Legislative Framework Flashcards
Council of Europe Convention for Protection of Individuals With Regard to Automatic Processing of Personal Data of 1981 (CoE Convention 108)
The first international legally binding instrument dealing explicitly with data protection. Convention 108 was, and still remains, the only legally binding international instrument in the data protection field.
EU Data Protection Directive (95/46/EC)
The principal EU legal instrument on data protection is Directive 95/46/EC.
The EU Directive on Privacy and Electronic Communications (2002/58/EC)
the Directive complements the Data Protection Directive and applies to all matters which are not specifically covered by that Directive. In particular, the subject of the Directive is the “right to privacy in the electronic communication sector” and free movement of data, communication equipment and services.
The first general obligation in the Directive is to provide security of services. The addressees are providers of electronic communications services. This obligation also includes the duty to inform the subscribers whenever there is a particular risk, such as a virus or other malware attack. The second general obligation is for the confidentiality of information to be maintained
The EU Directive on Privacy and Electronic Communications 2002/58/EC on Data Retention and Other Issue
The directive obliges the providers of services to erase or anonymize the traffic data processed when no longer needed. Retention is allowed for billing purposes but only as long as the statute of limitations allows the payment to be lawfully pursued. Data may be retained upon a user’s consent for marketing and value-added services. For both previous uses, the data subject must be informed why and for how long the data is being processed.
The EU Directive on Privacy and Electronic Communications 2002/58/EC on Unsolicited e-mail and Other Messages
Article 13 prohibits the use of email addresses for marketing purposes. The Directive establishes the opt-in regime, where unsolicited emails may be sent only with prior agreement of the recipient.
The EU Directive on Privacy and Electronic Communications 2002/58/EC on Cookies
The Directive provision applicable to cookies is Article 5(3).
The regime so set-up can be described as opt-in, effectively meaning that the consumer must give his or her consent before cookies or any other form of data is stored in their browser.
The Data Retention Directive 2006/24/EC:
The Directive provision applicable to cookies is Article 5(3).
The EU Directive on Electronic Commerce (2000/31/EC)
The E-Commerce Directive made several provisions on the liability of intermediaries.
The Data Retention Directive 2006/24/EC
Required member states to store citizens’ telecommunications data for a minimum of 6 months and at most 24 months.
In 2014, the CJEU invalidated the Data Retention Directive, holding that it provided insufficient safeguards against interferences with the rights to privacy and data protection. This decision triggered considerable activity at both judicial and legislative levels in 2015.
