Chapter 3 Legislative Framework Flashcards

1
Q

What is Convention 108?

A

C. for the Protection of Individuals with regard to Automatic Processing of PD.
First legally binding international instrument in the field of PD

2
Q

Why is Convention 108 important?

A

3 reasons:
- it is based on a series of principles (accuracy, security, access to PD), similar to GDPR
- protects privacy but also recognizes the importance of the free flow of PD for commercial and public functions
- legally binding - member states must implement its principles in national law

3
Q

What is the purpose of Convention 108?

A

achieve greater unity between member states
extend the safeguards for individuals’ rights and fundamental freedoms in respect of automatic processing and flowing across national borders

4
Q

When and why was Convention 108 updated?

A

2018; includes additional safeguards to tackle challenges introduced by new technologies and practices

5
Q

When was the Data Protection Directive adopted and why?

A

1995; the differences in data protection laws amongst EU member states were impacting the free flow of data

6
Q

Advantage of the DPD over Convention 108?

A

Applicability to manual data - processing of manual data held in filing system is subject to the same obligations as the processing of PD by automatic means

7
Q

Which Data protection Authority was established under DPD?

A

Article 29 Working Party - to examine the operation of the Directive and provide opinions and advice to the Commission

8
Q

Which 2 legislative proposals emerged from the data protection reform led by the Commission?

A

GDPR and Law Enforcement Directive (LED)

9
Q

What is a trialogue?

A

Process to negotiate a new law in EU between the Commission, the Parliament and the Council

10
Q

When did GDPR and LED enter into force?

A

GDPR - 24 May 2016; enforceable from 25 May 2018
LED - 5 May 2016; must be transposed to national law by 6 May 2018

11
Q

How long is GDPR?

A

173 recitals and 99 Articles, 11 chapters

12
Q

Difference btw. recitals and articles

A

Recitals provide the theories and interpretations
Articles set out substantive obligations and contain the operative law

13
Q

Main difference btw Directive and GDPR

A
  • GDPR is directly applicable across all EU MS and doesn’t need transposing into national law
  • GDPR applies to the controllers and processors
  • GDPR applies for business outside EU if the use of PD relates to offering of goods or services to individuals in EU, irrespective of whether payment is required OR monitoring of individuals’ behavior in EU (eg. tracking of DS on the internet to analyse or predict their personal preferences triggers the application of GDPR).
    Directive applied if the processing equipment was based in the EU
  • Putting individuals in control of their data. Stricter conditions for consent! Parental consent is at the discretion of individual member states.
  • New and stronger rights for individuals - more control over their data
    • more detailed transparency obligations
    • new rights: portability (consent, contract), restriction of processing, right to be forgotten, in relation to the profiling
    • same rights as DPD: subject access, rectification, erasure, to object
  • a new accountability regime
  • data processor’s new obligations
  • International Data Transfers - BCRs, SCCs, approved code of conduct, approved certification mechanism
  • Security - obligations for controllers and processors alike. Notification of data breaches to individuals in case of high risk to harm
  • Enforcement and risk of noncompliance - individuals have the right to compensation for breaches for material or immaterial damages. High fines!
14
Q

What is LED?

A

EU Directive for the police and criminal justice sector aimed at protecting citizens’ fundamental rights to data protection when PD are used by criminal law enforcement authorities

15
Q

What are LED’s 3 main objectives?

A

Better cooperation between law enforcement authorities - enables them to exchange information more efficiently, improves cooperation in the fight against serious crime

Better protection of citizens’ data - including for the purpose of crime prevention, regardless if they are a victim, criminal or witness. Principles of necessity, proportionality and legality and appropriate safeguards for individuals.

Clear rules on international data flows - individuals must have the same level of protection as in the EU in case of transfer outside EU

16
Q

Purpose of ePrivacy Directive?

A

Contains specific rules for the electronic communications sector; it covers all electronic communications, including telecommunications, faxes, internet, email.
Publicly available ECS in public communications networks - communications over private networks not covered!
- equivalent level of protection of fundamental rights and freedoms with respect to the processing in the electronic communications sector
- free movement of data and EC equipment and services in the community

17
Q

What are key provisions of ePrivacy Directive?

A
  • T&O measures must be implemented for the security of the ECS
  • Confidentiality of communications and traffic data generated; exceptions: consent to interception & surveillance, or I&S is authorized by law
  • Most forms of digital marketing (emails, SMS…) require prior opt-in = consent. Exception in case of similar products and services on an opt-out basis
  • Restrictions in processing of traffic and billing data
  • Location data may be processed only if made anonymous or if processed with the consent and for the duration necessary to provide a value-added service
18
Q

Important changes to the ePrivacy Directive in 2011

A

Right for individuals and organisations to bring legal proceedings against unlawful communication
Cookies - the user must give consent for storing the information or gaining access to information already stored in the terminal equipment of the user. Information given to the user must be clear and comprehensive.

19
Q

When is the consent not needed?

A

If the technical storage or access is:
- for sole purpose of transmission of communication over the EC network
- strictly necessary for the provision of an information society service explicitly requested by the user

20
Q

Reform - ePrivacy Regulation

A

to harmonize specific privacy framework relating to EC within the EU
to ensure consistency with GDPR

21
Q

What are key features of ePrivacy regulation

A

wider application - not only telecoms operators but all providers of ECS (eg. messaging services on mobile phones)
a single set of directly applicable rules within EU to ensure the same level of protection to business and individuals
revised rules on cookies
protection against spam
fines similar to GDPR

22
Q

Directive on security of network and information systems - NIS Directive (2016)

A

first EU-wide cybersecurity legislation
reform - NIS 2 Directive in force from January 2023, October 2024 is the deadline to transpose its measures into national law

23
Q

AI Regulation

A
24
Q

Data Retention Directive

A

concerns data generated or processed in connection with the provision of publicly available ECS or public communications networks
is no longer part of the EU law, has been invalidated by CJEU