Ch. 1 Flashcards

1
Q

1968 Recommendation CoE

A

Recommendation 509 on human rights and modern scientific and technological developments -> prompted by the CoE's concern that national legislation did not adequately shield the human right to privacy against technological advances.

2
Q

1980 legislation

A

OECD Guidelines on the Protection of Privacy & Trans-border Flows of Personal Data (1980). Not legally binding.

3
Q

OECD Guidelines content

A

The Guidelines don't distinguish between the public and private sectors, or between personal information gathered electronically or otherwise. They set out a number of principles: collection limitation; data quality; purpose specification; use limitation; security safeguards; openness; individual participation (data access requests); accountability.

4
Q

1981 legislation

A

Convention 108 of the CoE: Convention on the Protection of Individuals and the Automatic Processing of Personal Data. Implementation, however, was left to the discretion of the states.

5
Q

1970s legislation

A

CoE resolutions in the 1970s, prompted by divergent national laws.

6
Q

Convention 108 substance

A

Two reasons for Convention 108:
- Failure of signatories to follow through on previous CoE resolutions
- General need for a binding instrument implementing the principles of data protection
Open to signatories outside of the CoE. Its principles proved determinative for European data protection law and are still found in e.g. the GDPR. It also recognizes the importance of the free flow of data. As a legally binding instrument, it required signatories to adopt implementing legislation.

7
Q

2001 legislation

A

Additional Protocol to Convention 108 (2001). Recognizes the concept of an adequate level of protection and prohibits data transfers to countries that do not meet this threshold. Also introduced a requirement for supervisory authorities.

8
Q

Global treaty on data protection + successor

A

Convention 108. ‘Convention 108+’ was signed in 2018 (in practice a Protocol). After about 30 years, Convention 108+ furthers the (largely European-driven) global convergence of data protection laws. It introduces various concepts, such as ‘processor’ and the legal basis for data processing. Recommended by the UN Special Rapporteur on the right to privacy.

9
Q

1995 legislation

A

Data Protection Directive (1995) of the European Commission. It used the principles contained in Convention 108 as a benchmark.

10
Q

Legal basis Data Protection Directive

A

A response to signatories not implementing Convention 108 adequately. The EU could not simply draw up human rights law, as there was no foundation for this within the Charter. Instead, the Directive was framed as a harmonization measure, intended to remove obstacles to internal trade between MS.
However, MS still varied widely in their implementation of the Directive, which eventually required the adoption of the GDPR.

11
Q

Substance DPD (1995)

A

A major advance of the Directive over Convention 108 was its applicability to manual data, not only to data processed by automatic means. Further, the Directive:

  • identified special categories of data;
  • set out specific DS rights;
  • laid down principles of lawful processing, legitimate purposes, accuracy, storage terms, and appropriate technical and organizational measures;
  • identified data controllers, both established in the EU and outside it using processing equipment in an EU MS;
  • mandated the establishment of a DPA.
12
Q

Legislation 2000 + privacy article

A

Charter of Fundamental Rights was signed and proclaimed in 2000. Art. 8 specifically names a right to the protection of data. Mentions various basic requirements: fair processing; specific purposes; legitimate basis; right to access and rectification; oversight from a supervisory authority. Limitations must be in accordance with art. 52, which contains the general exemption provision.

13
Q

2007 legislation + privacy article

A

The Treaty of Lisbon, which became effective in 2009, amends the TEU and the TFEU. Art. 16 TFEU echoes art. 8 of the Charter and grants everyone the right to the protection of personal data.

14
Q

2018 legislation + innovations

A

The GDPR introduced:

  • a focus on privacy while developing new technologies (privacy by design and by default);
  • accountability for organizations;
  • increased powers for SAs and the one-stop-shop;
  • obligations no longer limited to data controllers.
15
Q

Reach of GDPR outside of EU

A

The applicability of the Regulation to organisations not established in the EU is determined by the location of the data subject. The GDPR applies when:

  • personal data are processed in relation to the offering of goods or services to individuals in the EU, irrespective of whether a payment is required; or
  • the behavior of individuals located in the EU is monitored.
16
Q

GDPR includes tracking DS?

A

Yes, tracking data subjects on the internet to analyse or predict their personal preferences triggers the application of the Regulation (Recital 24). This is a massive widening of the application of the rules, as it makes almost every website that drops tracking cookies, or app that retrieves usage information, subject to the Regulation.

17
Q

7 new responsibilities for controllers under GDPR

A

The new responsibilities include:

  • Implementation of data protection policies and measures to ensure compliance
  • Data protection by design and data protection by default
  • Record-keeping obligations by controllers and processors
  • Cooperation with supervisory authorities by controllers and processors
  • Carrying out data protection impact assessments (DPIAs) for operations that present specific risks to individuals due to the nature or scope of the operation
  • Prior consultation with DPAs in high-risk cases
  • Mandatory data protection officers (DPOs) for controllers and processors for the public sector and big data processing activities
18
Q

2 new responsibilities under GDPR to processor

A

  • existence of direct obligations on processors
  • processor may not subcontract a service without the consent of the controller

19
Q

2016 legislation + reach

A

Law Enforcement Data Protection Directive (2016) -> protects fundamental rights when personal data are used by criminal law enforcement agencies.

20
Q

ePrivacy Directive reach + goals

A

Sets out rules regarding the processing of data across public communications networks. 3 objectives:

  • Better cooperation between law enforcement authorities
  • Better protection of citizens’ data
  • Clear rules for international data flows
21
Q

Key provisions ePrivacy Directive

A

Sets out rules relating to the processing of personal data across ‘public communications networks’.

  • Providers should take appropriate technical and organisational measures and inform users of risks/breaches.
  • Communications are confidential, with certain exceptions (consent, or exceptions provided by law).
  • Most forms of digital marketing require opt-in consent.
  • Limited exceptions for marketing of services very similar to what customers have previously bought or opted in to.
  • Location data must be anonymised.
  • Subscribers must be informed before being included in any directory.
22
Q

ePrivacy cookie rule + exception

A

The storing of information (or the gaining of access to information already stored) in the terminal equipment of a subscriber or user is allowed only on the condition that the user concerned has given their consent, having been provided with clear and comprehensive information.

2 exceptions, when the cookie is:

  • For the sole purpose of carrying out the transmission of a communication over an electronic communications network.
  • Strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.
23
Q

Innovations ePrivacy regulation

A

  • Wider application: applies to all providers of electronic communications services (e.g. messaging services on mobile phones, email and voice services, and not just traditional telecoms operators).
  • Consent is required to process communications content and metadata: under the proposed rules, content and metadata derived from electronic communications (e.g. time of a call, location, duration, websites visited) will need to be anonymised or deleted if users have not given their consent.
  • Revised rules on cookies: the Commission is of the view that the cookie rules contained in the ePrivacy Directive have resulted in an overload of consent requests. The new rules proposed in the ePrivacy Regulation seek to give users more control over their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks.