Chapter 1 (Origins & Development Of European Data Protection Law) Flashcards

1
Q

What concept underlies EU data protection laws?

A

That the right to a private life and associated freedoms is considered a fundamental human right.

2
Q

Who adopted the Universal Declaration of Human Rights, and when?

A

The General Assembly of the United Nations on December 10, 1948.

3
Q

What fundamental rights are enshrined in Articles 12, 19, and 29(2) of the 1948 Human Rights Declaration?

A

Article 12: right to a private life and associated freedoms.
Article 19: right to freedom of opinion and expression as well as right to seek, receive, and impart info and ideas through any media regardless of frontiers.
Article 29(2): individual rights are not absolute and there will be instances where a balance must be struck.

4
Q

What is the ECHR?

A

The European Convention on Human Rights, an international treaty to protect human rights and fundamental freedoms enacted on September 3, 1953.

5
Q

What body enforces the ECHR?

A

The European Court of Human Rights (ECtHR), restructured into the Court of Human Rights in 1988.

6
Q

What fundamental rights are laid out in Articles 8, 10(1), and 10(2) of the ECHR?

A

Article 8: right to private life and associated freedoms.
Article 10(1): protects the right of freedom of expression and the right to share info and ideas across national boundaries.
Article 10(2): clarifies that rights of individuals aren’t unqualified and justifiable interference OK.

7
Q

What 7 countries led in implementing legislation aimed at controlling the use of PI by government agencies and large companies?

A
  1. Austria
  2. Denmark
  3. France
  4. Federal Republic of Germany
  5. Luxembourg
  6. Norway
  7. Sweden
8
Q

What 3 countries incorporated data protection as a fundamental right in their constitutions?

A
  1. Spain
  2. Portugal
  3. Austria
9
Q

What is the OECD?

A

The Organization for Economic Co-operation and Development.

10
Q

What is the role of the OECD?

A

To promote policies designed to achieve the highest:
1. Sustainable economic growth
2. Sustainable employment
3. Rising standard of living

In both OECD member states and nonmember states, while maintaining financial stability.

11
Q

What did the OECD develop in 1980?

A

The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”)

12
Q

What is the aim of the OECD Guidelines?

A

To strike a balance between protecting the privacy, rights, and freedoms of individuals w/o creating any barriers to trade and allowing the uninterrupted flow of personal data across national borders.

13
Q

Are the OECD Guidelines legally binding?

A

No. They are intended to be flexible and serve either as a basis for legislation in countries that have no data protection legislation or as a set of principles that may be built into existing legislation.

14
Q

What are the 8 principles set forth in the OECD Guidelines?

A
  1. Collection Limitation
  2. Data Quality
  3. Purpose Specification
  4. Use Limitation
  5. Security Safeguards
  6. Openness Principle
  7. Individual Participation
  8. Accountability
15
Q

What is the Collection Limitation Principle outlined in the OECD Guidelines?

A

PI must be collected fairly and lawfully and, where appropriate, with the knowledge or consent of the individual concerned.

16
Q

What is the Data Quality Principle outlined in the OECD Guidelines?

A

PI must be relevant, complete, accurate, and up to date.

17
Q

What is the Purpose Specification Principle outlined in the OECD Guidelines?

A

The purpose for which the PI is to be used must be specified no later than at the time of collection, and any use must be compatible with that purpose.

18
Q

What is the Use Limitation Principle outlined in the OECD Guidelines?

A

Any disclosure of PI must be consistent with the purpose specified unless the individual has given consent or the data controller has lawful authority to do so.

19
Q

What is the Security Safeguards Principle outlined in the OECD Guidelines?

A

Reasonable security safeguards must be taken against risks, such as loss or unauthorized access, destruction, use, modification, or disclosure of PI.

20
Q

What is the Openness Principle outlined in the OECD Guidelines?

A

There should be a general policy of openness with respect to the uses of PI, as well as the identity and location of the data controller.

21
Q

What is the Individual Participation Principle outlined in the OECD Guidelines?

A

Sets out what an individual is entitled to receive from a data controller pursuant to a request for their PI.

22
Q

What is the Accountability Principle outlined in the OECD Guidelines?

A

A data controller should be accountable for complying with measures that ensure the previously stated principles.

23
Q

Of the 8 OECD Principles, which has become the most important aspect of subsequent data legislation?

A

The Individual Participation Principle.

24
Q

What are the 5 statements the OECD Guidelines make with regard to transborder data flow?

A
  1. Consider the implications for other member countries of domestic processing and re-export of personal data.
  2. Take all reasonable and appropriate steps to ensure transborder data flows of personal data, including transit through a member country, are uninterrupted and secure.
  3. Transborder flow of data OK except with countries that don’t observe Guidelines or where re-export would circumvent domestic privacy legislation.
  4. A member state may impose restrictions on transborder data flow for categories of personal data protected under its domestic legislation.
  5. Shouldn’t develop laws and policies that are unnecessarily restrictive to transborder data flow.
25
Q

What was the first legally binding international instrument in the area of data protection?

A

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).

26
Q

How do the OECD Guidelines and Convention 108 differ?

A

Convention 108 differs from the Guidelines in that it requires signatories to take the necessary steps in their domestic legislation to apply the principles it lays down with regard to processing PI.

27
Q

What are the 3 main parts of Convention 108?

A
  1. Substantive law provisions in the form of basic principles (Chapter 2)
  2. Special rules on transborder data flow (Chapter 3)
  3. Mechanisms for mutual assistance and consultation between the parties (Chapters 4 & 5)
28
Q

Under the substantive law provisions of Convention 108, personal info undergoing automatic processing shall be subject to what 5 conditions?

A
  1. Obtained and processed fairly and lawfully.
  2. Stored for specified and legit purposes and not used in a way incompatible with those purposes.
  3. Adequate, relevant, and not excessive in relation to the purposes for which they are stored.
  4. Accurate and, where necessary, kept up to date
  5. Preserved in a form that permits identification of the individuals for no longer than is required for the purpose for which info is stored
29
Q

Under the substantive law provisions of Convention 108 (outside of how to automatically process PI), what other 3 principles are outlined?

A
  1. Appropriate security measures must be taken to protect stored PI.
  2. PI that reveals racial origin, political opinions, or religious or other beliefs, as well as personal data that concerns health, sexual life, or criminal convictions may not be processed automatically unless domestic law provides appropriate safeguards.
  3. Individuals must have the right of communication, rectification, and erasure of held PI.
30
Q

When implementing Convention 108, when may signatories include an exception to the substantive law provisions?

A

Only when it is a necessary measure in a democratic society (e.g. state security or criminal investigation).

31
Q

What does Article 12 of Convention 108 provide?

A

That transfers of PI made between Convention 108 signatories generally shall not be subject to any prohibitions or require any special authorizations.

32
Q

When may a Convention 108 signatory place prohibitions or require special authorizations from another signatory before a data transfer can occur?

A

When the exporting country has specific rules in its national law for certain categories of data or automated personal data files and the importing country doesn’t provide similar protections.

33
Q

What does the 2001 Additional Protocol to Convention 108 provide?

A

It was designed to address the fact that Convention 108 didn’t provide any measures for transfers of PI to countries that weren’t signatories to Convention 108.

34
Q

What does the Additional Protocol to Convention 108 provide with regard to data transfers to non-signatory parties?

A

It introduced the concept of an “adequate” rather than an equivalent level of protection for PI.

35
Q

Under the mutual assistance provision of Convention 108 must a signatory appoint a supervisory authority?

A

Yes.

36
Q

Under Convention 108, what are the 3 responsibilities of a supervisory authority?

A
  1. To oversee compliance with data protection law.
  2. To liaise with supervisory authorities in other jurisdictions for purposes of consultation and mutual assistance re implementation
  3. To assist individuals in exercising their rights.
37
Q

Which international legal instrument remains as the only binding agreement with a worldwide scope of application in the data protection field?

A

Convention 108

38
Q

What is Convention 108+?

A

A modernizing protocol to Convention 108 to address challenges resulting from the use of new info and communications technologies.

39
Q

What is the Data Protection Directive?

A

Directive 95/46/EC undertaken by the European Commission to protect the processing of individuals’ personal data and the free movement of data, as well as harmonize data protection laws.

40
Q

What is the aim of the Data Protection Directive?

A

To further reconcile protecting individuals’ fundamental privacy rights with the free flow of data from one member state to another, maintaining consistency with Articles 8 and 10 of the ECHR.

41
Q

When was the Charter of Fundamental Rights signed and what is its purpose?

A

Signed December 7, 2000. It further consolidates fundamental rights applicable within the EU.

42
Q

When was the Charter of Fundamental Rights given binding legal effect?

A

In December 2009 when the Treaty of Lisbon came into force.

43
Q

Article 8 of the Charter of Fundamental Rights enshrines what 5 core values for the protection of personal data?

A
  1. The processing must be fair.
  2. The processing must be carried out for specified purposes.
  3. There must be a legit basis for the processing.
  4. Individuals must have the right to access and rectify personal data.
  5. There must be a supervisory authority to oversee compliance.
44
Q

When was the Treaty of Lisbon signed and effective?

A

Signed on December 13, 2007. Effective December 1, 2009.

45
Q

What is the main aim of the Treaty of Lisbon?

A

To strengthen and improve the core structures of the EU to enable it to function more efficiently.

46
Q

Which 2 core treaties of the EU does the Treaty of Lisbon amend?

A
  1. The Treaty on European Union
  2. The Treaty Establishing the European Community (renamed the Treaty on the Functioning of the European Union)
47
Q

What are 6 core values the Treaty of Lisbon promotes?

A
  1. Human dignity
  2. Freedom
  3. Democracy
  4. Equality
  5. The Rule of Law
  6. Respect for Human Rights
48
Q

What is the comprehensive reform of the Directive that the Commission proposed?

A

The General Data Protection Regulation (GDPR)

49
Q

When was the GDPR signed and fully enforceable?

A

Signed in May 2016 and became fully enforceable on May 25, 2018.

50
Q

What is the purpose of having the GDPR be a regulation instead of a directive?

A

To maximize consistency of approach amongst the EU member states.

51
Q

What are 4 examples of instances where member states may make further legislative provisions under the GDPR?

A
  1. Where there are already sector-specific laws in place, for example, in relation to the processing of employee data.
  2. Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
  3. Processing of special categories of personal data.
  4. Processing in compliance with a legal obligation.
52
Q

What are 6 key changes incorporated into the GDPR?

A
  1. Stronger rights for individuals, particularly in the online environment.
  2. A requirement that data protection be considered when new technologies are being developed.
  3. Introducing concept of accountability whereby orgs must be able to demonstrate compliance with the GDPR
  4. Increased powers for supervisory authorities
  5. The concept of the one-stop shop
  6. Broader applicability of the GDPR to anyone targeting EU consumers
53
Q

How many states signed Convention 108+ and when was it signed?

A

Signed on October 10, 2018 by 21 states.

54
Q

As amended, what is Convention 108+ intended to do?

A

Increase standards of data protection whilst maintaining compatibility with established and emergent regulatory frameworks.

55
Q

What is the Law Enforcement Directive (LED)?

A

A directive introduced by the European Commission to protect natural persons re the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data.

56
Q

When did the Law Enforcement Directive enter into force and when must member states have transposed the LED into their national law?

A

Entered into force on May 5, 2016. Member states had until May 6, 2018.

57
Q

What is the aim of the Law Enforcement Directive?

A

To harmonize the rules in place across the member states to protect citizens’ fundamental rights whenever personal data are used by criminal law enforcement authorities.

58
Q

Does the Law Enforcement Directive preclude member states from providing higher safeguards in their national laws to protect data subjects’ rights?

A

No.

59
Q

What does the ePrivacy Directive do?

A

It sets out rules relating to processing personal data across public electronic communications networks.

60
Q

Is the GDPR intended to impose additional obligations on top of the obligations contained in the ePrivacy Directive?

A

No.

61
Q

What are the 5 components of the UK’s data protection legal framework after Brexit?

A
  1. The UK GDPR, which is the GDPR, as it forms part of the EU law and as amended by the Data Protection, Privacy and Electronic Communications Amendments.
  2. The DPA as amended by the 2019 Regulations (Exit Regulations)
  3. The secondary legislation which may be adopted by the Secretary of State to amend the DPA or set out additional rules.
  4. The codes of practice and guidance adopted by the ICO
  5. International instruments re personal data which the UK adheres to, namely the ECHR and Convention 108.
62
Q

On June 28, 2021, the European Commission adopted 2 adequacy decisions for the UK under what laws?

A
  1. The GDPR
  2. The Law Enforcement Directive