Chapter 3 - Legislative Framework Flashcards
What is Convention 108?
-Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
-Opened for signature 28 Jan 1981
Why is Convention 108 significant?
-The first legally binding instrument in DP
-Defining moment in development of European DP law
3 Key reasons:
(1) Based on a series of principles that address the main concerns relating to DP -> including accuracy, security of PD & individual right of access to data (principles that are still found in EU GDPR & the Directive)
(2) Ensures appropriate protections for individual privacy but also recognises importance of free flow of PD for commerce & exercise of public functions (which is key component of current EU DP law) / no special authorisation for free flow
(3) Legally binding instrument requires signatory states to implement its principles by enacting national legislation
What were the reasons for Convention 108?
(1) MS failure to respond to the Council’s 1973 & 1974 Resolutions (concerned protection of privacy in public/private sectors)
(2) Need to reinforce the principles of the resolutions by a binding international instrument
When and which countries determined the general philosophy/ details of the draft convention?
-Governmental experts on DP from:
1. Austria
2. Federal Republic of Germany
3. Italy
4. Netherlands
5. Spain
6. Sweden
7. Switzerland
8. UK
What are the key chapters of Convention 108?
-Basic principles of DP - Chapter II / Articles 4-11
-Transborder data flows - Chapter III / Article 12
-Mutual assistance provisions - Chapter IV / Articles 13-17
When was the Data Protection Directive introduced and who introduced it?
-Commission proposed Directive in 1990
-Formally adopted 24 Oct 1995
Why was the Data Protection Directive 1995 significant?
-Marked the starting point of EU’s leadership in European DP/ downgrading of importance of Convention 108.
Why was the DP Directive 1995 introduced?
-As a harmonisation measure under the Treaty of Rome’s internal market provisions:
-Requires no obstacles to free movement of goods, persons, services & capital - which can’t take place without the free movement of PD
-Directive viewed as a HR law that protects principles of internal single market (to succeed, it needs free movement of PD/ protection of privacy).
-Can be seen in Article 1 Directive - MS should protect fundamental rights & freedoms of natural persons (in particular right to privacy with respect to processing PD) / MS shall not restrict or prohibit free flow of PD between MS under para 1 reasons
Content of DP Directive 1995
-72 recitals & 34 articles
-34 articles arranged in 7 chapters:
(1) General provisions
(2) General rules on lawfulness of processing of PD
(3) Judicial remedies, liabilities, sanctions
(4) Transfer of PD to 3rd countries
(5) Codes of conduct
(6) Supervisory authority & working party on protection of individuals with regard to processing of PD
(7) Community implementing measures
-Sets out general principles & left MS to implement them rather than telling them in detail how to implement them in national law -> differing interpretations/ DP requirements across Europe
-FOR EXAMPLE - the notification obligations set out in Articles 18-20 -> different interpretations implemented by MS
What are some key principles that the Directive set out?
-‘Necessity’ - one key concept - for data processing activity to be lawful the processing must be necessary
-Adequacy - Subject to certain exceptions, prohibited international data transfers to jurisdictions that do not offer adequate level of protection
What does the Directive do that Convention 108 does not really do?
-Major advance is its applicability to manual data
-Under Convention 108 only Council member countries had this option & few chose to implement
-HOWEVER, Directive changed this so processing of manual data held in filing system is subject to the same obligations as processing of PD by automatic means
What are the central requirements to lawful processing of PD in the DP Directive?
- Processed fairly and lawfully
- Collected for specified & legitimate purposes & not processed in a manner incompatible with this
- Adequate, relevant & not excessive
- Accurate and where necessary up to date
- Kept for no longer than necessary
- Processed in accordance with rights of individual
- Protected against accidental, unlawful, unauthorised processing by use of appropriate technical/organisational measures
- Transferred to countries outside European Economic Area (EEA) -> only if countries ensure adequate levels of protection/ conditions guaranteeing adequate protection
-Is a human-rights based law
-So contains specific provisions that articulate an individual's rights with regard to PD
What type of organisation does the Directive apply to?
-Organisations acting as ‘data controllers’ that were established in an EU member state
-Where there was no establishment but where organisation made use of data processing equipment on territory of MS -> organisation had to appoint representative to act on its behalf in MS
What does the Directive state about organisations with no establishment in EU?
-Where there was no establishment but where organisation made use of data processing equipment on territory of MS -> organisation had to appoint representative to act on its behalf in MS
What foundations did the Directive build upon from Convention 108?
-Identifies special categories of data = personal data revealing ethnic/ racial/ political opinions/ religious or philosophical beliefs/ Trade Union membership etc
What did the DP Directive mandate/ establish?
-The establishment of national data protection authority (DPA)
-& Article 29 Working Party (WP29) -> independent body composed of (1) representatives of national DPAs (2) European Data Protection Supervisors (EDPS) (3) Commission
What does Article 30 of the Directive set out?
-WP29 duties are set out in Article 30
-Required it to examine operation of Directive & to provide opinions/ advice to the Commission
What were the key factors that led the Commission to comprehensively review the Directive/ DP rules in EU?
(1) Divergence of national measures & practices implementing the Directive
(2) Resulting impact on businesses & individuals
(3) Developments in tech since Directive was drafted
What were the aims/ primary goals of the Commission’s reform in 2010 (after Directive)?
-Protecting individuals’ data (also in relation to access to data by law enforcement agencies)
-Reducing red tape for businesses
-Guaranteeing the free circulation of data within EU
What were the Commission’s 8 key changes in the reform after Directive?
-Single set of rules on DP valid across EU / certain admin requirements like the notification requirements for companies contained in Directive were removed as unduly costly to businesses
-Increased responsibility & accountability for those processing PD
-Enabling organisations to deal with a single national DPA in EU country where they have their main establishment / Providing individuals with ability to refer matters to DPA in their country (even when their data are processed by a company based outside EU).
-Giving individuals greater control of their own data & ability to transfer PD from one service provider to another more easily (right to data portability). / Aim of this proposal is to improve competition amongst services.
-Right to be forgotten to help people better manage DP risks online. / Commission proposed that individuals should be able to delete their data if there are no legitimate grounds for a business to retain it.
-Ensuring EU rules apply if PD are handled abroad by companies active in EU market & offer services to EU citizens.
-Strengthening powers of independent national DPAs so they can better enforce EU rules at home, including penalties of up to 1m euros / 2% of global annual turnover of company
-General DP principles & rules for police & judicial cooperation in criminal matters as contained in LED & applicable to both domestic & cross-border transfers of data.
What is the trilogue process & how does this relate to the Directive / Commission’s proposal for changes?
-Commission proposals submitted to Parliament / EU MS & Council
-3 Parties needed to reach agreement on draft texts before they became law through trilogue process
-Proposals were thoroughly debated / intensive legislative process of 4 years then compromise reached by Parliament, Council & Commission on 15 Dec 2015
When were the official texts of the GDPR & LED published in Official Journal of EU?
4 May 2016
When did the GDPR enter into force?
24 May 2016
When did the GDPR become enforceable?
25 May 2018