Chapter 1C: Legislative Framework Flashcards
The two primary reasons for Convention 108 were…
- the failure to respond to the Council of Europe’s 73 and 74 resolutions
- the need for reinforcement of principles found in those resolutions by means of a binding international instrument
What 3 main reasons made Convention 108 a defining moment of European Data Protection law?
It’s based on a series of principles addressing main concerns re: DP, including accuracy and security and the right of access
It ensures appropriate protections while recognising the importance of the free flow of personal data for commerce/public functions
It’s a legally binding instrument, requiring states to implement its principles by enacting national legislation
When was the Convention 108 updated by the Council of Europe and what with?
Late 2018 - to reinforce principles and include additional safeguards for issues re: new technologies
When it noticed that data protection law was differing between member states and that this was affecting free flow of data, the European Commission proposed what in 1990?
Data Protection Directive.
Why was the proposal of the Data Protection Directive significant?
It marked the starting point of the EU’s leadership in European data protection and the relative downgrading of the importance of Convention 108.
When was the Data Protection Directive formally adopted?
24 October 1995.
What is the Data Protection Directive built up of?
72 recitals, providing theories and interpretations and corresponding obligations, and 34 articles setting out the obligations of the member states to implement the requirement of the directive.
The Data Protection Directive’s 34 articles are arranged into 7 chapters:
- General provisions
- General rules on lawfulness
- Judicial remedies, liability, sanctions
- International transfers
- Codes of conduct
- Supervisory authority and working party
- Community implementing measures
What are two of the main general principles/concepts of the Data Protection Directive?
Necessity (to be lawful, the processing must be necessary)
Adequacy (prohibition of international transfers to jurisdictions that do not offer adequate protection)
The Data Protection Directive is a what based law?
Human rights based.
The Data Protection Directive mandated the development of a national…
Data Protection Authority for each state to act with independence in exercising their functions
What is WP29?
Article 29 Working Party; an independent body composed of representatives of national DPAs, the European Data Protection Supervisor and the Commission.
Where are WP29’s duties set out?
Set out in Article 30 of the Directive; it’s required to examine the operation of the directive and provide opinions and advice to the Commission.
When did the Commission publish proposals for a comprehensive reform of the Directive?
January 2012.
What two legislative proposals were included in the Commission’s proposal for the comprehensive reform of the directive?
- A regulation setting out a general EU framework for data protection
- A directive on protecting personal data for purposes of prevention, detection and investigation or prosecution of criminal offences and related activities (the Law Enforcement Data Protection Directive or LEDP Directive)
Key changes in the Data Protection Directive’s reform included…
- Single set of rules valid across the EU
- Increased responsibility/accountability
- Greater individual control of data and access to data
- The right to portability and right to be forgotten
- Stronger powers for DPAs, including fines
The GDPR was seen by the Commission as an essential step to…
strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market.
What is the GDPR comprised of?
- 99 Articles (operative law)
- 173 Recitals (crucial detail about interpretation)
The 99 articles of the GDPR are arranged in 11 chapters…
- General provisions
- Principles
- Data rights
- Controllers/processors
- International transfers
- Supervisory authorities
- Cooperation and consistency
- Remedies, liability and penalties
- Provisions relating to specific processing situations
- Delegated acts and implementing acts
- Final provisions
How did ‘application of the law’ differ between the Directive and the GDPR?
- Directive: applied only to controllers (C)
- GDPR: applies to both processors (P) and controllers (C)
- GDPR: applicability determined by the location of the data subject (DS)
- Directive: applicability determined only by the organisation’s establishment
- GDPR: tracking individuals on the internet to analyse their preferences triggers application
How did ‘individual control of data’ differ between the Directive and the Regulation?
- The regulation strengthens consent in relation to the use of data saying consent can’t be bundled with t&cs without distinguishing the two, can be withdrawn at any time, can’t be requested in return for goods/services and also that parental consent is required for under 16s for online services
How did rights for individuals differ between the Directive and the Regulation?
GDPR gives individuals a lot more control and stronger rights, and outlines a more detailed transparency obligation for clear concise language
New rights of data portability, restriction, right to be forgotten and profiling
Retained existing rights from the directive but removed the right to charge for access requests unless manifestly excessive
The regulation brought in a new accountability regime with various requirements to…
make businesses more accountable for their data practices, demonstrating compliance and being transparent about it. These include:
- Policies
- Data protection by design and default
- Record keeping obligations
- DPIAs
- Cooperation with supervisory authorities
- DPOs and consultations with DPAs on high risk cases
The regulation brought in new data processor obligations, imposing…
- Compliance obligations and possible sanctions directly on processors
- A processor (P) may not subcontract without consent from the controller (C)
- Contract language
- Security measures
- DPO appointment
- Compliance with international data transfer requirements
- Cooperation with the supervisory authority (SA)
Compliance obligations and possible sanctions fall directly on processors; a processor may not subcontract a service without the consent of the controller.
The Regulation requires specific terms in contracts between controllers and processors, and processors are required to maintain records of processing activities, implement security measures, appoint a DPO, comply with international data transfer requirements and cooperate with a supervisory authority.
The regulation made changes to international data transfers in the form of…
expanding the range of measures that may be used to legitimise such transfers, now including BCRs, SCCs adopted by the commission or DPA, approved code of conduct, certification mechanisms and other contractual clauses authorised by a DPA in accordance with the so-called consistency mechanism.
The GDPR made changes to security obligations in the form of…
Both controllers and processors must put in place appropriate technical and organisational measures to protect personal data, unlike the Directive, which placed this obligation only on controllers.
GDPR introduced a requirement to report data breaches to the DPA within 72 hours unless the breach was unlikely to result in a risk for the rights and freedoms of natural persons. If the risk of harm is high, individuals must be notified as well.
The regulation made changes to enforcement/risk of non compliance by…
affording individuals right to compensation for breaches for material and immaterial damage, and judicial remedies against decisions of a DPA which concern them
Individuals can also compel a DPA to act on a complaint
Significant increase in the potential severity of sanctions, including fines of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.
Includes infringements of basic principles, conditions for consent, data rights, conditions for lawful international transfers, orders by DPAs, specific obligations under national laws
The rules of the LEDP Directive have three main objectives:
- Better cooperation between law enforcement authorities
- Better protection of citizens’ data
- Clear rules for international data flows
In the e-Privacy directive, which replaced the 1997 directive to reflect the process of convergence, the EU widened its then existing telecommunication laws to cover…
all electronic comms, including telecomms, faxes, the internet, email and similar methods of communication.
The e-privacy directive saw the need for…
consistent and equal protections regardless of technologies used.
What was the aim of the e-privacy directive?
To harmonise the provisions of the Member States and ensure an equivalent level of protection of fundamental rights and freedoms, in particular the right to privacy with respect to the processing of personal data in the electronic communication sector, and to ensure the free movement of such data.
When was the e-Privacy directive originally proposed?
12 July 2000
But the adoption process took nearly 2 years (the last approval hurdles were cleared on 24 June 2002).
When was the e-privacy directive published and where? When did it need to be implemented by member states?
Published in the Official Journal of the EU 31 July 2002 - needed to be implemented into national law by no later than 31 October 2003.
When and why was the e-Privacy Directive amended?
24 November 2009 as part of wider reforms to EU telecommunications sector - it was designed to encourage greater industry competition, consumer choice and protections - including around right to privacy.
The directive does not apply to electronic communications if…
the service is not publicly available - this means communications over a private network, such as a company intranet, are generally not covered.
E-privacy relating to security…
Appropriate technical and organisational safeguards - the service provider is under a general obligation to inform the subscriber of any particular risk of a breach of the network’s security.
E-privacy relating to confidentiality…
Member states are required to ensure the confidentiality of comms and of traffic data, including users of such services who give their consent to interception and surveillance.
E-privacy relating to processing of traffic and billing data…
subject to certain restrictions.
E-privacy relating to location data…
only if made anonymous or processed with the consent of users and for the duration necessary for the provision of a value added service.
E-privacy relating to subscriber directories…
subscribers must be informed before being included in any directory.
Certain provisions of the eprivacy directive have been amended and were due to be implemented by member states by the end of May 2011. What were the most pertinent changes?
Introduction of mandatory notification of personal data breaches by electronic comms service providers - to the national authority and the individual where the breach is likely to adversely affect the privacy of the individual
What does Article 13 of the e-privacy directive re unsolicited communication provide?
Rights for individuals and orgs including internet service providers to bring legal proceedings against unlawful communications.
What was the most pertinent / arguably controversial amendment made to the e-Privacy directive, which concerned cookies?
Article 5(3) - the storing of cookies is only allowed if the user concerned has given consent, having been provided with clear information.
What are cookies?
Small text files sent automatically by websites to terminal equipment of the users. They enable organisations to personalise websites based on the users’ browsing habits and deliver preference-based advertising, bolstering revenues but also allowing users to navigate more easily and retrieve information found in the past/facilitate online shopping.
What are the exemptions to only being able to store cookies on consent?
For the sole purpose of carrying out the transmission of a communication or
strictly necessary for the provision of an information society service explicitly requested by the subscriber or user
How long did each EU member state have to transpose cookie consent requirements into national legislation?
2 years.
In July 2015, the Commission published a study on…
the effectiveness of the ePrivacy Directive, which proposed recommendations for its reform - launch of public consultation followed in April 2016.
On 10th January 2017, the Commission released a legislative proposal for…
a new ePrivacy Regulation to replace the existing directive.
What is the aim of the draft of the ePrivacy Regulation?
To harmonise the specific privacy framework re: electronic communications within the EU and ensure consistency with GDPR.
What are the key features of the ePrivacy regulation?
- Wider application
- A single set of rules
- Confidentiality of electronic communications
- Consent required to process communications content and metadata
- New business opportunities
- Revised rules on cookies (no consent needed for non-privacy-intrusive cookies)
- Protection against spam
- Enforcement
What are the consequences for non-compliance with the e-privacy Regulation?
- Breaches re: notice/consent, default privacy settings, public directories and unsolicited comms may be punished with fines of up to 10 million euros or 2 percent of total worldwide turnover
- Breaches of rules re: confidentiality of communications, permitted processing and time limits for erasure may be punished with fines of up to 20 million euros or 4% of total worldwide turnover
Where is the ePrivacy regulation now?
With European Parliament and the Council of the EU.
What was the purpose of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006?
To align the rules on data retention across EU member states and ensure the availability of traffic and location data for serious crime and antiterrorism purposes.
When was the Data Retention Directive struck off and why?
2014 by the Court of the European Union - invalid on the grounds that it was disproportionate in scope and incompatible with the rights to privacy and data protection under the EU Charter of Fundamental Rights.