Chapter 3 - Legislative Framework Flashcards
What is Convention 108?
-Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
-Opened for signature 28 Jan 1981
Why is Convention 108 significant?
-The first legally binding international instrument in DP
-A defining moment in the development of European DP law
3 Key reasons:
(1) Based on a series of principles addressing the main concerns relating to DP -> including accuracy, security of PD & the individual's right of access to their data (principles that are still found in the EU GDPR & the Directive)
(2) Ensures appropriate protection for individual privacy but also recognises the importance of the free flow of PD for commerce & the exercise of public functions (a key component of current EU DP law) / no special authorisation required for free flow between parties
(3) As a legally binding instrument it requires signatory states to implement its principles by enacting national legislation
What were the reasons for Convention 108?
(1) MS failure to respond to the Council of Europe's 1973 & 1974 Resolutions (concerning protection of privacy in the private & public sectors respectively)
(2) Need to reinforce the principles in those resolutions by a binding international instrument
Which countries' experts determined the general philosophy/ details of the draft convention?
-Governmental experts on DP from:
1. Austria
2. Federal Republic of Germany
3. Italy
4. Netherlands
5. Spain
6. Sweden
7. Switzerland
8. UK
What are the key chapters of Convention 108?
-Basic principles of DP - Chapter II / Articles 4-11
-Transborder data flows - Chapter III / Article 12
-Mutual assistance provisions - Chapter IV / Articles 13-17
When was the Data Protection Directive and who introduced it?
-Commission proposed Directive in 1990
-Formally adopted 24 Oct 1995
Why was the Data Protection Directive 1995 significant?
-Marked the starting point of EU’s leadership in European DP/ downgrading of importance of Convention 108.
Why was the DP Directive 1995 introduced?
-As a harmonisation measure under the Treaty of Rome’s internal market provisions:
-Requires no obstacles to free movement of goods, persons, services & capital - which can’t take place without the free movement of PD
-Directive viewed as a human-rights law that also protects the internal single market (for the market to succeed it needs free movement of PD, which in turn requires protection of privacy).
-Can be seen in Article 1 Directive - MS shall protect the fundamental rights & freedoms of natural persons (in particular the right to privacy with respect to the processing of PD) / MS shall not restrict or prohibit the free flow of PD between MS for reasons connected with the protection afforded under para 1
Content of DP Directive 1995
-72 recitals & 34 articles
-34 articles arranged in 7 chapters:
(1) General provisions
(2) General rules on lawfulness of processing of PD
(3) Judicial remedies, liability & sanctions
(4) Transfer of PD to 3rd countries
(5) Codes of conduct
(6) Supervisory authority & working party on the protection of individuals with regard to the processing of PD
(7) Community implementing measures
-Sets out general principles & leaves MS to implement them, rather than prescribing in detail how they must be written into national law -> differing interpretations/ DP requirements across Europe
-FOR EXAMPLE - the notification obligations set out in Articles 18-20 -> interpreted & implemented differently by each MS
What are some key principles that the Directive set out?
-‘Necessity’ - one key concept - for data processing activity to be lawful the processing must be necessary
-Adequacy - Subject to certain exceptions, prohibited international data transfers to jurisdictions that do not offer adequate level of protection
What does the Directive do that Convention 108 does not really do?
-Major advance is its applicability to manual data
-Under Convention 108, extending protection to manual data was only an option for contracting states & few chose to take it up
-HOWEVER, Directive changed this so processing of manual data held in filing system is subject to the same obligations as processing of PD by automatic means
What are the central requirements to lawful processing of PD in the DP Directive?
- Processed fairly and lawfully
- Collected for specified & legitimate purposes & not processed in a manner incompatible with this
- Adequate, relevant & not excessive
- Accurate and where necessary up to date
- Kept for no longer than necessary
- Processed in accordance with rights of individual
- Protected against accidental or unlawful destruction, loss, alteration & unauthorised disclosure or access by appropriate technical/organisational measures (security of processing)
- Transferred to countries outside European Economic Area (EEA) -> only if countries ensure adequate levels of protection/ conditions guaranteeing adequate protection
-Is a human-rights based law
-So contains specific provisions that articulate an individuals rights with regard to PD
What type of organisation does the Directive apply to?
-Organisations acting as ‘data controllers’ that were established in an EU member state
What does the Directive state about organisations with no establishment in EU?
-Where there was no establishment but where organisation made use of data processing equipment on territory of MS -> organisation had to appoint representative to act on its behalf in MS
What foundations did the Directive build upon from Convention 108?
-Identifies special categories of data = personal data revealing racial/ ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, & data concerning health or sex life
What did the DP Directive mandate/ establish?
-The establishment of national data protection authority (DPA)
-& the Article 29 Working Party (WP29) -> independent advisory body composed of (1) representatives of the national DPAs (2) the European Data Protection Supervisor (EDPS) (3) the Commission
What does Article 30 of the Directive set out?
-WP29 duties are set out in Article 30
-Required it to examine operation of Directive & to provide opinions/ advice to the Commission
What were the key factors that led the Commission to comprehensively review the Directive/ DP rules in EU?
(1) Divergence of national measures & practices implementing the Directive
(2) Resulting impact on businesses & individuals
(3) Developments in tech since Directive was drafted
What were the aims/ primary goals of the Commission’s reform in 2010 (after Directive)?
-Protecting individuals’ data (also in relation to access to data by law enforcement agencies)
-Reducing red tape for businesses
-Guaranteeing the free circulation of data within EU
What were the Commission’s 8 key changes in the reform after Directive?
-Single set of rules on DP valid across the EU / certain administrative requirements, such as the notification requirements for companies contained in the Directive, removed as an undue cost to businesses
-Increased responsibility & accountability for those processing PD
-Enabling organisations to deal with a single national DPA in the EU country where they have their main establishment / Providing individuals with the ability to refer matters to the DPA in their own country (even when their data are processed by a company based outside the EU).
-Giving individuals greater control of their own data & ability to transfer PD from one service provider to another more easily (right to data portability). / Aim of this proposal is to improve competition amongst services.
-Right to be forgotten to help people better manage DP risks online. / Commission proposed that individuals should be able to delete their data if there are no legitimate grounds for a business to retain it.
-Ensuring EU rules apply if PD are handled abroad by companies active in EU market & offer services to EU citizens.
-Strengthening powers of independent national DPAs so they can better enforce EU rules at home, including penalties of up to 1m euros / 2% of global annual turnover of company
-General DP principles & rules for police & judicial cooperation in criminal matters as contained in LED & applicable to both domestic & cross-border transfers of data.
What is the trilogue process & how does this relate to the Directive / Commission’s proposal for changes?
-Commission proposals submitted to the Parliament & to the Council (representing the EU MS)
-The 3 parties needed to reach agreement on the draft texts before they became law, via the trilogue process
-Proposals were thoroughly debated / intensive legislative process of around 4 years, then a compromise was reached by Parliament, Council & Commission on 15 Dec 2015
When were the official texts of the GDPR & LED published in Official Journal of EU?
4 May 2016
When did the GDPR enter into force?
24 May 2016
When did the GDPR become enforceable?
25 May 2018
When did the LED enter into force?
5 May 2016
When were member states required to transpose the LED into their national law?
6 May 2018
What is the structure of the GDPR?
-Much longer than Directive
-173 recitals and 99 articles
-Similar to Directive, the recitals provide the theories/ interpretations behind GDPR & its corresponding obligations (recitals include crucial detail about how article should be interpreted)
-Articles set out substantive obligations
How are the articles arranged in the GDPR?
-11 Chapters
1. General Provisions
2. Principles
3. Rights of the data subject
4. Controller and processor
5. Transfers of PD to 3rd countries/ international organisations
6. Independent supervisory authorities
7. Cooperation and consistency
8. Remedies, liability & penalties
9. Provisions relating to specific processing situations
10. Delegated acts and implementing acts
11. Final provisions
What are the similarities and differences of the GDPR and Directive in relation to the application of the law?
Similarities:
-GDPR applies to businesses established in EU
Differences:
-GDPR is directly applicable across all EU MS without any further intervention of national parliaments
-GDPR not limited to data controllers -> many requirements apply equally to processors (new focus on compliance across ALL roles in the information life cycle).
What does the GDPR state in relation to applicability for businesses and how is this different to the Directive?
-Removed references found in Directive to EU-based processing equipment
-Applicability of GDPR to organisations not established in EU is determined by LOCATION of DATA SUBJECT.
-GDPR applies wherever a business's use of PD relates to offering goods/services to individuals in the EU (whether or not payment is required) or to monitoring individuals' behaviour in the EU
What does the GDPR say about tracking data subjects on the internet and what does this mean?
-Recital 24 of GDPR clarifies that tracking data subjects on the internet to analyse/predict their personal preferences triggers the application of the GDPR.
-Represents massive widening of application of rules - makes EVERY website that drops tracking cookies/ application to retrieve usage info subject to GDPR
How does the GDPR put individuals in control of their data in relation to consent?
-Emphasised by strengthening consent as compared with Directive:
(1) Consent cannot be bundled within T&Cs without clearly distinguishing between the uses of PD & the other matters governed by the T&Cs
(2) Consent can be withdrawn at any time & in an easy way explained to the individuals before obtained
(3) Consent requested in return for goods and services (take it or leave it manner) may NOT be regarded as freely given.
(4) Parental consent may be required in situations where organisations are offering an online service directly to a child. (Under 16 years by default - but MS may set a lower age, not below 13 - so organisations take a country-by-country approach)
How does the GDPR allow for a new accountability regime/ what are the measures it has introduced overall?
-Measures to ensure organisation’s data processing activities comply with GDPR
-Record keeping obligations by controllers and processors
-Cooperation with supervisory authorities by controllers & processors
-Carrying out DPIAs for operations that present specific risks to individuals due to nature/ scope of operation
-Prior consultation with DPAs in high risk cases
-Mandatory DPOs for controllers & processors in the public sector & for large-scale data processing activities
How does the GDPR allow for new and stronger rights for individuals / what does principles/ rights does it introduce?
(1) More detailed transparency obligations -> GDPR adds to categories of info must be provided to individuals at point of data collection/ within reasonable period.
-> Clear and plain language adapted to the individual data subject (e.g., info collected from a child)
(2) New rights of detailed portability / Restriction of processing / Right to be forgotten & in relation to profiling.
->Right to portability introduces right for people to receive info they have provided to businesses in structured/ commonly used & machine-readable format when info originally obtained from individual based on consent/ part of contract.
->General right to have that data transmitted from one business to another when technically feasible in certain circumstances.
(3) Retention of existing rights from the Directive, e.g. subject access, erasure & the right to object.
-Right to charge a fee for subject access has been removed unless the request is 'manifestly unfounded or excessive'
-ICO indicates a reasonable fee can be charged for the admin costs of complying with a manifestly unfounded/ excessive request, or if the individual requests FURTHER copies of their data
What are the new obligations for Data processors in the GDPR?
-Imposes number of compliance obligations & possible sanctions directly on service providers (data processors)
-> significant change from the Directive, which previously applied only to data controllers
-Requires prescriptive terms for contracts with controllers
-Most processors required to:
(1) Maintain records of their processing activities
(2) Implement appropriate security measures
(3) Appoint a DPO in certain circumstances
(4) Comply with international data transfer requirements
(5) Cooperate with supervisory authority if requested to do so
What does the GDPR state about international data transfers?
-Restrictions contained in Directive continue to exist under GDPR
-Transfers permitted to jurisdictions officially recognised by the Commission as adequate
-Both controllers & processors may only transfer PD outside EU if they put appropriate safeguards in place & condition that enforceable rights and effective legal remedies for individuals are available.
What measures did the GDPR release in relation to international data transfers and organisations?
-GDPR has expanded the range of measures that may be used to legitimise such transfers:
Binding Corporate Rules (BCRs): Internal rules adopted by multinational companies to ensure adequate protection of personal data transferred within the organization.
Standard Contractual Clauses (SCCs): Templates provided by the European Commission that companies can use to ensure data protection when transferring personal data to third countries.
SCCs adopted by a DPA & approved by the Commission: Similar to the standard SCCs but created by a Data Protection Authority (DPA) and approved by the European Commission.
Approved Code of Conduct: Codes developed by industry groups that outline data protection practices and are approved by a DPA.
Approved Certification Mechanism: Certifications that organizations can obtain to demonstrate compliance with GDPR requirements.
Other Contractual Clauses: Custom clauses authorized by a DPA, ensuring consistency with GDPR standards.
What does the GDPR state/ require in relation to security & how does this compare with what the Directive says?
-Both data controllers & processors are under an obligation to have in place appropriate technical & organisational measures to protect the PD they process.
-Under the Directive -> the obligations in law were imposed on controllers only
-GDPR also introduces a requirement to report personal data breaches to the relevant DPA without undue delay & where feasible within 72 hours of becoming aware of the breach
-> UNLESS the breach is 'unlikely to result in a risk to the rights & freedoms of natural persons'
-IF the breach is likely to result in a high risk to individuals = the affected individuals must also be notified
What does the GDPR state in relation to enforcement & risk of noncompliance / what rights does it give to individuals ?
-Affords individuals a right to compensation for breaches causing material & non-material damage
-Also judicial remedies against decisions of a DPA which concern them
-Individuals can compel a DPA to act on a complaint & have remedies against data controllers & processors that breach their rights by failing to comply with the GDPR.
-These rights can be exercised by not-for-profit consumer bodies on behalf of individuals.
What are the financial sanctions for noncompliance stated in GDPR?
-Significant increase in potential severity of sanctions
-Fines of up to 20 million euros OR 4% of total worldwide annual turnover (whichever is higher)
Infringements of which principles can lead to noncompliance risks under GDPR?
- Basic principles for processing, including conditions for consent
- Data subjects’ rights
- Conditions for lawful international data transfers
- Specific obligations under national laws, where permitted by GDPR
- Orders by DPAs, including suspension of data flows
What other legal instrument was complemented by the Directive?
-2008 Framework Decision (specific rules for protection of PD in police & judicial cooperation in criminal matters)
What is the aim of LED & who agreed on it?
-The Commission, Council & Parliament
-Aimed at protecting citizens' fundamental right to DP whenever PD is used by criminal law enforcement authorities
What are the three key objectives that the rules in the LED based upon?
- Better cooperation between law enforcement authorities -> able to exchange the info necessary for investigations more efficiently & effectively / LED 'takes account of the specific needs of law enforcement, respects the legal traditions in MS & is fully in line with the Charter of Fundamental Rights'
- Better protection of citizens' data -> LED aims to ensure individuals' PD is protected when processed for any law enforcement purpose, including crime prevention, whatever the individual's role (e.g., witness, criminal, victim) / Similar to GDPR -> all law enforcement processing in the EU must comply with necessity, proportionality & legality, with appropriate safeguards for individuals / Supervision ensured by independent national DPAs & effective judicial remedies must be provided
- Clear rules for international data flows -> LED contains specific rules for the transfer of PD by law enforcement authorities outside the EU, with the aim of ensuring the level of protection of individuals guaranteed in the EU is not undermined
What is the aim of the ePrivacy Directive and which article reflects this?
-Article 1
-Harmonises the provisions of MS to ensure protection of fundamental rights & freedoms
-In particular right to privacy
-With respect to processing of personal data in electronic communication & ensure free movement of such data
When was the ePrivacy Directive introduced?
-July 2002
When was the ePrivacy Directive amended again and why?
-25 November 2009 (Directive 2009/136/EC)
-Part of wider reforms to EU telecommunications sector affecting 5 different EU directives
-Reforms were designed to encourage greater industry competition, consumer choice, protections - including stronger consumer rights to privacy
What does the ePrivacy Directive apply to?
-The processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the EU
-If the electronic communications service is not publicly available, the ePrivacy Directive does not apply
-SO, communications over a private network (e.g., a company intranet) are not covered, but general DP law (the Directive, now GDPR) still applies if PD is processed
What does the ePrivacy Directive say about the providers of public electronic comms?
-Required to take appropriate technical & organisational measures
1. to safeguard the security of their services
2. Work with the provider of the network on which the service runs (where appropriate) to ensure security
-Service provider is under a general obligation to inform subscribers of any particular risk of a breach of network security
What are MS required to do according to ePrivacy Directive?
-Required to ensure confidentiality of communications and traffic data generated by such communications
Subject to certain exceptions:
-Including where users of such services give their consent to interception and surveillance
-Where interception & surveillance is authorised by law
What forms of comms does the ePrivacy Directive cover?
-Most forms of digital marketing require prior opt-in consent:
1. Emails
2. SMS - Short Message Service
3. MMS - Multimedia Messaging Service
4. Faxes
-Does NOT include person-to-person telephone marketing (left to national rules, typically opt-out)
-Limited 'soft opt-in' exemption for businesses to send marketing to their existing customers for similar products/ services on an opt-out basis
What does the ePrivacy Directive state in relation to processing of traffic & billing data?
-Subject to certain restrictions
-For example, users of publicly available electronic communication service have certain rights with regard to itemised billing, call-line identification, directories, call forwarding & unsolicited calls
What does the ePrivacy Directive state in relation to location data?
-May only be processed if the data are made anonymous OR processed with the consent of the users, & only for the duration necessary for the provision of a value-added service
What does the ePrivacy Directive state about subscribers?
-That subscribers must be informed before being included in any directory
What does the ePrivacy Directive say about terminal equipment?
-MS may adopt measures to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data.
-But MS should avoid imposing mandatory technical requirements which could impede the placing of equipment on the market & the free circulation of such equipment in/between MS.
What were the amendments to the ePrivacy Directive?
(1) Introduction of mandatory notification of personal data breaches by electronic communications service providers to both the relevant national authority & the relevant individual (where the breach is likely to adversely affect the PD/privacy of a subscriber or individual)
(2) Clarifications of the scope of the amended Directive & enhancement of rights of action against unsolicited communications
-Article 13 (Unsolicited Comms) - provides a right for individuals & organisations, including internet service providers (ISPs), to bring legal proceedings against unlawful unsolicited communications.
What is the most important/ controversial amendment to the ePrivacy Directive and the exceptions?
-Concerns cookies
-Article 5(3) Directive -> storing info in, or gaining access to info already stored in, the terminal equipment of a subscriber/user is only allowed if the user has given consent, having been provided with CLEAR & comprehensive information in accordance with the DP Directive
Exceptions to this:
-Where technical storage/ access is for the sole purpose of carrying out the transmission of a communication over an electronic communications network
-OR strictly necessary for provision of an info society service explicitly requested by subscriber/user
What are cookies and why are they important?
-Cookies -> small text files sent by many websites to, & stored on, the terminal equipment of users of those sites.
-Cookies are vitally important for organisations & individuals - they enable organisations to personalise websites based on users' browsing habits & deliver online advertising based on preferences -> supports revenue generated by online advertising; for users they allow easy navigation of a site's pages, facilitate online shopping & retrieve info found in the past.
How long did MS have to tranpose the cookie consent requirements under the ePrivacy Directive?
-2 years to transpose into national legislation
-Has been done by most but not all with degree of variation on a country-by-country basis
What is left undefined in relation to cookies consent under ePrivacy Directive?
-The way consent obtained is undefined & since GDPR came into effect, the cookie consent requirements are interpreted by reference to the definition of consent in GDPR
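The Article 5(3) rule and the GDPR definition of consent that now governs it (granular, not bundled with T&Cs, withdrawable at any time) are what a site actually has to implement before it sets or reads anything on a user's device. The block below is an added example, not code from the flashcards or from any regulator; the cookie names, the purpose categories and the registry are constructed for illustration. It refuses everything by default, lets through only the two exemptions in Art. 5(3), records consent per purpose, and treats withdrawal as a single call.

```javascript
// Added example (not part of the original flashcards): a consent gate for
// cookies and similar storage on a user's terminal equipment under ePrivacy
// Art. 5(3), with consent handled as GDPR requires (granular, withdrawable).
// Cookie names, purposes and the registry are hypothetical.

const PURPOSE = Object.freeze({
  STRICTLY_NECESSARY: "strictly_necessary", // Art. 5(3): needed for a service the user explicitly requested
  TRANSMISSION: "transmission",             // Art. 5(3): sole purpose is carrying out a transmission
  FUNCTIONAL: "functional",                 // convenience only: consent needed
  ANALYTICS: "analytics",                   // tracking: consent needed
  ADVERTISING: "advertising",               // tracking: consent needed
});

// Purposes that may be stored or read without consent.
const EXEMPT_PURPOSES = new Set([PURPOSE.STRICTLY_NECESSARY, PURPOSE.TRANSMISSION]);

// Hypothetical registry: every cookie the site uses, tagged with its purpose.
// Anything not listed here is refused by default.
const COOKIE_REGISTRY = Object.freeze({
  sessionid: { purpose: PURPOSE.STRICTLY_NECESSARY },
  csrftoken: { purpose: PURPOSE.STRICTLY_NECESSARY },
  cart:      { purpose: PURPOSE.STRICTLY_NECESSARY },
  lang:      { purpose: PURPOSE.FUNCTIONAL },
  _ga:       { purpose: PURPOSE.ANALYTICS },
  ad_id:     { purpose: PURPOSE.ADVERTISING },
});

// A fresh consent record grants nothing: the default state is "refused".
function createConsentRecord() {
  return { granted: new Map() };
}

// Record consent one purpose at a time, never as an all-or-nothing bundle.
function grantConsent(record, purposes, now = Date.now()) {
  for (const p of purposes) {
    if (!Object.values(PURPOSE).includes(p)) throw new Error(`unknown purpose: ${p}`);
    record.granted.set(p, { at: now });
  }
  return record;
}

// Withdrawal must be as easy as giving consent: one call, at any time.
function withdrawConsent(record, purposes) {
  for (const p of purposes) record.granted.delete(p);
  return record;
}

// Decide whether a named cookie may be stored on, or read from, the device.
function mayUseCookie(registry, record, name) {
  const entry = registry[name];
  if (!entry) return { allowed: false, reason: "unregistered cookie, refused by default" };
  if (EXEMPT_PURPOSES.has(entry.purpose)) return { allowed: true, reason: `Art. 5(3) exemption (${entry.purpose})` };
  if (record.granted.has(entry.purpose)) return { allowed: true, reason: `consent recorded for ${entry.purpose}` };
  return { allowed: false, reason: `no consent for ${entry.purpose}` };
}

// Apply the gate to a batch of outgoing Set-Cookie intents; return the names that survive.
function filterSetCookies(registry, record, cookies) {
  return cookies
    .filter((c) => mayUseCookie(registry, record, c.name).allowed)
    .map((c) => c.name);
}

// Stand-alone walk-through on constructed data: no consent, analytics consent, withdrawal.
function demo() {
  const record = createConsentRecord();
  const intents = [
    { name: "sessionid", value: "abc" },
    { name: "_ga", value: "GA1.2.1" },
    { name: "ad_id", value: "x1" },
    { name: "tracker", value: "y" }, // not in the registry: always refused
  ];
  const before = filterSetCookies(COOKIE_REGISTRY, record, intents);
  grantConsent(record, [PURPOSE.ANALYTICS]);
  const afterAnalyticsConsent = filterSetCookies(COOKIE_REGISTRY, record, intents);
  withdrawConsent(record, [PURPOSE.ANALYTICS]);
  const afterWithdrawal = filterSetCookies(COOKIE_REGISTRY, record, intents);
  return { before, afterAnalyticsConsent, afterWithdrawal };
}
```

The same `mayUseCookie` check has to sit in front of reads as well as writes, because Art. 5(3) covers "gaining access to" stored information, not just storing it; and an unregistered cookie is refused rather than allowed, so a script that starts dropping a new identifier fails closed until someone classifies it.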
What was the ePrivacy Study?
-A study by the Commission on the effectiveness of the ePrivacy Directive for its reform
-Published July 2015
What was the name of the reformed ePrivacy Directive?
-The ePrivacy Regulation
-10 Jan 2017 Commission released a legislative proposal to replace existing ePrivacy Directive
What is the aim of the ePrivacy Regulation 2017?
-To harmonise the specific privacy framework relating to electronic communications within the EU & Ensure consistency with GDPR
What are the key features of the ePrivacy Regulation?
(1) Wider application - Commission proposes extending the application of the current ePrivacy Directive to all providers of electronic communications services (e.g., messaging services/ email & voice services - not just traditional telecoms operators)
(2) A single set of rules - Providing all people & businesses in the EU with the same level of protection for electronic comms
(3) Confidentiality of electronic comms - Under the Commission's proposal -> listening to, tapping, intercepting, scanning or storing texts, emails or calls is not allowed without the consent of the user. A number of exceptional circumstances in which interference is permitted (e.g., to safeguard the public interest)
(4) New business opportunities - once consent is given for communications data (content and metadata) to be processed -> aim is to give traditional telecoms operators more opportunities to use data & provide additional services (e.g., heat maps indicating the presence of individuals to help public authorities & transport companies when developing new infrastructure projects).
(5) Revised rules on cookies -> Gives users more control over their settings/ an easy way to accept or refuse tracking cookies & other identifiers in case of privacy risks. No consent needed for non-privacy-intrusive cookies (e.g., improving the internet experience/ counting the number of visitors/ remembering a shopping cart)
(6) Protection against spam -> Commission bans unsolicited electronic communication by any means (phone calls, emails, SMS) if the user has not given consent. MS may opt for domestic legislation that gives consumers the right to object to voice-to-voice marketing calls; callers need to display their phone number/ use a special prefix
(7) Enforcement -> Enforcement of confidentiality rules in Regulation will be responsibility of national DPAs.
What are the consequences for non-compliance under ePrivacy Regulation 2017?
- Breaches of rules regarding notice & consent, default privacy settings, publicly available directories & unsolicited communications -> fines of up to 10m euros / 2% of total worldwide annual turnover (whichever higher)
- Breaches of rules regarding confidentiality of communications, permitted processing of electronic communications data & time limits for erasure -> fines up to 20m euros / 4% total worldwide annual turnover (whichever higher)
What concerns were raised by the EDPB in relation to the ePrivacy Regulation in 2021?
-Welcomed the Council’s negotiation mandate for draft of ePrivacy Regulation
-Raised numerous concerns:
(1) Effective ways to obtain consent for mobile applications & websites
(2) Processing & retention of electronic communication data for law enforcement & national security purposes
(3) The approach of general prohibitions with narrow exceptions for the processing of electronic communications data & the removal of the cooperation & consistency mechanism as provided by the GDPR
When was the ePrivacy Regulation intended to come into force?
-In May 2018 alongside the GDPR, but this was seen as an ambitious timescale
When and what was the opinion adopted by the EDPB in relation to ePrivacy Directive & GDPR?
-March 2019
-Opinion on the interplay between the ePrivacy Directive & the GDPR, at the request of the Belgian DPA
-Aim of opinion to address questions on competence, tasks, powers of European DPAs & applicability of GDPR’s cooperation & consistency mechanisms in situations where both ePrivacy Directive & GDPR apply to processing of PD
-Opinion was issued without prejudice to the outcome of the negotiations on the ePrivacy Regulation, which should address these & other important issues.
Who was involved in the negotiation of the ePrivacy Regulation and when?
-Members of the Parliament's Committee on Civil Liberties, Justice & Home Affairs (LIBE) submitted more than 800 amendments to the proposed Regulation, including a proposal to introduce a 'legitimate interests' ground
-Parliament adopted its position on the ePrivacy Regulation in Oct 2017 & started negotiations.
-Since Sep 2017 the Council of the EU published several redrafts of the proposal & settled on its final position in Feb 2021.
-March 2021 - EDPB published a statement welcoming the Council's negotiation mandate for the draft ePrivacy Regulation
-EDPB also adopted a statement urging EU legislators to finalise their negotiations & issue the final text of the new ePrivacy Regulation without further delay.
What is the EDPB?
-The European Data Protection Board
What is the NIS Directive?
-The Directive on security of network & information systems (Directive (EU) 2016/1148)
-The first piece of EU-wide cybersecurity legislation, intended to address the threats posed to network & information systems & improve the functioning of the digital economy.
When was the NIS Directive adopted & entered into force?
-Adopted by European Parliament 6 July 2016, entered into force August 2016
What are the 3 key objectives of the NIS Directive?
- Improving national cybersecurity capabilities by requiring each MS to set up a Computer Security Incident Response Team (CSIRT) & a competent national NIS authority
- Building cooperation at EU level by setting up a Cooperation Group across MS to support & facilitate strategic cooperation & exchange of info. MS also required to set up a CSIRT network to promote swift/ effective operational cooperation on specific cybersecurity incidents & share info about risks.
- Promoting a culture of risk management & incident reporting amongst key economic actors, notably operators of essential services (OES) - e.g., energy, transport, water, banking, financial market infrastructure, health care, digital infrastructure - & digital service providers (DSPs) - search engines, online marketplaces, cloud computing services
-EACH MS responsible for identifying the companies to which NIS Directive will apply & form
When were MS required to transpose NIS Directive?
-9 May 2018
-& Identify operators of essential services by 9 Nov 2018
What is NIS 2 Directive and when was it introduced?
-16 Dec 2020 European Commission presented proposal for high common level of cybersecurity across EU
-Aims to replace & further develop NIS Directive
-To address various criticisms & issues identified with NIS Directive & reflect widespread digitisation of European economy (accelerated further by COVID)
How is NIS 2 Directive different to NIS Directive/ what are the changes?
-Widening scope of NIS Directive to additional industry sectors
-Strengthening existing rules on security requirements & incident reporting
-Increasing maximum fines that can be applied
When was the NIS 2 Directive position agreed?
-Agreed by Council of EU on 3 Dec 2021
Who published proposals for AI regulation?
-European Commission on 21 April 2021
-Due to the rapid technological development of AI
-Proposed fines of up to 6% of global turnover & new rules & prohibitions governing high-risk AI systems
What is the Data Retention Directive?
-Directive 2006/24/EC of the European Parliament & Council of 15 March 2006
-Retention of data generated or processed in connection with the provision of publicly available electronic communications services or public communications networks.
What were the aims of the Data Retention Directive?
-Designed to align the rules on data retention across EU MS to ensure availability of traffic & location data for serious crime and antiterrorism purposes
-Introduced in the midst of heightened national security concerns about threat of international terrorism
What were the negatives of the Data Retention Directive?
-Faced considerable criticism concerning its scope & whether it was a measured response to percieved threat.
-Number of EU MS courts struck down local implementing law as unconstitutional
-In 2014 CJEU ruled Directive as invalid on grounds it was disproportionate in scope/ incompatible with rights to privacy & data protection under EU Charter of Fundamental Rights
-No longer part of EU law although MS retain competence to adopt their own national data retention laws under Article 15(1) ePrivacy Directive (2002/58/EC) / Must comply with EU law & CJEU ruling principles
Which EU MS introduced draft legislative amendments/ implemented national data retention laws individually?
-UK, Belgium, Finland
What was the key reason for the passing of the GDPR?
-Differences in constitutional structures, interpretation & implementation - NEED for harmonisation
-GDPR is a single law aimed at reducing fragmentation under existing EU data privacy rules
What are the implementation challenges with EU Directives?
-Directives are not ‘directly applicable’ to EU MS so must be implemented into their national legislation
-They are binding in terms of final result -> form & methods of implementation left to MS
-MS law varies in approach, structure & content
-ePrivacy Directive is example of EU Directive implemented in some MS using different pieces of legislation rather than one single piece of legislation
-The flexibility in approach also creates practical challenges for multinational organisations that process data in various MS
-Difficult to comply with conflicting compliance obligations in areas such as data retention, international data transfers & direct marketing requirements.
What are the enforcement rules for MS in EU?
-MS discretion to implement EU legislation is not unlimited & can be subject to enforcement action.
-MS have time limit to implement directive & Commission (responsible for implementation) can take action against MS if directive not implemented on time/ contradicts EU law
What is Direct effect & how does this relate to the GDPR?
-EU regulations by nature are directly applicable in EU MS & don’t require further implementation into national laws.
-New GDPR applied immediately throughout EU due to its direct effect
-Therefore, national DP acts will cease to be relevant for matters falling within GDPR scope
What are some case examples of failure for implementation/ enforcement action?
-Commission in 2010 said it would take UK to CJEU over failure to properly implement provisions of DP Directive & ePrivacy Directive
-Commission sued 6 MS - (Denmark, France, Germany, Ireland, Luxembourg, Netherlands)
-For failing to implement DP Directive on time - CJEU declared Luxembourg failed to meet all its obligations to implement the Directive & ordered it to pay the costs of the proceedings.
How is the GDPR considered flexible?
-Is interpreted in accordance with national approaches
-More than 50 opening clauses in GDPR allowing MS to put their own national DP laws in place to supplement it.
-Opening clauses necessary to reach political agreement on final GDPR text
-Many MS have now instituted local laws that implement/ align with GDPR -> room for variation in interpretation & enforcement / organisations still face inconsistent regulatory requirements when operate across Europe.
EXAMPLE: Germany passed law which retains threshold & criteria from previous laws on appointment of DPO / makes DPO compulsory for companies that constantly employ at least 20 people dealing with automated processing & for organisations that are required to carry out DPIAs under GDPR
How is the application of GDPR varied across nations?
-Where online services are provided to a child & consent relied on as basis for lawful processing of child’s data
-Consent must be given or authorised by person with parental responsibility for child
-Under GDPR, requirement applies to children under 16 unless MS provision for lower age limit (no lower than 13)
-Each MS has ability to determine its own age limit - creates variation on country-by-country basis -> difficult for organisations seeking to comply with different age limits across Europe