Chapter 3 (Legislative Framework)

Question 1

What were the 2 main reasons for Convention 108?

Answer 1

1. The member states failure to respond to the Council of Europe’s 1973 and 1974 resolutions re protection of privacy in the private and public sectors.
2. Need to reinforce the principles found in those resolutions by means of a binding international instrument.

Question 2

What are the 3 main reasons that the Convention 108 is noteworthy?

Answer 2

1. It is based on a series of principles that address the main concerns relating to data protection, principles that are still found in the GDPR.
2. It ensures appropriate protections for individual privacy but also recognizes the importance of the free flow of personal data for commerce and the exercise of public functions.
3. It requires signatory states to implement its principles by enacting national legislation.

Question 3

How many articles does Convention 108 have?

Answer 3

It has 27 articles.

Question 4

What are the 3 main parts of Convention 108?

Answer 4

1. Basic principles of data protection (Chp. II, Articles 4-11)
2. Transborder data flows (Chp. III, Article 12)
3. Mutual assistance provisions (Chp. IV, Articles 13-17)

Question 5

What were 2 difficulties with Convention 108?

Answer 5

1. Only a small number of states had ratified it.
2. States national data protection laws took a fragmented approach to its implementation.

Question 6

What marked the starting point of the EU’s leadership in European data protection and relative downgrading of importance for Convention 108?

Answer 6

When the European Commission proposed Directive 95/46/EC or Data Protection Directive in 1990.

Question 7

The Directive is comprised of how many recitals and articles? What do each set out?

Answer 7

72 recitals: provide the theories and interpretations behind the Directive and corresponding obligations

34 articles: set out the obligations of the member states in implementing the requirements of the Directive.

Question 8

Did the Directive set out general principles and leave member states to implement them or prescribe in detail how member states had to transpose the Directive’s principles into national law?

Answer 8

It set out general principles and left member states to implement them.

Question 9

What was a major advance of the Directive over Convention 108?

Answer 9

Unlike Convention 108, the Directive was applicable to manual data. This meant that the processing of manual data held in a filing system was subject to the same obligations as personal data processed by automatic means.

Question 10

What were the 8 key principles of the Directive with regard to personal data?

Answer 10

Personal data shall be:
1. Processed fairly and lawfully
2. Collected for specified and legit purposes and not processed in a manner incompatible with those purposes
3. Be processed in a manner that is adequate, relevant, and not excessive
4. Accurate and, where necessary, kept up to date
5. Kept for no longer than is necessary
6. Processed in accordance with the rights of the individual
7. Protected against accidental, unlawful, or unauthorized processing by the use of appropriate technical and organizational measures
8. Transferred to countries outside the European Economic Area (EEA) only if those countries ensure adequate levels of data protection

Question 11

What factors led the Commission’s efforts to reform the Directive?

Answer 11

1. Divergence of national measures and practices implementing the Directive
2. The divergent measures impact on businesses and individuals.
3. Development in tech since the Directive was drafted.

Question 12

What were the 9 key changes the Commission proposed to reform the Directive?

Answer 12

1. A single set of rules on data protection valid across the EU.
2. Increased responsibility and accountability for those processing personal data.
3. Enabling orgs to deal with a single DPA in the EU country where they have their main establishment in some instances.
4. Giving individuals greater control over their data (e.g. explicit consent rather than implicit).
5. Individuals having easier access to their own data and ability to transfer personal data from one service provider to another.
6. A right to be forgotten to help people better manage data protection risks online.
7. Ensuring EU rules apply if personal data are handled abroad by companies that are active in the EU market.
8. Strengthening the powers of independent national DPAs so they can better enforce EU rules at home.
9. General data protection principles and rules for police and judicial cooperation in criminal matters as contained in the LED and applicable to both domestic and cross-border transfers of data.

Question 13

How many recitals and articles does the GDPR have?

Answer 13

It has 173 recitals and 99 articles.

Question 14

The GPDR’s articles are divided into 11 chapters. What are these chapters?

Answer 14

1. General provisions
2. Principles
3. Rights of the data subject
4. Controller and processor
5. Transfers of personal data to third countries or international orgs
6. Independent supervisory authorities
7. Cooperation and consistency
8. Remedies, liability, and penalties
9. Provisions relating to specific processing situations
10. Delegate acts and implementing acts
11. Final provisions

Question 15

What are 3 ways the GDPR differs from the Directive re application of the law?

Answer 15

The GDPR
1. Is directly applicable across all EU member states without any further intervention from national parliaments.
2. Applies to data controllers AND processors
3. Applicability to non-EU companies is based on location of data subjects, not processing equipment.

Question 16

In what 4 ways did the GDPR strengthen the concept of consent?

Answer 16

1. Consent can’t be bundled with terms and conditions
2. It can be withdrawn at any time
3. Freely given consent can’t be packaged in a take it or leave it manner in return for good and services
4. Parental consent may be required, and such requirements are at the discretion of individual member states for children under 16.

Question 17

Under the GDPR, individuals are afforded a lot more control over their data through significantly enforced rights, what are these rights?

Answer 17

1. Much more detailed transparency obligations.
2. New rights of data portability,restriction of processing, the right to be forgotten, and in relation to profiling.
3. The retention of existing rights, such as subject access, rectification, erasure, and the right to object from the directive.

Question 18

What is the most notable novelty of the GDPR?

Answer 18

The various requirements to make businesses more accountable for their data practices.

Question 19

What are 7 of the new accountability responsibilities under the GDPR?

Answer 19

1. Implementation of data protection policies and measures to ensure an org’s data processing activities comply with the GDPR.
2. Data protection by design and data protection by default
3. Record-keeping obligations by controllers and processors
4. Cooperation with supervisory authorities by controllers and processors
5. Carrying out data protection impact assessments (DPIAs) for operations that present specific risks to individuals due to the nature or scope of the operation
6. Prior consultation with DPAs in high-risk cases
7. Mandatory data protection officers (DPOs) for controllers and processors for the public sector and big data processing activities

Question 20

What is one of the GDPR’s most radical changes with regards to data processors?

Answer 20

The requirement that a processor may not subcontract a service without consent of the controller.

Question 21

What 6 measures does the GDPR provide that expand cross-border data transfers?

Answer 21

1. Binding corporate rules (BCRs)
2. Standard contractual clauses (SCCs) adopted by the Commission
3. SCCs adopted by a DPA and approved by the Commission
4. An approved code of conduct
5. An approved certification method
6. Other contractual clauses authorized by a DPA in accordance with the so-called consistency mechanism

Question 22

The GDPR increases the sanctions for infringements of what 5 provisions?

Answer 22

1. The basic principles for processing, including conditions for consent
2. The data subjects’ rights
3. The conditions for lawful international data transfers
4. Specific obligations under national laws where permitted by the GDPR
5. Orders by DPAs, including suspension of data flows

Question 23

What does the Law Enforcement Directive govern?

Answer 23

Protects citizens’ fundamental right to data protection whenever data are used by criminal law enforcement authorities.

Question 24

What are the 3 main objectives of the Law Enforcement Directive (LED)?

Answer 24

1. Better cooperation between law enforcement authorities
2. Better protection of citizens’ data
3. Clear rules for international data flow

Question 25

When was the Privacy and Electronic Communications Directive (ePrivacy Directive) passed? When was it amended?

Answer 25

Passed July 12, 2002 Amended November 24, 2009

Question 26

What is the scope of the ePrivacy Directive?

Answer 26

It applies to the processing of personal data via publicly available electronic communication services.

Question 27

What are the 6 key provisions of the ePrivacy Directive?

Answer 27

1. Providers of publicly available electronic communications services are required to take appropriate technical and organizational measures to safeguard the security of their services. 2. Member states are required to ensure the confidentiality of communications and the traffic of data generated by such communications 3. Most forms of digital marketing, including Short Message Service, Multimedia Messaging Service, and faxes require prior (opt-in) consent 4. Processing of traffic and billing data is subject to certain restrictions. 5. Location data may be processed only if that data are made anonymous or, alternatively if processes with the consent of users for the duration necessary for the provision of a value-added service. 6. Subscribers may be informed before being included in any directory.

Question 28

In 2011 the amendments to the ePrivacy Directive went into affect. What are 3 of the most notable changes?

Answer 28

1. Introduction of mandatory notification for personal data breaches by electronic communication service providers. 2. Enhanced clarifications in the scope of the amended Directive and enhancements of the right of actions against unsolicited communications. 3. Provisions affecting cookies (gaining access to this stored info requires user consent).

Question 29

Under the ePrivacy Directive, user consent is not needed to access cookies where the technical storage or access is what?

Answer 29

1. For the sole purpose of carrying out the transmission of a communication over an electronic communications network. 2. Strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

Question 30

What is the ePrivacy Regulation?

Answer 30

A legislative proposal issued by the Commission on January 10, 2017 to replace the existing ePrivacy Directive.

Question 31

What is the high-level aim of the draft ePrivacy Regulation?

Answer 31

To harmonize the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR.

Question 32

What are the 8 key features of the ePrivacy Regulation?

Answer 32

1. Wider application (all electronic communications services not just testimonial telecoms operators) 2. Providing a single set of rules for electronic communications 3. Confidentiality of electronic communications (e.g listen to, tap, scan, or store communications without consent) 4. Unless users have given consent all content and metadata derived from electronic communications (time of call, location, etc.) will need to be anonymized or deleted (unless a special circumstance applies) 5. Creating new business opportunities (once consumer achieved) 6. Creating a more streamlined approach to consent requests for cookies 7. Protection against spam 8. The enforcement of the confidentiality rules in the regulation will be the responsibility of national DPAs

Question 33

Under the ePrivacy Regulations, what breaches may be punished with fines of up to 10 million pounds or 2% of the total worldwide annual turnover?

Answer 33

Breaches of rules regarding: 1. Notice and consent 2. Default privacy settings 3. Publicly available directories 4. Unsolicited communications

Question 34

Under the ePrivacy Regulations, what breaches may be punished with fines of up to 20 million pounds or 4% of the total worldwide annual turnover?

Answer 34

Breaches of rules regarding: 1. Confidentiality of communications 2. Permitted processing of electronic communications data 3. Limits for erasure of data

Question 35

What is the Directive on security network and info systems (NIS Directive) and when was it adopted/put into force?

Answer 35

Adopted July 6, 2016 and effective in August 2106. Is the first piece of EU-wide cybersecurity legislation intended to address the threats posed to network and info systems, therefore, improving the functioning of the digital economy.

Question 36

What are the 3 main objectives of the NIS Directive?

Answer 36

1. Improving national cybersecurity capabilities by requiring each member state to setup a Computer Security Incident Response Team (CSIRT) and a competent national Network Information Systems Authority. 2. Building cooperation at the EU level by setting up a cooperation group across the member states to support and facilitate strategic cooperation and exchange of info. 3. Promoting a culture of risk management and incident reporting amongst key economic actors, notably operators providing essential services (OEDs) and digital service providers (DSPs)

Question 37

What is the NIS 2 Directive?

Answer 37

A Commission proposal that aims to replace and further develop the NIS Directive.

Question 38

What are some of the significant changes proposed by the NIS 2 Directive?

Answer 38

1. Widening the scope of the NIS Directive to additional industry sectors 2. Strengthening the existing rules on security requirements and incident reporting, while increasing the maximum fines that can be applied

Question 39

What was the Data Retention Directive designed to do?

Answer 39

Align the rules of data retention across EU member states to ensue the availability of traffic and location data for serious crime and antiterrorism purposes.

Question 40

What ruling did the CJEU issue re the Data Retention Directive in 2014?

Answer 40

Ruled that it was invalid on the grounds that it was disproportionate in scope and incompatible with the rights to privacy and data protection under the EU Charter or fundamental rights.

Question 41

Can the Commission take action against a member state if a directive isn’t implemented on time or if the implementation contravenes European law?

Answer 41

Yes.

Question 42

What are opening clauses?

Answer 42

Allow member states to put their own national data protection laws in place of a given regulation.

Question 43

How many opening clauses does the GDPR have?

Answer 43

50 opening clauses