Austria
Constitutionally neutral NSA Tier B partner whose intelligence service was so compromised that Club de Berne auditors found its shared European network penetrable by moderately skilled hackers
Overview
EU Member State: Austria is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page. This page covers national laws, intelligence and surveillance, and Austria’s role in international data sharing.
Austria’s privacy landscape is shaped by a tension between strong constitutional data protection guarantees and structural intelligence vulnerabilities. The Datenschutzgesetz (DSG) provides a constitutional fundamental right to data protection (Section 1), predating the GDPR by four decades. Austria is home to noyb (None Of Your Business), Max Schrems’s organisation whose litigation produced the Schrems I and Schrems II CJEU rulings invalidating two successive EU-US data transfer frameworks.[1]
On the surveillance side, the Direktion Staatsschutz und Nachrichtendienst (DSN) was formed in 2021 after its predecessor the BVT was raided by police and failed a Club de Berne security audit. In July 2025, parliament authorised DSN deployment of Bundestrojaner (state spyware) despite the Constitutional Court having struck down an identical law in 2019. Austria is an NSA Tier B partner under “Focused Cooperation” and participates in the CROSSHAIR direction-finding network. As a landlocked country, all international internet traffic transits through neighbouring states, primarily through DE-CIX Frankfurt where the BND conducts cable interception.[2][3]
Privacy Framework
The Datenschutzbehörde (DSB) is Austria’s independent supervisory authority, replacing the former Datenschutzkommission on January 1, 2014. The DSB issued the first EU ruling that Google Analytics violated GDPR by transferring data to the US (January 2022), triggering parallel rulings across Europe. However, the DSB faces severe resourcing constraints: beginning July 2025, budget pressure (EUR 6.1M in 2025, EUR 5.9M in 2026) forced elimination of ~20 intern positions, restricted ex officio investigations, and curtailed public access — even as new responsibilities (Freedom of Information Act, AI Act, political advertising) were added. noyb filed a complaint with the European Commission about these deficiencies.[1][4][5]
The DSG supplements the GDPR with national provisions. Section 1 has constitutional status (Verfassungsbestimmung). The StPO (Code of Criminal Procedure, Sections 134ff) governs lawful interception, requiring judicial orders for offences punishable by more than one year. The SPG (Security Police Act) authorises police metadata access. The SNG (State Protection and Intelligence Service Act, December 2021) provides the DSN’s legal basis.[6][7]
Surveillance and Intelligence
Intelligence Agencies
The DSN (Direktion Staatsschutz und Nachrichtendienst) is Austria’s domestic intelligence and state protection agency, formed in December 2021 under the SNG to replace the discredited BVT. The HNA (Heeresnachrichtenamt) is the military intelligence service, operating the Königswarte SIGINT station in Lower Austria. Austria has no foreign civilian intelligence service — foreign intelligence is split between the HNA (military) and DSN (security-related).[8]
BVT Scandal (2018–2021)
On February 28, 2018, police raided BVT headquarters, seizing files and hard drives, potentially exposing shared European intelligence. In February 2019, the Club de Berne dispatched its “Soteria” team to audit the BVT. The classified report — leaked to Austrian media on November 11, 2019 — found that moderately talented hackers could use the BVT’s network to penetrate “Poseidon,” the Club de Berne’s shared IT network. The leak itself became the biggest breach in Club de Berne history. A related Russian espionage case — retired Colonel Martin M., arrested in November 2018 for ~20 years of GRU spying — further eroded partner confidence and contributed to the BVT’s dissolution.[9][10][11]
Bundestrojaner (State Spyware)
On July 9, 2025, parliament authorised DSN deployment of state spyware to intercept encrypted communications (WhatsApp, Signal) by a 105–71 vote. Deployment is permitted even against individuals not suspected of any crime (if other methods are exhausted), requires Federal Administrative Court approval, and is capped at 25–30 annual cases. Deployment is expected in 2027. This is Austria’s second attempt: on December 11, 2019, the Constitutional Court struck down an identical law, ruling it violated Article 8 ECHR, Section 1 DSG, and Article 9 Staatsgrundgesetz, holding that computer infiltration differs fundamentally from traditional wiretapping because it provides insight into all areas of life. Civil society organisations have promised legal challenges to the new law.[2][12]
NSA Tier B Cooperation
Austria is classified as an NSA Tier B partner under “Focused Cooperation” (disclosed via Snowden documents, published by El Mundo October 30, 2013). Austria participates in the CROSSHAIR worldwide High Frequency Direction-Finding (HFDF) network, listed among 16 Third Party countries. Unlike Five Eyes members, Third Party partners can be and are targeted by NSA collection.[3]
Internet Infrastructure and Transit Exposure
The Vienna Internet Exchange (VIX) is Austria’s primary IXP. As a landlocked country with no submarine cable landings, all international traffic transits through neighbouring states, primarily westward through Germany via DE-CIX Frankfurt.[13]
The BND has intercepted DE-CIX traffic since 2009. Austrian politician Peter Pilz accused the BND and Deutsche Telekom of tapping a telecommunications line between Luxembourg and Vienna, with evidence that lines between Amsterdam, Stockholm, Dublin, Moscow, and Vienna were likely intercepted. Austrian data also transits Swiss exchange points where the NDB conducts cable reconnaissance.[14][15]
Data Retention
On June 27, 2014, the Constitutional Court struck down Austria’s data retention law as disproportionate and unconstitutional. Austria has not enacted replacement legislation. Telecom providers retain traffic data only as needed for billing/service provision. Law enforcement can still obtain real-time interception orders and access subscriber data under the StPO.[16]
International Data Sharing Agreements
Despite constitutional neutrality and strong DSG protections, Austria participates in extensive intelligence and law enforcement data sharing, and its internet transit infrastructure creates additional involuntary exposure.
Mutual Legal Assistance: Layered Framework
EU Member States (26 countries): The EU Convention on Mutual Assistance in Criminal Matters (2000) and the Schengen Convention provide the primary MLA framework. Austria was one of seven initiating member states that proposed the European Investigation Order (EIO) directive in April 2010, enabling binding cross-border evidence requests across the EU.[17]
Council of Europe (50 signatory states): Austria is party to the European Convention on Mutual Assistance in Criminal Matters (1959) and its Additional Protocols, providing MLA coverage with all Council of Europe members including Turkey, Israel, and other non-EU states.
Bilateral MLAT with the United States: Signed February 23, 1995, entered into force August 1, 1998. Covers testimony, searches, and evidence transfers. Austria’s Tier B SIGINT relationship with the NSA operates alongside but outside this formal legal assistance framework.[18]
Intelligence Sharing
Club de Berne and CTG: Austria is a member of the Club de Berne (all EU intelligence services plus Norway and Switzerland) and the Counter-Terrorism Group. The BVT scandal and Poseidon vulnerability raised concerns about the security of shared intelligence held in Austria.[9]
NSA Tier B: Austria’s bilateral SIGINT relationship includes the CROSSHAIR network and Königswarte listening station cooperation.[3]
Neutrality Paradox
Austria is constitutionally neutral (1955 Federal Constitutional Law on Neutrality) and not a NATO member, participating only in NATO’s Partnership for Peace. This creates a paradox: Austria cooperates with the NSA bilaterally as a Tier B partner while remaining outside NATO intelligence structures that most EU neighbours use.[8]
EU Law Enforcement Cooperation
- SIS II: Real-time query and alert sharing across Schengen.
- Prüm: Automated DNA, fingerprint, and vehicle data exchange; Prüm II (2024) adds facial images and police records.
- Europol/Eurojust: Full participation.
- EU-US Umbrella Agreement: Judicial redress for Austrian citizens before US courts.
- SWIFT/TFTP: International wire transfers subject to US Treasury subpoena.
- PNR: Passenger data shared for US-bound flights.
Cross-Border Police Cooperation
Austria maintains bilateral police cooperation with Germany and a trilateral agreement with Switzerland and Liechtenstein (2012) covering joint patrols, information exchange, and cross-border hot pursuit. Austria’s position in the data flow chain means that Liechtenstein’s internet traffic, after passing through Switzerland, transits onward through Austria.[19]
The Privacy Backdoor Effect
Despite constitutional data protection and DSB GDPR enforcement, alternative pathways exist for accessing Austrian person data:
- DE-CIX Transit / BND: Austrian traffic routinely transits DE-CIX Frankfurt, where the BND conducts bulk cable interception. Data loses domestic legal protection upon crossing the German border
- NSA Tier B: Bilateral SIGINT sharing about Austrian persons outside GDPR-compatible frameworks
- Club de Berne / EU INTCEN: DSN intelligence shared among 31 European services outside any GDPR framework
- EU Framework Sharing: Austrian person data in SIS II, Prüm, or EIO channels accessible to 27 EU states and, through Europol, to the US FBI
- MLAT/CoE Convention: US and 50+ Council of Europe states can request data through MLA channels
- SWIFT/PNR: Financial transactions and air travel data subject to US access
Conversely, foreign nationals whose communications transit Austrian networks are subject to DSN collection under the SNG without GDPR protection (Article 2(2) national security exemption).
