GDPR, DOI, and Data Leaks

Question 1

What was the purpose of the 1995 Data Protection Directive?

Answer 1

Set the foundation for EU data privacy laws.

Question 2

What was the Safe Harbor Agreement?

Answer 2

2000 U.S.-E.U. agreement allowing data transfers if US companies followed EU-like privacy protections.

Question 3

Why was Safe Harbor invalidated?

Answer 3

Schrems I case following Snowden’s 2013 revelations about NSA surveillance.

Question 4

What replaced Safe Harbor in 2016?

Answer 4

E.U.-U.S. Privacy Shield

Question 5

What happened in Schrems II?

Answer 5

• CJEU ruled Privacy Shield invalid
• SCCs still valid with conditions

Question 6

What is the E.U.-U.S. Data Privacy Framework?

Answer 6

2023 agreement addressing concerns from Schrems II, includes EO 14086.

Question 7

What is EO 14086?

Answer 7

• US EO ensuring surveillance is necessary/proportional
• Creates data protection review court

Question 8

What is a ‘third country’ under EU law?

Answer 8

Country outside EEA without an adequacy decision.

Question 9

What are the three legal bases for EEA data transfers?

Answer 9

• Adequacy decision
• Appropriate safeguards
• Derogation

Question 10

What are Standard Contractual Clauses ?

(SCCs)

Answer 10

Contractual promises by companies to follow EU data protection law.

Question 11

What are Binding Corporate Rules?

(BCRs)

Answer 11

DPA-approved rules allowing intra-group data transfers under strict conditions.

Question 12

What is a derogation under EU data transfer rules?

Answer 12

Legal exception

Examples: explicit consent or legal necessity, for occasional transfers

Question 13

What is the Global CBPR Forum?

Answer 13

Cross-border privacy certification system, based on APEC principles.

Question 14

What does the OECD Declaration on Data Access cover?

Answer 14

Government access to private data.

Examples: legal basis, transparency, oversight, remedies.

Question 15

What is the GDPR?

Answer 15

• General Data Protection Regulation
• EU regulation on information privacy applicable to EU/EEA, effective 2018

Question 16

Which countries are part of the EEA?

Answer 16

EU + Norway, Iceland, Liechtenstein

Question 17

What are key provisions of GDPR?

Answer 17

• Data processing rules
• Individual rights
• Breach notification
• DPO requirement
• Penalties
• Transfer rules

Question 18

What is personal data under GDPR?

Answer 18

Data related to an identified or identifiable person.

Question 19

What is sensitive personal data?

Answer 19

• race
• politics
• religion
• unions
• genetics
• biometrics
• health
• sexuality

Question 20

What is required to process sensitive data?

Answer 20

Explicit consent for specific purpose.

Question 21

Who is a data subject?

Answer 21

The individual whose data is collected.

Question 22

What are the four consent requirements under GDPR?

Answer 22

• Freely given
• Specific
• Informed
• Unambiguous

Question 23

What info must be disclosed by data controller for informed consent?

Answer 23

• Controller identity
• Purpose
• Data collected
• Right to withdraw
• Automation
• Transfer risks

Question 24

What is a Data Protection Authority?

(DPA)

Answer 24

Independent national bodies that enforce GDPR and offer guidance.

Question 25

What is a **Data Protection Officer**? | (DPO)

Answer 25

**EU-based privacy contact** with relevant experience and no conflicts; required in certain cases.

Question 26

What must **non-EU businesses** do under GDPR?

Answer 26

Appoint an **EU representative** if no EU office exists.

Question 27

What are the **seven GDPR principles**?

Answer 27

* Lawfulness, fairness, and transparency * Purpose limitation * Data minimization * Accuracy * Storage limitation * Integrity and confidentiality * Accountability

Question 28

What does **lawfulness, fairness, and transparency** mean in GDPR?

Answer 28

Legal basis for processing, informing data subjects, and clear communications.

Question 29

What is the **purpose limitation** principle?

Answer 29

Data must be collected for specific, explicit, legitimate purposes

Question 30

When is **secondary processing** allowed under GDPR?

Answer 30

If **compatible with original purpose**, data subject expectations, safeguards in place.

Question 31

What does **data minimization** mean?

Answer 31

* Collect only necessary data * Delete when no longer needed

Question 32

What is required by the **accuracy** principle?

Answer 32

Data must be correct, complete; allow for corrections.

Question 33

What does **storage limitation** entail?

Answer 33

Keep data only as long as **necessary**.

Question 34

What does **integrity and confidentiality** mean?

Answer 34

* Authorized access only * Data must be accurate, complete, secure, and available when needed

Question 35

What does **accountability** mean under GDPR?

Answer 35

Controller must **demonstrate compliance** through records, breach logs, DPIAs, user access.

Question 36

What is the **mnemonic for GDPR principles**?

Answer 36

Llamas Paraded Drowsily As Smurfs Imploded Accidentally ## Footnote Lawfulness, Purpose, Data, Accuracy, Storage, Integrity, Accountability

Question 37

What is the **mnemonic** for GDPR data subject rights?

Answer 37

Real adorable pandas eat avocados in overalls. ## Footnote Restrict, ADM, Portability, Erasure, Access, Informed, Objection.

Question 38

When does the **right to restrict processing** apply?

Answer 38

Disputed accuracy, unlawful processing, no longer needed, subject objects.

Question 39

What is **automated decision making**? | (ADM)

Answer 39

* Solely automated processing of data without human involvement, AND * Produces legal effects ## Footnote Allowed with contract, law, or explicit consent.

Question 40

What is **data portability**?

Answer 40

* Right to receive or transfer data in machine-readable format * Applies with consent/contract + automation

Question 41

What is the **right of erasure**?

Answer 41

* Right to be forgotten * Applies when data is no longer needed, consent withdrawn, objection, unlawful, legal obligation, or child’s data

Question 42

What does the **right of access** and **rectification** involve?

Answer 42

Request confirmation, copy, privacy notice, and correct inaccurate data.

Question 43

What types of notices **support the informed right**?

Answer 43

* Layered * Just-in-time * Dashboard

Question 44

What does the **right to object** cover?

Answer 44

Processing for direct marketing, legitimate/public interest (not absolute).

Question 45

What factors are considered in the legitimate interest **balancing test**?

Answer 45

* Data nature * Expectations * Impact * Safeguards * Relationship * Method * Benefits

Question 46

What are **controller obligations** when responding to data subject requests?

Answer 46

* Respond in 1–3 months * Verify identity * No fee/refusal unless burdensome

Question 47

When can a subject **bring a complaint to court**?

Answer 47

If unsatisfied with DPA or no resolution in three months.

Question 48

**Who is liable** under GDPR?

Answer 48

Controllers and processors ## Footnote Both liable for harm caused; joint controllers share liability

Question 49

What are the **high-tier** GDPR fines?

Answer 49

Up to 4% global revenue ## Footnote For consent violations, rights violations, unlawful processing/transfers.

Question 50

What are the **low-tier** GDPR fines?

Answer 50

Up to 2% global revenue ## Footnote For poor recordkeeping, DPA cooperation, DPO designation, security issues

Question 51

What is a GDPR **data breach**?

Answer 51

Breach of security causing loss, destruction, disclosure, or access to personal data.

Question 52

**When** must a controller report a data breach?

Answer 52

Within **72 hours** of **becoming aware**, unless risk is unlikely.

Question 53

When must a processor **notify the controller** of a breach?

Answer 53

Without undue delay.

Question 54

What must be included in a data subject breach **notification**?

Answer 54

* Plain language * DPO contact info * Breach consequences * Mitigations in place

Question 55

When is breach notification to subjects **not required**?

Answer 55

* Low risk * Mitigation taken, or * Public notice used due to burden

Question 56

What is a **Department of Insurance**?

Answer 56

* A **state-level** government regulatory agency * Supervises and **regulates** the insurance industry ## Footnote E.g., homeowners auto health life and disability insurance.

Question 57

Who **heads** each state's Department of Insurance?

Answer 57

An Insurance Commissioner

Question 58

What are the **primary responsibilities** of Departments of Insurance?

Answer 58

* License and monitor insurers agents brokers * Ensure solvency * Set licensing standards * Review market rates and policies * Respond to customer complaints * Investigate fraud

Question 59

What does '**solvency**' mean in the insurance context?

Answer 59

The ability of an insurer to **meet financial obligations** and pay claims.

Question 60

What is the **NAIC**?

Answer 60

* The National Association of Insurance Commissioners * A standard-setting organization that coordinates multi-state regulation

Question 61

What is the significance of the **McCarran-Ferguson Act** of 1945?

Answer 61

It affirmed that **insurance regulation** should be **managed by states** not the federal government.

Question 62

How do Departments of Insurance **intersect with privacy**?

Answer 62

They **enforce privacy and data protection standards** through audits and compliance requirements tied to licensing.

Question 63

What are NAIC '**model laws**'?

Answer 63

**Standardized recommended legal frameworks** designed to guide states in regulating insurance consistently.

Question 64

What is the purpose of the **Data Security Model Law** (#668)?

Answer 64

To establish **cybersecurity** and **data protection standards** for insurers agents and other licensees.

Question 65

What must insurers **implement** under the Data Security Model Law (#668)?

Answer 65

Information security programs risk assessments and third-party risk management.

Question 66

What must licensees do in case of a **cybersecurity incident**?

Answer 66

* Investigate the incident * Notify the state Insurance Commissioner within 72 hours * Notify affected consumers

Question 67

What is **fiduciary duty**?

Answer 67

A legal and ethical obligation requiring one party to **act in the highest good faith** and loyalty **for the benefit of another party** who has placed trust and reliance in them.

Question 68

Who is the **fiduciary** and who is the **beneficiary**?

Answer 68

The fiduciary is the trusted party responsible for **acting in the best interest** of the beneficiary who relies on them. ## Footnote Examples: lawyers, trustees, financial advisors, and corporate directors

Question 69

What is the **duty of loyalty** in fiduciary duty?

Answer 69

The fiduciary must place the **beneficiary's interests above their own** and **avoid conflicts of interest**.

Question 70

What is the **duty of care** in fiduciary duty?

Answer 70

The fiduciary must act **prudently**, **competently** and **diligently** in managing the beneficiary’s interests.

Question 71

What is the **duty of good faith** in fiduciary duty?

Answer 71

The fiduciary must **act honestly** and must **not mislead or deceive** the beneficiary.

Question 72

How does fiduciary duty **apply to privacy**?

Answer 72

It raises the question of whether organizations should **owe fiduciary duties to consumers** regarding personal data use and protection.

Question 73

What **conflict of interest** exists in data privacy under the current U.S. model?

Answer 73

Organizations seek to **monetize personal data** which conflicts with acting in the best interest of consumers.

Question 74

What is the **FADP**?

Answer 74

The Revised Swiss Federal Act on Data Protection ## Footnote Replaced the 1992 version; aligns Switzerland with the EU GDPR.

Question 75

What is the **purpose** of revising the Swiss Federal Act on Data Protection?

Answer 75

* Modernize Swiss privacy law * Align Switzerland with the EU GDPR to maintain adequacy for cross-border data transfers

Question 76

What are the **penalties** for non-compliance under the FADP?

Answer 76

Fines up to **CHF 250,000**.

Question 77

What **unique types** of **sensitive data** are recognized under the FADP?

Answer 77

* The intimate sphere of the data subject * Social security data

Question 78

How does the **FADP** address **extraterritoriality**?

Answer 78

It applies when data processing **has an effect in Switzerland** even if the activity originates abroad.

Question 79

What mechanisms are available for **third-country data transfers** under the **FADP**?

Answer 79

* Swiss-U.S. Data Privacy Framework * Standard contractual clauses * Binding corporate rules

Question 80

What is the **Swiss-U.S. Data Privacy Framework**?

Answer 80

A mechanism allowing compliant U.S. organizations to **receive personal data from Switzerland** in accordance with Swiss privacy standards.

Question 81

What is a **data leak**?

Answer 81

An accidental **exposure of data**. ## Footnote Often caused by poor security handling or misconfigurations and typically without malicious intent.

Question 82

What are **common causes** of data leaks?

Answer 82

* Human error * Improperly configured access controls * Vulnerabilities in third-party systems

Question 83

What are some **key prevention measures** for data leaks and breaches?

Answer 83

* Workforce training * Data loss prevention tools * Robust security policies * Continuous monitoring

Question 84

What role do **data loss prevention tools** play in preventing leaks?

Answer 84

They detect and block **unauthorized transmission** or **storage** of sensitive information.