The last law on the legalisation of a state trojan was repealed as unconstitutional by the Austrian Constitutional Court (VfGH) in 2019, following a challenge brought by SPÖ and NEOS together with us. This 180° turnaround by two parties who previously took the protection of fundamental rights seriously is very surprising.

Such a demand also contradicts the cyber security that is otherwise so often emphasised as a priority in the programme. We have been warning for years about the massive risks of such state-imposed spyware. In other parts of Europe, we see how frequently and across legal boundaries such state Trojans are utilised. Even journalists, activists and politicians in power regularly fall victim to this malware. The parties also seem to have forgotten that such inherently dangerous software can only be infiltrated through open security loopholes when they reached their agreement. Even if a "constitutionally compliant" regulation were possible, it would fail due to the technical reality. Open security loopholes mean insecurity for all people who own mobile devices - the state must not encourage this.

State Surveillance

The military intelligence services are also being given new hacking competences. They will be able to ‘ infiltrate foreign computer systems abroad’. Attacks on foreign IT systems can easily lead to escalation and are a contradiction Austria's neutrality principle, which can also be found in the coalition agreement. There is no mention of legal protection or questions regarding the authorisation of such aggressive steps against foreign countries in the programme. The use of IMSI catchers for military intelligence services is also to be authorised. These surveillance devices can be used to read communication content and metadata from mobile phones in their immediate vicinity.

The SPÖ seems to have gotten its way when it comes to city centre surveillance. ‘Camera-based automated zone entrance management in particular’ is to ensure effective traffic calming in Austrian municipalities. Why the most expensive and inefficient form is preferred to other alternatives remains a mystery to us. The big question is whether real-time access to these cameras by the police will be excluded, as in the draft from the green climate ministry in 2024. After all, video surveillance in public spaces can have a chilling effect on the local population, pedestrians and participants in demonstrations. This makes it all the more necessary to adopt a ban on facial recognition in public spaces as part of the implementation of the EU's AI Act in Austria. Unfortunately, there is nothing about this in the government programme.

A measure that is not precisely phrased is: "Individualisation obligation (roll-out of IPv6) for public IP addresses for network operators - CG-NAT". Carrier-grade network address translation (CG-NAT) refers to a technology that allows network operators to assign public IP addresses and port numbers to the respective subscribers. It is therefore possible to find out the person behind an IP address in the mobile network. With IPv6, however, this technology will become obsolete. If this measure means a permanent obligation to store an assignment for later information by law enforcement authorities, we are moving towards data retention. We are curious to see what is meant by this.

What the three parties have not been able to agree on, however, despite increased surveillance measures, is an urgently needed overall surveillance assessment to evaluate the constitutionality and effectiveness of existing competences and powers.

(Online) Radicalisation, Hate Speach & Combating Terrorism

We welcome the fact that the future government supports the Digital Services Act (DSA) and is committed to its further development. As a European legal act, the DSA aims, among other things, to combat (online) radicalisation and hate on the internet by holding large platform operators more accountable.

This should be emphasised in particular in view of the fact that the DSA has come under massive fire both in Austria from the FPÖ and internationally from the Trump administration - even though the law is still in its initial phase and many of its hoped-for positive effects will only become visible in the long term.

In this context, it is also positive that support for fact-checking initiatives and trusted flaggers is to be expanded. Trusted flaggers are particularly trustworthy reporting centres that are prioritised due to their expertise and high hit rate in identifying illegal or harmful content on online platforms. It has already been shown that there is a lack of financial resources here in particular. However, adequately resourcing these centres could contribute significantly to the effective enforcement of the DSA.

Digital ID obligation from the Kurz-era

The ÖVP has apparently prevailed with its demand from 2018, a digital ID requirement. Under the premise that "the internet must not be a law-free space", it calls for "individualisation through platform operators (and disclosure above a certain offence severity)". In practice, this probably means that you have to identify yourself to a platform using ID Austria or other means before you can post on social networks, in the forums of derstandard.at or krone.at or on other online services.

In the review of the last draft for a digital ID requirement in 2019, the initiative was heavily criticised by the Supreme Court, the Data Protection Council, the Bar Association, the OSCE and a large number of NGOs. Thanks to the Ibiza video, the law failed together with the turquoise-blue government. Now the new government, which intends to "do the right thing", seems to be taking up this idea from the Kurz-era. The proposal will have to face up to the massive risk of restricting freedom of expression, the exclusion of people without ID Austria and the collection of valuable identity data by big tech platforms. In view of the so far unproven contribution of this measure to the investigation of criminal offences and the alternative ways of spying on Internet users, we strongly doubt its proportionality. We urgently warn against this proposal!

Preventive Detention, Asylum and Migration

Many of the measures from the FPÖVP programme can also be found in the new government programme, subject to review. This includes the point "Examination of further measures restricting freedom against perpetrators". This probably refers to preventive detention, which clearly contradicts the requirements of the rule of law. The introduction of preventive detention without a person having committed even the slightest preparatory acts for a potential criminal offence - not to mention a court conviction of any kind - would be a drastic deviation from the principle of the rule of law, the EU Charter of Fundamental Rights and the European Convention on Human Rights.

The use of "AI-supported speech recognition software in asylum and immigration procedures" is also to be examined. Such software has proven to be prone to errors and could have drastic consequences for those seeking protection, particularly in the case of underrepresented language groups.

As was already the case in the black-blue coalition negotiations, the future government is also showing signs of agreement on the evaluation of asylum seekers' mobile phone data. This represents a massive intrusion into the privacy of refugees. Apparently, the blanket and suspicion-independent evaluation of digital life is seen as a prerequisite for the protection of refugees. In Germany, this approach has already been declared unlawful by the courts due to serious concerns.

Finally, drone surveillance at Austria's borders is also to be expanded. There is a commitment to increasing the EU border protection agency Frontex through - unspecified - technical and legal measures for external border protection.

IT Security & NIS2

As mentioned at the beginning, the government recognises the massive need to catch up in terms of cyber security in Austria and is committed to strengthening the powers and competencies of state institutions. However, this overlooks the fact that the use of a state trojan ultimately leads to a weakening of general IT security, as vulnerabilities in IT software must be created or maintained for its use, which can also be exploited by any third party (criminals, foreign states, etc.).

On a positive note, we should mention the planned implementation of the NIS2 Directive, which was neglected in the previous legislative period. The draft was criticised from many sides at the time and therefore did not receive the necessary 2/3 majority in parliament. One of the key points of criticism was the bundling of competences at the Ministry of Interior. In future, a separate authority is to be created, which is to be welcomed in principle, although care should be taken to ensure that the future new authority is given the necessary independence and the necessary financial and human resources. Otherwise, reference is made to implementing "in accordance with the directive". It is important to note that cyber security is of immense importance for the everyday lives of all people, but also in a geostrategic context - it is therefore important to give this issue the necessary priority; these very brief lines in the programme make us doubt that this is perceived by the government.

Due to the existing shortage of skilled labour, it would be important to activate the existing expertise in Austria, so we are disappointed that issues such as the secure legal framework for IT security research or the involvement of business, research and civil society in strategic IT security issues are not included in the programme. Instead, there is only a vague reference to the fact that the training and recruitment of specialists in the field of IT security is to be strengthened. An "evaluation of the current provisions on cybercrime" could result in the urgently needed legal certainty for security researchers or a tightening of hacking offences.

We urgently recommend that the National Council set up an enquiry into this important topic, as proposed by the opposition parties (at the time), in order to promote an open exchange instead of quickly creating structures that ultimately do not serve the IT security of our country.

Administrative Digitalisation, ID Austria & Right to Analogue Life

A total of 45 measures can be found in the government programme in the area of modernising the administration and expanding eGovernment services. The expansion of electronic acts in all areas of public administration is mentioned in several places. At the same time, the coalition has implemented measures for the inclusion of people without digital skills or without ID Austria in accordance with the "right to analogue life" in the election programmes of the ÖVP and SPÖ.

The coalition has made a clear commitment to "simple, barrier-free, inclusive and non-discriminatory access"’ in analogue form to information and public services. This also includes the rejection of ‘online-only’, which means maintaining personal, written or telephone access to administrative services of general interest. Finally, it is promised that notices or official information will continue to be made available on paper free of charge. However, these measures fall far short of the protection against discrimination provided by the future EU system for digital identities (eIDAS). These also include the private sector and the labour market. We summarised what should be reformed at national level back in November.

When the ID Austria was introduced under Minister Schramböck, there was a promise that its use would remain voluntary for everyone. The government programme apparently wants to move away from this, as it states: "The ID Austria will be issued at birth." This means that legal guardians can already initiate administrative processes for their children. Many parents may not want this for their children. A choice would therefore be important here in order to maintain and strengthen trust among the population.

ID Austria should also be increasingly promoted in the private sector for login and customer identification in future. We have been pointing out the dangers of state identities in the private sector for many years. However, EU regulations mean that the federal government no longer has any room for manoeuvre here. However, we are criminally missing the necessary measures to convert ID Austria to the new EU system of the eIDAS Regulation. This changeover must be completed by November 2026 at the latest and many EU countries are already much further along than Austria. The EU system would be a major step forward for data protection.

Public Health & Register Research

The controversial Austrian Micro Data Centre (AMDC) is to be expanded. Despite massive and cross-party criticism, it was decided in 2021 to open up state register data for research while at the same time weakening data protection. This project is now to be further expanded with the aim of opening up all register data at federal level by 1 July 2026. Without a prior repair of the register, this would be a ticking time bomb, because under the current rules, misuse of the data or re-identification of individuals cannot be ruled out. A clean anonymisation of the data would be possible, but is not provided for in the current law.

The government programme also includes the opening of health registers for the AMDC. This would mean that sensitive health data would also be passed on to researchers without those affected being able to object. The health data for children and adolescents is also to be explicitly enriched to include their "socio-economic background". For example, parents' income, housing conditions, data from the education sector, etc. will be merged with health data at Statistics Austria and then released to research institutions upon request. Austria thus appears to go far beyond the European Health Data Space (EHDS), which does provide for the subsequent use of health data by research, but with better data protection requirements and without linking it to data from other areas of life.

In a subordinate clause, the coalition mentions the "preservation of the opt-out system" for ELGA. The vaccination certificate, which has been available since 2021, is also to be made available as an app in future. There is no mention of a reform of the vaccination register and the restriction to vaccinations against dangerous or infectious diseases.

Artificial Intelligence

The topic of artificial intelligence can be found in 25 places in the government programme, which is appropriate given the rapid developments in this area. The way in which the coalition intends to approach this topic is indicated by the corresponding headings: "Utilising the opportunities of AI" and "Digital and AI location". Instead of creating an independent supervisory authority, as intended by the European AI Act, the future government wants to rename the current AI service centre as an authority and also assign it the task of providing legal advice to organisations and companies on the implementation of AI measures. In our view, this is a clear conflict of interest and also completely misses the aim of the AI Act to create a market supervisory authority. To avoid any misunderstandings, it is certainly to be welcomed if the government wishes to provide independent advice - but this should not be provided by the body that subsequently conducts proceedings and imposes sanctions.

The programme includes plans to examine the establishment of a supervisory authority to ensure the protection of fundamental rights by AI systems. It is not clear to us what the intention of this is. In principle, the AI Act itself provides for the designation of authorities and public bodies with supervisory or enforcement powers for fundamental rights (see Art 77 AI Act). Such bodies have already been designated in Austria, including the Data Protection Authority and the Austrian Trade Union Federation (ÖGB). If other organisations are of the opinion that they should be part of these bodies, this can be suggested informally by e-mail to the BKA. An establishment at a purely national level outside of the AI Act would probably be difficult under European law, as well as being redundant in terms of substance.

We take a critical view of the increased use of AI in public administration.

Large-scale long-eye models (chatbots) are to be created for employees and citizens to reduce their workload. This is also to be used for "routine activities", "streamlining potential" and "checks" (of employees?).The government does not provide any answers as to how known problems of such systems (bias, hallucinations, transfer of decision-making powers, etc.) are to be solved. At the beginning of last year, the SPÖ and NEOS reacted to the disgrace of the AMS chatbot with parliamentary questions and now they seem to be repeating the same mistakes in government without reflection. If a chatbot soon spreads false information on oesterreich.gv.at or a discriminatory AI decides on the allocation of social benefits, the question of political responsibility arises.

In our view, there is currently a lack of awareness or a corresponding strategy to strengthen employee and consumer protection in the context of AI applications. It would be appropriate to consider not only future opportunities but also existing disadvantages. On a positive note, the creation of a department for employee data protection in the data protection authority with corresponding resources is planned. There have been very few decisions by the data protection authority in this area to date, so it is to be welcomed that more attention is being paid to this particularly sensitive area in terms of data protection law.

Education & Protecting Children

There is also a lot of light and shade in the chapter on education and much depends on the specific implementation. A total of 28 planned measures in the education sector revolve around digitalisation and how to deal with it in the education system. Many of these are positive as they primarily aim to take account of technical progress and social challenges. Further developments in the content of teaching and research are planned, as is the expansion of the necessary infrastructure, such as modern workplaces for teachers and digital classrooms.

Building on basic digital education in the lower grades, computer science education should also be strengthened in the upper grades. There are plans to introduce a nationwide regulation banning mobile phones in schools. It remains to be seen how age-appropriate implementation will look in practice. We welcome the measure, not least because targeted use in lessons should still be possible.

We are concerned about the use of AI in the classroom and to promote learning in many measures, where we fear that it will be used too uncritically. The focus here should be on data protection-friendly alternatives and not on software such as ChatGPT , which would perpetuate the known data protection problems with providers such as Microsoft and Google. We lack a clear commitment to the existing alternatives here.

The expansion of learning platforms, digital textbooks, etc. is also to be accelerated. The central school platform "Portal Digitale Schule" for federal schools has recently made a successful transition to a functioning open source platform. This means that taxpayers' money is no longer being invested in US providers that do not adhere to our data protection laws and use children's data for their own purposes, but rather in transparent solutions that we can control and shape. This approach should definitely be continued consistently in the many planned digitalisation projects. To this end, there is a mention of "open source" and the consideration of "digital sovereignty in federal procurement" in the digitisation chapter, as well as a "strategy for the digital sovereignty of young people" in the education chapter.

We are particularly critical of the planned expansion of data collection on the developmental and educational status of nurseries in several places. Most recently, the turquoise-green government decided to extend the storage period of educational documentation from 20 to 80 years. The plan is to link the information on the level of development, learning behaviour and the results of competence measurements with socio-economic data to create a "digital education passport". The aim is to create a treasure trove of data on every child that will arouse the interest of many other organisations in the future.

Broadband Expansion & Network Blocks

The programme includes positive measures for the expansion of fixed-line Internet in Austria. The focus is correctly placed on fibre optic technology. Better maps and the coordination of various players should promote the expansion of the network. Unfortunately, there is no mention of the important concept of net neutrality in the government programme.

We are particularly critical of the introduction of network blocks against illegal gambling. It is unclear what form the "Internet protection filters to prevent pornography and violence" will take. Protection of minors on the device itself is a suitable solution, whereas network-based optional filters violate EU rules on net neutrality. ECJ proceedings from Austria are currently pending on the subject of network blocking and a sensible regulation via the telecoms regulatory authority is being sought in vain in the government programme.