Bootcamp Section I - Introduction to European Data Protection Flashcards

1
Q

What is the only international treaty with binding legal force related to data protection and privacy that is open to signature for every country throughout the world?

A

Convention 108

2
Q

After learning that your personal data appears in the law enforcement database retained by Hans’ police department, you seek to bring a lawsuit for a violation of your right to a private life under the Charter of Fundamental Rights. Which of the following principles are you most likely to argue was violated by the open-ended retention of data by Hans’ police department?

Recently, Hans, a German citizen that is the chief law enforcement officer for a mid-sized German city, has become interested in purchasing some of MyView’s products to be used for law enforcement purposes. His office eventually purchases several cameras that it places in public locations and the facial recognition software from MyView. It keeps a comprehensive, independent database of all individuals appearing on its video recordings. Most of the information contained in this database is obtained by regularly downloading information off of its client portal on MyView’s website. In addition, however, Hans’ police department combines that facial recognition data with the criminal history of each person appearing on camera. Hans believes he has the legal authority to do this under a local German law.

A

The proportionality principle.

3
Q

Why is Article 94 of the GDPR important?

A

It clarified that prior references to the Data Protection Directive in other legislation should be construed as a reference to the GDPR.

4
Q

All the following are names of procedures that can be used to enact legislation, except:
- Ordinary
- Consultative
- Super majority
- Consent

A

Super Majority

5
Q

What guidance should Emma provide to Sofia in response to her request to draft implementing legislation for the ePrivacy Regulation?

Emma works as a legislative aide to Sofia, a member of Denmark’s Parliament, the Folketing. In this role, Emma is asked to conduct some research on data protection issues across Europe. In particular, Sofia wants to develop some proposals for local Denmark legislation that would provide greater protections for individual privacy. Emma is asked to find areas within the General Data Protection Regulation that specifically permit member state legislation.

During her research, Emma reviews Article 9(4) of the GDPR, which permits member states to, in some instances, impose further limitations or conditions on the use of special categories of personal data. Emma drafts some proposed legislation based upon this provision.

Emma also discovers that the GDPR permits member states to change the age at which a data subject may provide valid consent. Sofia instructs Emma that any legislation should protect children for as long as possible.

Although Sofia believes that individual privacy should receive high levels of protection, she also believes that the GDPR's fairness principle is too ambiguous and, perhaps, weighted too heavily in favor of the individual. She wants Emma to investigate ways in which this principle can be either further defined or restricted.

During her research, Emma has stumbled upon a permissive provision within the ePrivacy Directive that allows, but does not require, member states to adopt legislation applicable to electronic services providers. She sets about drafting legislation related to this provision. Sofia, however, has also recently learned that the European Parliament is set to vote on an ePrivacy Regulation that will supersede and replace the ePrivacy Directive. She asks Emma to develop and draft implementing legislation from scratch for this new European Union law.

A

Implementing legislation is not necessary because European regulations are directly binding on their own terms.

6
Q

Which of the following best describes why the Data Protection Directive served as an important inflection point for European data protection?

A

Many European countries failed to ratify Convention 108 and the Directive was thus the first time that all E.U. countries were legally obligated to implement data protection legislation.

7
Q

What is another name for the Maastricht Treaty?

A

The Treaty on European Union.

8
Q

The ePrivacy Directive would apply to which of the following?

  • An internet service provider that offers its services to the general public throughout Europe.
  • An internet service provider that offers its services to customers in the U.S. but, through the use of a VPN, is actively used by E.U. residents.
  • An organization that has established an internal intranet network for its headquarters based in Europe.
  • An organization that processes personal data of the users of an internal intranet system.

A

An internet service provider that offers its services to the general public throughout Europe.

9
Q

What are Chapter Two (2), Three (3) and Four (4) of Convention 108?

A

Chapter 2: Privacy Principles
Chapter 3: Transborder flow of data
Chapter 4: Mutual assistance

Additional Protocol to Convention 108 - Introduced the concept of an “adequacy decision” for transborder data flows to non-member nations; called for the creation of national SAs that should be responsible for enforcement.

10
Q

Which of the following institutions does not play a role in data protection?

  • The Court of Auditors.
  • The Court of Justice of the European Union.
  • The European Court of Human Rights.
  • The European Parliament.
A

Court of Auditors

11
Q

Which of the following best describes the biggest problem with the Data Protection Directive (Directive 95/46/EC) identified by the European Commission in its 2003 report?

  • The enabling legislation in member states resulted in significant cross-border variation in the application of the Data Protection Directive across Europe.
  • The Data Protection Directive only applied to the public sector.
  • The Data Protection Directive did not contain data minimization requirements.
  • The Data Protection Directive only applied to the private sector.
A

The enabling legislation in member states resulted in significant cross-border variation in the application of the Data Protection Directive across Europe.

12
Q

Which of the following is most accurate?

  • Even though the GDPR is in the form of a regulation, there are still specified instances in which a member state may pass national legislation affecting the processing of personal data.
  • The Data Protection Directive applied upon its own force, until it was replaced by the GDPR.
  • The GDPR replaced the Data Protection Directive, therefore requiring member states to pass new enabling legislation at the national level.
  • Because the GDPR is in the form of a regulation, member states are not permitted to pass any national-level laws affecting the processing of personal information.
A

Even though the GDPR is in the form of a regulation, there are still specified instances in which a member state may pass national legislation affecting the processing of personal data.

13
Q

In what instances is national legislation permitted as a means of complementing the GDPR?

A
  • When a member state seeks to impose higher protections on “special” categories of data.
  • When a member state imposes processing requirements that are related to the employer-employee relationship.
  • When a member state seeks to further define when processing is lawful.

Although the GDPR was in the form of a regulation (not a directive), there remain instances in which individual member states have been given the freedom to implement their own data protection rules. Additional national legislation is permitted in cases where:
(1) processing requirements are related to the employer-employee relationship;
(2) a member state seeks to further define when processing is lawful; or
(3) a member state seeks to impose higher protections on “special” categories of data. These are just a few examples. It is important to recognize that, while the GDPR is the starting point for studying modern data protection regulation in the E.U., privacy professionals must also be aware of national legislation impacting privacy rights.

14
Q

All the following are true with respect to the European Court of Human Rights, except:

  • It is also responsible for enforcement of Convention 108.
  • It is an institution of the European Union.
  • It plays an important role in European data protection through the enforcement of the right to privacy.
  • Its primary purpose is to enforce the European Convention on Human Rights.
A

It is an institution of the European Union.

The second oldest European institution is the European Court of Human Rights, which was established in 1959 to enforce the European Convention on Human Rights (“ECHR”). Unlike the other entities discussed in previous Modules, however, the European Court of Human Rights is not identified as an institution of the European Union in Article 13 of the Treaty on European Union. The Court sits in Strasbourg, France, as a part of the Council of Europe. In addition to enforcing the ECHR, it is also responsible for enforcing Convention 108 and its later amendments.

Created in 1959 to enforce the European Convention on Human Rights; now also enforces Convention 108 (and amendments)
Power is limited by inability to enforce decisions (must rely on Council of Europe to enforce) and may not override national interpretations of laws
Plays an important role in data protection:
* Gaskin v. United Kingdom – Restricting access to a personal file violated Article 8 of the ECHR
* Haralambie v. Romania – Placing obstacles in the way of an applicant seeking access to their secret personal file violates Article 8
* B.B. v. France; Gardel v. France; and M.B. v. France – Automated processing of personal data by the police for purposes of maintaining a sex offender registry does not violate Article 8
* M.M. v. United Kingdom – The indiscriminate and open-ended collection of criminal record data very likely does not comply with Article 8 in the absence of appropriate safeguards
* Copland v. United Kingdom – Monitoring an employee’s email at work violates Article 8 if there is no legal basis permitting monitoring
* Big Brother Watch v. United Kingdom – Bulk interception of communications violated Arts. 8 and 10 of the ECHR

15
Q

Each Member State of the European Union is allowed to appoint one member (and only one member) to sit on which institution?

A

The Council of the European Union.

16
Q

What best describes the scope of the E-Commerce Directive?

A

It applies to “information society services” but does not require the exchange of remuneration between the user and the service provider.

  • Intended to strengthen the internal market and foster a healthy online economic environment
  • Applies to “information society services,” which are any services provided: (1) “at a distance” (i.e., without the parties being simultaneously present); (2) by “electronic means” (i.e., sent over electronic equipment); and (3) “at the individual request of a recipient of services”
  • Although the definition also includes the phrase “provided for remuneration,” the Recitals make clear that it applies to any acts that “represent an economic activity”; the ECJ agreed in the Papasavvas case, finding indirect remuneration (e.g., from paid ads) was enough
  • Four primary principles: (1) protection of the single market; (2) no prior authorization is permitted; (3) basic e-commerce requirements; and (4) limitations on liability for certain organizations
  • Does not apply to questions covered by the GDPR and the ePrivacy Directive; still important, however, because the interplay between these laws is not always clear
  • The Digital Services Act was proposed in late 2020 as a potential replacement; political agreement has been reached; set to go into effect on January 1, 2024
17
Q

The 2009 amendments to the ePrivacy Directive implemented the following changes:

A

It imposed requirements that certain notices be provided to national authorities and individuals in the event of a data breach likely to adversely affect subscribers.

It requires user consent before a web cookie can be placed on a user’s device, with some limited exceptions.

It provided a private cause of action for parties that receive unsolicited advertisements against the infringer.

The most important, and controversial, change implemented by the 2009 amendments to the ePrivacy Directive related to the use of internet “cookies.” Consent is now required to place cookies on a user’s device or read cookies on a user’s device, with some limited exceptions. Beyond the new rules related to the use of cookies, the 2009 amendments also implemented two other important changes to the ePrivacy Directive. First, service providers must now notify competent national authorities, as well as individual data subjects in the event of a data breach that “is likely to adversely affect the personal data or privacy of a subscriber or individual.” Second, the amendments permit individual data subjects that receive prohibited unsolicited advertisements the right to bring a private right of action against infringers. The ePrivacy Directive expanded its scope, in comparison to its predecessor legislation, by applying to all electronic communication services, rather than just telecommunication services. This, however, occurred with the initial passage of the ePrivacy Directive in 2002, not the 2009 amendments.

  • Adopted in 2002 and expanded its scope in comparison to its predecessor to cover “all electronic communications services,” rather than just “telecommunication services”
  • Applies only to processing of personal data over publicly available services (i.e., does not apply to internal intranet systems), but non-public services may still be subject to the GDPR
  • Requires that terminal equipment be constructed in a manner that will protect individual rights, but member states may not require specific types of technology to be implemented if it would impede free trade
  • The ePrivacy Directive imposes the following requirements (through implementing legislation):
    (1) Security – Appropriate technical and organizational safeguards must be implemented that are appropriate to the risk
    (2) Confidentiality – Communication and traffic data must remain confidential; interception is prohibited except with consent or where legally authorized
    (3) Traffic Data – Traffic data must be erased or anonymized when no longer needed, except as needed for billing, fraud detection, etc.
    (4) Privacy Enhancing Practices – Specific privacy enhancing practices, such as providing non-itemized billing, must be adopted
    (5) Location Data – Processing location data requires consent of the subscriber or anonymization
    (6) Restrictions on Unsolicited Marketing – Most digital marketing is restricted and requires opt-in consent
  • Article 5(3) requires consent before web cookies are used:
    - Part of the 2009 amendments, called the E.U. “Cookie Directive”
    - The only exceptions to consent are when cookies are (1) strictly necessary for the provision of the service requested by the subscriber; or (2) for the sole purpose of carrying out the transmission of a communication
    - The specific means of obtaining consent are not set forth; left to enabling legislation
    - Consent is defined the same as under the GDPR
  • Additional 2009 amendments: (1) notice requirements for data breaches; and (2) private cause of action for those that receive unsolicited advertisements
  • An “ePrivacy Regulation” has been proposed and negotiations are ongoing
18
Q

What document first introduced the concept of an “adequacy decision”?

A

The Additional Protocol to Convention 108.

19
Q

Which Article of the European Convention on Human Rights (ECoHR) specifically protects the right to a private life?

A

Article 8

20
Q

What is the correct chronology, from the earliest adopted document to the latest?

A

Universal Declaration of Human Rights;
European Convention on Human Rights;
Convention 108;
Charter of Fundamental Rights.

Data protection laws and regulations evolved alongside the broader transformations that were occurring across Europe following the Second World War.
The foundation of data privacy in Europe is based in human rights.
The Universal Declaration of Human Rights was the primary document upon which human rights are based. Shortly after its development, the Council of Europe developed the European Convention on Human Rights. Eventually, Convention 108 and then the Charter of Fundamental Rights were also created.

21
Q

What changes did Convention 108+ implement?

A

Identifies certain “special” categories of personal information that must be treated with additional care.

Defined terms such as “controller” and “data processing.”

There must be a valid legal basis for processing of personal information to be legitimate.

22
Q

What legislation has been proposed to replace the E-Commerce Directive?

A

The Digital Services Act.

23
Q

Who may propose legislation to be voted on by the European Parliament?

A

The European Commission.

24
Q

Many of your colleagues have heard of a term called an “adequacy decision” and want to use that as a basis to transfer personal data of E.U. data subjects to the United States. As you explain this concept to your colleagues you reference the piece of legislation, treaty, convention, or other document where this concept was first implemented. Which of the following did you refer to?

A

The Additional Protocol to Convention 108.

25
Q

Which is the most recent data protection legislation enacted by the E.U.?

A

The Second Network and Information Security Directive.

26
Q

What is true with respect to obtaining user consent for purposes of placing a cookie on a user’s device?

A

How consent must be obtained is not defined by E.U. legislation and is therefore left to member state implementing legislation.

27
Q

What did the European Court of Justice hold in the Digital Rights Ireland case?

A

That the Data Retention Directive was invalid because it violated the proportionality principle of the Charter of Fundamental Rights.

  • The Data Retention Directive was enacted in 2006 but was struck down as invalid by the ECJ in 2014
  • In Digital Rights Ireland case the court found that the principle of proportionality was violated because there were no limits placed on the obligation to retain data
  • Article 15(1) of the ePrivacy Directive still permits member state legislation that requires the retention of certain data for national security and public safety
  • Any such legislation must be “necessary, appropriate and proportionate”
  • This is permissive, rather than mandatory; only a handful of states have adopted legislation under this provision
28
Q

Which of the following regarding the Data Governance Act is accurate?

A

The Data Governance Act does not provide an additional basis for lawfully processing personal data under the GDPR.
Where any conflict exists, the GDPR prevails

The Data Governance Act (DGA) aims to increase the availability of public data so that it can be beneficially used by businesses and citizens while providing a framework to enhance trust in voluntary data sharing. It covers both personal and non-personal data. This act entered into force on June 23, 2022, with full effect starting in September 2023.

The Recitals to the DGA state that its terms are “without prejudice” to the application of the GDPR, including in situations “where personal and non-personal data in a data set are inextricably linked.” The DGA does not create a new legal basis for processing personal data, nor does it limit the cross-border sharing of data or affect any other rights and obligations under the GDPR. Where a conflict between the DGA and the GDPR (or any other Union or national law protecting personal data) exists, “the relevant law . . . on the protection of personal data should prevail.”

One of the key aspects of the DGA is the development of a market for data intermediary services, through certification mechanisms and an appropriate framework. The DGA makes clear, however, that “[w]here data intermediation services providers process personal data, [the DGA] should not affect the protection of personal data. Where the data intermediation services providers are data controllers or processors as defined in [the GDPR] they are bound by the rules of that Regulation.” Throughout the Recitals, the DGA continuously recommends that guidance be sought from competent supervisory authorities when questions related to the handling of personal data arise.

29
Q

From a data protection perspective what was the primary drawback to the 2008 Framework Decision that preceded the LEDP Directive?

A

It was limited in scope because it applied only when personal data was transmitted between member states, not to data processing that happened internally within a member state.

30
Q

What legislation that is still valid permits member states to impose data retention obligations on electronic service providers?

A

Article 15(1) of the ePrivacy Directive

Still permits member state legislation that requires the retention of certain data for national security and public safety
Any such legislation must be “necessary, appropriate and proportionate”
This is permissive, rather than mandatory; only a handful of states have adopted legislation under this provision