UNIT 1 FOUNDATIONS OF DATA PROTECTION Flashcards

1
Q

Data breach

A

A data breach occurs when unauthorized parties gain access to private information.

2
Q

Protection of both enterprise and personal data has two essential dimensions

A

Ensuring data integrity by protecting it from corruption or errors, and safeguarding data confidentiality by limiting access exclusively to authorized individuals.

2
Q

behavioral advertising

A

For example, imagine that after browsing for a new pair of shoes online, you start to see
ads for shoes from several brands on social media or other websites.

3
Q

Universal Declaration of Human Rights

A

is an international document adopted by the United Nations General Assembly that enshrines the rights and freedoms of all human beings. In 1950

4
Q

Data protection

A

is a personal right that is a subset of the fundamental human right to privacy, and it is given force by privacy laws and regulations that govern the collection, storage, processing, or dissemination of personal information.

5
Q

What does the term “twin-right” refer to in the context of data protection and privacy?

A

“Twin-right” refers to the concept in early data protection frameworks where the right to data protection was viewed either as a subset of privacy interests or as a closely linked, complementary right to privacy. This relationship highlights the interconnectedness and mutual reinforcement between privacy and data protection.

6
Q

Which EU documents recognize the personal right to data privacy and provide it with legal force?

A

The personal right to data privacy is acknowledged at the EU level by Article 8 of the European Charter of Fundamental Rights (EUCFR) and Article 16 of the Treaty on the Functioning of the European Union (TFEU). Legal force is provided through various directives and regulations, most prominently the General Data Protection Regulation (GDPR).

7
Q

Data

A

Data are a collection of facts, recorded observations, statistics, or other raw elements that
are gathered and organized for analysis or planning purposes (Zins, 2007). Data can take
various forms, such as text, numbers, or images, and serve as a basis for decision-making,
insight generation, and strategic planning.

8
Q

Personal Data

A

Personal data refers to any data that relate to an identified or identifiable individual (a
data subject; Directive 2016/680). Examples of personal data include names, email
addresses, ethnicity, gender, biometric data, web cookies, and political opinions. Even
pseudonymous information, which does not directly identify an individual, may still be
considered personal data if it enables positive identification of the individual.

9
Q

Sensitive Data

A

Sensitive data (or special category data in the GDPR) includes data about a data subject’s
racial or ethnic origin, political opinions, religious beliefs, trade union membership,
health, sexual orientation, and genetic or biometric data (Directive 2016/680). Sensitive
data are a subset of personal data and require special protection because there is a
greater risk that they can be used to harm or discriminate against an individual.

10
Q

Data Processing

A

Data processing refers to any action performed on a given set of data, whether carried out
manually or through automated means (Directive 2016/680). This broad definition
includes activities such as collecting, recording, organizing, storing, structuring, editing,
deleting, and otherwise manipulating data throughout its life cycle.

11
Q

Data Subject

A

Data subject refers to any living individual whose data are being processed (European
Union, 2018). Protecting the rights and privacy of data subjects is of utmost importance.
Organizations should respect the rights of data subjects throughout the data processing
activities.

12
Q

The term “data controller”

A

A data controller can be a “natural or legal person, public authority, agency or other body”.

13
Q

Data controller

A

The data controller is the individual or entity that decides how data will be processed
(Directive 2016/680). The data controller bears the responsibility for complying with data
protection laws, implementing appropriate security measures, and ensuring that data
processing activities align with legal requirements.

14
Q

Data Processor

A

A data processor refers to any party, internal or external to an organization, that engages
in processing data on behalf of the data controller (Directive 2016/680). Third-party (external) processors may include service providers such as email or cloud service providers.
Data processors have a contractual obligation to process data in accordance with the
instructions provided by the data controller, ensuring the same level of protection and
compliance. The data controller and the data processor may be the same entity.

15
Q

Data Protection Officer

A

The data protection officer (DPO) is the entity responsible for identifying compliance
issues, conducting internal audits, and handling complaints related to privacy regulations
(Directive 2016/680, p. 56). The DPO serves as a point of contact for individuals to address
privacy concerns and ensures that the organization adheres to data protection laws.

16
Q

What is the significance of including privacy as a human right in international declarations?

A

The inclusion of privacy as a fundamental human right in documents like the European Convention for Human Rights and the EU Charter for Fundamental Rights helps emphasize and legally protect individuals’ privacy rights.

17
Q

What does Article 8.1 of the European Convention for Human Rights protect?

A

Article 8.1 protects the individual’s privacy rights including respect for private and family life, home, and correspondence.

18
Q

How does the EU Charter for Fundamental Rights (EUCFR) contribute to privacy protection?

A

The EUCFR upholds privacy by highlighting rights related to private and family life, home, and correspondence, establishing a solid foundation for privacy laws within the EU.

19
Q

What common principle about personal data is established in privacy laws?

A

Privacy laws generally establish the principle that empowers individuals to control how their personal information is shared.

20
Q

The term “Fair Information Practices”

A

These are a set of internationally recognized practices that govern the collection and use of personal
data. They form the foundation of most contemporary privacy laws and policies.

21
Q

What were the FIPs and when were they introduced?

A

The Fair Information Practices (FIPs), introduced in a 1973 report by the U.S. Department of Health, Education, and Welfare, were principles that responded to the inadequacy of privacy rights in the age of large-scale automated data processing.

22
Q

How did international organizations influence data protection laws?

A

International organizations like the OECD and the Council of Europe played significant roles, with the OECD creating guidelines based on the US FIPs in 1980 and the Council of Europe establishing the first binding international legislation on data protection with Convention 108 in 1981.

23
Q

What are some key laws and directives that have shaped data protection in the EU?

A

The EU’s 1995 Data Protection Directive and the 2005 APEC Privacy Framework significantly shaped data protection by emphasizing individual choice and rights over personal data.

24
Q

What challenge does the value individuals place on their personal data pose to data privacy?

A

The challenge is that many individuals do not value their personal data highly, which complicates efforts to provide effective data privacy protections.

25
Q

What is the primary data protection law in the EU?

A

The General Data Protection Regulation (GDPR) is the primary law, focusing on balancing individual privacy rights with data usage for commercial or public interests.

26
Q

What are the focuses of the GDPR?

A

The GDPR focuses on both the privacy and the integrity of data, ensuring data is accessible only to authorized users and protected from corruption or errors.

27
Q

What other legislation complements the GDPR?

A

The GDPR is complemented by the ePrivacy Directive, which deals with privacy in electronic communications, and the Law Enforcement Directive, which protects personal data in the criminal justice context.

28
Q

How do EU data protection laws empower individuals regarding their personal data?

A

EU laws grant individuals increased authority over their personal data, addressing the power imbalance between individuals and large online platforms.

29
Q

Can you provide an example of enforcement action taken under GDPR?

A

In 2019, the French data protection authority (CNIL) fined Google €50 million for GDPR violations, citing issues with transparency and lack of proper consent concerning data use for personalized ads.

30
Q

What is the fundamental notion at the core of EU data protection laws?

A

The core notion is that personal data is inseparable from an individual’s identity, thus its protection is essential for safeguarding individuals in all areas of life, including online interactions.

31
Q

Why is international cooperation important in data protection?

A

International cooperation and general adherence to data privacy principles are crucial for effectively protecting privacy and maintaining trust in today’s data-driven world.

32
Q

What inspired the foundation of the GDPR?

A

The GDPR is rooted in the European Convention on Human Rights (ECHR), which underlined the right to privacy as a fundamental right for all European citizens, especially in the context of rising digital interactions.

33
Q

What significant regulation did the EU introduce in 1995 to address online privacy?

A

In 1995, the EU introduced the Data Protection Directive to set minimum standards and rules for safeguarding privacy online, though its implementation varied across member states.

34
Q

What prompted the replacement of the Data Protection Directive with the GDPR?

A

The rapid growth of industries based on the collection and sharing of personal data highlighted the need for a harmonized regulation across all member states, leading to the enactment of the GDPR.

35
Q

When did the GDPR come into effect?

A

The GDPR came into effect on May 25, 2018.

36
Q

What are some major impacts of the GDPR since its implementation?

A

Since its implementation, the GDPR has led to over 1,700 enforcement actions, more than four billion euros in fines, and influenced 32 rulings by the Court of Justice of the EU, significantly shaping global privacy practices and data protection measures.

37
Q

Describe the scope of the GDPR.

A

The GDPR applies broadly to any processing of personal data, affecting entities outside the EU if they handle the personal data of EU citizens, as seen in its application to an American SaaS provider processing data from EU citizens.

38
Q

What does the Health Insurance Portability and Accountability Act (HIPAA) protect?

A

HIPAA mandates the security and privacy of health records by covered entities like medical and health insurance providers.

39
Q

What rights does the Children’s Online Privacy Protection Act (COPPA) grant to parents?

A

COPPA provides parents control over the online information collected from children under 13 and sets requirements for website operators.

40
Q

What is the purpose of the Gramm-Leach-Bliley Act (GLBA)?

A

GLBA covers financial institutions, setting measures to safeguard consumer financial information through information security and privacy protocols.

41
Q

What does the Fair Credit Reporting Act (FCRA) ensure?

A

FCRA ensures fair treatment, accuracy, and confidentiality in consumer credit reporting.

42
Q

What is prohibited by the Electronic Communications Privacy Act (ECPA)?

A

The ECPA prohibits unauthorized interception of wire and electronic communications and extends privacy protections to electronic communication.

43
Q

How does Section 5 of the Federal Trade Commission Act (FTC Act) protect consumers?

A

It prohibits unfair and deceptive commercial practices, including the improper processing of personal data that misaligns with consumer expectations.

44
Q

What was the outcome of the FTC’s 2023 complaint against Amazon?

A

Amazon was required to pay $25 million in civil penalties for excessively retaining children’s voice recordings and not deleting geolocation data promptly as requested.

45
Q

What are COPRA and ADPPA, and what do they aim to achieve?

A

COPRA and ADPPA are proposed pieces of legislation that aim to create uniform, GDPR-like data protection across the U.S., though they have not yet been implemented.