Chapter 17 - Internet Technology & Communications Flashcards
What is cloud computing?
-Refers to the provision of information technology services over the internet.
-These services may be provided by a company for its users in a private cloud or by third-party suppliers.
-The services can include software, infrastructure (i.e., servers), hosting, and platforms (i.e., operating systems).
-Cloud computing has numerous applications, from personal webmail to corporate data storage, and can be subdivided into different types of service models: Infrastructure as a service (IaaS), Platform as a service (PaaS), and Software as a service (SaaS)
What are the applicable laws for cloud computing under the GDPR?
-Under Article 3, the GDPR applies where either the processing relates to the activities of an EU establishment of the controller or the processing relates to offering goods or services to individuals in the European Union or monitoring their behaviour, even when the controller or processor is not established in the European Union.
-The first test is retained from the Data Protection Directive 95/46/EC, and the second test represents a significant expansion in the applicability of European data protection law
What are the controllership issues in cloud computing?
-A controller is a natural or legal person, public authority, agency, or any other body which determines the purposes and means of processing.
-A processor is a natural or legal person, public authority, agency, or any other body that processes data on behalf of a controller, acting on the instructions of the controller.
-In most supply of services situations, the customer is typically a controller, and the supplier is a processor.
-However, cloud service suppliers may exercise discretion regarding the technical and organisational means of processing without becoming a controller, provided they do not process customer data for their own purposes
What are the requirements for cloud service contracts under the GDPR?
-GDPR sets out a detailed list of obligations on the processor that must be included in cloud service contracts, including:
-the subject matter,
-duration,
-nature,
-purpose of the processing,
-documented instructions,
-confidentiality,
-prescriptive security measures,
-notice of subprocessors,
-appropriate measures to ensure the data controller can meet its obligations,
-deletion or return of personal data once services are completed, and
-availability of information for audits
What are the applicable laws for cookies and similar technologies?
-ePrivacy Directive requires member states to ensure the storing of information, or gaining access to information already stored, in the terminal equipment of a subscriber or user is allowed only with the user’s consent, given after the user has been provided with clear and comprehensive information.
-Exemptions apply for cookies used for the sole purpose of carrying out the transmission of a communication or strictly necessary for the provider of an information society service explicitly requested by the subscriber or user
What are the conditions for international data transfers under the GDPR?
-GDPR imposes conditions on the transfer of personal data outside the EEA. Controllers must show evidence of appropriate safeguards for the protection of personal data transferred.
-Methods include geographically limiting the cloud, using:
-standard contractual clauses (SCCs),
-tailored data transfer agreements,
-processor binding corporate rules (BCRs),
-codes of conduct and certification,
-and reliance upon a derogation under Article 49 of the GDPR
What is the EU Cloud Code of Conduct?
-EU Cloud Code of Conduct, approved in May 2021, contains requirements applicable to cloud services for businesses (B2B cloud services) where the cloud provider is acting as a processor.
-Cloud providers that sign up to the Code must adhere to these requirements, and their compliance is verified by an independent monitoring body.
-The Code is designed to ensure cloud services can be used by business customers in compliance with the GDPR
What are cookies and similar technologies?
-A cookie is a small text file placed onto a user’s device when they visit a website, either by the website operator or by a third party.
-Cookies store information about the user’s visit, such as content viewed, language preference, time and duration of each visit, or advertisements accessed.
-Cookies can be used to track and create profiles of users’ online movements to serve them with targeted online advertising.
-Other tracking technologies include device fingerprinting, tags, pixels, web beacons, embedded scripts, and social plugins
What are the controllership issues for cookies?
-First-party cookies are placed and read by the operator of the website visited, making the website operator the controller of the personal data gathered by its own cookies.
-Third-party cookies are placed and read by an entity other than the website operator.
-Where the third party determines the means and purposes of processing the personal data gathered from third-party cookies, it is a controller and must comply with the GDPR
What are the applicable laws for IP addresses?
-IP addresses can be used to construct user profiles and are likely to be personal data subject to the GDPR.
-Both static and dynamic IP addresses will be personal data in the hands of ISPs because the ISP can link the IP address back to a particular customer.
-The CJEU ruled dynamic IP addresses would be personal data in the hands of the German state because German law allowed the state to obtain additional identifying information from ISPs
What are the legal bases for processing personal data obtained via cookies?
-Consent is required to place and read cookies under the ePrivacy Directive.
-The EDPB has expressed the view that consent will generally be the most adequate legal basis to cover subsequent processing.
-However, it is possible to obtain consent for these operations but rely on legitimate interest for subsequent processing carried out on personal data collected via cookies.
-The CJEU in the Fashion ID case accepted it is possible to rely on legitimate interest as the lawful basis for processing personal data initially collected via cookies
What are the controllership issues for search engines?
-Search engines determine the purposes and means of processing data about their users and are controllers of that personal data.
-The CJEU ruled search engines process the personal data contained in third-party webpages they crawl as controllers because they play a decisive role in the overall dissemination of the personal data and significantly affect the fundamental right to privacy of individuals
What are the applicable laws for search engines?
-If a search engine is established in the EEA, the processing activities carried out by that establishment will be subject to the GDPR.
-Search engines outside the EEA offering services to individuals inside the EEA will be subject to the GDPR by virtue of Article 3(2)(a).
-User log files are likely to be subject to the GDPR by virtue of Article 3(2)(b).
-The CJEU ruled in Google v. Spain that search engines process the personal data contained in the third-party webpages they crawl as controllers
What are the controllership issues for SMPs?
-SMP providers determine the purposes and means of processing and are controllers.
-Providers of third-party services offered through SMPs may also be controllers.
-The CJEU ruled in Wirtschaftsakademie that an entity administering a fan page on an SMP was a joint controller with the SMP in respect of the personal data collected by the SMP about visitors to the fan page.
-Advertisers and other parties targeting SMP users are likely to be joint controllers with the SMP
What are the applicable laws for social media platforms (SMPs)?
-SMP providers process personal data provided directly by users, generated by observing users’ actions, obtained from other sources, and inferred or predicted based on existing information.
-The processing of personal data is subject to the GDPR.
-SMP providers also make use of cookies and similar technologies, engaging the notice and consent requirements in the ePrivacy Directive
What are the transparency requirements for SMPs?
-SMP providers must provide all the information required under the GDPR.
-Users should be informed about the types of processing carried out, whether a profile based on their online behaviour will be built and used for targeted advertising, and what types of personal data will be used to build profiles.
-The essence of the arrangement between joint controllers must be made available to the data subject
What are the legal bases for processing personal data on SMPs?
-All processing of personal data under the GDPR must have a legal basis under Article 6.
-SMP providers must not process special categories of personal data unless one of the conditions set out in Article 9(2) applies.
-Special category data may be processed if it has been manifestly made public by the data subject or with explicit consent
What are the data subject rights for SMPs?
-Controllers must fulfil all valid requests by data subjects to exercise their rights under the GDPR.
-Recital 63 notes controllers should, where possible, provide data subjects with direct access to their personal data by means of remote access to a secure system.
-Data subjects can exercise their rights against either controller in joint controllership situations
What are the applicable laws for targeted online advertising?
-Targeted online advertising involves displaying advertisements to individuals based on known or predicted information about them, involving processing their personal data subject to the GDPR.
-Much of the personal data used to target individuals is derived from cookies or similar technology, engaging the notice and consent requirements in the ePrivacy Directive
What are the transparency requirements for targeted online advertising?
-Controllers must provide information to data subjects about how their personal data are processed.
-Adtech companies may face difficulties in discharging their notification obligations due to the lack of direct relationships with data subjects and the impracticality of identifying each recipient and source of personal data.
-The GDPR allows for the notification of categories of recipients and general information about the source of personal data
What are the controllership issues for targeted online advertising?
-Adtech companies generally determine the purposes and means by which personal data are collected, analysed, and processed to target online advertising, making them controllers.
-The CJEU ruled in Wirtschaftsakademie that advertisers using SMPs to target users are joint controllers with the SMP.
-The EDPB guidelines suggest these principles apply to advertisers using other adtech services
What are the legal bases for processing personal data for targeted online advertising?
-The two likely potential bases for processing carried out by adtech companies are consent and legitimate interest.
-Consent must be demonstrable and as easy to withdraw as to give.
-Legitimate interest involves a balancing test weighing the interest of the controller or third party against any detriment to the data subject.
-Legitimate interest may be the basis most likely to support the profiling activities of adtech companies
What are the transparency requirements for applications on mobile devices?
-The requirement to adequately inform users about how their information is used deserves particular attention due to the limited screen space available on mobile devices.
-Icons, visual signifiers, and layered notices can be useful tools.
-Notice may need to be provided before an app is downloaded, through a privacy notice displayed in the app store
What are the controllership issues for applications on mobile devices?
-Where an app collects personal data and sends it back to the app developer’s servers, the app developer is likely to be a data controller.
-Where an app processes personal data only on a user’s mobile device and does not send it back to the app developer’s servers, the situation is less clear.
-The question is whether the app developer or another entity is determining the purposes and means of processing personal data by the application