Chapter 3D: Internet Technology and Communications Flashcards

1
Q

When may a cloud service supplier be considered a controller?

A

When it determines substantial and essential elements of the means of processing

When it processes data for its own purposes

When it determines aspects of the processing outside the controller’s instructions

2
Q

When might the GDPR be applicable to a cloud provider outside of the EU?

A

When the customer is subject to the GDPR (resident) - in which case the processing contract should contain required controls and obligations set out in the GDPR.

3
Q

When are cookie collection and analysis subject to the GDPR under Recital 30 of the GDPR?

A

Where the information collected from them is personal data.

4
Q

Who is the controller in instances of web cookie collection?

A

The website operator is a controller of personal data collected by its own first-party cookies

Where the third party determines the means and purposes of processing of the personal data gathered from its third-party cookies, it is a controller

5
Q

What lawful basis do many organisations now rely on to process personal data in the form of online identifiers?

A

Consent.

6
Q

What does Article 5(3) of the ePrivacy Directive say about access to a user’s terminal equipment?

A

Organisations must obtain prior informed consent for storage or access to information stored on a user’s terminal equipment.

7
Q

What cookies are exempt from the consent requirement of the ePrivacy Directive?

A

‘Strictly necessary’ cookies used solely for carrying out communication transmission.

8
Q

Who is the controller of personal data processed by search engines?

A

Search engines (because they determine the purposes and means of processing data about their users)

Search engine marketers (when web traffic is processed by search engines and provided as analytics, e.g. Google Analytics, to search engine marketers that fall within scope of the GDPR, the organisations conducting the marketing are also controllers)

9
Q

Examples of cases re: search engines as controllers

A

Google v AEPD (2014)
CJEU ruled that Google must remove from its search results links to a 1998 newspaper article about the plaintiff’s foreclosed house

This established that search engines are also controllers of personal data contained in third party webpages.

Search engines outside the EU are likely subject to the GDPR in respect of their processing of personal data contained in third party web pages if they have an EU establishment whose activities are economically linked to the search engine’s core activities.

10
Q

What steps can search engine marketers take to ensure that aspects of the web traffic analysis process are anonymised?

A

Ensuring that data, including IP addresses, is not stored in Google Analytics even after the user has accepted the placement of cookies

Anonymising IP addresses before storage or processing takes place

11
Q

Who is the controller of a social networking service?

A

The social networking service itself because it provides platforms for publishing and exchanging personal info as well as determining the use of personal information for advertising purposes

Authors of applications designed for SNS platforms that provide services in addition to the SNS

Users who act on behalf of an organisation or knowingly extend access to personal data beyond selected contacts

12
Q

Re sensitive personal data and social networks…

A

Explicit consent is usually required to publish data on the internet, unless it’s published by the data subject.

An SNS requesting personal data must ensure the individual knows that the provision of data is voluntary.

13
Q

Re third-party personal data and social networks…

A

If third-party individuals’ personal data is published (for example, photo tags), the SNS must have a legal basis for processing that personal data. According to the former Article 29 Working Party, third-party data of individuals who are not members of the SNS may not be aggregated to form profiles of those individuals.

14
Q

Re children’s data and social networks…

A

As discussed in Module 4, processing children’s data on the basis of consent requires parental consent.

This applies to children under 16 years old; Member States may lower this age limit to 13 years old. Processing on the grounds of legitimate interest may not be possible (GDPR, Article 6[f]). According to the former Article 29 Working Party, a controller should have regard for the best interests of the child.

15
Q

In the context of behavioral advertising, what is another name used to refer to website operators?

A

Publishers

16
Q

What is Deterministic Tracking?

A

A tracking method that allows an organization to track a user’s devices based upon where they log into the services.

17
Q

What is an explicit profile of a consumer?

A

A profile of an individual that is established from personal data that data subjects themselves provide to an information society service, such as when a user creates an account.

18
Q

What data protection law other than the GDPR plays an outsized role in the regulation of direct marketing in Europe?

A

ePrivacy Directive

19
Q

What is Probabilistic Tracking?

A

A method of connecting a user to multiple devices based upon an assessment of probabilities and proprietary algorithms drawn from information collected on multiple devices.

20
Q

If it collects information from third parties, an ad network can avoid having to provide individual notice to data subjects of their privacy practices so long as what else is true?

A

Providing notice would prove impossible or would involve disproportionate effort, and the information is made publicly available.

21
Q

What two types of companies often act as both an ad network and a publisher?

A

Social media companies and search engine companies.

22
Q

How does the ePrivacy Directive define the term “location data”?

A

As “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”

23
Q

True or False: Direct marketing can never qualify as a legitimate interest of the controller for purposes of establishing the lawfulness of processing.

A

False. Direct marketing is a legitimate interest for controllers to pursue under European data protection laws.

24
Q

If direct marketing is premised on the legitimate interests of the controller, at what point must the controller notify data subjects of the right to opt-out of this type of processing activity?

A

No later than the first direct marketing communication.

25
Q

Does the ePrivacy Directive apply to the unsolicited sending of direct marketing mailers sent through a national postal service?

A

No. The ePrivacy Directive applies only to communications that are sent over electronic communication networks.

26
Q

How must a controller provide notice to data subjects regarding the right to opt-out of direct marketing under Article 21 of the GDPR?

A

Information regarding the right to opt out must “be presented clearly and separately from other information.”

27
Q

Does Article 5(3) of the ePrivacy Directive apply to all information or only personal data?

A

All information

28
Q

What is the primary exception to the ePrivacy Directive’s prohibition on sending unsolicited direct marketing calls, faxes, and emails?

A

If the direct marketing is done over electronic mail (as defined), the data subject is a pre-existing customer that has provided their contact info, and the marketing relates to the controller’s “own similar products or services.”

29
Q

True or False: Targeted fundraising by political organizations can be considered a form of direct marketing under the GDPR.

A

True

30
Q

What type of direct marketing telephone calls are exempt from the opt-in consent requirement of the ePrivacy Directive?

A

Person-to-person calls. But, member states may still impose opt-in consent requirements under national legislation.

31
Q

True or False: In analyzing the application of data protection rules to behavioral advertising practices, companies should be identified solely as either a data broker, advertising network, advertiser, or publisher.

A

False. Roles in the behavioral advertising context are not mutually exclusive.

32
Q

How is the term “electronic mail” defined under the ePrivacy Directive?

A

“Any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.”

33
Q

True or False: The GDPR expressly includes “online identifiers” as a key identifier for purposes of defining the term “personal data.”

A

True

34
Q

In the view of the WP29, who is more likely to be considered the data controller: an ad network or a company advertising its products through the ad network?

A

Ad network

35
Q

What is a Web Beacon?

A

A clear, one-pixel-by-one-pixel graphic image delivered by a web server whose purpose is to record a consumer’s visit to a web page.

36
Q

True or False: The ePrivacy Directive requires member states to provide the national supervisory authority under the GDPR with enforcement authority over the ePrivacy Directive’s unsolicited direct marketing rules.

A

False. The regulatory body for enforcement under the ePrivacy Directive need not be the DPA appointed under the GDPR.

37
Q

What European data protection law defines the term “location data” based upon the terminal equipment of the user, rather than the location of the data subject?

A

The ePrivacy Directive

38
Q

What law imposes specific rules on the use of “location data” for purposes of direct marketing?

A

ePrivacy Directive