Chapter 3D: Internet Technology and Communications

Question 1

When may a cloud service supplier be considered a controller?

Answer 1

When it determined substantial and essential elements of the means of processing

When it processes data for its own purposes

When it determines aspects of the processing outside the controller’s instructions

Question 2

When might the GDPR be applicable to a cloud provider outside of the EU?

Answer 2

When the customer is subject to the GDPR (resident) - in which case the processing contract should contain required controls and obligations set out in the GDPR.

Question 3

When are cookies collection and analysis subject to the GDPR under Recital 30 of the GDPR?

Answer 3

Where the information collected from them is personal data.

Question 4

Who is the controller in instances of web cookie collection?

Answer 4

The website operator is a controller of personal data collected by its own first-party cookies

Where the third party determines the means and purposes of processing of the personal data gathered from its third party cookies, it’s a controller

Question 5

What lawful basis do many organisations now rely on to process personal data in the form of online identifiers?

Answer 5

Consent.

Question 6

What does article 5(3) of the ePrivacy directive say about access to a user’s terminal equipment?

Answer 6

Organisations must obtain prior informed consent for storage or access to information stored on a user’s terminal equipment.

Question 7

What cookies are exempt from the consent requirement of the eprivacy directive?

Answer 7

‘Strictly necessary’ cookies used solely for carrying out communication transmission.

Question 8

Who is the controller of personal data processed by search engines?

Answer 8

Search engines (because they determine the purposes and means of processing data about their users)

Search engine marketers (when web traffic is processed by search engines and provided as analytics, e.g. Google Analytics, to search engine marketers that fall within scope of the GDPR, the organisations conducting the marketing are also controllers)

Question 9

Examples of cases re: search engines as controllers

Answer 9

Google v AEPD (2014)
CJEU ruled that Google remove from its search results linked to a 1998 newspaper article about the plaintiffs foreclosed house

This established that search engines are also controllers of personal data contained in third party webpages.

Search engines outside the EU are likely subject to the GDPR in respect of their processing of personal data contained in third party web pages if they have an EU establishment whose activities are economically linked to the search engine’s core activities.

Question 10

What steps can search engine marketers take to ensure that aspects of the web traffic analysis process are anonymised?

Answer 10

Ensuring that data, including IP addresses, is not stored in Google Analytics even after the user has accepted the placement of cookies

Anonymising IP addresses before storage of processing takes place

Question 11

Who is the controller of a social networking service?

Answer 11

The social networking service itself because it provides platforms for publishing and exchanging personal info as well as determining the use of personal information for advertising purposes

Authors of applications designed for SNS platforms that provide services in addition to the SNS

Users who act on behalf of an organisations or knowingly extend access to personal data beyond selected contacts

Question 12

Re sensitive personal data and social networks…

Answer 12

Explicit consent usually is required to publish data on the internet, unless its published by the data subject.

An SNS requesting personal data must ensure the individual knows that the provision of data is voluntary.

Question 13

Re third-party personal data and social networks…

Answer 13

If third-party individuals’ personal data is published (for example, photo tags), the SNS must have a legal basis
for processing that personal data. According to the former Article 29 Working Party, third-party data of individuals who are not members of the SNS may not be aggregated to form profiles of those individuals.

Question 14

Re children’s data and social networks…

Answer 14

As discussed in Module 4, processing children’s data
on the basis of consent requires parental consent.

This applies to
children under 16 years old; member States may lower this age limit to
13 years old. Processing on the grounds of legitimate interest may not
be possible (GDPR, Article 6[f]). According to the former Article 29
Working party, a controller should have regard for the best interests of
the child.

Question 15

In the context of behavioral advertising, what is another name used to refer to website operators?

Answer 15

Publishers

Question 16

What is Deterministic Tracking

Answer 16

A tracking method that allows and organization to track a user’s devices based upon where they log into the services.

Question 17

What is an explicit profile of a consumer?

Answer 17

A profile of an individual that is established from personal data that data subjects themselves provide to an information society service, such as when a user creates an account.

Question 18

What data protection law other than the GDPR plays an outsizesd role in the regulation of direct marketing in Europe?

Answer 18

ePrivacy Directive

Question 19

What is Probabilistic Tracking?

Answer 19

A method of connecting a user to multiple devices based upon an assessment of probabilities and proprietary algorithms drawn from information collected on multiple devices.

Question 20

If it collects information from third parties, an ad network can avoid having to provide individual notice to data subjects of their privacy practices so long as what else is true?

Answer 20

Providing notice would prove impossible or
would involve disproportionate effort, and
the information is made publicly available.

Question 21

What two types of companies often act as both and ad network and a publisher?

Answer 21

Sociel media companies and search engine companies.

Question 22

How does the ePrivacy Directive define the term “location data”?

Answer 22

As “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”

Question 23

True or False: Direct marketing can never qualify as a legitimate interest of the controller for purposes of establishing the lawfulness of processing.

Answer 23

False. Direct marketing is a legitimate interest for controllers to pursue under European data protection laws.

Question 24

If direct marketing is premised on the legitimate interests of the controller, at what point must the controller notify data subjects of the right to opt-out of this type of processing activity?

Answer 24

No later than the first direct marketing communication.

Question 25

Does the ePrivacy Directive apply to the unsolicited sending of direct marketing mailers sent through a national postal service?

Answer 25

No. The ePrivacy Directive applies only to communications that are sent over electronic communication networks.

Question 26

How must a controller provide notice to data subjects regarding the right to opt-out of direct marketing under Article 21 of the GDPR?

Answer 26

Information regarding the right to opt out must “be presented clearly and separately from other information.”

Question 27

Does Article 5(3) of the ePrivacy Directive apply to all information or only personal data?

Answer 27

All information

Question 28

What is the primary exception to the ePrivacy Directive’s prohibition on sending unsolicited direct marketing calls, faxes, and emails?

Answer 28

If the direct marketing is done over electronic mail (as defined), the data subject is a pre-existing customer that has provided their contact info, and the marketing relates to the controller’s “own similar products or services.”

Question 29

True or False: Targeted fundraising by political organizations can be considered a form of direct marketing under the GDPR.

Answer 29

True

Question 30

What type of direct marketing telephone calls are exempt from the opt-in consent requirement of the ePrivacy Directive?

Answer 30

Person-to-person calls. But, member states may still impose opt-in consent requirements under national legislation.

Question 31

True or False: In analyzing the application of data protection rules to behavioral advertising practices, companies should be identified solely as either a data broker, advertising network, advertiser, or publisher.

Answer 31

False. Roles in the behavioral advertising context are not mutually exclusive.

Question 32

How is the term “electronic mail” defined under the ePrivacy Directive?

Answer 32

“Any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.”

Question 33

True or False: The GDPR expressly includes “online identifiers” as a key identifier for purposes of defining the term “personal data.”

Answer 33

True

Question 34

In the view of the WP29, who is more likely to be considered the data controller: an ad network or a company advertising its products through the ad network?

Answer 34

Ad network

Question 35

What is a Web Beacon?

Answer 35

A clear, one-pixel-by-one-pixel graphic image delivered by a web server whose purpose is to record a consumer’s visit to a web page.

Question 36

True or False: The ePrivacy Directive requires member states to provide the national supervisory authority under the GDPR with enforcement authority over the ePrivacy Directive’s unsolicited direct marketing rules.

Answer 36

False. The regulatory body for enforcement under the ePrivacy Directive need not be the DPA appointed under the GDPR.

Question 37

What European data protection law defines the term “location data” based upon the terminal equipment of the user, rather than the location of the data subject?

Answer 37

The ePrivacy Directive

Question 38

What law imposes specific rules on the use of “location data” for purposes of direct marketing?

Answer 38

ePrivacy Directive