Chapter 3 Legislative Framework Flashcards
What is Convention 108?
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (PD).
First legally binding international instrument in the field of PD
Why is Convention 108 important?
3 reasons:
- it is based on a series of principles (accuracy, security, access to PD), similar to GDPR
- protects privacy but also recognizes the importance of the free flow of PD for commercial and public functions
- legally binding - member states must implement its principles in national law
What is the purpose of Convention 108?
achieve greater unity between member states
extend the safeguards for individuals’ rights and fundamental freedoms in respect of automatic processing of PD and its flows across national borders
When and why was Convention 108 updated?
2018; includes additional safeguards to tackle challenges introduced by new technologies and practices
When was the Data Protection Directive (DPD) adopted and why?
1995; the differences in data protection laws amongst EU member states were impacting the free flow of data
Advantage of the DPD over Convention 108?
Applicability to manual data - processing of manual data held in a filing system is subject to the same obligations as the processing of PD by automatic means
Which data protection authority was established under the DPD?
Article 29 Working Party - to examine the operation of the Directive and provide opinions and advice to the Commission
Which 2 legislative proposals emerged from the data protection reform led by the Commission?
GDPR and Law Enforcement Directive (LED)
What is a trialogue?
Process to negotiate a new law in the EU between the Commission, the Parliament and the Council
When did GDPR and LED enter into force?
GDPR - 24 May 2016; enforceable from 25 May 2018
LED - 5 May 2016; must be transposed to national law by 6 May 2018
How long is GDPR?
173 recitals, 99 Articles and 11 chapters
Difference between recitals and articles
Recitals provide the reasoning and aid interpretation
Articles set out substantive obligations and contain the operative law
Main differences between the Directive and GDPR
- GDPR is directly applicable across all EU MS and doesn’t need transposing into national law
- GDPR applies to controllers and processors
- GDPR applies to businesses outside the EU if the use of PD relates to the offering of goods or services to individuals in the EU, irrespective of whether payment is required, OR to monitoring of individuals’ behaviour in the EU (e.g. tracking of DS on the internet to analyse or predict their personal preferences triggers the application of GDPR). The Directive applied only if the processing equipment was based in the EU.
- Putting individuals in control of their data - stricter conditions for consent! Parental consent is at the discretion of individual member states.
- New and stronger rights for individuals - more control over their data
- More detailed transparency obligations
- New rights: portability (consent, contract), restriction of processing, right to be forgotten, and rights in relation to profiling
- Same rights as under the DPD: subject access, rectification, erasure, right to object
- A new accountability regime
- New obligations for data processors
- International data transfers - BCRs, SCCs, approved code of conduct, approved certification mechanism
- Security - obligations for controllers and processors alike. Notification of data breaches to individuals in case of high risk of harm
- Enforcement and risk of non-compliance - individuals have the right to compensation for material or immaterial damage resulting from breaches. High fines!
What is LED?
EU Directive for the police and criminal justice sector aimed at protecting citizens’ fundamental right to data protection when PD are used by criminal law enforcement authorities
What are LED’s 3 main objectives?
Better cooperation between law enforcement authorities - enables them to exchange information more efficiently, improves cooperation in the fight against serious crime
Better protection of citizens’ data - including for the purpose of crime prevention, regardless of whether they are a victim, criminal or witness. Principles of necessity, proportionality and legality, and appropriate safeguards for individuals.
Clear rules on international data flows - individuals must have the same level of protection as in the EU in case of transfer outside EU
Purpose of ePrivacy Directive?
Contains specific rules for the electronic communications sector; it covers all electronic communications, including telecommunications, faxes, internet, email.
Applies to publicly available ECS in public communications networks - communications over private networks are not covered!
- equivalent level of protection of fundamental rights and freedoms with respect to processing in the electronic communications sector
- free movement of data and EC equipment and services in the Community
What are key provisions of ePrivacy Directive?
- Technical and organisational (T&O) measures must be implemented for the security of the ECS
- Confidentiality of communications and the traffic data generated; exceptions: consent to interception and surveillance (I&S), or I&S authorised by law
- Most forms of digital marketing (emails, SMS…) require prior opt-in = consent. Exception: similar products and services may be marketed on an opt-out basis
- Restrictions on processing of traffic and billing data
- Location data may be processed only if made anonymous, or if processed with consent and for the duration necessary to provide a value-added service
Important changes to the ePrivacy Directive in 2011
Right for individuals and organisations to bring legal proceedings against unlawful communication
Cookies - the user must give consent for storing information in, or gaining access to information already stored in, the terminal equipment of the user. Information given to the user must be clear and comprehensive.
When is the consent not needed?
If the technical storage or access is:
- for the sole purpose of transmission of a communication over the EC network
- strictly necessary for the provision of an information society service explicitly requested by the user
Reform - ePrivacy Regulation
to harmonize specific privacy framework relating to EC within the EU
to ensure consistency with GDPR
What are the key features of the ePrivacy Regulation?
wider application - not only telecoms operators but all providers of ECS (e.g. messaging services on mobile phones)
a single set of directly applicable rules within the EU to ensure the same level of protection for businesses and individuals
revised rules on cookies
protection against spam
fines similar to GDPR
Directive on security of network and information systems - NIS Directive (2016)
first EU-wide cybersecurity legislation
reform - NIS 2 Directive, in force from January 2023; October 2024 is the deadline to transpose its measures into national law
AI Regulation
Data Retention Directive
concerns data generated or processed in connection with the provision of publicly available ECS or public communications networks
is no longer part of EU law; it was invalidated by the CJEU