Chapter 9: International Privacy Flashcards
GDPR Personal Data
Any information that identifies an individual
GDPR applies to…
Anyone physically located in the EU
Who determines the purposes and means of processing personal information?
Data controller
Data Processor
Anyone that processes data on behalf of the controller
Dereferencing
Removing search results
GDPR dereferencing only applies to
EU versions of search results
Adequacy decision
EU decides a country has adequate privacy laws and allows data transfers.
GDPR Consent
Written consent required for almost all cases
Clear and accessible
Must be able to revoke consent
GDPR Data subject rights (7)
Erasure/be forgotten
Access (Copy of the data and info about how it was collected)
Rectification
Restriction of processing (without erasure)
Data portability (in machine readable format)
Object (or opt out)
Automated individual decision making (for decisions of significance or legal impact)
GDPR Fines max
Up to €20 million or 4% of annual revenue (whichever is greater)
Countries with adequacy decisions (4)
JP, NZ, Argentina, Canada
US-EU Privacy Shield
Negotiated by the Dept. of Commerce and EU
US companies in compliance with privacy framework could transact data with the EU
Basically, an adequacy decision for a company
Privacy shield struck down in…
2020
Alternatives to Privacy Shield (2)
Binding Corporate Rules
Standard Contractual Clauses
Binding Corporate Rules (BCR)
Complex agreements where all parties agree to adhere to GDPR standards
Must be legally binding