Data Protection Laws and the Origins of Privacy Flashcards
What is the difference between a treaty and a declaration?
A declaration is not legally binding
What is the main difference between the Declaration on Human Rights and the European Convention on Human Rights?
The Declaration on Human Rights was between UN countries
The European Convention on Human Rights was among the Council of Europe member countries and it required member state ratification
What is the Universal Declaration on Human Rights (date, governing body, important articles)?
December 10, 1948
Adopted by UN General Assembly
Non-binding instrument that set milestone standards for the treatment of all people
Article 12: right to a private life
Article 19: right to free speech
Article 29(2): Addresses that rights are not absolute and a balance should be struck
What is the European Convention on Human Rights (ECHR) (date, governing body, important articles)?
1953
Drawn up by the Council of Europe and must be ratified by all Council of Europe member states
International treaty to protect human rights and fundamental freedoms and can be enforced by the European Court of Human Rights in Strasbourg
Article 8: Protects the rights of individuals
Article 10: Protects the rights of freedom of expression and sharing information and ideas across national boundaries
Article 10(2): Promotes balance between Articles 8 and 10
Articles 12, 19, and 29(2) of the Universal Declaration of Human Rights
Article 12: Right to a private life
Article 19: Right to freedom of expression (free speech)
Article 29(2): Addresses that rights are not absolute and a balance should be struck
Articles 8, 10, 10(2) of the European Convention on Human Rights
Article 8: Protects the rights of individuals
Article 10: Protects the rights of freedom of expression and sharing information and ideas across national boundaries
Article 10(2): Promotes balance between Articles 8 and 10
1960s
Marked by economic and technological advancements, including increasing international trade and the use of computers and telecommunications
1970s
Conflict between national privacy rights and international free trade increased in the 1970s and 1980s. The time was marked by the development of communication technologies, including the establishment of extensive banks of personal data and new opportunities for international data processing
OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (include date)
OECD Guidelines
Created in 1980 and updated in 2013
Aimed to facilitate data flows and protect personal data in a global economy
Council of Europe Convention (include date and aka)
AKA Convention 108
1981
Council of Europe member states, but open to more than just Europe
First legally binding data protection instrument for several Council of Europe member states. Differs from the OECD guidelines by requiring signatories to apply the principles of Convention 108 in their domestic legislation.
EU Data Protection Directive (date and aka)
1995 aka 95/46/EC
European Commission
Based on the CoE Convention 108
Directive set out general data protection principles and obligations, requiring EU member states to transpose and implement them
Charter of Fundamental Rights of the EU (include date)
2000
European Commission - applies to EU institutions
A comprehensive collection of individuals’ rights, including the fundamental right to protect personal data
E-Commerce Directive (include date and aka)
2000 aka Directive 2000/31/EC
European Commission
States that issues related to the processing of personal data are outside its scope
EU Directive on Privacy and Electronic Communications (date and aka)
Adopted in 2002 and amended in 2009
aka ePrivacy Directive
Legally binding on EU member states and requires local implementation
Applies to processing of personal data through electronic communication services and networks in the EU
EU Data Retention Directive (include date and aka)
Adopted in 2006 and annulled in 2014 by the Court of Justice of the EU
aka 2006/24/EC
Data retention is addressed by national laws across the EU
Treaty of Lisbon
2009
Aim is to strengthen and improve the core structure of the EU and to help it function more efficiently.
It amends the Maastricht Treaty (1992), known in updated form as the Treaty on European Union (2007) or TEU, as well as the Treaty of Rome (1957), known in updated form as the Treaty on the Functioning of the European Union (2007) or TFEU
Gave the Charter of Fundamental Rights of the EU full legal effect in the EU.
GDPR (include dates)
2016
Replaced Data Protection Directive and became enforceable on May 25, 2018
Convention 108+ (include date)
Overhauled Convention 108 to align with the GDPR in October 2018
Signed by 20 states of the Council of Europe, including the UK; more states have since followed.
According to the Commission, it serves as a means for third countries (outside the EU) to adopt the basic tenets of the GDPR.
European Court of Human Rights (ECHR)
In Strasbourg
Upholds privacy and data protection laws through its enforcement of the European Convention on Human Rights and Convention 108
It is NOT part of the European Union
Council of Europe
International organization founded in the wake of WWII (1949) to uphold human rights, democracy, and the rule of law in Europe
47 member states
Cannot make laws, but does have the ability to push for the enforcement of international agreements reached by member states on various topics.
Best known body is the European Court of Human Rights, which functions on the basis of the European Convention on Human Rights
European Union
Economic and political union
27 member states
Every EU member state belongs to the Council of Europe, but this is not a prerequisite for EU membership
European Economic Area (EEA)
Agreement of the European Economic Area
EU Member States, Iceland, Liechtenstein, and Norway
Based on the Agreement of the European Economic Area of 1994, which allows members of the European Free Trade Association (EFTA) to participate fully in the EU’s internal market
Agreement of the European Economic Area of 1994
Allows members of the European Free Trade Association (EFTA) to participate fully in the EU’s internal market
Bodies of the European Union
European Parliament
European Council
Council of the EU
European Commission
Court of Justice of the EU
European Parliament
Only EU institution whose members are directly elected
3 primary responsibilities:
- legislative development
- supervisory oversight of the other institutions
- development of the budget
Greatest impact on data protection and privacy issues through its role in the legislative process of the EU. Has been a vocal advocate of the right to data protection, often taking a more protective stance on privacy than other institutions.
European Council
Defines the EU’s priorities and sets the political direction for the EU
Composed of the heads of state or government of all EU countries, the European Council President, the European Commission President, and the High Representative for Foreign Affairs and Security Policy
Council of the EU
Along with the Parliament, the Council of the EU focuses on legislative decision-making. Its meetings are attended by one minister from each member state, who changes based on the policy issue to be discussed.
Shares its legislative power with the European Parliament.
Legislation is generally proposed by the Commission before it is examined by the Council of the EU and Parliament.
European Commission
Implements the EU’s decisions and policies
Has other broad functions, including exclusive competence to propose legislation
Has been the most active EU institution in the area of data protection
Composed of one commissioner per member state who pledges to respect EU treaties
Court of Justice of the EU
Based in Luxembourg
Judicial body of the EU
Makes decisions on issues of EU law and enforces decisions, either in respect of actions taken by the Commission against a member state or by an individual or organization to enforce their rights under EU law
Comprises the European Court of Justice (ECJ) and the General Court
Provides clarification of EU law to national courts to assist the national courts in upholding EU law
How the GDPR went through the legislative process
In 2012, the European Commission proposed draft legislation of the GDPR and sent a version to the European Parliament and the Council of the EU.
The Parliament reviewed the draft within committee meetings. It collected thousands of amendments, and that became the Parliament’s position on the GDPR.
Meanwhile, the Council of the EU had its own committees that reviewed the draft legislation. That became the Council’s official position on the new draft.
Then, the Parliament and Council got together and tried to jointly agree on the legislation. The European Commission adjudicated the proceedings. This process was called the Trilogue procedure. Meanwhile, other groups such as national parliaments, consumer advocates, industry advocates, etc. expressed their views.
In December 2016, the Council and Parliament finally agreed upon the EU GDPR, first proposed in 2012. It went into effect on May 25, 2018.
Directive vs. Regulation
Directive: Places obligations on member states and then the member states implement it in their local law
Regulation: Directly applicable and enforceable as law in every member state; there is no need for local implementation.
Differences between the Data Protection Directive and the GDPR
Directive:
Placed obligations on member states whose governments then implement the directive into their local law
Transposed into 28 national laws in the EU
Implementation could differ across member states
Formed the Article 29 Working Party
GDPR:
Directly applicable and enforceable as law in every EU member state; there is no need for local implementation
Aim is to provide one set of data protection rules for all EU member states
Allows some degree of implementation as well.
50 provisions in the GDPR allow for local law clarification or exception
EDPB replaced Article 29 Working Party. EDPB is an independent European body which contributes to consistent interpretations of EU data protection law and promotes cooperation between the EU’s data protection authorities.
Interplay between the ePrivacy Directive and GDPR
ePrivacy Directive: Storing or accessing data on a device
GDPR: Processing of “personal data”
EDPB opinion:
“When the processing of personal data triggers the material scope of both the ePrivacy Directive and GDPR, data protection authorities are competent to scrutinize the data processing operations which are governed by national ePrivacy rules only if national law confers this competence on them.”
‘To Particularise’
‘To Complement’
Article 95 of the GDPR
Co-Existence
‘To Particularise’ (lex specialis principle)
Interplay between ePrivacy Directive and GDPR
Special provisions prevail over general rules
‘To complement’
Interplay between the ePrivacy Directive and GDPR
Several ePrivacy Directive provisions complement GDPR provisions
Article 95 of GDPR
Interplay between ePrivacy Directive and GDPR
Aim is to ‘avoid the imposition of unnecessary administrative burdens upon controllers who would otherwise be subject to similar, but not quite identical administrative burdens’
Co-Existence (lex generalis)
Interplay between ePrivacy Directive and GDPR
In cases where lex specialis does not apply, the general rule will apply (lex generalis)