the extended supervisory and control function of the legal protection officer (Sec 115l StPO). The prosecution authorities must inform the commissioner for legal protection of every authorization for the seizure of data carriers and data. In cases in which the seizure is directed against persons with the right to refuse to testify or persons whose interrogation as a witness is inadmissible, his authorization is also required, which may only be granted for particularly serious reasons that make the associated interference appear proportionate (Sec 115l para 1 StPO).
The legal protection officer has extensive powers for his tasks: He is granted access to relevant files and may monitor their processing and evaluation. For this purpose, he may enter all relevant premises and inspect the relevant documents.
In particular, the commissioner for legal protection must ensure that the order of the public prosecutor and the court authorization are not exceeded when processing and evaluating data. At the suggestion of the public prosecutor’s office, the legal protection officer may carry out the aforementioned checks; the accused, the victim and those affected by the investigative measure are also entitled to make a suggestion. The commissioner for legal protection must state whether he will comply with such a suggestion; this notification must contain a statement of reasons (Sec 115l para 3 StPO).
The legal protection officer is also authorized to file a complaint (Sec 87 StPO) or an objection because of violation of rights (Sec 106 StPO) and to request the destruction of data. After the investigation has been completed, he must be given the opportunity to ensure that the original backup, the working copy and the result of the data processing have been properly destroyed.
Practical relevance and outlook
The strict separation between a merely selective securing and the extensive seizure of data is intended to make the massive encroachment on the fundamental rights to data protection (Art 1 Austrian Act on Data Protection) and privacy (Art 8 ECHR) more transparent and controllable. Although it was the declared intention of the legislator to strengthen the rights of those affected, this cannot be considered a completely successful reform.
Although the newly created transparency of the evaluation process is a positive aspect, the creation of a complete “original backup” of the entire database is viewed critically from a fundamental rights perspective. In practice, it has also been shown that data carriers are often seized for weeks or even months, although Sec 115f para 6 StPO expressly provides for data mirroring limited to data categories and time periods when carrying out the seizure.
No less controversial is the undifferentiated obligation to retain the original backup – i.e. the entire data stock on a seized data carrier – until the final conclusion of the criminal proceedings (Sec 115k StPO). This raises fundamental rights and data protection concerns. It remains to be seen whether the new regulation and all its details will be upheld by the Constitutional Court (VfGH). However, the Constitutional Court has made it clear that particularly strict constitutional requirements must be observed when securing and evaluating extensive data in order not to disproportionately impair the fundamental rights to private and family life and data protection.