Austria’s Federal Data Protection Act

1. Overview

The Federal Data Protection Act (Datenschutzgesetz, DSG), a domestic implementation of the EU General Data Protection Regulation (GDPR), is the relevant Austrian domestic law. Although the DSG does not target deepfakes directly, it is a law that governs the processing of personal information that will eventually be used to create and distribute deepfakes. Enforcing the DSG to guarantee that personal data is treated legally, openly, and with purpose is the duty of the Austrian Data Protection Authority (DSB).

2. Application of the Legislation

The DSG regulates the processing of biometric data and personal data in Austria. Private information, such as images or audio recordings, is usually employed by deepfakes to generate artificial content. Processing data without consent or a legitimate reason could be prohibited by the DSG. Since personal data is utilized, the legislation regulates the production and distribution of deepfakes. In certain instances, such as journalistic, artistic, or academic use, where processing aligns with information and expression rights, exemptions are present.

3. Principal Provisions

• Requirements of Consent: According to Article 6 of the GDPR, processing personal data should only have the express data subject consent unless an alternative basis in law exists.
• Minimization of Data: One should process only the necessary data for the purpose.
• Transparency: Data subjects are provided notice about data processing and the use of deepfake technologies. 
• Accountability: Data controllers have controls in place to ensure compliance with data protection principles. 
• Rights of Data Subjects: Data subjects have rights to access, correction, deletion, and objection to their personal data.

4. Fines & Enforcement

Violations of the DSG can lead to serious consequences:

• Fines – € 20 million or 4% of the global turnover of the prior financial year, whichever is larger.
• Enforcement authority – The Austrian Data Protection Authority (DSB) is the enforcement and oversight authority of the DSG.

5. Key Cases

The DSB determined in 2021 that Clearview AI’s application of face recognition was violating the DSG because the business was handling biometric information without consent. The judgment shows how data protection legislation will be enforced on new technologies, such as those used to make deepfakes.

6. Comparison with Global Standards

The GDPR, which offers a comprehensive data protection legal framework, aligns with the DSG in Austria. Deepfakes are not mentioned directly or indirectly in the DSG, but the technology of deepfakes falls into the ambit of the DSG when dealing with personal data. Some other countries have enacted laws specifically targeting deepfakes. California’s AB 730, for instance, criminalizes distributing deepfakes for the purpose of causing harm.

7. Implications of this law

Users can report deepfakes to the DSB with their personal information. Companies that create or use deepfake technology should comply with data privacy legislation, including obtaining necessary approvals and introducing protection around products containing personal information.

8. Future Outlook

As deepfakes evolve, there will be a greater need for specialised legislation to address the challenges around deepfakes. Austria’s participation in EU-level measures, like as the European Democracy Action Plan, suggests that it is willing to pursue broad steps to counteract the exploitation of deepfakes.