EU Privacy Laws Flashcards

1
Q

What does Article 12 of the Human Rights Declaration (UDHR) state?

A

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

2
Q

What does Article 19 of the Human Rights Declaration (UDHR) state?

A

Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

3
Q

Which UDHR (Human Rights Declaration) provision states that individual rights are not absolute and a balance must be struck?

A

Article 29(2) - In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.

4
Q

When was the ECHR entered into, and to whom does it apply?

A

3 Sept 1953

All Council of Europe member states.

5
Q

What is the system of enforcement for the ECHR?

A

European Court of Human Rights in Strasbourg

On 1 Nov 1998, restructured as Court of Human Rights

6
Q

What is Art 8 of the ECHR?

A

Everyone has the right to respect for his private and family life, his home and correspondence.

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

7
Q

What is Article 10 of the ECHR?

A

Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart info and ideas without interference by public authority and regardless of frontiers.

Also qualified.

8
Q

What do OECD principles have a similarity with?

A

CoE Convention for The Protection of Individuals with regard to Automatic Processing of Personal Data.

9
Q

Do the OECD principles include both automated and non-automated data?

A

Yes

10
Q

When was Convention 108 (Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data) opened for signature?

A

Opened for signature to the member states of the Council of Europe 28 Jan 1981

11
Q

What was the first legally binding international instrument in the area of data protection?

A

Convention 108

12
Q

How does Convention 108 differ from the OECD Guidelines?

A

Requires signatories to take necessary steps in their domestic legislation to apply the principles it lays down with regard to processing personal information.

13
Q

What does Convention 108 consist of?

A

Substantive law provisions in the form of basic principles (Chap II)

Special rules on trans-border data flows (Chapter III)

Mechanisms for mutual assistance (Chapter IV) and consultation between the parties (Chapter V)

14
Q

What are special categories of data under Convention 108?

A

Personal information that reveals racial origin, political opinion or religious or other beliefs, as well as personal data that concerns health or sexual life or criminal convictions may not be processed automatically unless domestic law provides appropriate safeguards.

15
Q

When implementing Convention 108, what exception can signatories add?

A

Only when this is a “necessary measure in a democratic society” (i.e. state security or criminal investigation).

16
Q

What does Article 12 of Convention 108 state?

A

Where transfers of personal info are made between signatories of Convention 108, those countries shall not impose any prohibitions or require any special authorisation for the purpose of the protection of privacy before such transfers can take place.

17
Q

What is the Additional Protocol?

A

Opened for signature in 2001. Provided a measure for transfer of personal info to non-signatory countries by introducing an “adequate” standard.

18
Q

When is derogation from Convention 108 permitted?

A

Permitted only where the exporting country has in place specific rules in its national law for certain categories of personal data or of automated personal data files and the importing country does not provide equivalent protection, or where the transfer is provided to a non-party.

19
Q

When was the Charter of Fundamental Rights signed?

A

7 Dec 2000, came into binding legal effect December 2009 (when the Treaty of Lisbon came into force)

20
Q

Which provisions of the Charter of Fundamental Rights reflect ECHR Articles 8 and 10?

A

Articles 7 and 10

21
Q

What is Art 8 of the Charter of Fundamental Rights?

A

(1) Right to the protection of personal data concerning him or her;
(2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
(3) Compliance with these rules shall be subject to control by an independent authority.

22
Q

What must any limitation to these rights be in accordance with?

A

Art 52, which mirrors the limitations based on necessity and proportionality contained in the ECHR

23
Q

When was the Treaty of Lisbon signed?

A

1 Dec 2009 (same date when the Charter of Fundamental Rights came into effect)

24
Q

When did the LEDP come into effect?

A

5 May 2016 - member states have until 6 May 2018 to transpose the LEDP Directive into national law

25
Q

What is the scope of the ePrivacy Directive?

A

Processing personal data across “public communications networks”

If the electronic communications service is not publicly available, the ePrivacy Directive does not apply.

26
Q

What principles did the 1973-1974 Resolutions establish?

A

Principles for the protection of personal data in automated data banks in the private and public sectors, respectively, to set in motion the development of national legislation based on these resolutions.

27
Q

Which two countries were concerned that the Charter of Fundamental Rights would constrain their ability to legislate or force them to change their position on issues governed by the Charter, and signed a protocol regarding the application of the Charter in their national territories?

A

Poland and UK - the Charter will only apply to the extent that the rights or principles that it contains are recognised in the law or practices of Poland or the UK.

28
Q

What is one major advance of the Data Protection Directive over Convention 108?

A

A major advance of the Data Protection Directive over Convention 108 is its applicability to manual data. Under Convention 108, only Council of Europe member countries have this option, and few chose to implement it. However, the directive changed this, making the processing of manual data held in the filing system subject to the same obligations as the processing of personal data by automatic means.

29
Q

What are key principles in the data protection directive that are central requirements to the lawful processing of personal data?

A
  1. Lawful and fair processing
  2. Purpose Limitation
  3. Adequacy
  4. Accuracy
  5. Retention
  6. Rights of the individual
  7. Protection against accidental, unlawful or unauthorised processing
  8. Transfer Limitation

LPAARRPT

Let pet animals and raving rabbits pee there.

30
Q

When did the data protection directive apply?

A

The Data Protection Directive applies to those organisations acting as data controllers that are established in an EU member state.

Or where there is no such establishment but where the organisation makes use of data processing equipment on the territory of a member state (must appoint a representative).

31
Q

What are the objectives of the LEDP?

A
  1. Better cooperation between law enforcement of parties
  2. Better protection of citizens' data
  3. Clear rules for international data flows

32
Q

What Directive is the ePrivacy Directive?

A

Directive 2002/58/EC

33
Q

Why was the ePrivacy Directive amended again on 24 Nov 2009 (amendments due to be implemented by end of May 2011)?

A

As part of wider reforms to the EU telecommunications sector affecting five different EU directives.

  1. Introduction of mandatory notification for personal data breaches by electronic communications service providers, to both the relevant national authority and the relevant individual in cases where the breach is likely to adversely affect the personal data or privacy of a subscriber or individual.
  2. Right to bring legal proceedings against unlawful communications.
  3. Article 5(3) - cookies only allowed where consent is given, having been provided with clear and comprehensive information.

34
Q

Under the ePrivacy Directive, member states are required to ensure the confidentiality of communications and of the traffic data generated by such communications, subject to specific exceptions. What are the exceptions?

A

The exceptions include where users of such services give their consent to interception and surveillance or where the interception and surveillance is authorised by law.

35
Q

Under the ePrivacy Directive, how may location data be processed?

A

Location data may be processed only if that data is made anonymous or, alternatively, if processed with the consent of users and for the duration necessary for the provision of a value added service.

36
Q

What are the exceptions to updating consent for cookies under the ePrivacy Directive?

A

Where the technical storage or access is:

(A) for the sole purpose of carrying out the transmission of a communication over an electronic communications network or

(B) strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

37
Q

What are the key features of the proposed ePrivacy Regulation?

A

(A) wider application to our providers of electronic communications services

(B) A single set of rules

(C) confidentiality of electronic communications except in exceptional circumstances such as to safeguard public interest

(D) consent is required to process communications content and metadata (info needs to be anonymized or deleted if users have not given their consent, unless the data is required, for instance, for billing purposes).

(E) New business opportunities for telecoms operators to use data and provide additional services.

(F) No consent required for non-privacy intrusive cookies improving internet experience

(G) Protection against spam

(H) Enforcement of confidentiality rules will be the responsibility of national DPAs

38
Q

What are the consequences for non-compliance of the new ePrivacy Regulation?

A

(1) Breaches of the rules regarding notice and consent, default privacy settings, publicly available directories and unsolicited communications as contained in the ePrivacy Regulation may be punished with fines of up to €10 million or 2% of the total worldwide annual turnover, whichever is higher.
(2) Breaches of the rules regarding the confidentiality of communications, permitted processing of electronic communications data and the time limits for erasure of data may be punished with fines of up to €20 million or 4% of the total worldwide turnover, whichever is higher.

39
Q

In the 60s-80s, which European countries incorporated data protection as a fundamental right in their constitutions?

A

Spain, Portugal, Austria

40
Q

Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR: Does the mere fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive limit the competences, tasks and powers of data protection authorities under the GDPR?

A

When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinise the data processing operations which are governed by national ePrivacy rules only if national law confers this competence on them, and such scrutiny must happen within the supervisory powers assigned to the authority by the national law transposing the ePrivacy Directive.

Data protection authorities are competent to enforce the GDPR. The mere fact that a subset of the processing falls within the scope of the ePrivacy Directive does not limit the competence of data protection authorities under the GDPR.

41
Q

Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR: When exercising their competences, should DPAs take into account the ePrivacy Directive?

A

DPAs remain fully competent as regards any processing operations performed upon personal data which are not subject to one or more specific rules contained in the ePrivacy Directive. The authorities appointed as competent by the ePrivacy Directive are exclusively responsible for enforcing the national provisions that transpose the ePrivacy Directive, including in cases where the processing also triggers the material scope of the GDPR.

A DPA may take into account that an infringement of the GDPR also infringes national ePrivacy rules, but the enforcement decision must be justified on the basis of the GDPR, unless the data protection authority has been granted additional competences by member state law.

42
Q

Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR: To what extent are the cooperation and consistency mechanisms applicable in relation to processing that triggers, at least in relation to certain processing operations, the material scope of both the GDPR and the ePrivacy Directive?

A

The GDPR mechanisms do not apply to the enforcement of the national implementation of the ePrivacy Directive. However, they remain fully applicable insofar as the processing is subject to the general provisions of the GDPR.