Certification Exam Flashcards
Universal Declaration of Human Rights (Human Rights Declaration)
10 December 1948
Adopted by United Nations General Assembly (non-binding)
Specific provisions for the right to a private life and freedom of expression
Influenced European data protection laws/standards
Article 12: Right to a private life
Article 19: Right to freedom of expression
Article 29(2): rights are not absolute and a balance should be struck
European Convention on Human Rights (ECHR)
Council of Europe
Based on the Human Rights Declaration
1953
International treaty to protect human rights and fundamental freedoms
Enforced by European Court of Human Rights (Strasbourg)
Article 8: rights of individuals
Article 10: rights of freedom of expression and sharing info and ideas across national boundaries
Article 10(2): promotes balance between Articles 8 and 10
OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data
1980
Aimed to facilitate data flows and protect personal data in a global economy
Updated in 2013 - basic data protection principles
Council of Europe Convention (Convention 108)
Opened for signatures in 1981
Treaty among MS of the Council of Europe
First data protection instrument for several Council of Europe member states
Requires signatories to apply the principles in their domestic legislation
Late 1980s, only a small number of states had ratified it, and even those had a fragmented approach
EU Data Protection Directive (95/46/EC)
European Commission
Set out general data protection principles and obligations, requiring EU member states to implement them
Charter of Fundamental Rights of the EU (European Union Institutions)
Comprehensive collection of individuals’ rights, including the fundamental right to the protection of personal data
EU Directive on Privacy and Electronic Communications (ePrivacy Directive) (adopted 2002, amended 2009)
Legally binding on EU member states, requires local implementation
Applies to processing of personal data through public electronic communications services and networks in the EU
Treaty of Lisbon (2009)
Aim is to strengthen and improve the core structures of the EU and help it to function more efficiently.
Gave the Charter of Fundamental Rights of the EU full legal effect in the EU
European Court of Human Rights (ECHR)
Upholds data protection laws through its enforcement of the ECHR and Convention 108
Not part of the EU
Council of Europe v. European Union
Two separate institutions
Council of Europe - international organization with 47 member states
EU - economic and political union with 27 member states
All member states of the EU belong to the Council of Europe (though not a prerequisite for membership)
European Economic Area (EEA)
Based on the agreement of the EEA of 1994, which allows members of the European Free Trade Association (EFTA) to participate fully in the EU’s internal market
Composed of 27 EU member states and 3 EFTA member states (Iceland, Liechtenstein and Norway - not EU member states)
European Parliament
Only European institution whose members are directly elected
3 primary responsibilities: legislative development, supervisory oversight of other institutions, and development of the budget
European Council
Defines the EU’s priorities and sets political direction
Composed of heads of state or government of all EU countries, the European Council President, the European Commission President and the High Representative for Foreign Affairs and Security Policy
Council of the EU
Along with Parliament, focuses on legislative decision-making
Meetings are attended by one minister from each member state (changes based on issue)
Shares legislative power with Parliament
Legislation is proposed by Commission before it is examined by the Council of the EU and Parliament
European Commission
Implements the EU’s decisions and policies
Exclusive competence to propose legislation
Most active EU institution in the area of data protection
One commissioner per member state who pledges to respect the EU Treaties
Court of Justice of the EU
Luxembourg
Judicial body of the EU
Makes decisions on issues of EU law and enforces decisions
Comprises the European Court of Justice (ECJ) and the General Court
Provides clarification of EU law to national courts to assist in upholding EU law
DP Directive v. GDPR
Directive places obligations on MS whose governments then implement the directive into their local law
Regulation is directly applicable and enforceable as law in every EU member state (no need for local implementation)
DP Directive was transposed into 28 national laws
GDPR - one set of data protection rules for all EU MS
Despite harmonization of data protection rules, the GDPR allows member states a degree of tailoring (about 50 provisions)
European Data Protection Board (EDPB)
Established by GDPR, replaced Article 29 WP
Independent European body which contributes to the consistent application of data protection rules throughout the EU and promotes cooperation between the EU’s data protection authorities
Composed of reps of the national DPAs and the European Data Protection Supervisor (EDPS)
ePrivacy Directive and GDPR (Interplay)
EDPB has issued opinion regarding how the ePrivacy Directive works within the context of the GDPR, relating to processing that triggers the material scope of both ePrivacy Directive and GDPR
Co-existence - in cases where lex specialis does not apply, the general rule will apply (lex generalis)
To complement - several ePrivacy Directive provisions complement GDPR provisions
Article 95 of GDPR - aims to avoid imposition of unnecessary admin burdens upon controllers who would otherwise be subject to similar but not quite identical admin burdens
To particularise - (lex specialis principle) special provisions prevail over general rules
Personal data
Article 4(1) of GDPR - any information relating to an identified or identifiable natural person
Any information: literal - from a name to a location
Relating to: info’s purpose and impact on someone’s privacy rights
Identified: individual person has been named or singled out; identifiable: indirect identification, taking into account all the “means reasonably likely to be used” to identify a person (Recital 26)
Natural person: real human being, distinguished from a corporation (referred to as “data subject”)
Personal data elements
Pieces of data that happen to be personal information
Examples: gender, age, DOB, marital status, citizenship, languages spoken, veteran status
May relate to an individual’s employment or association with an organization (address, phone number, email, internal ID #, government based ID #, identify verification info)
Aggregation of data elements can make personal data richer and harder to de-identify.
Cookie
Small text file stored on a client machine that may later be retrieved by a web server from the machine
Anonymous data
Not related to an identified or identifiable natural person (rendered unidentifiable and not protected by GDPR)
Pseudonymous data
Not fully anonymous (subject to GDPR)
Undergone a process that has detached aspects of the data attributable to a specific individual (like creating an alias), but the personal data is still retrievable
Security measure to make the use of the data less risky
Special categories of personal data
Article 9(1): racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union memberships; genetic data; biometric data; health data; sex life or orientation
Data related to criminal convictions or offenses
Article 10: processing of such personal data “shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects”
Data Processing Roles
Data subject: individual about whom personal data is processed
Data controller: organization or individual that decides how and why personal data is processed
Data processor: organization or individual that processes information on behalf of data controller
Supervisory Authority (SA): data protection authority, entity appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction
Controllers v. Processors
Controller or processor: may be a natural person, legal entity, public authority, agency or other body
Controllers and processors: have accountability obligations under GDPR, including keeping records that can be provided to SAs; share responsibilities for personal data security and must ensure compliance with int’l data transfer rules; subject to large administrative fines if their obligations are not met and can be subject to compensation claims from individuals.
Distinction: Article 4(7) - controller is the individual or body who “alone or jointly with others determines the purposes and means of the processing of personal data.”
Article 4(8): a processor processes personal data on behalf of the controller; activities must be transparent to the controller, and any decisions that determine where personal data is processed or by whom must rely on approval from the controller.
Data Processing (definition)
Article 4(2) of GDPR: any operation performed upon data, and it comprises the many possible actions in the data lifecycle.
Data Processing Principles
OECD - most widely recognized framework for fair info practices
Collection limitation: limits to collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data quality: personal data should be relevant to the purposes for which they are to be used and should be accurate, complete and up to date.
Purpose specification: purpose should be specified no later than at the time of data collection and subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Use limitation: personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the purpose specification principle except with consent or authority of law.
Security safeguards: protected by reasonable security safeguards against loss, unauthorized access, destruction, use, modification, disclosure of data
Openness: general policy of openness about developments, practice and policies with respect to personal data.
Individual participation: individual has rights
Accountability: data controller shall be accountable for complying with measures which give effect to the principles stated above
GDPR Principles
Article 5
Lawfulness, fairness and transparency of processing - honest practices relating to processing activities
Purpose limitation - requires collecting and processing for the specified purpose only.
Data minimization - processing only personal data that is relevant and necessary for purpose
Accuracy - processing complete and up to date personal data
Storage limitation - retaining only personal data that is relevant and necessary for the purpose
Integrity and confidentiality - ensuring personal data is secure
Accountability - processing personal data responsibly and demonstrating compliance with EU and MS DP laws
Application of GDPR
Territorial and material scope
Territorial scope (Article 3) - one of these criteria must be met for the GDPR to be applicable:
(1) when a controller or processor is established in the EU (regardless of whether the processing takes place in the EU)
(2) processing personal data of data subjects in the EU relating to offering goods or services or monitoring behavior in the EU (where the controller or processor is NOT established in the EU)
(3) processing by a controller not established in the EU but in a place where MS law applies by virtue of public international law.
Material scope (Article 2): data wholly or partly processed by automated means; any processing operation performed wholly or partly without human intervention; not to be confused with automated decision making; also covers processing, other than by automated means, of personal data that forms part of a filing system
EXCLUSIONS to material scope: activities outside the scope of EU law (national security activities); law enforcement and public security; purely personal or household activities.
Lawful Processing
Six lawful grounds for controllers to rely on to process personal data (Article 6):
(1) consent from data subject
(2) performance of a contract (necessary to perform the contract and data subject is party to the contract, or if data subject requests the processing to enter into a contract)
(3) compliance with a legal obligation to which the controller is subject
(4) protection of vital interests of the data subject or another natural person (emergency - no other options)
(5) necessity for public interest or in the exercise of official authority of controller (administration of justice, tax collection, census)
(6) as necessary for the legitimate interests of the controller or a third party, unless overridden by the interests, rights or freedoms of the data subject (e.g. a child)
Consent
Provides the controller with permission to process the personal data for a specific purpose; must be clearly distinguishable from other matters, intelligible, clear and plain language; must keep records of consent.
FREELY GIVEN; data subjects must be able to choose to have their personal data processed and must be able to withdraw consent at any time (as easily as giving consent)
SPECIFIC: informed of all intended purposes for processing; if another arises, may be required to obtain additional consent
INFORMED: to be legitimate, data subjects must be informed, at least, of the controller’s identity, purpose for processing, and information about how processing may affect data subjects; communicated in understandable language and form
UNAMBIGUOUS: unambiguous indication of wishes (wishes must be absolutely clear); positive, affirmative action (checking opt-in or choosing technical settings); no silence or pre-ticked boxes or inactivity.
CHILDREN: more rigorous; must be given by a parent or guardian when child is under 16 (or under 13 in some MS)
Legitimate Interests
CONTROLLERS: burden is on the controller to show that data subjects’ fundamental rights and freedoms have not been compromised (legitimate interest exists, processing is necessary for the legitimate interest, inform data subjects, balance legitimate interest with rights of data subjects, uphold fundamental rights and freedoms of data subjects)
CONTROLLER DATA SUBJECT RELATIONSHIP: fraud prevention, direct marketing, sharing personal data within group for internal administrative purposes, information security
Public authorities may NOT rely on legitimate interest as a grounds for processing personal data
Processing Special Categories
General starting point - processing of personal data is prohibited; number of exceptions to the prohibition; controller must ensure it meets one of the six bases for lawfully processing personal data
Explicit consent: required under Article 9 (differs from Article 6), must be explicit. Must still be unambiguous, freely given, specific and informed, but it must be a clear affirmative act by the data subject
In the context of employment: applies when processing of special categories is necessary for controller to comply with legal obligation under employment, SS and social protection laws; relevant when data subjects are candidates, employees and contractors
Vital interests of the individual: similar to Article 6, except controller must be able to demonstrate that it is not possible to obtain consent; controller is expected to attempt to seek consent.
Political, philosophical and religious purposes: covers particular foundations, associations, not for profit bodies and any foundation, association or not for profit body with trade union aim; processing of special categories of data about members of the org, former members or those with regular contact with org; appropriate safeguards
Sensitive data manifestly made public by data subject: interviews, social networking sites
Establishment, exercise or defense of legal claims
Substantial public interest: reason for processing special categories of data in the public interest be balanced with the data subject’s rights to data protection; safeguard data
Medicine and social healthcare
Public health: required for public health reasons
Public archives or scientific historical research or statistical purposes: requires further interpretation from MS law; proportionate to the purpose and respect data subject rights; safeguards
Data access and rectification
Confirmation of processing (is or was processed); purpose of processing (why); categories of data processed (what); recipients or categories of recipients of data (who); retention period/criteria to determine period (when); information about data subject rights to: rectification, erasure, restriction, object to processing, and lodge complaints; source of personal data (when not collected from data subject); existence of automated decision making (logic, significance and envisaged consequences); appropriate safeguards for data transferred to third country or int’l org
Data portability
Right to obtain and reuse data for own purposes; allow data subjects to receive personal data concerning them that they provided to the controller; structured, commonly used, machine readable format; applies when processing is based on prior consent or performance of the contract to which data subject is a party AND data provided by data subject, not data derived from data provided by him AND transferring data does not adversely affect the rights and freedom of others
Erasure
Right to be forgotten (Article 17)
Data subjects may, in some circumstances, request that personal data be erased and, therefore, no longer processed.
May be requested under these circumstances: no longer necessary for the purpose for which it was collected; data subject has withdrawn consent (when processing was based on consent); if based on controller’s legitimate interests, data subject objects, and controller is unable to demonstrate that its legitimate interest overrides the interests or fundamental rights and freedoms of data subject; if processing is unlawful; if personal data must be erased for compliance with EU or MS law; if consent was given when data subject was a child, consent may be withdrawn even if the individual is no longer a child
Right to be forgotten also applies when data has been made public by the controller; original controller must take reasonable steps to inform other controllers processing personal data to erase any links to or copies or replications of the personal data.
May prove difficult - determine all of the data’s recipients (when posted on internet, for instance); informing all other controllers; objections from controllers based on fundamental right to freedom of expression and information.
Exceptions to Erasure
Compliance with EU or MS law for a task in the public interest or in the exercise of official authority; public health purposes; archiving in the public interest, scientific or historical research, or statistical purposes; establishment, exercise or defense of legal claims.
Restriction of Processing
Defined in Article 4(3): Marking of stored personal data with the aim of limiting their processing in the future
Set out in Article 18 (new) - differs from erasure because it allows for personal data to continue being stored without being further processed
Provides an alternative to erasure in circumstances where storing the personal data is legally required, ensures the protection of another person’s right, or is in the public interest
Possible methods: making personal data temporarily unavailable; noting restriction; moving data to separate system; temporarily blocking website; using data under narrow conditions
Data subjects may request restriction for: accuracy of data is contested and controller needs time to verify accuracy; processing is unlawful, but data subject prefers restriction to erasure; controller no longer needs personal data but data subject needs it to be saved for the establishment, exercise or defense of legal claims; data subject objects to processing, pending the controller’s attempt to verify legitimate grounds.
Right to object
Article 21 - right is not absolute; only available if the grounds for data processing falls into one of three categories:
(1) direct marketing - absolute and should cause the controller to cease processing, including profiling
(2) public interest or legitimate interests: based on grounds related to the individual’s particular situation; controller then has the burden to demonstrate that it has compelling legitimate interests for processing that override the data subject’s interests, rights and freedoms
(3) research or statistical purposes: on grounds relating to their particular situation; overridden if processing is necessary for the performance of a task carried out in the public interest.
Automated processing
Article 22: data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects (without human intervention, in a way that produces legal or similarly significant effects; strictest for decisions involving children)
Profiling is the automated processing of personal data for the purpose of evaluating, analyzing or predicting personal aspects of a natural person.
Exceptions: authorized by MS or EU law; necessary to enter into or perform a contract between processor and data subject; based on data subject’s explicit consent; certain decisions based on special categories of data.
Transparency provision
Requires data controllers to communicate with data subjects using an intelligible and easily accessible form (Article 12(1)); clear and plain language; concise communication.
Notice and access to personal data must be free of charge, unless the data subject’s request is unfounded or excessive
Privacy notice
Also called privacy statement, fair processing statement or privacy policy
Statement made to a data subject that describes how the organization collects, uses, retains and discloses personal data; must contain certain information.
Creative solutions for making privacy notices more concise and easier to navigate: layered privacy notices, just in time notices, standardized icons.
Layered privacy notice
Contains multiple layers of increasingly detailed notices (up to 3 layers), so long as the sum total meets the legal requirements. Top layer contains the short notice (key elements); second and third layer may contain a condensed notice followed by a full notice, or a full notice followed by FAQs and additional links.
Just in time notice
Delivered at or right before a user accepts a service or product, helping to facilitate meaningful choice; or given when previously collected data is to be used for a new purpose.
Standardized icons
Recital 60 endorses the use of standardized icons with privacy notices to communicate required information; challenge - design icons readable by humans and computers that accurately reflect the meaning of abstract, complex messages. Recital 166 delegates decisions about development of standardized icons to the European Commission.
Direct v. indirect collection
If data is obtained from indirect source (news media or public records), provisions of info (data privacy statement) may happen after collection but prior to processing.
If a controller later wants to process the data for a different purpose, subjects must be provided with all relevant information, including the new purpose, prior to processing
Direct collection requirements
DS must be provided with the identity and contact details of the controller and DPO; purpose and legal basis of processing; recipients of personal data; intention to transfer data to a third country or int’l org; legal basis for intended int’l transfer; legitimate interests of controller (if used as legal basis); storage period or criteria used to determine length of storage; subjects’ right to withdraw consent, to request access, to rectification or restriction of processing, and to lodge a complaint; statutory or contractual requirement, as well as obligations to provide the data and consequences of failing to do so; info about use of automated decision making.
Indirect collection requirements
Source of data and categories of personal data must be provided to the DS, in addition to all info required for direct collection; should happen within a reasonable period after obtaining data (no more than 1 month) or upon first communication with the data subject when used to communicate.
Info may not have to be provided to the DS whose data was collected indirectly: (1) if DS already has the info; (2) if info provision is impossible or requires disproportionate effort or would render impossible or seriously impair the purpose of the processing; (3) if national or EU laws require obtaining or disclosing data and provide appropriate measures to protect individuals’ interests; or (4) if national or EU laws require that the personal data remain secret.
International Data Transfers
GDPR - ensures the free flow of personal data between MS; also recognizes that transfers from a member state to a third country (outside the EEA) or an int’l org require special considerations. Provisions for int’l data transfers also apply to onward transfers from one third country or int’l organization to another outside the EEA. In other words, if personal data is to be transferred outside the EEA, it still must be protected to an adequate standard.
International data transfer options
(1) Adequacy decisions
(2) Appropriate safeguards
(3) Derogations
Adequacy decisions
Based on assessments of third country law; determinations that certain third countries adequately protect EU data; because their laws have achieved a European level of protection, transferring personal data to these countries does not require additional safeguards.
European Commission makes adequacy decisions; reviewed every four years and may be overturned, repealed, suspended or amended.
Criteria: respect for the rule of law; access to justice; international human rights standards; general and sectoral laws; case law; effective and enforceable rights for individuals, including effective administrative and judicial redress; data protection rules, professional rules and security measures, including specific rules for onward transfers; and other int’l commitments and obligations.
Data Protection Act (replaced Data Protection Act of 1998)
Enacted 23 May 2018
Appropriate Safeguards
In the absence of adequacy decisions, may be used to legally transfer personal data internationally.
Legal tools designed to ensure recipients of personal data who are outside the EEA are bound to continue to protect personal data to a European-like standard; mechanisms that can be used by recipients to commit to protecting personal data and facilitate ongoing, systematic int’l data transfers.
Intended to provide enforcement and effective rights to individuals; require pre-approval from an SA:
Binding Corporate Rules (BCRs): designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company; if the competent SA signs off, the company is considered free to transfer personal data within its organization; minimum requirements: application of GDPR principles; different versions for controllers and processors.
Standard Contractual Clauses: model clauses, adopted by the Commission or adopted by a national supervisory authority and then approved by the Commission; standard form that is non-negotiable; once signed, company outside the EEA is considered safe to receive personal data from the EU; most commonly used tool for appropriate safeguards.
Approved codes of conduct and certification mechanisms: provisions with GDPR encourage industries to create their own codes of conduct and certification mechanisms that will be reviewed by the EDPB, and if approved, companies may adhere to them and be considered safe to receive data transfers from the EU.
Ad Hoc contractual clauses: must have SA authorization; allow for individual tailoring to a company’s needs; provisions may differ at MS level.
Reliance on int’l agreements: two countries may enter into an agreement between themselves to provide for the protection of personal data; e.g., passenger name records (airlines) to transfer passenger data between the EU and US.
Derogations
Where there is no adequacy decision and no appropriate safeguards, derogation is the last option
Basically an exemption from the prohibition on transferring personal data outside the EEA; for limited circumstances and under very specific conditions
Processing employee personal data
Article 88 allows for MS to have more specific rules around processing employees’ personal data. Rules must include suitable and specific measures to safeguard the data subject’s: human dignity, legitimate interests, and fundamental rights, with particular regard for: transparency of processing, transfer of personal data within a group of undertakings or group of enterprises engaged in joint economic activity; and monitoring systems.
Mix of EU data protection law with local law can make compliance relating to employment complicated; local employment law varies considerably across the EU.
Legal grounds for processing employee personal data
Fulfillment of employment contract (bank account info to process salaries)
Legal obligation (sharing salary info with tax authorities)
Legitimate interests of the employer (migrating EE info from one system to another; cannot be adverse to EE rights and freedoms, cannot be used as grounds for processing special categories of data)
Consent (freely given consent is difficult to prove due to unequal distribution of power between EE and employer; processing may be unlawful or unfair under local law, even if the EE has consented)
Processing sensitive employee data
Employers must comply with one of the exceptions specified in Article 9 of the GDPR. First, explicit consent, which should be used as a last resort (freely given)
May be necessary for employer to establish, exercise or defend legal claims
May be necessary for controller to carry out obligations and exercise specific rights under employment, SS or social protection laws where authorized by EU or MS
Storage of personnel records
Records that contain personal data should not be kept longer than necessary
Trade unions/works councils
Employers may also be obligated to communicate with a trade union or works councils; in certain jurisdictions, works councils may have considerable power over processing of EE personal data, requiring notification, consultation, and approval from works councils; trade unions and works councils may need to ensure they comply with GDPR, too.
Lawful employee monitoring
MS data protection law may have specific requirements restricting use of employee monitoring systems
EE rights and freedoms must be balanced against the rights of the employer, and alternatives to monitoring should always be considered; prevention may be a better option (block websites)
Includes background checks, which are increasingly used for screening candidates
Another form is data loss prevention (DLP) technology; used to protect IT infrastructure and confidential business information from external and internal threats, but involve processing EE and other third party personal data since they operate on networks and systems used by EE; overriding intention is preventing loss of an org’s data.
Personal data collected through monitoring must be: (1) held securely; (2) accessed only by those within the org with legitimate reason; and (3) deleted when no longer needed (may be business need to retain it).
To monitor EE lawfully, an employer must ensure the monitoring is necessary (may require DPIA, any less intrusive options), proportional (data minimization), transparent (EE clearly informed) and legitimate (lawful grounds, fair processing)
Whistleblowing schemes
Sarbanes-Oxley 2002 - companies must have a system in place to receive anonymous complaints about potential wrongdoing, incl fraud, misappropriation of assets and material misstatements in financial reporting.
Under EU law, anonymous reporting is strongly discouraged; some local DPAs will consider a whistleblower scheme illegal if it mentions the ability to make anonymous reports
Under EU law, once a report is investigated and found unsubstantiated, it should be deleted after a fairly short period of time (3-6 mos)
Divergence between MS about what can be reported through a whistleblowing system - need to understand what may be reported legally in different countries.
If an individual has been the subject of a WB report, you have to tell them they’ve been the subject of a report, but you don’t have to tell them immediately. If it’s substantiated, you have to communicate that to them, and they have the ability to access the report and to seek correction of anything they think is inaccurate (still have to protect the reporter’s freedoms and private information)
Reports made in the EU and transferred to a non-EU country are an int’l transfer; may need model clauses or BCRs. If a third party service provider is int’l, be sure they have model clauses.
Surveillance
Involves the observation of an individual or group of individuals; may be carried out openly or covertly, conducted in real time or by access to stored material
Include: social networks analysis and mapping, data mining and profiling, aerial surveillance, satellite imaging, telecommunications surveillance, CCTV cameras, biometric surveillance and geolocation technologies
May need to be conducted in a manner that overrides data subject rights, as recognized by Article 23 of GDPR, which permits MS or EU law to restrict the rights granted in Chapter 3 (rights of data subject).
Such a restriction must respect the essence of the fundamental rights and freedoms and be a necessary and proportionate measure in a democratic society
May be conducted by public and state agencies for national security or law enforcement purposes (respect individual rights enshrined in Charter of Fundamental Rights, right to private and family life and protection of personal data) or private entities for their purposes (based on legitimate purposes, must comply with GDPR and national laws on confidentiality, privacy, data protection and other civil rights)
Communications Data
Communication surveillance traditionally - interception of postal services and human spies; however, surveillance of electronic communications is more prevalent today
Personal data generated from e-comms is categorized as either the content of a communication or the metadata
Metadata - data about data, information generated or processed as a consequence of a communication’s transmission, also falls within the definition of personal data because it provides context to content and can be used to identify an individual
Content of Communication
conversation between parties in a call, words in an SMS message, email subject line, words in body of an email, attachments to an email
Metadata
Traffic data - calling and called numbers in relation to a telephone call
Location data - latitude, longitude and altitude of a user’s equipment; direction of travel; level of accuracy of location info; identification of network cell (Cell ID) in which a user device is located at a certain time; time at which the location info was recorded
Subscriber data - name, contact details and payment info of a subscriber
ePrivacy Directive (Directive 2002/58)
Also called Cookie Directive and Privacy & Electronic Communications Directive.
Governs processing of location, content and traffic data over a public communications network or publicly available communications system - data passing over public telephone or internet carriers, or services that use a public communications network
Collection of precise location-based data - requires opt-in consent (with the exception of carriers, who need data to provide service)
Article 5(1) - confidentiality of the comms must be ensured and cannot be intercepted or disclosed to third parties unless there is consent from all users
Article 15(1) - MS can introduce some exemptions if necessary for very limited purposes such as national security and law enforcement
Access to traffic data is limited; however, telecom carriers can process traffic data for the purpose of conveying comms and possibly for some limited marketing activities with user’s consent
If data is passing over a private network (corp intranet) - ePrivacy rules do not apply; however, monitoring considerations are relevant
One provision allows for interception of a comm when an org has a lawful business purpose for accessing data going through their public networks. MS may define lawful business purpose
CCTV
Video surveillance of individuals, including CCTV, contains personal data (images) which are considered biometric data under GDPR; when collecting such personal data, compliance considerations should include
lawfulness (e.g., legitimate interest, defense of legal claims, public interest, public authority; consent likely not possible)
biometric data is considered a special category of data, so processing can only be carried out if one of the permitted conditions specified in Article 9 applies
data protection impact assessment - required if video surveillance is considered to be high risk or if it involves systematic monitoring of publicly accessible area or if it’s included by the SA on a list of data processing ops that require DPIA
prior checking - notify and in some circumstances seek authorization from local regulator
proportionality - proportional to the purpose
information provision - for overt video surveillance, comply with transparency requirement (sign posted)
individual rights - individual may request copy of CCTV recording, may pose a challenge of protecting others’ privacy
measures to protect personal data and rights of individuals - staff training, CCTV policy, regular reviews to ensure compliance
Location data
Location based services (LBS) utilize information about location to deliver a wide array of applications and services; may be derived from satellite network generated data, cell based mobile network generated data, and chip card generated data
Referred to as an identifier in definition of personal data (GDPR); if it can be used alone or in combination with other info to identify someone, it’s personal data
Biometric data
Biometrics - personal data resulting from specific technical processing relating to the physiological, physical or behavioral characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (DNA, fingerprints, retina and eye patterns, voice, gait)
Main uses: Identification (who are you) and authentication (are you who you claim to be)
Direct marketing
A communication, by whatever means of advertising or marketing material, directed toward specific individuals; messages that do not process personal data to communicate the marketing message or those that are purely service related in nature are not considered direct marketing
Most complex area - consent requirements are difficult, but crucial
Not only triggers data protection requirements but also other consumer protection regulatory requirements that vary from country to country; controllers must meet ALL national rules applicable to the direct marketing communications they send
Often involves using data collected from devices (location data and cookies)
No longer limited to postal mail and email, but can now be sent via third party platform messages, push messages and in-app messaging
Direct marketing rules
Governed by GDPR and ePrivacy Directive
GDPR - applies to all direct marketing comms, regardless of channel, incl online advertising targeted at individuals based on browsing history; gives individuals absolute right to object to any form of direct marketing at any time (already there under consent, but also allowed under legitimate interest)
Direct marketers must meet these requirements: (1) lawful basis; (2) provide individuals with fair processing information; (3) appropriate technical and organizational measures to protect personal data; and (4) not exporting personal data outside EEA without adequate protection
Some MS require controllers to amend their contact lists against national opt out registers before sending direct marketing
ePrivacy Directive - applies to digital marketing comms - direct marketing communicated over electronic comm networks (phone, fax, email and message); also specifies rules that impact the use of online behavioral advertising
Different rules for different channels under ePrivacy Directive; most forms of digital marketing require opt-in consent (other than face to face); limited exemption from opt-in - market own similar products and services, ability to opt out at time contact details are collected, and reminded of ability to opt out in each subsequent marketing comm
Online Behavioral Advertising (OBA)
website advertising targeted at individuals based on the observation of their behavior over time; is increasingly occurring through third party advertising networks with relationships with partnering website publishers that enable them to place cookies on individuals’ computers with unique identifiers; clearly defined in GDPR as personal data
ePrivacy Directive will generally apply to OBA regardless of whether or not OBA info collected constitutes personal data; use of cookies to store or access information in an individual’s computer is allowed only on the condition that the individual concerned has given their consent, having been provided with clear and comprehensive information
Cloud computing
Provision of IT services over the internet; may provide infrastructure, platform, or application services, or a combination thereof
Commonalities: (1) infrastructure shared among customers and accessible in numerous countries; (2) customer data transferred around the infrastructure, according to capacity; and (3) supplier determines location, security measures and service standards applicable to processing
Challenging for cloud providers to determine whether GDPR applies; EU has no specific legislation regarding cloud computing, but the technology neutral GDPR sets out controller and processor obligations
A cloud provider may be considered a controller when: it determines substantial and essential elements of the means of processing (e.g., data retention periods); it processes data for its own purposes; it determines aspects of processing outside the controller’s instructions
Web cookies
Text file stored on an individual’s computer by a website for later use; enables authentication of web visitors, personalization of web content and delivery of targeted advertising.
Search engines
Services that find info on the internet; process large volumes of data, including IP addresses, cookies, user log files and third party web pages
Determine the purpose and means of processing data about users - they are controllers, and are controllers of personal data contained in third party web pages.
Search engines outside the EU are also likely subject to the GDPR in respect of their processing of personal data contained in third party web pages if they have an EU establishment whose activities are economically linked to the search engine’s core activities
Social networking services
SNS - create opportunities for various parties and individuals to collect and use personal data; multiple controllers possible. SNS are controllers because they provide platforms for publishing and exchanging personal data as well as determining the use of personal information for advertising services
Authors of apps designed for SNS platforms that provide services in addition to the SNS may also be controllers
Users who act on behalf of an organization or knowingly extend access to personal data beyond selected contacts may also be controllers
SNS providers should be open and transparent about processing of personal data by providing: (1) notice if the personal data will be used for marketing purposes; (2) notice if personal data will be shared with specific third parties; (3) explanation of any profiling conducted; (4) info about processing of sensitive personal data; (5) warnings about risks to privacy; and (6) warning that if an individual uploads a third party’s personal data, such as photos, the consent of the third party should be obtained
Special considerations for sensitive personal data, third party personal data and children’s personal data:
Sensitive personal data - explicit consent is required
Third party personal data - if third party individuals’ personal data is published, SNS must have a legal basis for processing that personal data
Children’s data - requires parental consent; processing on the grounds of legitimate interest may not be possible
Artificial Intelligence
The simulation of human intelligence created by machines and computers; AI can replace humans and act on its own to make automated decisions
Provisions within GDPR affect the AI functions of automated decision making (Article 22 highlights subject rights in conjunction with profiling and automated decision making)
Organizations implementing AI tech will want to ensure privacy regulations are being met in conjunction with the technology.
Security of Processing
Security is very important to EU data protection law; often a prerequisite for achieving compliance with data protection principles
Security in practice should take a holistic approach; considerations may include mgmt and worker buy-in, policy framework, physical environment, information technology, and incident detection and response.
Controller and processor obligations
Article 32:
State of the art - most cutting edge technology is not necessarily the best choice for security; reflect upon consensus of security professionals/experts
Cost of implementation - not required to choose the most expensive security controls, but should choose controls that reflect demonstrably good management decisions
Appropriate technical and organizational measures - results that those measures should bring about might include pseudonymisation, encryption, confidentiality, integrity and resilience
Level of security appropriate to risk - risk based approach based on risk assessment to determine controls for entire information lifecycle; controls are tighter and more sophisticated relating to vulnerable and special categories of data being processed
Attributes of security controls (CIAR)
Confidentiality: individuals, entities, systems or applications access data on a need-to-know basis (access controls)
Integrity: controls in place to ensure data is accurate and complete
Availability: data is accessible when needed for a business activity
Resilience: data is able to withstand and recover from errors or threats
Engaging processors
A data processor is a third party that processes data on behalf of a controller; controller shall only use processors providing sufficient guarantees to implement appropriate technical and organization measures in such a manner that processing will meet the requirements of this Regulation and ensure protection of the rights of the data subject
sufficient guarantees - covers assurance mechanisms such as appropriate checking and vetting of the processor by the supplier through third party assessment or certification validation
Processor contract due diligence: data protection knowledge; recent high profile breaches; recent and current investigations; accreditations; policy framework; sub-processors; governed by a contract or other legal act under EU or MS law that is binding on the processor
Contract may be based on SCCs identified by the EC or SA; must set out: subject matter and duration of processing, nature and purpose of processing, type of personal data, categories of data subjects, and obligations and rights of the controller
Data breach notification
Personal data breach (Article 4(12)) - breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
Controller and Processor Obligations for Communicating a Data Breach (Articles 33 and 34)
Processor must inform controller without undue delay after becoming aware
Depending on circumstances, controller must inform the SA and may be required to inform affected data subjects
Data Breach Information Provision to SA
Obligated to report to SA without undue delay (within 72 hours of becoming aware) if breach is likely to result in a risk for the rights and freedoms of natural persons.
Notification should include: categories of affected data subjects, approximate number of data subjects and data records, name and contact details of the DPO or other POC, description of likely consequences of the breach, measures taken or to be taken in response to the breach
Data Breach Information Provision to Data Subject
Should be notified without undue delay and in clear and plain language IF the breach is likely to result in a high risk to the rights and freedoms of those individuals.
Notification may not be necessary if:
(1) there was prior implementation of appropriate technical and organizational measures that rendered the personal data unintelligible or encrypted; (2) post breach actions greatly reduce the risk to the rights and freedoms of data subjects; or (3) individual notice requires disproportionate effort (in such case, equally effective public notification is still required).
SA may still decide the controller needs to notify the data subjects
NIS Directive (Directive on Security of Network and Information Systems)
May 2018
first EU wide cybersecurity law
Although not specifically concerned with personal data, it aligns with the GDPR and indirectly bolsters the security of personal data within orgs that are regulated by the Directive.
Focuses: national capabilities, cross border collaboration and national supervision of critical sectors
Accountability
Article 24(1) mandates that the controller have a data protection program in place based on the nature, scope, context and purpose of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons; implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation; measures shall be reviewed and updated where necessary.
Risk based approach resulting in technical and nontechnical measures that can demonstrate compliance with the GDPR; continuously review and update.
Processors also have obligations (though not named specifically), record keeping and duty to support controller in fulfilling obligations
Steps to Accountability
Implementing data protection by design and data protection by default
Conducting a DPIA
Maintaining data processing records
Possibly appointing a DPO
Auditing privacy programs
DPAs have the following audit rights: audit or inspect premises and processing equipment, data protection written systems, and data protection business operations
DPAs can issue warnings or put a stop to business activity
Regulators have the right to conduct audits
Data protection by Design
More familiar with “by default”
Begins prior to processing and incorporates data protection considerations into the planning phase.
Sustains those considerations into the processing phase by limiting the collection, processing, storage and accessibility of personal data
Orgs should build data protection into their products throughout their life cycle (starting at time of planning); necessary safeguards should be integrated into the org’s systems; GDPR highlights data minimization and pseudonymisation; program assesses the risks of a product and takes steps to mitigate those risks to meet the data protection by design requirements
Data protection by default
Where a product or service provides users with multiple setting options, the most data protective settings should be the default.
Users should have to opt into any setting that presents greater risks.
By default, a product or service processes only the necessary personal data
Considerations: purpose of processing, amount of personal data collected, extent of processing, storage period and accessibility
Data Protection Impact Assessment (DPIA)
Main values: (1) helps incorporate data protection considerations into org planning; (2) helps demonstrate compliance to SAs
When is a DPIA required? if processing is likely to entail a high risk to the rights and freedoms of natural persons
Risks should be considered from the POV of the data subject and the SA
Considerations: nature, scope, context, purpose, type of processing, and use of new technologies
Use of new technologies whose consequences and risks are less understood may increase the need for DPIA
Ex of processing that would require a DPIA: (1) systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing; (2) processing on a large scale of special categories of data or of personal data relating to criminal convictions or offenses; (3) systematic monitoring of a publicly accessible area on a large scale
Should include: (1) description of processing, incl purpose and legitimate interest; (2) necessity of processing, its proportionality and the risks that it poses to data subjects; and (3) measures to address those risks (by design and by default controls)
When must a SA be contacted? high risk to data subjects that is not mitigated. SA will provide advice and can block processing activities within 8 weeks (or add’l 6 weeks for complex situations)
Data Protection Policy
Useful tool to ensure that EEs are properly trained and follow GDPR reqs
Purpose: explain to EE what can and cannot be done with data they are handling and to outline consequences of a policy breach
Falls within the appropriate technical and org measures category and may be included as part of a larger data protection program
Not required for all situations but should be used where proportionate in relation to processing activities
GDPR does not specify contents, best practices - considerations: concise and understandable language; consider how metrics may be used to demonstrate results; ensure tasks are achievable, realistic, relevant and timely
Recording obligation
Important aspect of accountability is being able to demonstrate compliance with the regulation - applies to both controllers and processors
What triggers recording obligation: processing personal data for orgs of 250+ EEs; or regardless of size, if processing is likely to result in a high risk to the rights and freedoms of data subjects, is not occasional, or incl special categories of data or data relating to criminal convictions or offenses
Controller and processor records/obligations
Name/contact info of controller and DPO
Purposes of Processing (not req’d by processor)
Categories of data subjects, personal data and recipients of data (processor - cats of data)
Int’l data transfers and measures put in place to ensure lawfulness
How long the data is retained and timeline for deleting (not req’d by processor)
General description of technical and org security measures
DPO role
Staff member or contractor appointed by the controller or processor to ensure and demonstrate compliance with data protection law; must be an expert in data protection law and practices
Required in certain circumstances (Article 37): (1) controller is public authority; (2) core activities of controller or processor include regular and systematic monitoring of data subjects on a large scale; (3) if core activities of controller or processor consist of large scale processing of special categories of personal data
DPO Guidelines
Large scale - determined based on number of data subjects concerned, the volume or range of data items, the duration of processing and/or the geographical extent of processing
Regular and systematic monitoring - all forms of tracking and profiling on the internet, including for purposes of behavioral advertising; not restricted to the online environment
Tasks and responsibilities: (1) ensure compliance with regulation; (2) advise controller, processors and EEs who carry out processing of their data protection obligations; (3) manage risk; (4) be a point of contact with SA; (5) communicate with data subjects and the SA; (6) provide advice on and monitor DPIA; (7) exercise professional secrecy
Should report to the highest level of management
Controller or processor may not instruct the DPO with regard to their tasks or curtail their action
Obligation to designate a rep in the EU
Controllers or processors that process personal data within the territorial scope of GDPR Article 3(2) must designate a rep within the MS of the data subjects to whom that processing applies.
Article 3(2) - processing of data subjects in the EU by controllers or processors not established in the EU where the processing activities are related to offering them goods or services or monitoring their behavior that takes place within the EU
Supervisory Authorities (SA)
Also known as data protection authorities, promote, monitor and enforce GDPR
(1) promote awareness by helping orgs understand their obligations in an advisory capacity; (2) conduct investigations; (3) protect fundamental human rights by providing info to individuals; (4) draw up annual reports that explain data protection in their country; (5) facilitate the free flow of personal data within the EU
Three categories of power: (1) investigative powers; (2) corrective powers; and (3) authorization and advisory powers
Lead Supervisory Authority
Primary regulator responsible for dealing with the cross-border processing activities of controller or processor, including coordination of operations of all supervisory authorities concerned.
Cross-border processing
Processing of personal data which takes place in the context of the activities of the establishments in more than one MS of a controller or processor in the Union where the controller or processor is established in more than one MS OR processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to affect data subjects in more than one MS
Identifying LSA - place of central administration, unless decisions about purpose, means and implementation of processing occur at a different location; then that one will be the lead.
Cooperation and consistency between SA
Mechanisms to support cooperation and consistency between SAs:
Cooperation; mutual assistance (relevant info passed between SAs); joint operations (joint investigation and enforcement); consistency mechanism (collaborative process for adopting certain measures and ensuring consistent GDPR application); dispute resolution; urgency procedure (immediate adoption of provisional measures within a MS)
European Data Protection Board (EDPB)
Replaced Article 29 Working Party
Rep of every MS’s SA (31 member states of EEA); only reps from 27 EU MS may actively participate.
Presided over by a Chair who is elected by the EDPB reps
European Data Protection Supervisor (EDPS) and the Commission participate on the board, but EDPS has limited voting rights and the Commission has none
EDPB must act independently; roles are to monitor for correct application of GDPR and oversee the consistency mechanism; issue guidance and advice to the Commission; and preside over the dispute resolution process
Administrative Fines
20,000,000 Euros or 4% of total turnover (denying fundamental right to privacy) or 10,000,000 Euros or 2% of total turnover (data breaches)