Austria
A constitutionally neutral state whose internet traffic transits through Germany’s DE-CIX — where the BND conducts cable interception — and whose own intelligence service was so compromised that the Club de Berne’s security audit found even moderately talented hackers could penetrate its shared European intelligence network
Overview
Austria’s privacy landscape is shaped by a tension between strong constitutional data protection guarantees and structural intelligence vulnerabilities. The Datenschutzgesetz (DSG), whose Section 1 has constitutional status and provides a fundamental right to data protection, is enforced by the independent Datenschutzbehoerde (DSB). Austria’s DSB issued the first EU ruling that Google Analytics violated GDPR by transferring data to the United States — a decision that cascaded across Europe. The country is also home to noyb (None Of Your Business), Max Schrems’s privacy advocacy organization whose litigation produced the Schrems I and Schrems II CJEU rulings that invalidated two successive EU-US data transfer frameworks.[1]
On the surveillance side, Austria’s Direktion Staatsschutz und Nachrichtendienst (DSN) — formed in 2021 after its predecessor the BVT was raided by police in 2018 and subsequently failed a Club de Berne security audit — received authority to deploy state spyware (Bundestrojaner) in July 2025 despite the Constitutional Court having struck down an identical law in 2019. Austria is an NSA Tier B partner under “Focused Cooperation” and participates in the CROSSHAIR direction-finding network. As a landlocked country, all of Austria’s international internet traffic transits through neighboring states — primarily through DE-CIX Frankfurt, where the BND conducts cable interception.[2][3]
Data Protection Authority: DSB
The Datenschutzbehoerde (DSB) is Austria’s independent supervisory authority established under Section 18 DSG in accordance with GDPR Article 51. It replaced the former Datenschutzkommission (DSK) on January 1, 2014. The DSB is based in Vienna and handles complaints, conducts investigations, issues binding orders, and imposes administrative fines.[1]
Notable Decisions
| Date | Entity | Decision | Details |
|---|---|---|---|
| Jan 2022 | Website operator (Google Analytics) | Violation | First EU DPA to rule Google Analytics transfers to the US violate GDPR; triggered parallel rulings by CNIL (France) and Garante (Italy)[4] |
| Dec 2023 | CRIF GmbH | EUR 250,260 | Credit scoring company fined for unlawful profiling[5] |

The DSB has faced criticism regarding resourcing. noyb filed a complaint with the European Commission alleging the DSB lacks sufficient staff and budget for effective GDPR enforcement, citing backlogs and slow case processing.[6]
Key Legislation
Datenschutzgesetz (DSG)
Austria’s primary data protection law. Section 1 DSG has constitutional status (Verfassungsbestimmung) and establishes a fundamental right to data protection — a provision dating to the DSG 1978, predating the GDPR by four decades. The current DSG 2000, substantially amended in 2018 for GDPR implementation, supplements the GDPR with national provisions on public sector processing, employer data handling, and criminal data protection. The DSG does not replace the GDPR but provides supplementary national rules where the GDPR permits member state derogation.[1]
Strafprozessordnung (StPO) — Code of Criminal Procedure
Sections 134ff StPO govern lawful interception of telecommunications for criminal investigations. Surveillance requires a judicial order and is limited to offenses carrying a maximum penalty of more than one year. The Ueberwachungsverordnung (UeVO) implements technical requirements for telecom providers’ interception obligations.[7]
Sicherheitspolizeigesetz (SPG) — Security Police Act
Sections 53(3a) and 53(3b) SPG authorize the police to access traffic data (not content) for security purposes. These provisions have been amended multiple times and are subject to ongoing constitutional scrutiny.[7]
Staatsschutz- und Nachrichtendienst-Gesetz (SNG) — State Protection and Intelligence Service Act
Enacted in December 2021, the SNG replaced the Polizeiliches Staatsschutzgesetz (PStSG) 2016. Section 11(1) SNG provides the legal basis for the DSN’s surveillance operations. The SNG was adopted following the BVT scandal and restructured Austria’s domestic intelligence from the discredited BVT into the new DSN.[8]
Bundestrojaner Law (2025)
On July 9, 2025, the Austrian parliament passed legislation authorizing the DSN to deploy state-sponsored spyware (Bundestrojaner) to intercept encrypted communications on services such as WhatsApp and Signal. The vote was 105 in favor, 71 opposed. The law permits deployment even against individuals not suspected of any crime, provided all other investigative methods have been exhausted. Surveillance requests require approval by the Federal Administrative Court (panel of judges). Annual deployments are capped at 25–30 cases. The government plans to issue a tender for monitoring technology, with deployment expected to begin in 2027. Civil society organizations have promised legal challenges.[9]
This is Austria’s second attempt at a Bundestrojaner law. On December 11, 2019, the Constitutional Court struck down an earlier version, ruling it violated Article 8 ECHR (right to privacy), Section 1 DSG (fundamental right to data protection), and Article 9 of the Staatsgrundgesetz (prohibition on unreasonable searches). The court held that infiltrating a computer system to read encrypted messages differs fundamentally from traditional wiretapping because it provides insight into all areas of life. The court also criticized that the law permitted spyware for property offenses with low maximum penalties, such as burglary. One-third of parliament’s members had challenged the law’s constitutionality.[10]
Surveillance and Intelligence
Intelligence Agencies
The Direktion Staatsschutz und Nachrichtendienst (DSN) is Austria’s domestic intelligence and state protection agency, formed in December 2021 under the SNG to replace the discredited BVT. The DSN operates within the Ministry of the Interior. The Heeresnachrichtenamt (HNA) is the military intelligence service within the Ministry of Defence, responsible for foreign military intelligence. The HNA operates the Koenigswarte SIGINT station, a listening post in Lower Austria. Austria has no foreign civilian intelligence service — foreign intelligence functions are split between the HNA (military) and the DSN (security-related).[11]
BVT Scandal (2018–2021)
On February 28, 2018, the Austrian police’s anti-corruption unit raided the headquarters of the BVT (Bundesamt fuer Verfassungsschutz und Terrorismusbekaempfung), Austria’s domestic intelligence agency, seizing files and hard drives. The raid was ordered by a prosecutor investigating allegations of document shredding and unauthorized intelligence sharing. The operation shocked European partners because it potentially exposed shared intelligence materials. In February 2019, the Club de Berne dispatched its “Soteria” internal security assessment group to audit the BVT’s Vienna headquarters. The resulting classified report — subsequently leaked to Austrian media on November 11, 2019 — found severe cybersecurity deficiencies and concluded that even moderately talented hackers could use the BVT’s internal network to penetrate “Poseidon,” the Club de Berne’s shared IT network. The leak itself became the biggest breach in the Club de Berne’s history.[12][13]
Russian Intelligence Penetration
Austria has been identified as a target of Russian intelligence operations. In November 2018, a retired Austrian military officer, Colonel Martin M., was arrested on suspicion of spying for Russia’s GRU military intelligence for approximately 20 years. The case further strained Austria’s relationships with European intelligence partners and contributed to the decision to dissolve the BVT and create the DSN.[14]
NSA Tier B Cooperation
According to documents disclosed by Edward Snowden and published by the Spanish newspaper El Mundo on October 30, 2013, Austria is classified as an NSA Tier B partner under “Focused Cooperation.” Austria participates in the CROSSHAIR program, a worldwide network of antennas for High Frequency Direction-Finding (HFDF). Austria is listed among 16 Third Party countries participating in CROSSHAIR. Unlike Five Eyes (Second Party) members, Third Party partners can be and are targeted by NSA collection.[3]
Internet Infrastructure and Transit Exposure
Vienna Internet Exchange (VIX)
The Vienna Internet Exchange (VIX) is Austria’s primary internet exchange point, operated by the Vienna University Computer Center. VIX provides neutral peering infrastructure for Austrian and international networks.[15]
Transit Exposure
As a landlocked country, Austria has no submarine cable landings. All international internet traffic must transit through neighboring states. Austrian traffic flows primarily westward through Germany, with A1 Telekom Austria’s international infrastructure routing through Frankfurt, Stuttgart, and Munich. DE-CIX Frankfurt — the world’s largest internet exchange by throughput — serves as Austria’s primary gateway to global connectivity.[16]
This creates a structural surveillance exposure. The BND has intercepted DE-CIX traffic since 2009, inserting prism devices into fiber-optic cables that divert copies of all transmitted data onto BND servers. Austrian politician Peter Pilz accused the BND and Deutsche Telekom of intercepting internet traffic to Austria, with evidence that a telecommunications line between Luxembourg and Vienna had been tapped, and that lines between Amsterdam, Stockholm, Dublin, Moscow, and Vienna were likely intercepted. Austrian data also transits through Swiss exchange points where the NDB conducts cable reconnaissance (Kabelaufklaerung).[16][17]
Data Retention
On June 27, 2014, the Austrian Constitutional Court struck down the country’s data retention law (implementing the EU Data Retention Directive), ruling it disproportionate and unconstitutional. Austria has not enacted replacement data retention legislation. Law enforcement access to existing telecom metadata requires a judicial order under the StPO.[18]
The absence of mandatory data retention means Austrian telecom providers retain traffic data only as long as necessary for billing and service provision, typically for shorter periods than in countries with mandatory retention. However, law enforcement can still obtain real-time interception orders and access subscriber data.
International Data Sharing Agreements
Club de Berne and Counter-Terrorism Group
Austria is a member of the Club de Berne, the intelligence-sharing forum of all EU member states’ domestic security services plus Norway and Switzerland, founded in 1969. Austria also participates in the Counter-Terrorism Group (CTG), the post-9/11 operational counterterrorism offshoot of the Club de Berne. The BVT scandal and the subsequent Poseidon network vulnerability raised concerns among partner services about the security of shared intelligence materials held in Austria.[12]
NSA Tier B Cooperation
Austria maintains a formal Third Party SIGINT cooperation agreement with the NSA under Tier B “Focused Cooperation.” This includes participation in the CROSSHAIR direction-finding network. Austria’s HNA operates the Koenigswarte listening station as part of this cooperation framework.[3]
EU Law Enforcement Cooperation
Austria participates in the Schengen Information System (SIS II), the European Investigation Order (EIO) framework, the Pruem Convention for automated DNA/fingerprint/vehicle data exchange, and Europol/Eurojust cooperation. Austria was one of seven initiating member states that proposed the EIO directive in April 2010.[19]
US-Austria MLAT
The US-Austria Treaty on Mutual Legal Assistance in Criminal Matters (MLAT) was signed on February 23, 1995, and entered into force on August 1, 1998. It provides for mutual assistance in criminal investigations, including taking testimony, executing searches, and transferring evidence.[20]
Neutrality and NATO
Austria is constitutionally neutral (Federal Constitutional Law on Neutrality, 1955) and is not a NATO member. Austria participates in NATO’s Partnership for Peace (PfP) program but does not have access to NATO intelligence-sharing structures. This neutrality creates a paradox: Austria cooperates with the NSA bilaterally as a Tier B partner while remaining outside the NATO intelligence framework that most of its EU neighbors participate in.[11]
Cross-Border Cooperation
Austria has bilateral police cooperation agreements with Germany, Switzerland, and Liechtenstein. The trilateral Austria-Switzerland-Liechtenstein framework covers cross-border law enforcement including joint patrols and information sharing. Austria’s position as the country through which Liechtenstein’s internet traffic transits onward (after Switzerland) places it in the data flow chain described on the Liechtenstein page of this directory.[21]
The Privacy Backdoor Effect
Despite Austria’s constitutional protections and DSB GDPR enforcement, intelligence sharing frameworks and transit infrastructure create alternative pathways for accessing Austrian person data — while Austrian intelligence law applies without nationality limitation to communications passing through Austrian territory:
- DE-CIX Transit / BND: Austrian internet traffic routinely transits DE-CIX Frankfurt, where the BND conducted bulk cable interception under the NSA RAMPART-A program. Austrian data loses domestic legal protection once it crosses the German border.
- NSA Tier B Cooperation: Austria’s bilateral SIGINT relationship with the NSA enables intelligence sharing about Austrian persons outside GDPR-compatible frameworks.
- Club de Berne / EU INTCEN: Austrian DSN intelligence informs EU INTCEN and is shared among 31 European intelligence services, outside any GDPR framework.
- EU Framework Sharing: Austrian person data entered into SIS II, Prüm, or EIO channels is accessible to 27 EU member states and, through Europol, to the US FBI.
- MLAT Bypass: US authorities can obtain Austrian data via the US-Austria MLAT, potentially at lower evidentiary thresholds than domestic judicial warrants under StPO.
- SWIFT/PNR Dragnet: All international financial transactions and international air travel are subject to US access.
For Austrian persons, data nominally protected by the DSG and GDPR can be accessed through Tier B SIGINT sharing, BND-DE-CIX transit interception, EU law enforcement frameworks, or MLAT channels. Conversely, foreign nationals whose communications transit Austrian networks — including VIX and Austrian-hosted infrastructure — are subject to collection by the DSN under the SNG without GDPR protection. GDPR Article 2(2) explicitly excludes national security processing from its scope; the DSG applies to data controllers, not to Austrian intelligence agencies operating under national security law.
Recent Developments
Bundestrojaner Law Passed (July 2025)
Parliament authorized DSN deployment of state spyware by a 105–71 vote, despite the Constitutional Court having struck down an identical law in 2019. Deployment is expected in 2027; legal challenges have been promised.[9]
Constitutional Court Struck Down Previous Bundestrojaner (December 2019)
The 2019 ruling found the earlier spyware law violated Article 8 ECHR, Section 1 DSG, and Article 9 Staatsgrundgesetz. The court held that computer infiltration differs fundamentally from traditional wiretapping.[10]
DSN Replaces BVT (December 2021)
Austria’s domestic intelligence was restructured from the scandal-plagued BVT into the new Direktion Staatsschutz und Nachrichtendienst under the SNG.[8]
Google Analytics GDPR Ruling (January 2022)
The DSB’s decision that Google Analytics EU-US data transfers violate GDPR was the first ruling among 101 model complaints filed by noyb following Schrems II. Parallel decisions by CNIL and Garante followed.[4]
BVT Raid and Club de Berne Audit (2018–2019)
The February 2018 police raid on BVT headquarters and the subsequent February 2019 Club de Berne security audit — which found the Poseidon network could be penetrated by moderately skilled hackers — represented the worst intelligence security crisis in Austrian history.[12]
Russian Espionage Case (November 2018)
Retired Colonel Martin M. was arrested on suspicion of spying for Russian GRU military intelligence for approximately 20 years.[14]
