Summary

• The newly enacted Informationsfreiheitsgesetz (IFG  AT) gives companies and individuals the right to access information and allows them to access (proactively) published data free of charge and informally. This creates new opportunities for market research, strategic decision-making, and gathering of evidence in legal proceedings.
• Making strategic use of the IFG AT as an information source and implementing internal compliance structures requires specialist expertise to unlock benefits while meeting statutory duties.
• The IFG AT also poses risks to companies: Confidential data, such as business and trade secrets, or personal data submitted to the authorities or other bodies that are legally required to provide information, may be subject to third-party information requests or the proactive duty to provide information, thereby making it more accessible to third parties or the public. This key risk should be mitigated by minimizing and labeling sensitive information already at submission stage.  
• Companies performing public functions or companies under public control may themselves become subject to information requests and will therefore require IFG‑compliance processes.
• A prepared and professional approach is essential to safeguarding sensitive data, avoiding conflicts and anticipating potential legal proceedings relating to information requests.

Austria’s new IFG AT replaces the long‑standing system shaped by the principle of official secrecy. The new law establishes a right of access to official information and imposes a duty of proactive publication on the majority of public bodies. Until recently, Austria was the only EU Member State in which official secrecy was constitutionally entrenched, contributing to its consistently poor performance in international transparency rankings. Across Europe, many constitutions already enshrine a right of access to information, and other states provide for it by statute. At EU level, transparency is guaranteed by Article 15  TFEU, Article  42  of  the Charter of Fundamental Rights, the EU Transparency Directive, and indirectly through the right to freedom of expression under Article 10 ECHR. 

For example, Germany has had a freedom‑of‑information regime, similar to the newly introduced IFG AT, since 2005. Both the Austrian and the German frameworks aim to increase transparency in government by giving citizens the right to request information and by mandating publication of certain data. In Austria, the freedom of information is explicitly constitutionally anchored in Article 22a Federal Constitutional Act (Bundes-Verfassungsgesetz, B‑VG). In Germany, however, it derives only indirectly from the Constitution. Both laws are in conformity with the GDPR but differ in scope: Major Austrian authorities must proactively publish information of public interest such as statistics, studies, and contracts, while the German law generally requires only publication of organizational charts. Both recognize exceptions for legitimate interests such as national security, personal data, or business secrets but Germany’s data‑protection provisions remain more detailed. While the procedures under the IFG  AT and the German IFG are similar in principle, Austria generally provides fixed deadlines and waives fees for applicants. In addition, the IFG  AT contains special rules for so-called public watchdogs, such as media or NGOs requesting information for monitoring purposes: In the case of information requests by public watchdogs, third parties affected by the publication of the requested information are not heard prior to publication, nor are they notified of the publication. In Austria, supervision lies with the Data Protection Authority, in Germany, with the Federal Commissioner for Freedom of Information. It remains to be seen to what extent Austrian authorities and institutions will consult Germany when implementing the IFG  AT and how willing they are to learn from established German practice.

The introduction of the IFG  AT will have significant practical consequences: 

Opportunities for Businesses

The new regime is based on two pillars: the right of access to information, alongside the proactive duty to publish information of general interest. Anyone may submit a request for access to information held by bodies that fall within the scope of the IFG AT. These bodies are not limited to public bodies; they may also include other legal or natural persons that perform public tasks or are under public control. Any record serving official or business purposes within the remit of the body may be requested, regardless of its form. Requests for access to information may be submitted informally and free of charge to the relevant public or private body. If a request is submitted to the incorrect body, that body must forward it to the correct one. The response period is usually four weeks, during which time the requested information must be made available. The second pillar of freedom of information, the proactive duty to provide information, is even more innovative. It requires public bodies to proactively and independently publish information of general interest. Such information includes, among others, organizational rules and structures, official gazettes, official statistics, studies and expert opinions, as well as contracts. This information must be entered into a public database. 

The proactive duty to publish information does not apply to privately organized entities or small municipalities. The obligation to provide information due to a request for information, on the contrary, also applies to companies that perform public functions or are under public control. Companies may therefore be subject to disclosure obligations. If this is the case, they must implement appropriate compliance processes. These include clearly defined responsibilities for handling requests for information, creating a data inventory to facilitate disclosure duties, and drafting internal guidelines on how to conduct the balancing of interests when answering requests. It should be noted that listed companies are generally exempt from the obligations of the IFG  AT, as they are already subject to extensive transparency requirements. Companies should carefully assess whether they are covered by the IFG  AT and, if so, set up internal procedures accordingly.

The newly introduced duties of public authorities enhance transparency and strengthen public trust. They also create legal certainty and predictability in relation to the work of public institutions. The new regime means that companies will have simpler, largely cost-free access to official data, creating new opportunities for market research and strategic decision-making. The IFG  AT will be particularly relevant in fields such as environmental and planning law, where it provides access to expert reports, measurement data and permits. For corporate acquisitions and sales, enhanced transparency may allow more efficient collection of information on public target entities and public shareholdings. Companies should assess which data could benefit them and regularly consult the public database. By leveraging the publicly available database and directly requesting information from public bodies, businesses can strengthen decision‑making and transparency risk assessments. Developing internal guidelines for submitting and managing information requests will make this process efficient and targeted.

Risks for Businesses

The IFG  AT defines several exceptions to the obligation of public and private bodies to disclose information, mainly to protect public interests (such as national security) or private data. The most important aspects are the protection of personal data and trade and business secrets. Banking secrecy, editorial secrecy and intellectual property rights are also safeguarded.

When information requests involve third‑party data, authorities must balance the applicant’s interest in disclosure against the third party’s confidentiality interests. Companies should therefore review the way they submit data to the relevant authorities: Information about your business, trade secrets or personal that you provide to the authorities may be subject to information requests from third parties. Sensitive data should therefore be labelled and minimized at submission stage, accompanied by clear reasoning for its confidentiality. Well‑documented justifications make it easier for the authority to balance competing interests and strengthen protection if an access request arises. 

Normally, affected parties are heard before disclosure. Both applicants and affected third parties should establish protocols for hearings in anticipation of possible information requests. However, the hearing requirement does not apply when information is requested by recognized public watchdogs exercising their role under Article 10 ECHR and Article 11 EU Charter of Fundamental Rights. Public watchdogs are actors who conduct investigative research in the public interest and thereby perform a monitoring function over governmental activities. This exception reflects the law’s intent to safeguard investigative and societal scrutiny of public institutions without obstruction by those affected. Where a typical public watchdog relies on these European fundamental rights, a prior hearing of the affected party is to be omitted, if that is necessary in view of the rights invoked. Companies should therefore be prepared to set out their protective interests in a well-documented and comprehensible manner and be ready to respond.

Finally, it is important to note that third parties affected by the disclosure of information do not have party status in related administrative proceedings. Although third parties are usually consulted before information relating to them is disclosed, they are not given the opportunity to argue against the disclosure in administrative proceedings. This lack of party status poses a particular risk to companies. This emphasizes the importance of labeling and minimizing data, and providing reasons for its confidentiality at the submission stage. 

Legal Remedies

It is essential for companies to understand the available legal remedies. If information is not provided, applicants can request a formal administrative decision that can be appealed in the administrative court. For disputes involving non-state entities, an application for a judicial determination can be submitted to the relevant court. In certain circumstances, it may be possible to take further action with the Austrian Constitutional Court. Third parties whose rights are affected by disclosure can lodge a complaint with the Data Protection Authority and, if they have suffered damage, take legal action against the state. However, it is important to note that these legal remedies are available only after information has already been published. 

The IFG AT as a Measure to Increase Transparency in Public Administration

The IFG  AT fundamentally improves access to information for individuals and companies. Deadlines are shorter, fees largely abolished, and the right of access extends to publicly owned enterprises performing public tasks. The constitutional anchoring of the right to access information and the strengthening of legal protection support the law’s aim of enhancing the transparency of public bodies. The protection of third-party information is ensured through a balancing of interests. 

Ultimately, these provisions support companies in monitoring the market and assessing administrative decision‑making within regulatory frameworks. However, entities performing public functions or under public control must refine their transparency policies and internal processes to manage incoming information requests effectively and safeguard trade secrets. Seeking professional legal guidance can help you to take advantage of the new regime by developing strategies for acquiring information, designing confidentiality and disclosure procedures, and implementing robust internal IFG processes. This is especially critical in regulated sectors where precision in handling official information and communication with authorities is key.

A professional and proactive approach to the IFG AT will allow businesses to harness information advantages, navigate new risks with confidence, and embed transparency compliance into everyday practice. In the years to come, information‑access procedures are likely to become an integral part of both corporate and legal strategy.