Chapter 1C: Legislative Framework Flashcards

1
Q

The two primary reasons for Convention 108 were…

A
  • the failure to respond to the Council of Europe’s 73 and 74 resolutions
  • the need for reinforcement of principles found in those resolutions by means of a binding international instrument
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What 3 main reasons made Convention 108 a defining moment of European Data Protection law?

A

It’s based on a series of principles addressing main concerns re: DP, including accuracy and security and the right of access

It ensures appropriate protections while recognising the importance of the free flow of personal data for commerce/public functions

It’s a legally binding instrument, requiring states to implement its principles by enacting national legislation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

When was the Convention 108 updated by the Council of Europe and what with?

A

Late 2018 - to reinforce principles and include additional safeguards for issues re: new technologies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

When it noticed that data protection law was differing between member states and that this was affecting free flow of data, the European Commission proposed what in 1990?

A

Data Protection Directive.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Why was the proposal of the Data Protection Directive significant?

A

It marked the starting point of the EU’s leadership in European data protection and the relative downgrading of the importance of Convention 108.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

When was the Data Protection Directive formally adopted?

A

24 October 1995.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the Data Protection Directive built up of?

A

72 recitals, providing theories and interpretations and corresponding obligations, and 34 articles setting out the obligations of the member states to implement the requirement of the directive.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

The Data Protection Directive’s 34 articles are arranged into 7 chapters:

A
  • General provisions
  • General rules on lawfulness
  • Judicial remedies, liability, sanctions
  • International transfers
  • Codes of conduct
  • Supervisory authority and working party
    Community implementing measures
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What are two of the main general principles/concepts of the Data Protection Directive?

A

Necessity (to be lawful, the processing must be necessary)

Adequacy (prohibition of international transfers to jurisdictions t hat do not offer adequate protection)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

The Data Protection Directive is a what based law?

A

Human rights based.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

The Data Protection Directive mandated the development of a national…

A

Data Protection Authority for each state to act with independence in exercising their functions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is WP29?

A

Article 29 Working Party; an independent body composed of representatives of national DPAs, the European Data Protection Supervisor and the Commission.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Where are WP29’s duties set out?

A

Set out in Article 30 of the Directive; it’s required to examine the operation of the directive and provide opinions and advise to the commission.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

When did the Commission publish proposals for a comprehensive reform of the Directive?

A

January 2012.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What two legislative proposals were included in the Commission’s proposal for the comprehensive reform of the directive?

A
  • A regulation setting out a general EU framework for data protection
  • A directive on protecting personal data for purposes of prevention, detection and investigation or prosecution of criminal offences and related activities (the Law Enforcement Data Protection Directive or LEDP Directive)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Key changes in the Data Protection Directive’s reform included…

A
  • Single set of rules valid across the EU
  • Increased responsibility/accountability
  • Greater individual control of data and access to data
  • The right to portability and right to be forgotten
  • Stronger powers for DPAs, including fines
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

The GDPR was seen by the Commission as an essential step to…

A

strengthen citizen’s fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is the GDPR comprised of?

A

99 Articles
173 recitals

Articles - operative law
Rectials - crucial detail about interpretation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

The 99 recitals of the GDPR are arranged in 11 chapters…

A
  1. General provisions
  2. Principles
  3. Data rights
  4. Controllers/processors
  5. International transfers
  6. Suprvisory authorities
  7. Cooperation and consistency
  8. Remedies, liability and penalties
  9. provisions relating to specific processing situations
  10. Delegated acts and implementing acts
  11. Final provisions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

How did ‘application of the law’ differ between the Directive and the GDPR?

A

Directive only C
GDPR applies to P & C

GDPR - Applicability determined by location of the DS
Directive - only orgs establishment

GDPR - Tracking on the internet to analyse their preferences triggers application

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

How did ‘individual control of data’ differ between the Directive and the Regulation?

A
  • The regulation strengthens consent in relation to the use of data saying consent can’t be bundled with t&cs without distinguishing the two, can be withdrawn at any time, can’t be requested in return for goods/services and also that parental consent is required for under 16s for online services
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

How did rights for individuals’ differ between the Directive and the Regulation?

A

GDPR gives individuals a lot more control and stronger rights, and outlines a more detailed transparency obligation for clear concise language

New rights of data portability, restriction, right to be forgotten and profiling

Retained existing rights from the directive but removed the right to charge for access requests unless manifestly excessive

23
Q

The regulation brought in a new accountability regime with various requirements to…

A

make businesses more accountable for their data practices, demonstrating compliance and being transparent about it

includes
Policies,
data protection by design and default,
record keeping obligations,
DPIAs and
cooperation with supervisory authorities,
DPOs and consultations with DPAs on high risk cases

24
Q

The regulation brought in new data processor obligations, imposing…

A

Compliance obligations and possible sanctions on processors
P may not subcontract without consent from C
Contract language
Security measures
DPO appointment
Comply with international data transfer requirements
cooperate with SA

compliance obligations and possible sanctions directly on processors; a processor may not subcontract a service without the consent of the controller.

Regulation requires respective terms for contract with controllers and processors are required to maintain records of processing activities, implement security measures, appoint a DPO and comply with international data transfer requirements and cooperate with a supervisory authority.

25
Q

The regulation made changes to international data transfers in the form of…

A

expanding the range of measures that may be used to legitimise such transfers, now including BCRs, SCCs adopted by the commission or DPA, approved code of conduct, certification mechanisms and other contractual clauses authorised by a DPA in accordance with the so-called consistency mechanism.

26
Q

The GDPR made changes to international data transfers in the form of…

A

Both C& P must put in place appropriate technical and organisational measures to protect personal data unlike directive which said only controllers.

GDPR introduced a requirement to report data breaches to the DPA within 72 hours unless the breach was unlikely to result in a risk for the rights and freedoms of natural persons. If risk of harm is high, individuals must be notifies as well.

27
Q

The regulation made changes to enforcement/risk of non compliance by…

A

affording individuals right to compensation for breaches for material and immaterial damage, and judicial remedies against decisions of a DPA which concern them

Individuals can also compel a DPA to act on a complaint

Significant increase in the potential severity of sanctions, including fines of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.

Includes infringements of basic principles, conditions for consent, data rights, conditions for lawful international transfers, orders by DPAs, specific obligations under national laws

28
Q

The rules of the LEDP Directive have three main objectives:

A
  • Better cooperation between law enforcement authorities
  • Better protection of citizen’s data
  • Clear rules for international data flows
29
Q

In the e-Privacy directive, which replaced the 1997 directive to reflect the process of convergence, the EU widened its then existing telecommunication laws to cover…

A

all electronic comms, including telecomms, faxes, the internet, email and similar methods of communication.

30
Q

The e-privacy directive saw the need for…

A

consistent and equal protections regardless of technologies used.

31
Q

What was the aim of the e-privacy directive?

A

To harmonise the provisions of the Member States and ensure an equivalent level of protection of fundamental rights and freedoms, in particular the right to privacy with respet to the processing of personal data in the electronic communication sector and to ensure the free movement of such data

32
Q

When was the e-Privacy directive originally proposed?

A

12 July 2000
But adoption process took nearly 2 years (last approval hurdles approved 24 June 2002)

33
Q

When was the e-privacy directive published and where? When did it need to be implemented by member states?

A

Published in the Official Journal of the EU 31 July 2002 - needed to be implemented into national law by no later than 31 October 2003.

34
Q

When and why was the e-Privacy Directive amended?

A

24 November 2009 as part of wider reforms to EU telecommunications sector - it was designed to encourage greater industry competition, consumer choice and protections - including around right to privacy.

35
Q

The directive does not apply to electronic communications if…

A

the service is not publicly available - this means communications over a private network, such as a company intranet, are generally not covered.

36
Q

E-privacy relating to security…

A

Appropriate technical and organisational safeguards - the service provider is under a general obligation to inform the subscribe of any particular risk of breach of network’s security.

37
Q

E-privacy relating to confidentiality…

A

member states are required ensure the confidentiality of comms and of traffic data, including users of such services who give their consent to interception and surveillance

38
Q

E-privacy relating to processing of traffic and billing data…

A

subject to certain restrictions.

39
Q

E-privacy relating to location data…

A

only if made anonymous or processed with the consent of users and for the duration necessary for the provision of a value added service.

40
Q

E-privacy relating to subscriber directories…

A

subscribers must be informed before being included in any directory.

41
Q

Certain provisions of the eprivacy directive have been amended and were due to be implemented by member states by the end of May 2011. What were the most pertinent changes?

A

Introduction of mandatory notification of personal data breaches by electronic comms service providers - to the national authority and the individual where the breach is likely to adversely affect the privacy of the individual

42
Q

What does Article 13 of the e-privacy directive re unsolicited communication provide?

A

Rights for individuals and orgs including internet service providers to bring legal proceedings against unlawful communications.

43
Q

What was the most pertinent / arguably controversial amendment made to the e-Privacy directive, which concerned cookies?

A

Article 5(3) - the storing of cookies is only allowed if the user concerned has given consent, having been provided with clear information.

44
Q

What are cookies?

A

Small text files sent automatically by websites to terminal equipment of the users. They enable organisations to personalise websites based on the users’ browsing habits and deliver preference-based advertising, bolstering revenues but also allowing users to navigate more easily and retrieve information found in the past/facilitate online shopping.

45
Q

What are the exemptions to only being able to store cookies on consent?

A

For the sole purpose of carrying out the transmission of a communication or
strictly necessary for the provision of an information society service explicitly requested by the subscriber or user

46
Q

How long did each EU member state have to transpose cookie consent requirements into national legislation?

A

2 years.

47
Q

In July 2015, the Commission published a study on…

A

the effectiveness of the ePrivacy Directive, which proposed recommendations for its reform - launch of public consultation followed in April 2016.

48
Q

On 10th January 2017, the Commission released a legislative proposal for…

A

a new ePrivacy Regulation to replace the existing directive.

49
Q

What is the aim of the draft of the ePrivacy Regulation?

A

To harmonise the specific privacy framework re: electronic communications within the EU and ensure consistency with GDPR.

50
Q

What are the key features of the ePrivacy regulation?

A
  • Wider application
  • A single set of rules
  • Confidentiality of electronic communications
  • Consent required to process communications content and metadata
  • New business opportunities
  • Revised rules on cookies (no consent needed for non-privacy-instrusive cookies)
  • Protection against spam
  • Enforcement
51
Q

What are the consequences for non-compliance with the e-privacy Regulation?

A
  • Breaches re: notice/consent, default privacy settings, public directories and unsolicited comms may be punished with fines of 10 million euros of 2 percent of total worldwide turnover
  • Breaches of rules re: confidentiality of communications, permitted processing and time limits for erasure may be punished with fines of up to 20 million euros or 4% of total worldwide turnover
52
Q

Where is the ePrivacy regulation now?

A

With European Parliament and the Council of the EU.

53
Q

What was the purpose of Directive 2006/24/EC of the European Parliament and of the Council f 15 March 2006?

A

To align the rules on data retention across EU member states and ensure the availability of traffic and location data for serious crime and antiterrorism purposes.

54
Q

When was the Data Retention Directive struck off and why?

A

2014 by the Court of the European Union - invalid on the grounds that it was disproportionate in scope and incompatible with the rights to privacy and data protection under the EU Charter of Fundamental Rights.