Chapter 1 - Intro to European Data Protection Flashcards
What was the rationale for data protection?
-During early 1970s there was increase in use of computers to process individual’s information
-Transborder trade encouraged by European Economic Community (EEC) encouraged rise in information sharing
-Automated storage of PI required new standards for individual control balanced with transborder flow of info.
What was the early challenges to create data protection standards?
-To maintain a balance between national level concerns for personal freedom and privacy with the ability to support free trade at the EEC level (European Economic Community).
What underlines EU data protection laws?
-That in the European Union, right to a private life and associated freedoms is considered fundamental human right.
When was the Universal Declaration of Human Rights adopted?
Adopted by General Assembly of United Nations on 10 December 1948
What is the Universal Declaration of Human Rights?
-Starting point for framing standards of protection for individuals.
-Was born after atrocities during WW2
-Contains specific provisions about right to private and family life and freedom of expression (basis for European data protection laws).
What are the key articles of the Universal Declaration of Human Rights?
-Article 12 -> Right to a private life and family and correspondence
-Article 19 -> Right to freedom of expression without interference (including media)
-Article 29(2) -> Individual rights are not absolute and there will be instances where balance must be struck.
When was the ECHR signed?
Rome 1950 - Council of Europe invited individual states to sign the ECHR
What is the European Convention of Human Rights (ECHR)
-International treaty to protect human rights and fundamental freedoms
-Applies only to member states
-All Council of Europe member states are party to ECHR & new members must ratify asap.
When did the ECHR enter into effect?
3 Sep 1953
Why is the ECHR important?
-Powerful instrument that protects a large scope of fundamental rights and freedoms (e.g., right to life/ prohibition of torture/ right to marry)
Who enforces the ECHR?
-European Court of Human Rights (ECtHR) in Strasbourg
-All rulings are binding on states concerned / can lead to amendment in legislation or change in government practice
-At request of Committee of Ministers of Council of Europe -> ECtHR may give advisory opinions concerning interpretation of ECHR
When and what was the ECtHR restructuring?
-1 Nov 1998
-Court system was restructured into a single full time Court of Human Rights
What are the key articles of the ECHR?
-Article 8 -> (not absolute right) Right to a private and family life and correspondence & no interference from public authority unless interests of national security/ public safety or economic well-being of country/ prevention of crime etc
-Article 10(1) - Right to freedom of expression (opinions etc) without interference of public authority
-Article 10(2) - Qualified right - so subject to conditions/ restritions / penalties necessary in democratic society & in interests of national security
What do both the UDHR and ECHR recognise?
The need for balance between the rights of individuals and the justifiable interference with these rights (recurring theme in data protection law).
Which countries took the lead in implementing early legislation aimed at controlling PI use by government agencies & large companies?
-7 countries
1. Austria
2. Denmark
3. France
4. Federal Republic of Germany
5. Norway
6. Sweden
7. Luxembourg
Which countries was data protection incorporated as a fundamental right in their constitutions?
- Spain
- Portugal
- Austria
What did the Council of Europe establish in the 1960s and why? (early regulations)
-Recommendation 509 on human rights and modern scientific developments
-From concern that national legislation did not adequately protect Article 8 ECHR right.
What were Resolutions 72/22 and 74/29?
-Built on Recommendation 509 by Council of Europe
-In 1973 and 1974
-Established principles for the protection of personal data in automated databanks in private & public sectors
What is the OECD and their role?
-The Organisation for Economic Co-operation and Development
-To achieve sustainable economic growth, sustainable employment & rising standard of living in both OECD members & nonmembers
What are the OECD Guidelines and when was it introduced?
-Published 23 Sep 1980
-Guidelines on Protection of Pirvacy and Transborder Flows of Personal Data
-Govern transborder data flows, protection of PI, harmonisation of DP law between countries.
-Do NOT draw distinction between public & private sectors.
-Neutral towards type of tech used/ no distinciton between manually or electronically gathered data
-Not legally binding but basis for countries with no legislation/ can be built into existing legislation
What is the significance of the OECD guidelines?
-Guidelines have far-reaching effect as OECD membership extends Europe
-To strike balance between protecting privacy and the rights/ freedoms of individuals without creating barriers to trade & allowing uninterrupted flow of personal data across national borders.
-Not legally binding but basis for countries with no legislation/ can be built into existing legislation
What are the important principles in the OECD guidelines?
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
What is the Collection Limitation Principle? (OECD Guidelines)
PI must be collected fairfully and lawfully & where appropriate with individual consent
What is the Data Quality Principle? (OECD Guidelines)
PI must be relevant, complete, accurate & up to date
What is the Purpose Specification Principle (OECD Guidelines)
Purpose for use of PI must be specified no later than time of collection & use must be compatible with purpose
What is the Limitation Principle? (OECD Guideliens)
Disclosure of PI must be consistent with specified purposes unless individual consented or data controller has lawful authority
What is the Security Safeguards Principle? (OECD Guidelines)
Reasonable security safeguards must be taken against risks e.g., loss, destruction, unauthorised use, destruction, modification, disclosure of PI
What is the Openness Principle? (OECD Guidelines)
General policy of openness with respect to uses of PI & identity/location of data controller
What is the Individual Participation Principle? (OECD Guidelines)
Sets out what individual is entitled to receive from data controller following request of PI (one of most important aspects)
What is the Accountability Principle? (OECD Guidelines)
Data controller responsbile for complying with measures stated before in principles
What do the OECD Guidelines state in terms of MS?
-Should take into consideration implications for other member countries
-Should take all reasonable steps to ensure transborder flow of personal data
-May engage in transborder flows of personal data between themselves except countries do not substantially observe Guidelines / circumvent legislation
-May impose restrictions on transfer of info to another country of categories of PI
-Avoid developing laws etc that would create obstacles to transborder data flow.
What type of data processing do the OECD guidelines recognise?
-Both automated and nonautomated systems
-Recognises that focusing only on automated may lead to loopholes (focus on nonautomated processing)
-Emphasis on safeguarding PI
Who created Convention 108?
-Adopted by Council of Europe
What is Convention 108?
-The Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data
-Consolidates/ reaffirms content of 1973 & 1974 resolutions
When did Convention 108 open for signature?
opened for MS to sign 28 Jan 1981 (also open to signature outside countries)
What is the significance of Convention 108?
The first legally binding international instrument in DP
-Requires signatories to take necessary steps/ apply principles in their domestic legislation
-Council of Europe took view that those holding/using PI in computer form have social responsibility to safeguard
-Remains only binding international legal instrument with worldwide scope of application in DP that is open to any country including non-members of Council of Europe
What is the aim of Convention 108?
-To achieve greater unity between its members & extend the safeguards for everyon’s rights/ fundamental freedoms considering increased transfer of PI between borders
-To set standards for protection of PI whilst balancing with free flow of personal data for international trade
What are the key chapters of Convention 108?
-Chapter 2 -> Substantive law provisions
-Chapter 3 -> Special rules on transborder data flows
-Chapter 4 -> Mechanisms for mutual assistance
-Chapter 5 -> Consultation between parties
Chapter II - Substantive law provisions (Convention 108)
-Similar to Guidelines & 1973/1974 Resolutions
-PI should be:
(1) obtained & processed fairly
(2) Stored for specific & legitimate purposes
(3) Adequate, relevant & not excessive in relation to purpose
(4) Accurate
(5) Kept in form that allows for identifiication of individuals for no longer than required
-Appropriate security measures, special category PD may not be processed unless domestic law provides safeguards
-Individuals must have right of communication, rectification & erasure of PI
Chapter III - Transborder data flows
-Article 12 of Convention 108 -> signatories should NOT impose any prohibitions/ special requirements for protection of privacy before data transfers take place
-Exceptions only when exporting country has specific rules in place in national law for special category PD / or transfer to country not party to Convention 108 / country does not provide equivalent protection
-Mentions introduction of additional protocol
What is the Additional Protocol?
-Opened for signature 2001
-Designed to address that Convention 108 did not provide measures for transfers to countries not party to Convention 108
-Introduction of adequacy concept (imported from EU 1995 DP Directive)
Chapter IV - Mutual Assistance
-Parties to Convention 108 must designate supervisory authority to oversee compliance with DP law & liaise with supervisory in other jurisidiction for mutual implementation
-Supervisory authorities required to assist individuals in exercise of rights
-These requirements further reinforced in Additional Protocol
What is Convention 108+?
-Jan 2011 - Convention 108 advisory committee laid foundations for modernisation
-May 2018 - Final version of a Protocol amending Convention 108 approved by Council of Europe’s Committee of Minisisters
-Signed Oct 2018 by 21 states
What was the object of Convention 108 and the Guidelines? What was there still a need for?
-The collective object was to introduce a harmonised approach to DP with implementation left to MS discretion.
-Issue was that discretion was resulting in different implementations of principles into national law.
-Lack of cohesive approach within MS -> serious implications for fundamental rights of individuals & impede free trade enshrined in Treaty of Rome.
Data Protection Directive 1995
-By the European Commission
-The protection of individuals in regard to processing of personal data & free movement of such data
What was the aim of the Data Protection Directive 1995?
-To further reinforce the protection of individuals’ fundamental privacy rights with the free flow of data from one MS to another / maintaining consistency with Articles 8 & Article 10 of ECHR
-Directives are bidning upon MS but leave natinoal authorities to figure out implementation
What were the cons of the DP Directive 1995?
-Significant differences in the ways MS implemented/applied Directive which made it difficult for businesses to take full advantage of internal market benefits.
-Incorrect implementation
-Inconsistencies e.g., MS differed their requirements to notify data protection authorities - led to substantial costs for businessess & those transferring PI out of EU
-1st report of European Commission on Directive in 2003 confirmed this problem.
When was the Charter of Fundamental Rights introduced?
Signed & announced by European Parliament, the Council & Comission on 7 Dec 2000 in Nice
What was the Charter of Fundamental Rights
-Further consolidates fundamental rights applicable in EU
-General principles set out in ECHR but specifically refers to protection of PD
-When Treaty of Lisbon came into force 2009. Charter was given binding legal effect
What are the key articles of the Charter of Fundamental Rights
-Articles 7 and 11 of the Charter reflect Articles 8 and 10 of ECHR
-Article 8 of the Charter is the right to protection of DP, fairly processed, specific purpose, individual right to access & rectify, supervisory authority to oversee compliance
-Limitations must be in accordance with Article 52 - mirrors limitations based on necessity & proportionality in ECHR
When was the Treaty of Lisbon signed & who?
-13 Dec 2007 / signed by MS
What is the aim of Treaty of Lisbon?
-To strengthen & improve the core structures of EU for efficient function
-To promote human dignity, freedom, democracy, equality, rule of law & respect
What is the Treaty of Lisbon?
-Amends the EU’s 2 core treaties -> the Treaty on EU & Treaty Establishing European Communty (now known as TFEU)
-Ensures all institutions of EU must protect individuals when processing PD.
-European DP Supervisor to regulate DP law compliance in EU institutions
Why was the General Data Protection Regulation (GDPR) introduced?
-Lack of harmonisation across MS towards DP
-The DP Directive 1995 was not keeping pace with tech advancements that was changing way PD collected/used/ accessed
When did the GDPR come into effect?
-Entered into force May 2016 but FULLY ENFORCEABLE by 25 May 2018
What is the significance of the GDPR?
-Regulations binding & apply directly to all MS without need to be implemented in national law.
-Regulation rather than Directive to maximise consistency of approach across MS.
What are the elements which can cause divergence of approach in relation to GDPR?
(1) When there are already sector specific laws in place (employee data etc)
(2) Archiving purposes in public interest/ scientific or historic research/ statistical purposes
(3) Processing of special categories of PD
(4) Processing in compliance with a legal obligation
What does the GDPR acknowledge?
-The objectives & principles in the Directive remain sound but it has resulted in fragmented implementation of DP across EU which is a risk to protection of PD
What were the key changes incorporated into the GDPR?
-Stronger rights for individuals (particularly online)
-Requirement that DP considered when new tech developed
-Introduction of accountability concept for organisations
-Increased powers for supervisory authorities
-Concept of the ‘one stop shop’
-Broader applicability to anyone targeting EU customers
Similarities of GDPR and Convention 108+
-Central definitions e.g., processor
-Need for a specific legal basis for processing data e.g., consent
-Inclusion of genetic data, biometric data etc as Special Categories of data
-Enhanced security requirements & obligation to declare data breaches
-Transparency
-Requirements to demonstrate compliance to supervisory authority / minimise risk of interference with processing etc
What were the new elements of Convention 108+?
-Close with Recital 105 of GDPR - taking into account adequate level of DP between countries data flow
-Broader role for Convention Committee to monitor MS treaty implementation
-Furthers global DP principles & influence of European legislation
When did the Law Enforcement Directive (LED) enter into force?
5 May 2016
What are the aims of the LED?
-To harmonise rules across MS to protect fundamental rights whenever PD used by criminal law enforcement authorities
-MS can provide higher safeguards in natinoal law to protect rights (LED doesn’t stop this)
When was the ePrivacy Directive introduced?
2002
What are the aims of the ePrivacy Directive?
-Sets out rules relating to processing PD across public communications networks
The Application of EU DP Law in UK after Brexit
-Domestic position remained unchanges aside from small differences e.g., national replacements for EU insitution roles
-UK GDPR is EU GDPR but accomodated e.g., Supervisory authority is ICO, replacing EU/ MS with UK, DPA amended by Exit Regulations / Still adhere to ECHR & Convention 108
-Still unknown if changes in future but must be compared to risk of free flow of data between EU and UK
Adequacy Post Brexit
-UK now seen as ‘third country
-Data flows from EU to UK will be restricted UNLESS UK regarded as adequate juridiction for EU purposes
-June 2021 - European Commission adopted 2 adequacy decisions for uk -> free flow could continue
What does EU adequacy depend on for the UK?
-Set out in GDPR Article 46(2)
(1) UK legislation maintains rule of law/ respects fundamental rights & freedoms
(2) UK provides effective & enforceable data subject rights / judicial procedures for data subjects
(3) UK effective independent supervisory authorities
(4) UK entered into international commitments/ participates in multilateral systems
-Sunset clause -> decision expires in 4 years & European Commission will need to review
