Austria strengthens the civil rights of both victims and perpetrators as well as witnesses in criminal proceedings. The focus is on a new regulation of the seizure of data, commonly called cell phone searches, even though it is not about cell phones in any way. Since the beginning of the year, these seizures, including the obligation to disclose passwords, have generally been possible only by court order. After this, there has also been a lot of change in what happens to the data and devices.
Advertisement
Until now, mere initial suspicion that a crime has occurred was enough to secure data storage devices such as smartphones from citizens and force them to reveal passwords – even if those affected were not suspicious at all. Secure devices can also be used to access data that is stored elsewhere, usually online. A judge’s order is not necessary; An order from the public prosecutor’s office is sufficient. But just over a year ago, the Austrian Constitutional Court (VfGH) ruled cell phone searches without a court order were unconstitutional.
This made a new regulation necessary, otherwise data storage devices would no longer be secure and traceable from 2025 onwards and the disclosure of passwords would no longer be forced. In mid-December, both houses of parliament vote for the ruling parties ÖVP and the Greens, as well as the opposition parties SPO and NEOS. Amendment to the Code of Criminal Procedure Passed, which generally require court orders and focus on seizing data rather than seizing devices. Only members of the opposition FPÖ voted against it because the protective measures were not sufficient for them.
three exceptions
There are three major exceptions to the requirement of a court order: If the threat is imminent, the criminal police can intervene immediately in some cases. Anyone who has recordings from audio and/or video surveillance of public or publicly accessible places must hand them over without delay and without a court order. And the so-called “selective” data also does not fall under the judge’s reservations. This is “data that provides only a selective picture of the behavior of those affected”. However, there is another exception to this exception: access to “data of message transmissions, geographical locations as well as messages sent, transmitted or received” can only be enforced with a court order, even if the data is only Provides selective information.
Cell phone searches are so explosive in the context of fundamental rights because they provide deep insight into people’s private lives. This is not the case with data related to selective behavior. However, messages exchanged between people are better protected (letter privacy), and even revealing the whereabouts of one person can have a profound impact on privacy. Therefore, an independent judge will also have to give his consent there.
Unusually for Austrian criminal law, there are now restrictions on the use of evidence: the results of the data analysis cannot be used as evidence if the investigative measure has not been legally ordered and approved. However, it does not include restrictions on use if authorities obtain the data in some other way, for example if third parties break into someone else’s system and reveal the data found there, or if foreign authorities obtain the data. Let’s take it forward. There is also no restriction on evidence for incidental findings, i.e. evidence of legal violations that investigators were not looking for and therefore the court did not take into account when making its decision. Even administrative authorities are allowed to request data evaluation, including random findings, from criminal investigations for their own procedures.
There is no restriction on the seriousness of the offense committed. Courts only have to ensure that the data analysis is “proportional”. This is surprising given the statements of the Constitutional Court.
Three stages of preparation
In the standard case, since the beginning of the year, the Public Prosecutor’s Office has submitted a reasoned application to the court responsible for authorization to seize data storage media and data, and has simultaneously informed the Legal Protection Officer of the Judiciary . The application must state what investigative process is involved, the name of the suspect, if known, what crime is involved and what facts show that the authorization of the investigation is likely to be necessary and also proportionate. Finally, the application must describe the data categories and data content that the investigators wish to investigate and indicate the period to which the authorization should apply.
If the court allows, the public prosecutor can instruct the criminal police to conduct the seizure. Those affected will then receive a confirmation and will be informed that they can apply to the court to cancel the permit.
The third step is to create an original backup and a working copy of it. The data on categories covered by the court authority is extracted from the working copy. They are provided in “commonly used file formats in a structured form”. All other data on the data storage medium remains untouched, with the aim of revealing significantly less private information than previous practice. At this point, the data carriers can in many cases be returned to those affected, unless the hardware itself can play a role as evidence or it is not clear who is entitled to the case.
