Chapter 1C: Legislative Framework Flashcards
The two primary reasons for Convention 108 were…
- the failure to respond to the Council of Europe’s 73 and 74 resolutions
- the need for reinforcement of principles found in those resolutions by means of a binding international instrument
What 3 main reasons made Convention 108 a defining moment of European Data Protection law?
It’s based on a series of principles addressing main concerns re: DP, including accuracy and security and the right of access
It ensures appropriate protections while recognising the importance of the free flow of personal data for commerce/public functions
It’s a legally binding instrument, requiring states to implement its principles by enacting national legislation
When was the Convention 108 updated by the Council of Europe and what with?
Late 2018 - to reinforce principles and include additional safeguards for issues re: new technologies
When it noticed that data protection law was differing between member states and that this was affecting free flow of data, the European Commission proposed what in 1990?
Data Protection Directive.
Why was the proposal of the Data Protection Directive significant?
It marked the starting point of the EU’s leadership in European data protection and the relative downgrading of the importance of Convention 108.
When was the Data Protection Directive formally adopted?
24 October 1995.
What is the Data Protection Directive built up of?
72 recitals, providing theories and interpretations and corresponding obligations, and 34 articles setting out the obligations of the member states to implement the requirement of the directive.
The Data Protection Directive’s 34 articles are arranged into 7 chapters:
- General provisions
- General rules on lawfulness
- Judicial remedies, liability, sanctions
- International transfers
- Codes of conduct
- Supervisory authority and working party
- Community implementing measures
What are two of the main general principles/concepts of the Data Protection Directive?
Necessity (to be lawful, the processing must be necessary)
Adequacy (prohibition of international transfers to jurisdictions that do not offer adequate protection)
The Data Protection Directive is a what based law?
Human rights based.
The Data Protection Directive mandated the development of a national…
Data Protection Authority for each state to act with independence in exercising their functions
What is WP29?
Article 29 Working Party; an independent body composed of representatives of national DPAs, the European Data Protection Supervisor and the Commission.
Where are WP29’s duties set out?
Set out in Article 30 of the Directive; it’s required to examine the operation of the Directive and provide opinions and advice to the Commission.
When did the Commission publish proposals for a comprehensive reform of the Directive?
January 2012.
What two legislative proposals were included in the Commission’s proposal for the comprehensive reform of the directive?
- A regulation setting out a general EU framework for data protection
- A directive on protecting personal data for purposes of prevention, detection and investigation or prosecution of criminal offences and related activities (the Law Enforcement Data Protection Directive or LEDP Directive)
Key changes in the Data Protection Directive’s reform included…
- Single set of rules valid across the EU
- Increased responsibility/accountability
- Greater individual control of data and access to data
- The right to portability and right to be forgotten
- Stronger powers for DPAs, including fines
The GDPR was seen by the Commission as an essential step to…
strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market.
What is the GDPR comprised of?
99 Articles
173 recitals
Articles - operative law
Recitals - crucial detail about interpretation
The 99 recitals of the GDPR are arranged in 11 chapters…
- General provisions
- Principles
- Data rights
- Controllers/processors
- International transfers
- Supervisory authorities
- Cooperation and consistency
- Remedies, liability and penalties
- Provisions relating to specific processing situations
- Delegated acts and implementing acts
- Final provisions
How did ‘application of the law’ differ between the Directive and the GDPR?
Directive only C
GDPR applies to P & C
GDPR - Applicability determined by location of the DS
Directive - only org’s establishment
GDPR - Tracking on the internet to analyse their preferences triggers application
How did ‘individual control of data’ differ between the Directive and the Regulation?
- The regulation strengthens consent in relation to the use of data saying consent can’t be bundled with t&cs without distinguishing the two, can be withdrawn at any time, can’t be requested in return for goods/services and also that parental consent is required for under 16s for online services