Data Protection Laws (1) Flashcards
What is the Council of Europe and how many members does it have?
International organization
46 member states
What are the 2 privacy laws under the Council of Europe?
- European Convention on Human Rights (ECHR)
- Convention 108 (first legally binding international instrument in data protection)
What is the European Union?
Economic and Political union
27 member states
(not Switzerland or UK)
What are the 6 privacy laws under the EU?
- Charter of Fundamental Rights of the EU
- Treaty on the Functioning of the EU
- Lisbon Treaty (improved the TFEU)
- General Data Protection Regulation (GDPR)
- ePrivacy Directive (communications)
- national data protection laws across Europe
What is the European Economic Area (EEA)?
EU countries (27)
+
3 (Iceland, Norway, Liechtenstein)
What is the European Free Trade Association (EFTA)?
trade agreement
all EU + EEA + Switzerland
Which countries does the GDPR apply to?
All EU countries (27)
not UK or Switzerland
What is the Court of Justice of the EU?
Judicial body of the EU
Decides and enforces EU law
Which court hears cases on data protection as brought by national courts and the EU Commission against member states?
Court of Justice of the EU (CJEU)
Does the European Court of Human Rights hear data protection cases?
Yes
if they relate to Article 8 of the European Convention on Human Rights (ECHR)
What was the ruling in the Google Spain v. AEPD and Mario Costeja Gonzalez case?
Google Spain must remove links to the Vanguardia articles reporting the bankruptcy
- information was not up to date and
- the right to be forgotten
What was the intention of the OECD Guidelines?
Principles around the protection of data
Facilitate free transfer of data with common data protection guidelines
What are the 7 data protection principles under the OECD Guidelines?
- Openness
- Individual Participation
- Security
- Accountability
- Collection and Use Limitation
- Purpose Specification
- Data Quality
What is the Convention 108, and why was it created?
First legally binding international instrument in the field of data protection
Created to achieve greater unity and extend privacy protection across borders
What is the EU Data Protection Directive?
A directive to add data protection to national legislation for EU member states
What is the e-commerce directive?
Legal issues particularly in electronic commerce (digital marketing)
Why was the ePrivacy Directive created?
to protect personal data and privacy given advancements in digital technologies introduced in public communication networks
need for consistent and equal protections regardless of technology
What was the purpose of the Treaty of Lisbon?
2007
Strengthen the structures of the European Union
Made the Charter of Fundamental Rights binding
What is the GDPR?
A regulation that directly applies to all EU member states
What are the EU legislative institutions?
- European Commission - implements EU decisions and policies, proposes legislation
- Council of the EU - legislative decision-making (represent their own countries)
- European Parliament - legislative development (directly elected)
What is the co-legislation procedure for EU governance?
- European Commission proposes legislation
- Council of the EU and European Parliament agree on legislation to turn into EU law
Which body implements EU decisions and policies?
European Commission
Which body defines EU priorities and sets political direction?
EU Council
Which bodies are engaged in legislative decision-making?
Council of the EU
European Parliament
What are the four responsibilities of the European Parliament?
- legislative development
- supervisory oversight of other institutions
- democratic representation
- development of the budget
What is the difference between the Data Protection Directive and GDPR?
Directive: ordered member states to implement data protection into local law
GDPR: applicable and enforceable as law in every EU member state, allows for local clarifications or exceptions
Does the ePrivacy Directive apply to private communication channels such as company intranet?
No
(although principles of Directive still apply if personal data are processed)
The European Convention on Human Rights is a product of which institution?
The Council of Europe
What is the role of the European Parliament?
engaged in legislative development
What is the difference between the European Council and the Council of the EU?
European Council: heads of state of EU countries and EC presidents and High Representative. Defines EU’s priorities and sets political direction
Council of the EU: one minister from each member state based on policy issue to be discussed. Conducts legislative decision-making with Parliament
What is the name of the first legally binding international instrument in data protection in the EU?
Convention 108
Two reasons:
1. member states' failure to respond to previous resolutions concerning protection of privacy and
2. need for binding international instrument to reinforce principles in previous resolutions
What are 3 reasons Convention 108 is noteworthy?
- Based on principles
- Recognizes importance of free flow of information
- Requires member states to enact national legislation
Why did the European Commission propose a Data Protection Directive following Convention 108?
member states were taking a fragmented approach to implementation and privacy protection was inconsistent
In GDPR, what are articles versus recitals?
articles = operative law
recitals = detail about how to interpret article
How does GDPR differ from the Directive?
- directly applicable across all member states without further intervention
- strengthens consent in relation to data use
- provides new and stronger rights to data subjects
- introduces accountability responsibilities
- imposes compliance obligations on processors
- expands range of measures to legitimize transfers
- places security obligations on both controllers and processors
- affords individuals right to compensation and judicial remedies
What are the 3 objectives of the new rules in the LED (Law Enforcement Directive)?
- better cooperation between law enforcement authorities
- better protection of citizen data
- clear rules for international data flows
What is the scope of the ePrivacy Directive?
processing of personal data in connection with the provision of publicly available electronic communication services in public communication networks in the EU
What are the 6 key provisions of the ePrivacy Directive?
- appropriate technical and organizational measures to safeguard security
- ensure confidentiality of communications and traffic data
- most forms of digital marketing require opt-in consent
- processing of traffic and billing data subject to restrictions
- location data may only be processed if anonymous or with consent
- subscribers must be informed before being included in a directory
What was the most relevant update to the ePrivacy Directive regarding breaches?
mandatory notification for personal data breaches by electronic communication service providers to authority and individual
How was the ePrivacy Directive amended regarding cookies?
storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed if the user has given consent, having been provided with clear and comprehensive information
Are EU Directives binding?
only in terms of final result to be achieved
forms and methods of implementation are left to member states
What were the first rules to balance personal freedom with restrictions of rights?
The Universal Declaration of Human Rights of the United Nations
The European Convention on Human Rights (ECHR)
What are the 3 mechanisms by which data can be transferred out of the European Economic Area (EEA)?
1) adequacy findings,
2) appropriate safeguards,
3) under specific derogations
What was the goal of the Convention 108, OECD Guidelines and Data Protection Directive?
harmonize the approach to data protection
agree on principles and leave implementation to member states