Chapter 3 (Legislative Framework) Flashcards

1
Q

What were the 2 main reasons for Convention 108?

A
  1. The member states' failure to respond to the Council of Europe's 1973 and 1974 resolutions on the protection of privacy in the private and public sectors.
  2. The need to reinforce the principles found in those resolutions by means of a binding international instrument.
2
Q

What are the 3 main reasons that the Convention 108 is noteworthy?

A
  1. It is based on a series of principles that address the main concerns relating to data protection, principles that are still found in the GDPR.
  2. It ensures appropriate protections for individual privacy but also recognizes the importance of the free flow of personal data for commerce and the exercise of public functions.
  3. It requires signatory states to implement its principles by enacting national legislation.
3
Q

How many articles does Convention 108 have?

A

It has 27 articles.

4
Q

What are the 3 main parts of Convention 108?

A
  1. Basic principles of data protection (Chp. II, Articles 4-11)
  2. Transborder data flows (Chp. III, Article 12)
  3. Mutual assistance provisions (Chp. IV, Articles 13-17)
5
Q

What were 2 difficulties with Convention 108?

A
  1. Only a small number of states had ratified it.
  2. States' national data protection laws took a fragmented approach to its implementation.
6
Q

What marked the starting point of the EU’s leadership in European data protection and relative downgrading of importance for Convention 108?

A

When the European Commission proposed Directive 95/46/EC (the Data Protection Directive) in 1990.

7
Q

The Directive is comprised of how many recitals and articles? What do each set out?

A

72 recitals: provide the reasoning and interpretation behind the Directive and its corresponding obligations.

34 articles: set out the obligations of the member states in implementing the requirements of the Directive.

8
Q

Did the Directive set out general principles and leave member states to implement them or prescribe in detail how member states had to transpose the Directive’s principles into national law?

A

It set out general principles and left member states to implement them.

9
Q

What was a major advance of the Directive over Convention 108?

A

Unlike Convention 108, the Directive also applied to manual data. This meant that the processing of manual data held in a structured filing system was subject to the same obligations as personal data processed by automated means.

10
Q

What were the 8 key principles of the Directive with regard to personal data?

A

Personal data shall be:
1. Processed fairly and lawfully
2. Collected for specified and legitimate purposes and not further processed in a manner incompatible with those purposes
3. Adequate, relevant, and not excessive in relation to those purposes
4. Accurate and, where necessary, kept up to date
5. Kept for no longer than is necessary
6. Processed in accordance with the rights of the individual
7. Protected against accidental, unlawful, or unauthorized processing by the use of appropriate technical and organizational measures
8. Transferred to countries outside the European Economic Area (EEA) only if those countries ensure an adequate level of data protection

11
Q

What factors led to the Commission's efforts to reform the Directive?

A
  1. Divergence of the national measures and practices implementing the Directive
  2. The impact of those divergent measures on businesses and individuals
  3. Developments in technology since the Directive was drafted
12
Q

What were the 9 key changes the Commission proposed to reform the Directive?

A
  1. A single set of rules on data protection valid across the EU.
  2. Increased responsibility and accountability for those processing personal data.
  3. Enabling organizations, in some instances, to deal with a single DPA in the EU country where they have their main establishment.
  4. Giving individuals greater control over their data (e.g. explicit consent rather than implicit).
  5. Giving individuals easier access to their own data and the ability to transfer personal data from one service provider to another.
  6. A right to be forgotten to help people better manage data protection risks online.
  7. Ensuring EU rules apply if personal data are handled abroad by companies that are active in the EU market.
  8. Strengthening the powers of independent national DPAs so they can better enforce EU rules at home.
  9. General data protection principles and rules for police and judicial cooperation in criminal matters (as later contained in the LED), applicable to both domestic and cross-border transfers of data.
13
Q

How many recitals and articles does the GDPR have?

A

It has 173 recitals and 99 articles.

14
Q

The GDPR's articles are divided into 11 chapters. What are these chapters?

A
  1. General provisions
  2. Principles
  3. Rights of the data subject
  4. Controller and processor
  5. Transfers of personal data to third countries or international organizations
  6. Independent supervisory authorities
  7. Cooperation and consistency
  8. Remedies, liability, and penalties
  9. Provisions relating to specific processing situations
  10. Delegated acts and implementing acts
  11. Final provisions
15
Q

What are 3 ways the GDPR differs from the Directive regarding the application of the law?

A

The GDPR:
1. Is directly applicable across all EU member states without any further intervention from national parliaments.
2. Applies to data controllers AND processors.
3. Applies to non-EU companies based on the location of the data subjects (offering goods or services to, or monitoring the behaviour of, individuals in the EU), not on the location of processing equipment.

16
Q

In what 4 ways did the GDPR strengthen the concept of consent?

A
  1. Consent cannot be bundled with terms and conditions.
  2. It can be withdrawn at any time.
  3. Freely given consent cannot be packaged in a take-it-or-leave-it manner in return for goods and services.
  4. Parental consent is required for children under 16 in relation to information society services, though member states may set a lower age (not below 13).
17
Q

Under the GDPR, individuals are afforded far more control over their data through significantly strengthened rights. What are these rights?

A
  1. Much more detailed transparency obligations.
  2. New rights of data portability, restriction of processing, the right to be forgotten, and rights in relation to profiling.
  3. The retention of existing rights from the Directive, such as subject access, rectification, erasure, and the right to object.
18
Q

What is the most notable novelty of the GDPR?

A

The various requirements to make businesses more accountable for their data practices.

19
Q

What are 7 of the new accountability responsibilities under the GDPR?

A
  1. Implementation of data protection policies and measures to ensure an org’s data processing activities comply with the GDPR.
  2. Data protection by design and data protection by default
  3. Record-keeping obligations by controllers and processors
  4. Cooperation with supervisory authorities by controllers and processors
  5. Carrying out data protection impact assessments (DPIAs) for operations that present specific risks to individuals due to the nature or scope of the operation
  6. Prior consultation with DPAs in high-risk cases
  7. Mandatory data protection officers (DPOs) for controllers and processors in the public sector and for large-scale processing activities
20
Q

What is one of the GDPR’s most radical changes with regards to data processors?

A

The requirement that a processor may not subcontract a service (engage a sub-processor) without the prior written authorization, specific or general, of the controller.

21
Q

What 6 measures does the GDPR provide that expand cross-border data transfers?

A
  1. Binding corporate rules (BCRs)
  2. Standard contractual clauses (SCCs) adopted by the Commission
  3. SCCs adopted by a DPA and approved by the Commission
  4. An approved code of conduct
  5. An approved certification mechanism
  6. Other contractual clauses authorized by a DPA in accordance with the so-called consistency mechanism
22
Q

The GDPR increases the sanctions for infringements of what 5 provisions?

A
  1. The basic principles for processing, including conditions for consent
  2. The data subjects’ rights
  3. The conditions for lawful international data transfers
  4. Specific obligations under national laws where permitted by the GDPR
  5. Orders by DPAs, including suspension of data flows
23
Q

What does the Law Enforcement Directive govern?

A

Protects citizens’ fundamental right to data protection whenever data are used by criminal law enforcement authorities.

24
Q

What are the 3 main objectives of the Law Enforcement Directive (LED)?

A
  1. Better cooperation between law enforcement authorities
  2. Better protection of citizens’ data
  3. Clear rules for international data flow
25
Q

When was the Privacy and Electronic Communications Directive (ePrivacy Directive) passed? When was it amended?

A

Passed July 12, 2002

Amended November 24, 2009

26
Q

What is the scope of the ePrivacy Directive?

A

It applies to the processing of personal data via publicly available electronic communication services.

27
Q

What are the 6 key provisions of the ePrivacy Directive?

A
  1. Providers of publicly available electronic communications services are required to take appropriate technical and organizational measures to safeguard the security of their services.
  2. Member states are required to ensure the confidentiality of communications and of the related traffic data generated by such communications.
  3. Most forms of digital marketing, including Short Message Service (SMS), Multimedia Messaging Service (MMS), and faxes, require prior (opt-in) consent.
  4. Processing of traffic and billing data is subject to certain restrictions.
  5. Location data may be processed only if the data are made anonymous or, alternatively, processed with the consent of users for the duration necessary for the provision of a value-added service.
  6. Subscribers must be informed before being included in any directory.
28
Q

In 2011 the amendments to the ePrivacy Directive took effect. What are 3 of the most notable changes?

A
  1. Introduction of mandatory notification of personal data breaches by electronic communications service providers.
  2. Clarifications of the scope of the amended Directive and enhancement of the rights of action against unsolicited communications.
  3. Provisions affecting cookies (storing information on, or gaining access to information already stored on, a user's device requires user consent).
29
Q

Under the ePrivacy Directive, user consent is not needed to store or access cookies where the technical storage or access is what?

A
  1. For the sole purpose of carrying out the transmission of a communication over an electronic communications network.
  2. Strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.
30
Q

What is the ePrivacy Regulation?

A

A legislative proposal issued by the Commission on January 10, 2017 to replace the existing ePrivacy Directive.

31
Q

What is the high-level aim of the draft ePrivacy Regulation?

A

To harmonize the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR.

32
Q

What are the 8 key features of the ePrivacy Regulation?

A
  1. Wider application (all electronic communications services, not just traditional telecoms operators)
  2. Providing a single set of rules for electronic communications
  3. Confidentiality of electronic communications (e.g. no listening to, tapping, scanning, or storing of communications without consent)
  4. Unless users have given consent, all content and metadata derived from electronic communications (time of call, location, etc.) will need to be anonymized or deleted (unless a special circumstance applies)
  5. Creating new business opportunities (once consent is obtained)
  6. Creating a more streamlined approach to consent requests for cookies
  7. Protection against spam
  8. The enforcement of the confidentiality rules in the regulation will be the responsibility of national DPAs
33
Q

Under the draft ePrivacy Regulation, what breaches may be punished with fines of up to €10 million or 2% of total worldwide annual turnover?

A

Breaches of rules regarding:
1. Notice and consent
2. Default privacy settings
3. Publicly available directories
4. Unsolicited communications

34
Q

Under the draft ePrivacy Regulation, what breaches may be punished with fines of up to €20 million or 4% of total worldwide annual turnover?

A

Breaches of rules regarding:
1. Confidentiality of communications
2. Permitted processing of electronic communications data
3. Limits for erasure of data

35
Q

What is the Directive on security of network and information systems (NIS Directive), and when was it adopted/put into force?

A

Adopted July 6, 2016 and entered into force in August 2016.

It is the first piece of EU-wide cybersecurity legislation, intended to address the threats posed to network and information systems and thereby improve the functioning of the digital economy.

36
Q

What are the 3 main objectives of the NIS Directive?

A
  1. Improving national cybersecurity capabilities by requiring each member state to set up a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority.
  2. Building cooperation at the EU level by setting up a cooperation group across the member states to support and facilitate strategic cooperation and the exchange of information.
  3. Promoting a culture of risk management and incident reporting amongst key economic actors, notably operators of essential services (OESs) and digital service providers (DSPs).
37
Q

What is the NIS 2 Directive?

A

A Commission proposal that aims to replace and further develop the NIS Directive.

38
Q

What are some of the significant changes proposed by the NIS 2 Directive?

A
  1. Widening the scope of the NIS Directive to additional industry sectors
  2. Strengthening the existing rules on security requirements and incident reporting, while increasing the maximum fines that can be applied
39
Q

What was the Data Retention Directive designed to do?

A

Align the rules on data retention across EU member states to ensure the availability of traffic and location data for the purposes of investigating serious crime and terrorism.

40
Q

What ruling did the CJEU issue regarding the Data Retention Directive in 2014?

A

It ruled that the Directive was invalid on the grounds that it was disproportionate in scope and incompatible with the rights to privacy and data protection under the EU Charter of Fundamental Rights.

41
Q

Can the Commission take action against a member state if a directive is not implemented on time or if the implementation contravenes EU law?

A

Yes.

42
Q

What are opening clauses?

A

Provisions in a regulation that allow (or require) member states to enact their own national data protection rules that specify, supplement, or derogate from a given provision of that regulation.

43
Q

How many opening clauses does the GDPR have?

A

50 opening clauses