Austrian Federal Minister of Finance (BMF) – Violation Found (Austria, 2022)

The Austrian Auditor Oversight Authority (APAB) informed the Austrian DPA by letter dated March 3, 2022 about the planned conclusion of an administrative agreement between the Federal Minister of Finance (BMF) and the US Public Company Accounting Oversight Board (PCAOB) regarding the transmission of personal audit documents by the APAB. The DPA solicited an opinion from the European Data Protection Board (EDPB) per Article 64(2) GDPR on the safeguards for the transfer of personal data to a third country which, in the absence of an adequacy decision, Article 46(1) GDPR required. The EDPB approved by majority vote. The EDPB had previously approved a similar transfer to the PCAOB by French authorities. The DPA pointed out that the previous adequacy decision for personal data transfers to recipients in the US, the so-called "Privacy Shield," had been annulled by the European Court of Justice, adding that it had not applied to data transfers between authorities anyway. In any case, suitable guarantees were required by Article 46(1) GDPR. Per Article 46(3)(b) GDPR, those guarantees could be provided for by provisions inserted into administrative arrangements between public authorities or bodies subject to the approval of the competent supervisory authority. As the administrative agreement submitted by the BMF was essentially identical to a previous EDPB-approved arrangement between French authorities and the PCAOB and because the EDPB through a majority vote issued a positive opinion on the current transfer, the DPA concluded that safeguards were adequate and approved the transfer.