Chapter 1 Origins and Development of European Data Protection Law Flashcards
What gave rise to the need for European data protection law
although rules and legal frameworks existed to protect individual personal information in privacy, tort, secrecy and confidentiality existed. Additional controls were needed to regulate the automated storage of PI and cross-border trade.
What is the UDHR?
Universal Declaration of Human Rights.
When and by whom was the UDHR adopted?
10 December 1948, by the General Assembly of the UN.
What does Article 12 of the UDHR enshrine?
the right to privacy and the protection of the law from interference of said right:
no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence no attacks upon his honour and reputation. everyone has the right to the protection of the law against such interference or attacks.
What dos Article 19 of the UDHR enshrine?
the right to freedom of expression through any media frontiers:
everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.
What does Article 29(2) of the UDHR enshrine?
A reconciliation of Articles 12 and 19:
in the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and general welfare in a democratic society.
What is the ECHR?
European Convention on Human Rights
What is the ECtHR?
European Court of Human Rights, later restructured into the Court of Human Rights
When was the ECHR adopted?
3 September 1953 by member states of the Council of Europe.
What does Article 8 of the ECHR enshrine?
right to privacy, family life, home and correspondence:
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others
What does Article 10(1) of the ECHR enshrine?
the right to freedom of expression:
Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers
What does Article 10(2) of the ECHR enshrine?
qualifies the right to freedom of expression:
The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or the rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.
Which seven countries led the charge in implementing legislation aimed at controlling the use of PI by government agencies and large companies?
Austria, Denmark, France, Germany, Luxembourg, Norway, and Sweden
What is PI?
Personal Information.
What is Recommendation 509 on human rights and modern scientific and technological developments?
published with the intent to protect the right to privacy enshrined in article 8 of the ECHR in light of emerging technology
Resolutions 73/22 and 74/29
establishment of principles for the protection of personal data in automated databanks in pvt and public sectors. emerged due to diverging national legislation.
Who created the OECD guidelines on the protection of privacy and transborder flows of personal data?
Council of Europe
who created the CoE convention for the protection of individuals with regard to automated processing of personal data?
Council of Europe
when were the OECD guidelines established
23 September 1980
What is the other name for the ‘Council of Europe convention for the protection of individuals with regard to automated processing of personal data’?
Convention 108
what are the OECD Guidelines?
intended to govern the transborder flow of data and the protection of PI and privacy, with an aim to balance protection of rights to privacy and freedoms of expression without hindering trade and the free flow of data across borders.
What principles are outlined in the OECD Guidelines
Collection Limitation
Data Quality
Purpose specification
Use limitation
security safeguards
openness
individual participation
accountability
What is the OECD Guideline approach to private and public sectors
does not differentiate between the two
Does the OECD Guidelines differentiate between how the PI was gathered?
No, both electronic and other means are covered by the OECD.
Describe the collection limitation principle
Pi must be collected fairly and lawfully and where appropriate with the consent of the individual
Describe data quality principle
PI must be relevant, complete, accurate and up to date
Describe purpose specification principle
purpose for collecting PI must be specified no late than at the time of collection and must be compatible with that purpose.
Describe use limitation principle
disclosure of PI must be consistent with the purposes specified, UNLESS consent is given or the data controller has the lawful authority to do so.
Describe security safeguards principle
reasonable security safeguards must be taken against risks such as loss, unauthorised access, destruction, modification and disclosure of PI
Describe openness principle
general policy of openness with respect to uses of PI and the location & identity of DC (transparency)
Describe individual participation prinicple
what an individual is entitled to rceive from a DC pursuant to an request for their PI.
Describe accountability principle
a DC should be accountable to comply with the OECD Guideline principles
what do the guidelines say on transborder data flow?
- members should consider implications for domestic processing and the re-export of personal data
- ensure that transborder data flows are secure and uninterrupted.
- transborder flows may occur between member states unless the member is not ready to observe the guidelines.
- members may impose restrictions on transfer if the receiving country has no equivalent protections
-members should avoid creating privacy laws that hinder transborder flow of data
What is convention 108
The Convention for the Protection of Individuals with regard to automatic processing of Personal Data
When was Convention 108 adopted?
28 January 1981
What was the value of Convention 108
consolidates resolutions of 1973 and 1974.
was the first legally binding international instrument in the area of data protection, requiring signatories to take necessary steps in domestic legislation to apply the principles it lays down.
What are the three parts of Convention 108
- substantive law provisions in the form of basic principles
- special rules on transborder data flows
- mechanisms for mutual assistance and consultations between the parties.
What does Convention 108 say on how information undergoing automatic processing should be treated?
must be:
1. obtained and processed fairly
2. stored for specified and legitimate purposes and use for those purposes
3. adequate, relevant and not excessive in relation to the purposes
4. accurate and up to date
5. doesn’t unnecessarily identify individuals for longer than required for purpose
what principles regarding to PI are enshrined in Convention 108
- how PI should be treated (5)
- security measures to be taken to protect such information
- PI revealing racial, political, religious, health, sexual orientation, criminal convictions should be safeguarded
- individuals must have the right of communication, rectification, and erasure of PI held.
can signatories to Convention 108 make exception to provisions?
yes, only when necessary for the maintenance of a democratic society (i.e. state security & criminal investigation).
Do signatories of Convention 108 have to place restrictions on trans-border flows to other signatory states?
No, because it is assumed that they offer certain minimum protections enshrined in the Convention.
When is derogation from trans-border flow of data under Convention 108 allowed
- if importing signatory does not provide for equivalent protection detailing originating signatory state in its national legislation
- if the importing country is not a signatory
what did the Additional Protocol to Convention 108.
to allow for trans-border flow of data to non-signatories to Convention 108.
what did the additional protocol to Conveiton 108 introduce
the concept of “adequacy” compared to “equivalence” of protection
What is unique about Convention 108?
the only piece of data protection instrument that is international and allows for any state to be a signatory.
what is the Data Protection Directive
Directive 95/46/EC on the protection of individuals with regard to processing of personal data and on the free movement of such data.
what challenges were experienced with the Data Protection Directive
implementation by states vastly differed, which had the unintended consequence of hindering business.
what was the source of the Charter of fundamental rights
in 7 deember 2000, consolidated:
1. the EU treaty,
2. CJEU (court of justice of the european union) case law,
3. eu member state constitutional traditions,
4. European convention on human rights and
5. fundamental rights applicable within the EU.
which articles of the charter of fundamental rights enshrine art 8 and 10 of the ECHR?
Article 7 and 11.
what are the core values of art 8 of the charter of fundamental rights?
- fair processing
- carried out for specific purposes
- legitimate basis for processing
- individual right to access and rectification
- supervisory authority to oversee compliance.
when did the treaty of lisbon become effective
1 december 2009
what was the impact of the treaty of lisbon
amended treaty of EU and treaty establishing the European community (treaty on the functioning of the european union ‘TFEU’)
what does article 16 (1) of the TFEU
enshrines article 8 of the charter on fundamental rights.
when can member states make further legislative provisions to the GDPR?
- when there are sector-specific laws in place
- archiving purposes in the public interest
- processing special categories of personal data
- compliance with a legal obligation
how does GDPR apply?
all provisions apply entirely and directly upon entry to force without need to be localised into national law.
what key changes were incorporated into GDPR?
- stronger rights for individuals
- data protection by design and default
- introduction of accountability
- increased powers of supervisory authorities
- one stop shop
- applicability to anyone targeting EU consumers.
what is ‘data protection by design and by default’?
data protection must be considered when new technologies are being developed.
what is the law enforcement directive?
directive for the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes for the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
what is the objective of the law enforcement directive?
harmonising the rules to protect citizens fundamental rights whenever personal data are used by criminal enforcement authorities
what does the ePrivacy directive set out to do?
make rules on processing of personal data across public communication networks
what challenges were experienced with the e Privacy Directive
not covered by the GDPR, and not reviewed because of the complexity of privacy public policy
what is the current position regarding privacy law in the UK post Brexit?
GDPR was implemented mutatis mutandis.
what is the current privacy regulatory framework in the UK
- UK GDPR (as amended by the Data Protection, Privacy and Electronic Communications (Amednments)
- EU Exit regulations to accomodate Brexit
- DPA
- secondary legislation adopted by secretary of state to amend of DPA.
- codes of practice and guidance adopted by ICO
- international instruments regarding personal data which UK adheres to (ECHR and Convention 108)
what decision has been made post-Brexit regarding adequacy?
European Commission has determined that the UK privacy law regulatory regime is adequate for both the GDPR and LED.
what criterion was used to determine the adequacy of UK privacy law?
The UK:
1. maintains the rule of law, respecting human rights and fundamental freedoms
2. provides effective and enforceable subject rights
3. has independent supervisory authorities
4. has entered into international commitment and participates in multilateral or regional systems
describe the sunset clause in the adequacy decision for the UK?
the adequacy decision automatically expires in 4 years.
