Bootcamp - Section I

Question 1

If a processing activity is covered by a rule in both GDPR and the ePrivacy Directive, which applies?

Answer 1

ePrivacy Directive - Because it is more specific.

Question 2

What is another name for the
Treaty on European Union?

Answer 2

Maastricht Treaty
1992

Question 3

What did the European Court of Justice hold in Papasavvas v. O Fileleftheros Dimosia Etairia Ltd.?

Answer 3

As long as the company is receiving payment for services they provided, it is an information society service.

That the term “information society service” applies to all economic activities for which the service provider is remunerated, regardless of whether the user is the one that provides the remuneration.

Dienstleistungen der Informationsgesellschaft

Question 4

True or False:
The Treaty on the Functioning of the European Union requires that the protection of personal data be incorporated into all aspects of member state law.

Answer 4

False.
This requirement does not apply to national measures that are not implementing some aspects of E.U. law.

Question 5

What was the Article 29 Working Party (29WP)

Answer 5

An independent advisory panel that provided guidance on questions regarding the Directive.

Question 6

What is the “consultative” procedure of the legislative process in the E.U.?

Answer 6

Where the authority to enact law rests with the Council - not the Parliament.
But the Council is obligated to consult with the Parliament.

Question 7

What does FIPs stand for?

Answer 7

Fair Information Practices or
Fair Information Privacy Practices

Question 8

T or F:
One of the primary shortcomings of the Data Protection Directive was that it only applied to private industry.

Answer 8

False:
The Data Protection Directive applied to both private and public sectors.

Question 9

What right is recognized in Article 8 of the
Charter of Fundamental Rights?

Answer 9

The right to the protection of personal data.

Question 10

What international organization drafted and signed the
European Convention on Human Rights?

Answer 10

Council of Europe
CoE

Question 11

How many institutions are designated official institutions of the European Union?

Answer 11

7

Question 12

What body did the European Data Protection Board replace?

Answer 12

Article 29 Working Party

Question 13

In what way was the 2008 Framework Decision that regulated cooperating criminal authorities limited in scope?

Answer 13

It applied only to cross-border transfers of personal data and did not apply to internal processing within a member state.

Question 14

Under the ePrivacy Directive, when is the interception of electronic communications permitted?

Answer 14

When the users of the system consent,
or where interception is
legally authorized to achieve important public purposes (e.g., national security or criminal prosecution).

Question 15

How are members of the European Parliament elected?

Answer 15

Directly by citizens of the European Union.

Question 16

What does Article 19 of the Universal Declaration of Human Rights seek to protect?

Answer 16

Individual opinions and the communication of ideas.

Question 17

What is the most recent data protection legislation enacted by the E.U.?

Answer 17

The NIS Directive

Question 18

What is the primary difference between a regulation and a directive?

Answer 18

Regulation: Applies upon its own force
Directive: Requires member states enable legislation

Question 19

What treaty created a “single market” in Europe?

Answer 19

The Treaty on European Union
(aka The Maastricht Treaty)

Question 20

What are the two primary components of the Court of Justice of the European Union?

Answer 20

General Court &
European Court of Justice

Question 21

Is the European Court of Human Rights an EU institution.

Answer 21

No.
Its part of the Council of Europe.

Question 22

Which came first: the Universal Declaration of Human Rights or the European Convention on Human Rights?

Answer 22

The Universal Declaration of Human Rights

Question 23

What entity was created by the European Convention of Human Rights ECoHR?

Answer 23

The European Court of Human Rights.

Question 24

What two interests was the Data Protection Directive designed to protect?

Answer 24

Individual rights to privacy and the internal European market.

Question 25

True or False: Unlike the original Convention 108, Convention 108+ is only available for signature to European nations.

Answer 25

False. Both are available to signature to all nations. There are currently 4 non-European signatories to Convention 108+.

Question 26

What institution is charged with setting the political direction of the European Union?

Answer 26

European Council

Question 27

In what year was the GDPR initially proposed?

Answer 27

The year 2012

Question 28

What are the two exceptions permitting the use of web cookies without first obtaining user consent?

Answer 28

(1) When the use of cookies is **"strictly necessary"** for the provision of the service requested; and (2) When cookies are used for the sole purpose of carrying out the **transmission of a communication**.

Question 29

True or False: One of the most important differences between the Data Protection Directive and the GDPR is that the GDPR has an expanded jurisdictional scope.

Answer 29

True

Question 30

Does the **European Convention on Human Rights** consider the right to privacy to be an absolute right?

Answer 30

No. Article 8, which protects individual privacy, provides the right **can be limited** for certain public purposes.

Question 31

What does the **ePrivacy Directive** regulate?

Answer 31

"The **processing** of personal data in connection with the provision of **publicly available electronic communications services** in public communications networks” within the E.U. *Privacy and confidentiality aspects of electronic communications, including rules for electronic marketing, the use of cookies and similar tracking technologies, and the confidentiality of communication data.*

Question 32

What is an **"information society service"?** Dienst der Informationsgesellschaft

Answer 32

“[A]ny service normally provided for payment, at a distance, **by electronic means** and at the individual request of a recipient of services.” Online Dienstleistungen die Informationen über das Internet bereitstellen

Question 33

True or False: Each member of the Council of the European Union is always entitled to one vote.

Answer 33

False. In some cases members get one vote each, but in others each member gets a number of votes proportionate to the number of citizens it represents.

Question 34

How does the E.U. guarantee that member states enact legislation to enact a directive?

Answer 34

The European **Commission** may bring an **infraction** proceeding against a member state that fails to comply.

Question 35

True or False: The ePrivacy Directive applies to electronic communication services that are publicly available and those that are not publicly available, such as internal intranet systems.

Answer 35

False. The ePrivacy Directive applies only to the processing of personal data over publicly available communication networks.

Question 36

What does Article **10** of the **European Convention on Human Rights** seek to protect?

Answer 36

The right to **opinion** and **free expression**.

Question 37

True or False: Like the UDHR and the ECHR, the Charter of Fundamental Rights recognizes that rights must be balanced against one another.

Answer 37

True

Question 38

What two documents were amended by the Treaty of Lisbon?

Answer 38

(1) The Treaty Establishing the European Community; and (2) The Treaty on European Union.

Question 39

In what year was the Universal Declaration of Human Rights **UDoHR** adopted?

Answer 39

1948

Question 40

What is the primary reason that the European Court of Justice struck down the **Data Retention Directive** as invalid?

Answer 40

Because it violated the proportionality principle of the Charter of Fundamental Rights, as **no limits were placed on the obligation to retain data**.

Question 41

Why is Article **94** of the GDPR important?

Answer 41

It clarified that prior references to the Data Protection **Directive** in other legislation **should be construed as a reference to the GDPR**.

Question 42

What did the European Court of Human Rights hold in **Haralambie v. Romania**?

Answer 42

That placing obstacles in the way of an applicant seeking access to their secret personal file violated Article 8 of the ECHR.

Question 43

What is another name for the Treaty Establishing the **European Economic Community** (EEC)?

Answer 43

Treaty of Rome

Question 44

What is the primary responsibility of the **European Court of Human Rights**? **ECoHR**

Answer 44

To **enforce** the European **Convention on Human Rights**, along with Convention **108** and its amendments.

Question 45

What are the primary goals of the **NIS** Directive?

Answer 45

(1) To promote **good risk management** systems; and (2) to facilitate **cooperation** among member states on **digital threats**.

Question 46

Does the **E-Commerce** Directive apply if no remuneration is exchanged between a user and a service provider?

Answer 46

Yes, because an information society service includes all activities that may **“represent an economic activity”** regardless of whether they give rise to online contracting between the provider and recipient.

Question 47

Why was the adoption of the **Data Protection Directive** an important inflection point for European data protection?

Answer 47

Many nations had **failed to ratify Convention 108**. The Directive therefore made each member state **legally obligated to pass data protection legislation.**

Question 48

Was the **Data Protection Directive** designed more to target data controllers or data processors?

Answer 48

Data Controllers

Question 49

In what year was the **Data Protection Directive** enacted?

Answer 49

1995

Question 50

What are the common names of the three legislative procedures under the Treaty on European Union?

Answer 50

**Ordinary** Procedure **Consultative** Procedure **Consent** Procedure

Question 51

What two primary factors led to the creation of data protection laws in Europe?

Answer 51

**Advances in technology**, and an increase in **transborder trade**.

Question 52

What **entities** are subject to regulation under the **ePrivacy** Directive?

Answer 52

All **"electronic communication services,"** which includes telecommunication services and communications made over the internet, email, faxes, etc.

Question 53

The **Digital Services Act** is proposed legislation that would **replace** what other law?

Answer 53

**E-Commerce** Directive

Question 54

What treaty created the **European common market**?

Answer 54

The Treaty Establishing the **European Economic Community** (a/k/a The Treaty of **Rome**).

Question 55

Other than traffic data, in what two instances may **location data be lawfully processed** under the **ePrivacy** directive?

Answer 55

When the user or subscriber has **consented** or when the data is **anonymized**.

Question 56

True or False: Signing Convention 108+ makes it more likely that a non-member state will be found to provide an "adequate" level of privacy protection for purposes of international data transfers.

Answer 56

True

Question 57

What did the **ECJ** hold in the **Tele2 and Watson** case?

Answer 57

That the **ePrivacy** Directive **prohibits the general and indiscriminate retention of data**, even if this is permitted under national legislation for the purposes of fighting crime.

Question 58

On what two conditions does Convention **108 permit** member nations to place **limits** on **transborder data flows** between other member states?

Answer 58

When a country has **specific laws applicable to certain categories of personal information,** or when a member state is used as a **conduit through which to transfer data** from a non-member state.

Question 59

What is the **"ordinary"** procedure of the legislative process in the E.U.?

Answer 59

Where both the **Parliament and the Council agree** to the proposed legislation.

Question 60

What does Article **12** of the Universal Declaration of Human Rights **UDoHR** seek to protect?

Answer 60

The **private life of individuals**, including - Privacy, - Family, - Home, and - Correspondence.

Question 61

What does Article 8 of the European Convention on Human Rights seek to protect? **ECoHR**

Answer 61

The individual right to private life.

Question 62

What institution plays the primary **executive role** in the **EU**.

Answer 62

European **Commission**

Question 63

In what year was the **ePrivacy** Directive adopted?

Answer 63

2002

Question 64

What are Fair Information Practices **FIP**?

Answer 64

A set of **principles and practices** that describe how best to approach the - collection, - storage, and - management of data to properly balance - fairness, - privacy, and - security with respect to that data.

Question 65

What is the current status of the Data Protection **Directive**?

Answer 65

It was **repealed and replaced** by the GDPR in 2016.

Question 66

True or False: The Council of the European Union must conduct all of its business in public.

Answer 66

False. When the Council **votes and debates on legislation**, it must do so in **public**. The treaties silence on other issues suggests the Council may conduct other business privately.

Question 67

What was the primary goal of the E-Commerce Directive?

Answer 67

To **strengthen the internal market** of Europe by fostering a **healthy online economic environment**.

Question 68

What aspect of the Charter of Fundamental Rights was incorporated into the underlying treaties establishing the European Union?

Answer 68

Article 8's right to the protection of personal information was incorporated into the Treaty on the Functioning of the European Union.

Question 69

After the Treaty of Lisbon was signed, what is the new name given to the Treaty Establishing the European Economic Community?

Answer 69

The Treaty on the Functioning of the European Union.

Question 70

Resolution 74/29 set forth principles governing the handling of personal information in automated data banks. Was it addressed toward the public of private sector?

Answer 70

Public sector

Question 72

European Commission

Answer 72

Initiates legislative proposals. Represents the EU on the international stage. Consists of commissioners from each member state.

Question 73

European Parliament

Answer 73

Represents the citizens of the EU. Participates in the legislative process by reviewing and amending proposals. Votes on proposed legislation.

Question 74

Council of the European Union

Answer 74

Represents the member states' governments. Shares legislative power with the Parliament. Approves, amends, or rejects legilative proposals.

Question 75

European Council

Answer 75

Comprises heads of state or government of member states. Sets the general political direction and priorities of the EU. Provides guidance on important issues.

Question 76

Court of Justice of the European Union:

Answer 76

Ensures the uniform application of EU law. Interprets EU law and settles disputes between member states and institutions

Question 77

European Central Bank:

Answer 77

Responsible for the euro currency and monetary policy within the Eurozone.

Question 78

European Court of Auditors

Answer 78

Checks that the EU funds have been correctly spent, efficiently managed, and properly accounted for.

Question 79

What does Article **67(3) of the Treaty on the Functioning of the European Union** call for?

Answer 79

Cooperation and coordination between **police and judicial authorities** across the E.U.

Question 80

Under the E-Commerce Directive, information society services are subject to the local law of what member state?

Answer 80

The law of the member state in **which they are established**; not the laws of members states in which the service is accessible.

Question 81

Other than changes related to the use of web cookies, what two other important amendments were made to the ePrivacy Directive in 2009?

Answer 81

(1) Service providers were required to provide certain **notice** in the event of a data breach; and (2) A **private cause of action** was provided to subscribers receiving unsolicited advertisements.

Question 82

What other piece of legislation was proposed by the Commission at the same time it proposed the General Data Protection Regulation?

Answer 82

The Law Enforcement Data Protection Directive (LEDP Directive).

Question 84

What was the primary reason that the Parliament and the Council expanded the scope of the ePrivacy Directive in comparison to its predecessor?

Answer 84

These bodies recognized that personal data should be protected in a consistent manner no matter what specific form of communication is utilized.

Question 85

At what point must traffic data be erased or anonymized under the ePrivacy Directive?

Answer 85

When the traffic data is no longer needed for the purposes of the transmission, except as needed for billing, marketing, fraud detection, or similar services.

Question 86

A clause in a regulation that permits member states to enact supplemental or more specific legislation is referred to as what?

Answer 86

An "opening clause."

Question 87

What type of consent is required to engage in most digital marketing under the ePrivacy Directive?

Answer 87

Opt-in consent.

Question 88

True or False: All data processed under the Data Governance Act must be done in compliance with the GDPR.

Answer 88

False. The Data Governance Act covers the processing of both personal and non-personal data; only processing of personal data is regulated by the GDPR.

Question 89

In what case did the European Court of Justice hold that certain parts of the Data Protection Directive were "directly applicable" upon their own force and effect?

Answer 89

The Rechnungshof case.

Question 90

Does the EDPB interpret the term "explicit consent" as used in the Payment Services Directive 2 as having the same meaning as that term under the GDPR?

Answer 90

No. The EDPB considers the term "explicit consent" in the PSD2 as imposing an additional requirement of "contractual consent."

Question 91

Who does the E-Commerce Directive apply to?

Answer 91

"Information society services."

Question 92

How many categories of risk-level are set forth in the AI Act?

Answer 92

There are four (4) levels of risk: - minimal risk, - limited risk, - high risk, and - unacceptable risk.

Question 93

True or False: The LEDP Directive is intended to protect only the personal data of criminal victims.

Answer 93

False. The LEDP Directive calls for the protection of personal data of all individuals, regardless of his or her role in the criminal justice system.

Question 94

Why was it necessary to include more than 50 different "opening clauses" into the GDPR?

Answer 94

In order for the Parliament and the Council to reach political agreement during the legislative process.

Question 95

What are the two primary purposes of the LEDP Directive?

Answer 95

(1) It protects the natural rights and freedoms of natural persons; and ( 2) It facilitates the exchange of personal data by competent authorities.

Question 96

True or False: The ePrivacy Directive requires a strict set of security controls be implemented by electronic communication services in all instances.

Answer 96

False. The ePrivacy Directive requires "appropriate technical and organisational" controls be adopted that are "appropriate to the risks presented."

Question 97

What was the first legally binding agreement that addressed "how" privacy should be protected?

Answer 97

Convention 108