Chapter 1C: Legislative Framework Flashcards

1
Q

The two primary reasons for Convention 108 were…

A
  • the failure to respond to the Council of Europe’s 73 and 74 resolutions
  • the need for reinforcement of principles found in those resolutions by means of a binding international instrument
2
Q

What 3 main reasons made Convention 108 a defining moment of European Data Protection law?

A

It’s based on a series of principles addressing main concerns re: DP, including accuracy and security and the right of access

It ensures appropriate protections while recognising the importance of the free flow of personal data for commerce/public functions

It’s a legally binding instrument, requiring states to implement its principles by enacting national legislation

3
Q

When was the Convention 108 updated by the Council of Europe and what with?

A

Late 2018 - to reinforce principles and include additional safeguards for issues re: new technologies

4
Q

When it noticed that data protection law was differing between member states and that this was affecting free flow of data, the European Commission proposed what in 1990?

A

Data Protection Directive.

5
Q

Why was the proposal of the Data Protection Directive significant?

A

It marked the starting point of the EU’s leadership in European data protection and the relative downgrading of the importance of Convention 108.

6
Q

When was the Data Protection Directive formally adopted?

A

24 October 1995.

7
Q

What is the Data Protection Directive built up of?

A

72 recitals, providing theories and interpretations and corresponding obligations, and 34 articles setting out the obligations of the member states to implement the requirement of the directive.

8
Q

The Data Protection Directive’s 34 articles are arranged into 7 chapters:

A
  • General provisions
  • General rules on lawfulness
  • Judicial remedies, liability, sanctions
  • International transfers
  • Codes of conduct
  • Supervisory authority and working party
  • Community implementing measures
9
Q

What are two of the main general principles/concepts of the Data Protection Directive?

A

Necessity (to be lawful, the processing must be necessary)

Adequacy (prohibition of international transfers to jurisdictions that do not offer adequate protection)
10
Q

The Data Protection Directive is a what based law?

A

Human rights based.

11
Q

The Data Protection Directive mandated the development of a national…

A

Data Protection Authority for each state to act with independence in exercising their functions

12
Q

What is WP29?

A

Article 29 Working Party; an independent body composed of representatives of national DPAs, the European Data Protection Supervisor and the Commission.

13
Q

Where are WP29’s duties set out?

A

Set out in Article 30 of the Directive; it’s required to examine the operation of the directive and provide opinions and advice to the Commission.
14
Q

When did the Commission publish proposals for a comprehensive reform of the Directive?

A

January 2012.

15
Q

What two legislative proposals were included in the Commission’s proposal for the comprehensive reform of the directive?

A
  • A regulation setting out a general EU framework for data protection
  • A directive on protecting personal data for purposes of prevention, detection and investigation or prosecution of criminal offences and related activities (the Law Enforcement Data Protection Directive or LEDP Directive)
16
Q

Key changes in the Data Protection Directive’s reform included…

A
  • Single set of rules valid across the EU
  • Increased responsibility/accountability
  • Greater individual control of data and access to data
  • The right to portability and right to be forgotten
  • Stronger powers for DPAs, including fines
17
Q

The GDPR was seen by the Commission as an essential step to…

A

strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market.
18
Q

What is the GDPR comprised of?

A

173 recitals and 99 articles.

Articles - operative law
Recitals - crucial detail about interpretation
19
Q

The 99 recitals of the GDPR are arranged in 11 chapters…

A
  1. General provisions
  2. Principles
  3. Data rights
  4. Controllers/processors
  5. International transfers
  6. Supervisory authorities
  7. Cooperation and consistency
  8. Remedies, liability and penalties
  9. Provisions relating to specific processing situations
  10. Delegated acts and implementing acts
  11. Final provisions
20
Q

How did ‘application of the law’ differ between the Directive and the Regulation?

A

The regulation is directly applicable across all member states without any further intervention from national parliaments.

Both apply to businesses in the EU but the regulation applies equally to processors, not just controllers as in the directive.

Applicability is determined by location of the data subject in the regulation, not just orgs established in the EU.

The regulation clarifies that tracking individuals on the internet to analyse their preferences triggers application of the regulation.

21
Q

How did ‘individual control of data’ differ between the Directive and the Regulation?

A
  • The regulation strengthens consent in relation to the use of data saying consent can’t be bundled with t&cs without distinguishing the two, can be withdrawn at any time, can’t be requested in return for goods/services and also that parental consent is required for under 16s for online services
22
Q

How did rights for individuals differ between the Directive and the Regulation?

A

GDPR gives individuals a lot more control and stronger rights, and outlines a more detailed transparency obligation for clear concise language

New rights of data portability, restriction, right to be forgotten and profiling

Retained existing rights from the directive but removed the right to charge for access requests unless manifestly excessive

23
Q

The regulation brought in a new accountability regime with various requirements to…

A

make businesses more accountable for their data practices, demonstrating compliance and being transparent about it

includes policies, data protection by design and default, record keeping obligations, DPIAs and cooperation with supervisory authorities, DPOs and consultations with DPAs on high risk cases

24
Q

The regulation brought in new data processor obligations, imposing…

A

compliance obligations and possible sanctions directly on processors; a processor may not subcontract a service without the consent of the controller.

The regulation requires specific terms in contracts with controllers; processors are required to maintain records of processing activities, implement security measures, appoint a DPO, comply with international data transfer requirements and cooperate with a supervisory authority.

25
Q

The regulation made changes to international data transfers in the form of…

A

expanding the range of measures that may be used to legitimise such transfers, now including BCRs, SCCs adopted by the commission or DPA, approved code of conduct, certification mechanisms and other contractual clauses authorised by a DPA in accordance with the so-called consistency mechanism.

26
Q

The regulation made changes to international data transfers in the form of…

A

Both data controllers and processors have an obligation to put in place appropriate technical and organisational measures to protect personal data - unlike directive which said only controllers.

Regulation also introduced a requirement to report data breaches to the DPA within 72 hours unless the breach was unlikely to result in a risk for the rights and freedoms of natural persons. If the risk of harm is high, individuals must be notified as well.

27
Q

The regulation made changes to enforcement/risk of non-compliance by…

A

affording individuals right to compensation for breaches for material and immaterial damage, and judicial remedies against decisions of a DPA which concern them

Individuals can also compel a DPA to act on a complaint

Significant increase in the potential severity of sanctions, including fines of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.

Includes infringements of basic principles, conditions for consent, data rights, conditions for lawful international transfers, orders by DPAs, specific obligations under national laws

28
Q

The rules of the LEDP Directive have three main objectives:

A
  • Better cooperation between law enforcement authorities
  • Better protection of citizens’ data
  • Clear rules for international data flows
29
Q

In the e-privacy directive, which replaced the 1997 directive to reflect the process of convergence, the EU widened its then existing telecommunication laws to cover…

A

all electronic comms, including telecomms, faxes, the internet, email and similar methods of communication.

30
Q

The e-privacy directive saw the need for…

A

consistent and equal protections regardless of technologies used.

31
Q

What was the aim of the e-privacy directive?

A

To harmonise the provisions of the Member States and ensure an equivalent level of protection of fundamental rights and freedoms, in particular the right to privacy with respect to the processing of personal data in the electronic communication sector, and to ensure the free movement of such data.

32
Q

When was the e-privacy directive originally proposed?

A

12 July 2000 - but the adoption process took nearly 2 years (the last approval hurdle was cleared on 24 June 2002).

33
Q

When was the e-privacy directive published and where? When did it need to be implemented by member states?

A

Published in the Official Journal of the EU 31 July 2002 - needed to be implemented into national law by no later than 31 October 2003.

34
Q

When and why was the e-privacy Directive amended?

A

24 November 2009 as part of wider reforms to EU telecommunications sector - it was designed to encourage greater industry competition, consumer choice and protections - including around right to privacy.

35
Q

The directive does not apply to electronic communications if…

A

the service is not publicly available - this means communications over a private network, such as a company intranet, are generally not covered.

36
Q

E-privacy relating to security…

A

Appropriate technical and organisational safeguards - the service provider is under a general obligation to inform the subscriber of any particular risk of a breach of the network’s security.

37
Q

E-privacy relating to confidentiality…

A

Member states are required to ensure the confidentiality of comms and of traffic data, including users of such services who give their consent to interception and surveillance.

38
Q

E-privacy relating to processing of traffic and billing data…

A

subject to certain restrictions.

39
Q

E-privacy relating to location data…

A

only if made anonymous or processed with the consent of users and for the duration necessary for the provision of a value added service.

40
Q

E-privacy relating to subscriber directories…

A

subscribers must be informed before being included in any directory.

41
Q

Certain provisions of the eprivacy directive have been amended and were due to be implemented by member states by the end of May 2011. What were the most pertinent changes?

A

Introduction of mandatory notification of personal data breaches by electronic comms service providers - to the national authority and the individual where the breach is likely to adversely affect the privacy of the individual

42
Q

What does Article 13 of the e-privacy directive re unsolicited communication provide?

A

Rights for individuals and orgs including internet service providers to bring legal proceedings against unlawful communications.

43
Q

What was the most pertinent / arguably controversial amendment made to the eprivacy directive, which concerned cookies?

A

Article 5(3) - the storing of cookies is only allowed if the user concerned has given consent, having been provided with clear information.

44
Q

What are cookies?

A

Small text files sent automatically by websites to terminal equipment of the users. They enable organisations to personalise websites based on the users’ browsing habits and deliver preference-based advertising, bolstering revenues but also allowing users to navigate more easily and retrieve information found in the past/facilitate online shopping.

45
Q

What are the exemptions to only being able to store cookies on consent?

A

For the sole purpose of carrying out the transmission of a communication or strictly necessary cookies for the provision of an information society service explicitly requested by the subscriber or user

46
Q

How long did each EU member state have to transpose cookie consent requirements into national legislation?

A

2 years.

47
Q

In July 2015, the Commission published a study on…

A

the effectiveness of the ePrivacy Directive, which proposed recommendations for its reform - launch of public consultation followed in April 2016.

48
Q

On 10th January 2017, the Commission released a legislative proposal for…

A

a new ePrivacy Regulation to replace the existing directive.

49
Q

What is the aim of the draft of the ePrivacy Regulation?

A

To harmonise the specific privacy framework re: electronic communications within the EU and ensure consistency with GDPR.

50
Q

What are the key features of the ePrivacy regulation?

A
  • Wider application
  • A single set of rules
  • Confidentiality of electronic communications
  • Consent required to process communications content and metadata
  • New business opportunities
  • Revised rules on cookies (no consent needed for non-privacy-intrusive cookies)
  • Protection against spam
  • Enforcement
51
Q

What are the consequences for non-compliance with the e-privacy Regulation?

A
  • Breaches re: notice/consent, default privacy settings, public directories and unsolicited comms may be punished with fines of up to 10 million euros or 2 percent of total worldwide turnover
  • Breaches of rules re: confidentiality of communications, permitted processing and time limits for erasure may be punished with fines of up to 20 million euros or 4% of total worldwide turnover
52
Q

Where is the ePrivacy regulation now?

A

With European Parliament and the Council of the EU.

53
Q

What was the purpose of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006?

A

To align the rules on data retention across EU member states and ensure the availability of traffic and location data for serious crime and antiterrorism purposes.

54
Q

When was the Data Retention Directive struck off and why?

A

2014 by the Court of the European Union - invalid on the grounds that it was disproportionate in scope and incompatible with the rights to privacy and data protection under the EU Charter of Fundamental Rights.