
05/09/2023, 02:56 RINGLER v. AUSTRIA


FIFTH SECTION

DECISION
Application no. 2309/10
Marie RINGLER
against Austria

The European Court of Human Rights (Fifth Section), sitting on 12 May 2020 as a Committee
composed of:
Mārtiņš Mits, President,
Gabriele Kucsko-Stadlmayer,
Anja Seibert-Fohr, judges,
and Victor Soloveytchik, Deputy Section Registrar,
Having regard to the above application lodged on 12 January 2010,
Having regard to the observations submitted by the respondent Government and the
observations in reply submitted by the applicant,
Having regard to the comments submitted by Privacy International, which had been given leave
to intervene in the written procedure (Article 36 § 2 of the Convention and Rule 44 § 3 of the Rules
of Court),
Having deliberated, decides as follows:

THE FACTS
1. The applicant, Ms Marie Ringler, is an Austrian national who was born in 1975 and lives in
Vienna. She was represented before the Court by Ms M. Windhager, a lawyer practising in Vienna.
2. The Austrian Government (“the Government”) were represented by their Agent, Ambassador
H. Tichy, Head of the International Law Department at the Federal Ministry for Europe, Integration
and Foreign Affairs.

A. The circumstances of the case

3. The facts of the case, as submitted by the parties, may be summarised as follows.
4. On 1 January 2008 Federal Law no. 114/2007 containing an amendment to the Security
Police Act (Sicherheitspolizeigesetz; hereinafter: “SPA”) entered into force. Among other
measures, its section 53(3a) and (3b) extended the powers of the police authorities to request
personal data of telephone/mobile phone and internet users from telecommunications providers
(see paragraphs 20-21 below).
5. The applicant was a member of the Vienna Regional Parliament and lodged a complaint
under Article 140 of the Federal Constitution (Bundesverfassungsgesetz) with the Constitutional
Court requesting it to review the constitutionality of section 53(3a) and (3b) of the SPA.
6. She did not allege that any of these measures had in fact been ordered or implemented
against her, nor that she had been affected by measures directed against other persons. However,
she contended that she hosted a website and was as such considered a provider of
telecommunications services and might therefore be required to give information under 53(3a) of
the SPA. Moreover, as an internet and mobile phone user, she might be subjected to measures
under section 53(3a) and (3b) at any point in time and without having any effective remedy at her
disposal.
https://hudoc.echr.coe.int/fre#{"tabview":["document"],"itemid":["001-203068"]}
7. On 1 July 2009 the Constitutional Court rejected the applicant’s complaint as inadmissible. It
noted that only persons with whose rights a law interfered directly, without being applied through a
decision of a court or an administrative authority, had the right to lodge a complaint under
Article 140 of the Federal Constitution.
8. In so far as the applicant alleged that she was required to give certain information as a
telecommunications provider, the Constitutional Court held that, although section 53(3a) of the
SPA did not contain any new obligations to retain data, it contained an obligation to provide certain
types of information. It accepted that in so far as section 53(3a) obliged the applicant, as a provider
of telecommunications services, to give information, it interfered with her rights. However, if such
information were actually requested she had a remedy, namely a complaint to the Independent
Administrative Panel under section 88 of the SPA at her disposal. She was therefore not directly
affected.
9. In so far as she had asserted that she was a mobile phone and internet user and was
therefore likely to be affected by section 53(3a) and (3b) of the SPA, the Constitutional Court
referred to its decision of 1 July 2009 (G 147,148/08-14) in a similar case.
10. In that case also, the applicants had not alleged that the police authorities had requested
any information about them or taken any measures against them under the contested provisions.
They had merely asserted that they were likely to be affected by these provisions as they were
mobile phone and internet users and exercised certain professions. In the Constitutional Court’s
view this was not sufficient to show that they were directly affected by the said provisions.
11. Referring to the case-law of the European Court of Human Rights (Klass and Others v.
Germany, 6 September 1978, Series A no. 28, and Weber and Saravia v. Germany (dec.),
no. 54934/00, ECHR 2006‑XI), the Constitutional Court observed that section 53(3a) and (3b) of
the SPA did not regulate secret surveillance of communications but merely empowered the police
authorities to obtain specific information about telephone or internet users from providers of
telecommunications services. Since the circumstances at issue were therefore distinct from those
in the Court’s case-law, the applicants’ complaint in respect of these provisions was inadmissible
on that ground alone.
12. If the applicants had reason to believe that their data had been requested or processed by
the police authorities on the basis of the contested provisions, they had remedies under the Data
Protection Act 2000 at their disposal, in particular the right to obtain information and the right to
request the destruction of data under sections 26 and 27 of that Act.
13. Finally, the Constitutional Court observed, inter alia, that a system of safeguards was in
place: pursuant to section 91c of the SPA the police authorities had to inform the Legal Protection
Commissioner (Rechtsschutzbeauftragter) of requests for information about telephone or internet
users under section 53(3a) and (3b); in cases in which the Legal Protection Commissioner
considered that an individual’s right had been violated by the use of personal data he was entitled
to inform the person concerned or, where that was not possible pursuant to section 26(2) of the
Data Protection Act 2000, he or she was entitled to lodge a complaint with the Data Protection
Commission.

B. Relevant domestic law

(a) The Security Police Act (“SPA”)


(i) General tasks of the police authorities
14. The SPA regulates the tasks and powers of the police authorities for providing assistance in
case of immediate threat to life, health, security or property of persons (erste allgemeine
Hilfeleistungspflicht) and for maintaining public peace, order and security (Aufrechterhaltung der
öffentlichen Ruhe, Ordnung und Sicherheit) (section 3).
15. In the context of the task of maintaining public security, the police authorities have, inter
alia, to assess and avert dangers emanating from criminal organisations or from intentional
criminal offences (section 21(1) read in conjunction with section 16). Further tasks include the
protection of the constitutional institutions of the Republic, the protection of representatives of
foreign states or international organisations, the protection of vulnerable persons, in particular of
persons who may give information about criminal organisations or about the commission of
criminal offences (section 22). A further task is the search for wanted or helpless persons
(section 24).
16. Introduced by a later amendment to the SPA, the police authorities also have the task of
protecting facilities for providing basic public utilities such as energy, communications, water and
so on (section 22).

(ii) Police authorities


17. In 2010, the police authorities were the Federal Minister for the Interior, the Regional
Security Authorities (Sicherheitsdirektionen), the subordinated Federal Police Authorities
(Bundespolizeidirektionen) and District Administrative Authorities (Bezirksverwaltungsbehörden).
18. After reorganisation measures in 2012, the police authorities are now the Federal Minister
for the Interior, the Regional Police Authorities (Landespolizeidirektionen) and the subordinated
District Administrative Authorities.

(b) Powers to request data from telecommunications providers


19. Sections 51 to 54 of the SPA regulate the police authorities’ powers to collect, process and
transmit personal data (personenbezogene Daten). Section 53(3a) and (3b) which entered into
force on 1 January 2008 regulate specifically the power to request personal data of
telephone/mobile phone and internet users from telecommunications providers.
20. Section 53(3a) allows the police authorities to request the providers to disclose the name,
address and number of a specific telephone line, to disclose the IP-address relating to a specific
message and the time of its transmission and to disclose the name and address of the user to
whom an IP-address was attributed at a specific point in time.
21. Section 53(3b) allows the police authorities to request from telecommunications providers
the location data and the international mobile phone user code (IMSI) of the mobile phone or other
terminal carried by that person and to use technical devices to locate it.
22. The law, as in force at the time of the Constitutional Court’s decision of 1 July 2009,
required for requests under section 53(3a) specific facts that gave reason to believe that there was
a situation of danger and that the data was required for the fulfilment of the police authorities’
tasks. For requests under Section 53(3b) specific facts were required that gave reason to believe
that there was an immediate danger for the life or health of a person.
23. Further amendments to section 53 were introduced on 1 April 2012, on 1 July 2014, on 1
July 2016 and on 25 May 2018: inter alia, requests under section 53(3a) to disclose the name,
address and number of a specific telephone line no longer require a situation of danger; for
requests under section 53(3a) concerning IP-addresses, the prerequisites of having a ‘situation of
danger’ and ‘required for the fulfilment of their tasks’ were replaced by the wording “to avert a
situation of danger for the life, health and liberty of a person in the context of the general obligation
to provide assistance (erste allgemeine Hilfeleistungspflicht); to avert an intentional criminal
offence (gefährlicher Angriff) or to avert a criminal association (kriminelle Vereinigung)”; requests
under section 53(3b) are additionally possible if there is an immediate danger for the liberty of a
person and it is allowed to locate the mobile phone or terminal also of the companion of the person
who is in danger, and the person posing a threat.

(c) Legal Protection


(i) General principles for the protection of personal data
24. Both the SPA and the Data Protection Act 2000, which was replaced by the new Data
Protection Act on 25 May 2018, contain safeguard and remedy provisions. While the Data
Protection Act 2000 implemented the EU Data Protection Directive 95/46/EC, the new Data
Protection Act 2018 followed the new General Data Protection Regulation (EU) 2016/679. In the
context of the security police, it also implemented the Directive (EU) 2016/680 on the protection of
natural persons with regard to the processing of personal data by competent authorities for the
purposes of the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and on the free movement of such data. The provisions of the Data
Protection Act apply unless explicitly provided otherwise (section 51(2) of the SPA).
25. The police authorities are responsible for the lawfulness of requests for personal data under
section 53 (3a) and (3b) of the SPA. They may only use personal data in so far as is necessary for
the fulfilment of their tasks and have to respect the general principle of proportionality (sections 29
and 52 of the SPA).

(ii) Legal Protection Commissioner
26. The Legal Protection Commissioner (Rechtsschutzbeauftragter) was created by an
amendment to the Federal Constitution in 1997 as an independent organ for the protection of
human rights in the security police. He is not bound by any instructions (section 91a of the SPA).
27. The police authorities must generally give the Legal Protection Commissioner access to
their documents and recordings and provide him with any information necessary for the fulfilment
of his tasks (section 91d of the SPA).
28. The Legal Protection Commissioner supervises, inter alia, the police authorities’
implementation of data requests and their compliance with the rules on correction and deletion of
data (section 91d of the SPA).

(iii) Data Protection Authority (former: Data Protection Commission)


29. The former Data Protection Commission consisted of six members who had legal
experience in data protection. They were appointed for a term of five years by the Federal
President of the Republic of Austria on the basis of a proposal by the Federal Government and
were independent in the performance of their duties (section 36 of the Data Protection Act 2000).
30. An amendment to the Data Protection Act 2014 replaced the Data Protection Commission
with the Data Protection Authority, which is also independent in the performance of its duties. The
head of the Data Protection Authority and the deputy are appointed for a term of five years by the
Federal President of the Republic of Austria on the basis of a proposal by the Federal Government.
Re‑appointment is permitted. They must, inter alia, have specific knowledge of data protection law
and at least five years’ experience in the legal profession (section 20 of the Data Protection Act).
31. Like section 40 (4) of the Data Protection Act 2000, its main task is to ensure compliance
with the rules for data protection and to rectify infringements of these rules (sections 31 to 34 of the
Data Protection Act; see also Article 28 of the EU Data Protection Directive 95/46/EC and
Article 51 of the General Data Protection Regulation (EU) 2016/679).

(iv) Notification
32. The SPA and the Data Protection Act 2000/new Data Protection Act contain rules on
notification.
33. Pursuant to section 24 of the Data Protection Act 2000, as in force on 1 July 2009, anyone
who requested the processing of personal data, including the police authorities, had the duty to
provide information for the data subject (Betroffener). The new Data Protection Act introduced, in
particular, the duty for the police authorities to notify the data subject additionally on data protection
rights and remedies (section 43 of the Data Protection Act).
34. However, like section 24 of the Data Protection Act 2000, section 43 of the new Data
Protection Act does not require a notification if data is obtained by transmission from another entity
and the processing is provided for by law. Notifications may also be delayed, restricted or omitted
to the extent necessary, and as long as it proves necessary and proportionate, to avoid prejudicing
the prevention and combating of crime; to protect public and national security; to protect the
institutions of the Republic; to protect the military facilities and to protect the rights and freedoms of
others.
35. Pursuant to section 91c of the SPA, the police authorities must notify the Legal Protection
Commissioner, inter alia, on requests made under section 53(3a) of the SPA, which concerned IP-
addresses (see paragraph 20 above) and about requests made under section 53(3b) of the SPA
(see paragraph 21 above).
36. If the Legal Protection Commissioner perceives that a right of a data subject, who has no
knowledge of the data collection, has been violated by the use of personal data, he must notify him
or her. If a notification is not possible pursuant to the exceptions of the Data Protection Act (see
paragraph 34 above), he must lodge a complaint with the Data Protection Authority (section 91d of
the SPA). The obligation was introduced on 1 April 2012 by an amendment to the SPA and
replaced the initial wording that the Legal Protection Commissioner was ‘entitled’ to notify and
lodge a complaint.
37. On 1 April 2012 an obligation was also introduced for the police authorities to notify the data
subject if retained data (Vorratsdaten) were required to answer a request under section 53(3a) and
(3b) of the SPA (section 53(3c) of the SPA).

(v) Information rights
38. Pursuant to section 26 of the Data Protection Act 2000, as in force on 1 July 2009,
everyone had the right to obtain information (nature of the data, its source, transmission to third
persons, the purpose and legal basis of the processing) from anyone who requested the
processing of personal data, including the police authorities. The new Data Protection Act
introduced, in particular, a duty for the police authorities to inform the data subject also on the
period of retention, on the rights for rectification, restrictions or deletion and on the data protection
rights and remedies (section 44 of the Data Protection Act).
39. However, like section 26 of the Data Protection Act 2000, section 44 of the new Data
Protection Act restricts the information rights by referring to section 43 of the Data Protection Act
(see paragraph 34 above). In the event of such restrictions, the authorities have to inform the data
subject about the restriction and to provide him or her with the reasons for it. If no data exists or if
the disclosure of the restriction would jeopardise the measure, the police authorities can respond
with a standard reply (“no data, which is subject to the duty of disclosure and concerning the
person requesting the information, is used” [“Keine der Auskunftspflicht unterliegenden Daten über
den Auskunftswerber werden verwendet”]). The reasons for the restrictions must be documented
and made available to the Data Protection Authority.

(vi) Rectification, restriction or deletion


40. Like section 27 of the Data Protection Act 2000, the new Data Protection Act contains rules
on rectification, restriction or deletion of data which is no longer needed or was unlawfully
processed (section 45 of the Data Protection Act and section 63 of the SPA).

(vii) Remedies
41. Like sections 30 and 31 of the Data Protection Act 2000, the new Data Protection Act gives
everyone who considers that the processing of personal data has infringed his data protection
rights the right to lodge a complaint with the Data Protection Authority (sections 32(1 no. 4), 34(5)
and 24 of the Data Protection Act).
42. The right to complain applies also to restrictions on notifications (see paragraph 34 above)
and to applicants who did not receive the requested information (see paragraph 39 above) or
whose request for rectification, restriction or deletion was refused (sections 32(1) and 42(8) of the
Data Protection Act).
43. If a data subject has no knowledge of a violation of his rights, the Legal Protection
Commissioner is obliged to lodge such a complaint (see paragraph 36 above).
44. Pursuant to section 40 (2) of the Data Protection Act 2000 a data subject had a right to
appeal against a decision of the Data Protection Commission to the Administrative Court
(Verwaltungsgerichtshof). The new Data Protection Act contains the right to complain to the
Federal Administrative Court (Bundesverwaltungsgericht) against a decision of the Data Protection
Authority or its failure to act in time (sections 34 (5), 27 and 42 (9) of the Data Protection Act).
45. Under Article 140 § 1 of the Austrian Federal Constitution, every person can challenge the
constitutionality of a law if he/she alleges that the law has infringed his/her rights and become
immediately effective for him/her without a court’s or administrative authority’s decision. In its
well‑established case-law, the Constitutional Court requires “direct interference” by the contested
law with the person’s rights and the unavailability of remedies against its application.

COMPLAINTS
46. The applicant complained under Article 8 of the Convention that the powers provided to the
police authorities under section 53(3a) and (3b) of the Security Police Act (“SPA”) entailed by their
very existence an interference with her right to respect for her private life.
47. The applicant further complained under Article 13 of the Convention that she did not have
any effective remedy in respect of the alleged violation of Article 8 of the Convention.

THE LAW

A. Complaint under Article 8 of the Convention

48. The applicant relied on Article 8 of the Convention, which reads as follows:
“1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right, except such as is in
accordance with the law and is necessary in a democratic society in the interests of national security, public safety
or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or
morals, or for the protection of the rights and freedoms of others.”

(a) The Government


49. The Government were of the view that the applicant had no right to challenge the impugned
legislation in abstracto and that she had failed to exhaust domestic remedies. The applicant had
not alleged that she had been subjected to any measures, nor were there any indications that she
belonged to a group which had an increased risk of being affected by such requests to
telecommunications providers.
50. The present case must also be distinguished from cases concerning secret surveillance
because the impugned provisions did not give powers to collect the content of the communication,
but only communications data.
51. Moreover, the Austrian legal system provided effective and adequate protection against
abuse. As well as being able to notify the data subject, the police authorities had an obligation to
do so if retained data had been used. Furthermore, a data subject had the right to request
information under the Data Protection Act.
52. In cases where statutory restrictions on notification and information applied, which was
foremost applicable in the present case, the review by the Legal Protection Commissioner
compensated for the data subject’s inability to challenge the legality of a measure. This
commissioner was obliged to notify the data subject or to lodge a complaint with the Data
Protection Commission. Changing the wording from ‘being entitled’ to ‘being obliged’ was only a
clarification because it had been common understanding that the Legal Protection Commissioner
had always had the obligation to guarantee efficient legal protection.
53. The right to lodge a complaint with the Data Protection Commission for failure to act or to
challenge the reply of the police authorities was an effective legal remedy. The police authorities
were obliged to implement the commission’s decisions, which were further subject to judicial
review.
54. Finally, anyone who suspected an infringement of his data protection rights had the right to
apply to the Data Protection Commission. It was then obliged to investigate whether there had
been any data compilation, to review the legality of the measures and to notify the applicant as to
how his or her application had been dealt with.

(b) The applicant


55. The applicant argued that she had victim status because it was impossible or an
unreasonable burden for her to prove that she had been the subject of measures under
section 53(3a) and (3b) of the SPA.
56. She contested the Government’s submission that the data subject was notified of such
measures. The domestic legislation neither stipulated such an obligation nor had there been any
notifications in practice, even if there was no longer an interest in secrecy. Notification by the police
authorities was only on a voluntary basis.
57. Likewise, the legal protection by the Legal Protection Commissioner was not effective
because there was no notification obligation. In the past, the Legal Protection Commissioner had
only notified the data subjects in a small number of cases and had never complained to the Data
Protection Commission.
58. Finally, the opportunity to seek information from the police authorities under section 26 of
the Data Protection Act 2000 did not constitute an effective legal remedy. She could not be
expected to make requests to a multitude of police authorities on a regular basis in order to verify
the existence of measures foreseen under the contested legislation.

(c) The third party


59. Privacy International pointed out that access to non-content data or more specific
communications data could also be highly invasive and allowed a comprehensive view into a
person’s private life. Laws providing for State access to such data as well as requests to
telecommunications providers continued to proliferate. A distinction between communications and
content data became increasingly insignificant.

(d) The Court’s assessment


(i) Preliminary observations
60. The Court observes that the applicant has not alleged that she was subjected to any of the
measures foreseen in the SPA, but she has been affected by the mere existence of the legislation.
Even though such measures do not concern surveillance of communication content, requesting
communications data also raises privacy issues capable of engaging the protection of Article 8 of
the Convention. In the context of personal data, the Court has found that the term ‘private life’ must
not be interpreted restrictively (Benedik v. Slovenia, no. 62357/14, §§ 102‑104, 24 April 2018 with
further references, and Ben Faiza v. France, no. 31446/12, § 66, 8 February 2018 concerning, inter
alia, the numbers dialled, the date and duration of telephone calls).
61. The applicant does not complain about her obligations under the SPA as a
telecommunications provider (unlike before the Constitutional Court, see paragraphs 6 and 8
above), but about measures affecting mobile phone and internet users under section 53(3a)
and (3b) of the SPA (in particular in respect of IP-addresses and location data).
62. The present case does not concern retained data (Vorratsdaten) because the impugned
provisions of the SPA, as in force at the time of the Constitutional Court’s judgment on 1 July 2009
(see paragraph 8 above) and as they stand at the time of the present examination, did not
introduce a specific obligation for telecommunications providers to retain data for the purpose of
the investigation, detection and prosecution of crime. Thus, the notification obligation under section
53 (3c) of the SPA (see paragraphs 37 and 51 above) is not relevant for the present examination.
63. The Court does not need to examine whether the applicant complied with the rule of
exhaustion of domestic remedies as her application is in any event inadmissible for the reasons set
out below.

(ii) Victim status


(α) General principles
64. As to the applicant’s victim status, the Court has constantly held that its task is not normally
to review the relevant law and practice in abstracto, but to determine whether the manner in which
they were applied to, or affected, the applicant gave rise to a violation of the Convention (see, inter
alia, Klass and Others v. Germany, 6 September 1978, § 33, Series A no. 28, and more recently
Szabó and Vissy v. Hungary, no. 37138/14, § 32, 12 January 2016, Kosaité-Cypiené and Others
v. Lithuania, no. 69489/12, § 67, 4 June 2019).
65. However, in recognition of the particular features of secret surveillance measures, the Court
has accepted that, under certain circumstances, an individual may claim to be a victim on account
of the mere existence of legislation (Szabó and Vissy, cited above, § 33). By contrast, if the
national system provides for effective remedies, a widespread suspicion of abuse is more difficult
to justify. In such cases, the individual may claim to be a victim of a violation occasioned by the
mere existence of secret measures or of legislation permitting secret measures only if he is able to
show that, due to his personal situation, he is potentially at risk of being subjected to such
measures (Roman Zakharov v. Russia [GC], no. 47143/06, § 171, ECHR 2015, which concerned
covert interception of mobile telephone communications). The Court will also apply those
conditions for victim status to the circumstances of the present case, which did not concern content
data, but communications data.
66. Turning to the first condition, that is the scope of the legislation, the applicant may possibly
be affected by measures foreseen under section 53(3a) and (3b) of the SPA because all users of
communication services are potentially affected (Roman Zakharov, cited above, § 171).
67. As to the second condition, the Court has identified the availability of an effective domestic
remedy as decisive in determining whether there is greater need for scrutiny by the Court and an
exception to the rule denying individuals the right to challenge a law in abstracto is justified
(Roman Zakharov, cited above, § 171).
68. In this context, the Court will also assess the domestic law on notification and information
for data subjects. The Court has linked limitations on notification and information with the
effectiveness of the remedies (see, for example, Klass and Others, cited above, §§ 58‑59;
Roman Zakharov, cited above, §§ 286‑87, and Szabó and Vissy, cited above, § 86). There is, in
principle, little scope for recourse to the courts by the individual concerned unless he is advised of
the measures taken without his knowledge and thus able retrospectively to challenge their legality
(Klass and Others, cited above, § 57).

(β) Notification
69. The Court agrees with the applicant that the notification obligations under section 24 of the
former Data Protection Act 2000 as well as under section 43 of the new Data Protection Act (see
paragraph 33 above), lack practical significance. As the Government has admitted (see
paragraph 52 above), the statutory exceptions from notification (see paragraph 34) apply foremost
to the contested measures.
70. Nevertheless, the police authorities are obliged to notify the Legal Protection Commissioner
of all requests made under section 53(3a) and (3b) of the SPA which concerned IP-addresses or
location data (see paragraph 35 above). Vested with independence and the necessary powers
(see paragraphs 26‑28 above), the commissioner is obliged either to inform the data subject of any
unlawful measures or to lodge a complaint with the independent Data Protection Commission (see
paragraph 36 above).
71. However, an enforceable right to such a notification or complaint exists only in the event of
a violation of the data subject’s privacy rights. It does not result in a general notification obligation.
The relevant provision, as in force at the time of the Constitutional Court’s decision, did also not
explicitly stipulate an obligation for the commissioner to notify the data subject or to complain to the
Data Protection Commission. Even though the Government submitted (see paragraph 52 above)
that the subsequent law amendment (see paragraph 36 above) was solely a clarification, there
remains lack of clarity, as to whether there had always been such an obligation.

(γ) Information rights


72. The Court takes note of the information rights towards the police authorities (see
paragraph 38 above) and furthermore, of the individual’s possibility to apply directly to the Data
Protection Authority under section 24 of the Data Protection Act (see paragraph 41 above). Such
an application had also been possible to the former Data Protection Commission under sections 30
and 31 of the Data Protection Act 2000 and it has never depended on a prior notification of the
applicant. Uncontested by the applicant, the Government argued that everyone had the right to file
such an application on the basis of mere suspicion of an infringement of his data protection rights.
Such a complaint did thus not require a description of the facts, which could only be given after an
applicant had concrete information about any measures (see, mutatis mutandis, Kennedy v. the
United Kingdom, no. 26839/05, § 167, 18 May 2010). On the contrary, the Data Protection
Commission/Data Protection Authority was and is obliged to investigate whether there had been
any data compilation (see paragraph 54 above).
73. While the Court shares the applicant’s view that it is burdensome to seek information from a
multitude of police authorities at regular intervals, an application to the former Data Protection
Commission or to the Data Protection Authority (see paragraph 72 above) were, and remain, easily
accessible alternatives. The applicant did not allege that she had not been able to lodge such a
complaint by herself because of burdensome or too high formal requirements (see paragraph 57
above).

(δ) Remedies
74. A complaint by any person who suspected an infringement of his data protection right, to
the Data Protection Commission/Data Protection Authority triggered an examination of the legality
of a measure (see paragraphs 41, 43 and 54 above) or a review of the police authorities’
compliance with their notification and information obligations (see paragraph 42 above).
75. Further, everybody was and is able to request a rectification, restriction or deletion of data
which is no longer needed or was unlawfully processed (see paragraph 40 above). The decision of
the police authorities on such a request could and can be challenged before the Data Protection
Commission/Data Protection Authority (see paragraph 42 above).
76. Moreover, the decisions of the Data Protection Commission/Data Protection Authority were
and are further subject to judicial control (see paragraph 44 above).
77. The remedy system was further complemented by the Legal Protection Commissioner,
whose access and review rights (see paragraphs 26‑28 above) ensured that the data protection
provisions were observed and applied correctly. Ultimately, this review could result in a notification
of the data subject or in a complaint to the Data Protection Commission/Data Protection Authority
(see paragraph 36 above).
78. The Court finds therefore that the Legal Protection Commissioner and the Data Protection
Authority provide a supervisory system which was accessible for the applicant for any claim
against abuse. This system of effective remedies was already in place at the time of the decision of
the Constitutional Court in 2009 and the Constitutional Court found therefore that the applicant had
to exhaust these remedies before challenging the allegedly unconstitutional law before it (see
paragraphs 8‑13 above).

(ε) Conclusion
79. The Court finds that, although the notification obligations lacked practical significance, a
system of effective remedies with access to judicial control existed. The applicant in the present
case did not demonstrate that she had tried to seek any information under section 26 of the Data
Protection Act 2000 or had lodged a complaint with the Data Protection Commission under
sections 30 and 31 of the Data Protection Act 2000. In such a situation, a widespread suspicion of
abuse and thus a review of legislation in abstracto is more difficult to justify (see, mutatis mutandis,
Kennedy, cited above, § 124).
80. The applicant alleged neither at the domestic level nor in her application to the Court that
her personal or professional situation was of the kind that might normally attract the application of
measures under section 53(3a) and (3b) of the SPA. She had only asserted in her constitutional
complaint (see paragraph 6 above) that she was likely to be affected by such measures, as a
mobile phone and internet user. She did not, therefore, demonstrate that, due to her personal
situation, she was potentially at risk of being subjected to those measures (see Roman Zakharov,
cited above, § 171). The Constitutional Court therefore rejected this complaint as inadmissible.
81. Accordingly, the facts of the present case were never such as to permit the applicant to
claim to be a victim of a violation of her rights under Article 8 of the Convention. Accordingly, this
complaint is incompatible ratione personae with the provisions of the Convention within the
meaning of Article 35 § 3 (a) and must be rejected in accordance with Article 35 § 4.

B. Complaint under Article 13 of the Convention

82. The applicant relied on Article 13 of the Convention which, insofar as relevant, reads as
follows:
“Everyone whose rights and freedoms as set forth in [the] Convention are violated shall have an effective
remedy before a national authority ...”
83. Having declared the complaint under Article 8 of the Convention inadmissible, the Court
concludes that the applicant has no arguable claim for the purposes of Article 13 of the Convention
(see, for the same approach, Valeriy Fuklev v. Ukraine, no. 6318/03, § 98, 16 January 2014, and
Lolova and Popova (dec.), no. 68053/10, § 52, 20 January 2015).
84. It follows that this complaint must be rejected as being incompatible ratione materiae with
the provisions of the Convention, pursuant to Article 35 §§ 3 (a) and 4 of the Convention.

For these reasons, the Court, unanimously,

Declares the application inadmissible.

Done in English and notified in writing on 4 June 2020.

Victor Soloveytchik, Deputy Section Registrar
Mārtiņš Mits, President
