Data Protection Laws and the Origins of Privacy

Question 1

What is the difference between a treaty and a declaration?

Answer 1

A declaration is not legally binding

Question 2

What is the main difference between the Declaration on Human Rights and the European Convention on Human Rights?

Answer 2

The Declaration on Human Rights was between UN countries

The European Convention on Human Rights was among the Council of Europe member countries and it required member state ratification

Question 3

What is the Universal Declaration on Human Rights (date, governing body, important articles)?

Answer 3

December 10, 1948

Adopted by UN General Assembly

Non-binding instrument that set milestone standards for the treatment of all people

Article 12: right to a private life
Article 19: right to free speech
Article 29(2): Addresses that rights are not absolute and a balance should be struck

Question 4

What is the European Convention on Human Rights (ECHR) (date, governing body, important articles)?

Answer 4

1953

Drawn up by the Council of Europe and must be ratified by all Council of Europe member states

International treaty to protect human rights and fundamental freedoms and can be enforced by the European Court of Human Rights in Strasbourg

Article 8: Protects the rights of individuals
Article 10: Protects the rights of freedom of expression and sharing information and ideas across national boundaries
Article 10(2) promotes balance between Articles 8 and 10

Question 5

Articles 12, 19, and 29(2) of the Universal Declaration of Human Rights

Answer 5

Article 12: Right to a private life
Article 19: Right to freedom of expression (free speech)
Article 29(2): Addresses that rights are not absolute and a balance should be struck

Question 6

Articles 8, 10, 10(2) of the European Convention on Human Rights

Answer 6

Article 8: Protects the rights of individuals
Article 10: Protects the rights of freedom of expression and sharing information and ideas across national boundaries
Article 10(2): promotes balance between Articles 8 and 10

Question 7

1960s

Answer 7

Marked by economic and technological advancements, including increasing international trade and the use of computers and telecommunications

Question 8

1970s

Answer 8

Conflict between national privacy rights and international free trade increased in the 1970s and 1980s. The time was marked by the development of communication technologies, including the establishment of extensive banks of personal data and new opportunities for international data processing

Question 9

OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data (include date)

Answer 9

OECD Guidelines

Created in 1980 and updated in 2013

Aimed to facilitate data flows and protect personal data in a global economy

Question 10

Council of Europe Convention (include date and aka)

Answer 10

AKA Convention 108

1981

Council of Europe member states, but open to more than just Europe

First legally binding data protection instrument for several Council of Europe member states. Differs from the OECD guidelines by requiring signatories to apply the principles of Convention 108 in their domestic legislation.

Question 11

EU Data Protection Directive (date and aka)

Answer 11

1995 aka 95/46/EC

European Commission

Based on the CoE Convention 108

Directive set out general data protection principles and obligations, requiring EU member states to transpose and implement them

Question 12

Charter of Fundamental Rights of the EU (include date)

Answer 12

2000

European Commission–applies to EU institutions

A comprehensive collection of individuals’ rights, including the fundamental right to protect personal data

Question 13

E-Commerce Directive (include date and aka)

Answer 13

2000 aka Directive 2000/31/EC

European Commission

States that issues related to the processing of personal data are outside its scope

Question 14

EU Directive on Privacy and Electronic Communications (date and aka)

Answer 14

Adopted in 2002 and amended in 2009

aka ePrivacy Directive

Legally binding on EU member states and requires local implementation

Applies to processing of personal data through electronic communication services and networks in the EU

Question 15

EU Data Retention Directive (include date and aka)

Answer 15

Adopted in 2006 and annulled in 2014 by the Court of Justice of the EU

aka 2006/24/EC

Data retention is addressed by national laws across the EU

Question 16

Treaty of Lisbon

Answer 16

2009

Aim is to strengthen and improve the core structure of the EU and to help it function more efficiently.

It amends the Maastricht Treaty (1992), known in updated form as the Treaty on European Union (2007) or TEU, as well as the Treaty of Rome (1957), known in updated form as the Treaty on the Functioning of the European Union (2007) or TFEU

Gave the Charter of Fundamental Rights of the EU full legal effect in the EU.

Question 17

GDPR (include dates)

Answer 17

2016

Replaced Data Protection Directive and became enforceable on May 25, 2018

Question 18

Convention 108+ (include date)

Answer 18

Overhauled Convention 108 to align with the GDPR in October 2018

Signed by 20 states of the Council of Europe, including the UK and now more states have followed.

According to the Commission, it serves as a means for third countries (outside the EU) to adopt the basic tenets of the GDPR.

Question 19

European Court of Human Rights (ECHR)

Answer 19

In Strasbourg

Upholds privacy and data protection laws through its enforcement of the European Convention on Human Rights and Convention 108

It is NOT part of the European Union

Question 20

Council of Europe

Answer 20

International organization founded in the wake of WWII (1949) to uphold human rights, democracy, and the rule of law in Europe

47 member states

Cannot make laws, but does have the ability to push for the enforcement of international agreements reached by member states on various topics.

Best known body is the European Court of Human Rights, which functions on the basis of the European Convention on Human Rights

Question 21

European Union

Answer 21

Economic and political union

27 member states

Every EU member state belongs to the Council of Europe, but this is not a prerequisite for EU membership

Question 22

European Economic Area (EEA)

Answer 22

Agreement of the European Economic Area

EU Member States, Iceland, Liechtenstein, and Norway

Based on Agreement of the European Economic Area of 1994-allows members of the European Free Trade Association (EFTA) to participate fully in the EU’s internal market

Question 23

Agreement of the European Economic Area of 1994

Answer 23

Allows members of the European Free Trade Association (EFTA) to participate fully in the EU’s internal market

Question 24

Bodies of the European Union

Answer 24

European Parliament

European Council

Council of the EU

European Commission

Court of Justice of the EU

Question 25

European Parliament

Answer 25

Only EU institution whose members are directly elected

3 primary responsibilities:

• legislative development
• supervisory oversight of the other institutions
• development of the budget

Greatest impact on data protection and privacy issues through its role in the legislative process of the EU. Has been a vocal advocate of the right to data protection, often taking a more protective stance on privacy than other institutions.

Question 26

European Council

Answer 26

Defines the EU’s priorities and sets the political direction for the EU

Composed of the heads of state or government of all EU countries, the European Council President, the European Commission President, and the High Representative for Foreign Affairs and Security Policy

Question 27

Council of the EU

Answer 27

Along with the Parliament, the Council of the EU focuses on legislative decision-making. Its meetings are attended by one minister from each member state that changes based on the policy issue to be discussed.

Shares its legislative power with the European Parliament.

Legislation is generally proposed by the Commission before it is examined by the Council of the EU and Parliament.

Question 28

European Commission

Answer 28

Implements the EU’s decisions and policies

Has other broad functions, including exclusive competence to propose legislation

Been the most active EU institution in the area of data protection

Composed of one commissioner per member state who pledges to respect EU treaties

Question 29

Court of Justice of the EU

Answer 29

Based in Luxembourg

Judicial body of the EU

Makes decisions on issues of EU law and enforces decisions, either in respect of actions taken by the Commission against a member state or by an individual or organization to enforce their rights under EU law

Comprises the European Court of Justice (ECJ) and the General Court

Provides clarification of EU law to national courts to assist the national courts in upholding EU law

Question 30

How the GDPR went through the legislative process

Answer 30

In 2012, the European Commission proposed draft legislation of the GDPR and sent a version to the European Parliament and the Council of the EU.

The Parliament reviewed the draft within committee meetings. Collected thousands of amendments and that became the Parliament’s position on the GDPR.

Meanwhile, the Council of the EU had their own committees that reviewed the draft legislation. That became the Council’s official position on the new draft.

Then, the Parliament and Council got together and tried to jointly agree on the legislation. The European Commission adjudicated the proceedings. This process was called the Trilogue procedure. Meanwhile, other groups such as national parliaments, consumer advocates, industry advocates, etc. expressed their views.

In December 2016, the council and Parliament finally agreed upon the EU GDPR, first proposed in 2012. It went into effect on May 25, 2018.

Question 31

Directive vs. Regulation

Answer 31

Directive: Places obligations on member states and then the member states implement it in their local law

Regulation: directly applicable and enforceable as law on every member state; there is no need for local implementation.

Question 32

Differences between the Data Protection Directive and the GDPR

Answer 32

Directive:
Placed obligations on member states whose governments then implement the directive into their local law
Transposed into 28 national laws in the EU
Implementation could differ across member states
Formed the Article 29 Working Party

GDPR:
Directly applicable and enforceable as law in every EU member state; there is no need for local implementation
Aim is to provide one set of data protection rules for all EU member states
Allows some degree of implementation as well.
50 provisions in the GDPR allow for local law clarification or exception,
EDPB replaced Article 29 Working Party. EDPB is an independent European body which contributes to consistent interpretations of EU data protection law and promotes cooperation between the EU’s data protection authorities.

Question 33

Interplay between the ePrivacy Directive and GDPR

Answer 33

ePrivacy Directive: Storing or accessing data on a device
GDPR: Processing of “personal data”

EDPB opinion:
“When the processing of personal data triggers the material scope of both the ePrivacy Directive and GDPR, data protection authorities are competent to scrutinize the data processing operations which are governed by national ePrivacy rules only if national law confers this competence on them.

‘To Particularise’
‘To Complement’
Article 95 of the GDPR
Co-Existence

Question 34

‘To Particularise’ (lex specialis principle)

Answer 34

Interplay between ePrivacy Directive and GDPR

Special provisions prevail over general rules

Question 35

‘To complement’

Answer 35

Interplay between the ePrivacy Directive and GDPR

Several ePrivacy Directive provisions complement GDPR provisions

Question 36

Article 95 of GDPR

Answer 36

Interplay between ePrivacy Directive and GDPR

Aim is to ‘avoid the imposition of unnecessary administrative burdens upon controllers who would otherwise be subject to similar, but not quite identical administrative burdens’

Question 37

Co-Existence (lex generalis)

Answer 37

Interplay between ePrivacy Directive and GDPR

In cases where lex specialis does not apply, the general rule will apply (lex generalis)