Chapter 1A: Origins and Historical Context of Data Protection Law Flashcards
(112 cards)
1
Q
What happened in the 1970s that encouraged a rise in information sharing?
A
Increase in the use of computers to process information about individuals, trans border trade, telecommunications
2
Q
When was the Universal Declaration of Human Rights adopted? By who?
A
10 December 1948 by the General Assembly of the United Nations
3
Q
What major event did the Universal Declaration of Human Rights follow?
A
World War II
4
Q
Universal Declaration of Human Rights: “the inherent dignity…”
A
“…and the equal and unalienable rights of all members of the human race in the foundation of freedom, justice and peace in the world”.
5
Q
The principles enshrined in the Universal Declaration of Human Rights set the basis for European data protection laws and standards. These principles related to…
A
Right to a private and family life and freedom of expression.
6
Q
Article 12 of the Universal Declaration of Human Rights relates to the right to…
A
a private life and associated freedoms.
7
Q
Article 19 of the Universal Declaration of Human Rights relates to the right to…
A
Freedom of expression.
8
Q
The conflict between article 12 and article 19 of the Universal Declaration of Human rights is reconciled in article… what? What does it determine?
A
29(2) - individual rights are not absolute and balances must be struck
9
Q
When and where did the Council of Europe invite individual states to sign the European Convention on Human Rights?
A
Rome, 1950.
10
Q
What was the European Convention on Human Rights?
A
An international treaty to protect human rights and fundamental freedoms.
11
Q
The European Convention of Human Rights applies to…
A
Council of Europe Member States - new members are expected to ratify ASAP.
12
Q
The European Convention of Human Rights is enforced by a system of enforcement called… what? Where was it established?
A
European Court of Human Rights, established in Strasbourg,
13
Q
What does the European Court of Human Rights do?
A
Examines breaches of the European Convention of Human Rights and ensures that stages comply with their obligations under ECHR Their rulings are binding on the states concerned and can lead to change of legislation or practice.
14
Q
When was the European Court of Human Rights restructured into a single full time Court of Human Rights?
A
1st November 1998.
15
Q
What does Article 8 of the European Convention of Human Rights protect?
A
The rights of individuals for their personal information to remain private (not absolute).
16
Q
What does article 10 of the European Convention of Human Rights protect?
A
The freedom of expression and the right to share information and ideas across national boundaries.
17
Q
The Council of Europe established a framework of specific principles and standards to prevent unfair collecting and processing of personal information as a result of concerns relating to emerging technology. What was this framework and when was it published?
A
Recommendation 509 on human rights and modern scientific and technological developments.
18
Q
In 1973 the Council of Europe built on Recommendation 509 with…
A
Resolutions 73/22 and 74/29 which established principles for the protection of personal data in automated databanks in private and public sectors
19
Q
What does OECD stand for?
A
Organisation for Economic Co-operation and Development
20
Q
What is the role of the OECD?
A
To promote policies for high sustainable economic growth/employment and a rising standard of living. Contributing to the development of the world economy.
21
Q
Where does OECD membership extend to?
A
Beyond Europe.
22
Q
When did the OECD develop guidelines re: data protection?
A
1980.
23
Q
What is the full name of the OECD ‘guidelines’?
A
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
24
Q
What do the OECD’s guidelines do?
A
Lay out basic rules to govern transborder data flows and the protection of personal data/privacy to help the harmonisation of data protection law between countries.
Not legally binding; intended to flex to serve as a basis for legislation for countries that don’t have it or a set of principles to be built into existing legislation.
25
Who cooperated with the OECD to devise the OECD guidelines?
Council of Europe and the European Community.
26
When were the OECD guidelines published?
23 September 1980.
27
When did the OECD reaffirm its commitment to the guidelines?
1985 and 1998 via declarations.
28
What is the aim of the guidelines?
Strike a balance between protecting privacy/rights and freedoms of individuals without creating any barriers to trade and allowing the uninterrupted flow of personal data across national borders.
29
Is any distinction drawn between public and private sectors in the guidelines?
No. They are neutral, and also don't make distinction between data collected electronically or otherwise.
30
What are the eight principles of the OECD guidelines?
- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguards
- Openness
- Individual participation
- Accountability principle
31
What is the collection limitation principle of the OECD guidelines?
Personal information must be collected fairly and lawfully and where appropriate with the knowledge or consent of the individual concerned.
32
What is the data quality principle of the OECD guidelines?
Personsal information must be relevant, complete, accurate and up to date.
33
What is the purpose specification principle of the OECD guidelines?
There must be a specified purpose for using the data and this must be specified no later than the point of collection and any further use should be within that purpose.
34
What is the use limitation principle of the OECD guidelines?
Any disclosure of personal information must be consistent with the purposes specified unless the individual has given consent or the data controller has lawful authority to do so.
35
What is the security safeguards principle of the OECD guidelines?
Reasonable security safeguards must be taken against risks such as loss, unauthorised access, destruction, use, modification or disclosure of personal data
36
What is the openness principle of the OECD guidelines?
There should be a general policy of openness with respect to uses of personal data, and the identity and location of the controller.
37
What is the individual participation principle of the OECD guidelines?
What an individual is entitled to receive from a controller re: a request for their personal information.
38
What is the accountability principle of the OECD guidelines?
A data controller should be accountable for complying with measures that ensure the principles stated in the guidelines.
39
OECD members should take into consideration implications for other member countries relating to...
Domestic processing and re-export of personal data
40
What is Convention 108's full title?
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
41
Who adopted Convention 108?
The Council of Europe.
42
When was Convention 108 opened for signature to the member states of the Council of Europe?
28 January 1981.
43
Why was Convention 108 not named the European Convention?
To signify that it's open for signature to countries outside of Europe.
44
Which resolutions does Convention 108 consolidate and reaffirm?
1973 and 1974 resolutions
45
Is Convention 108 legally binding?
Yes - and it's the first legally binding international instrument in data protection.
46
How does Convention 108 differ from the OECD guidelines in practice?
Convention 108 requires signatories to take the necessary steps in their legislation to apply the principles it lays down re: processing personal info.
47
Under Convention 108, the Council of Europe views that those holding and using personal info in a computerised form had a social responsibility to...
safeguard such personal information.
48
What is Convention 108's aim?
To achieve greater unity between its members and extend safeguards for everyone's rights and freedoms (in particular, the right to respect for privacy, with increasing transfer and automatic processing).
49
What three parts make up Convention 108?
- Substantive law provisions in the form of basic principles (Chapter 2)
- Special rules re: transborder data flows (Chapter 3)
- Mechanisms for mutual assistance and consultation between parties (Chapter 4 + 5)
50
Chapter 2 of Convention 108 relates to substantive law provisions in the form of basic principles. The principles re automatic processing dictate..
- Personal info undergoing automatic processing shall be obtained and processed: fairly and lawfully,
stored for specified and legitimate purposes and not used in a way incompatible with those processes,
adequate and relevant and not excessive,
accurate and up to date,
preserved in identifiable format for no longer than is required
51
Chapter 3 of Convention 108 relates to transborder data flows. What does it outline:
Article 12 of Convention 108:
- Transfers of personal info between signatories of Convention 108, countries shall not impose any prohibitions or require special auithorisations before transfers take place
i. e. they already offer adequate protection as signatories
52
The provisions of Chapter 3 of Convention 108 (transborder data flows) were further developed in what protocol?
The Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of personal data.
53
Chapter 4 of Convention 108 relates to mutual assistance - what does it dictate?
Parties to Convention 108 must designate a supervisory authority to oversee compliance with DP law and liaise with supervisory authorities in other jurisdictions for purposes of consultation and mutual assistance regarding implementations.
SAs are required to also assist individuals to exercise their rights.
54
Convention 108 is a binding legal instrument open to...
Any country, not just members of the Council of Europe.
55
Who was the most recent country to join Convention 108?
Argentina (25 February 2019)
56
In January 2011, 30 years after original Convention 108 was opened for signature, the advisory committee laid the principles for a modernisational protocol to address...
Challenges resulting from the use of new information and communications technologies.
57
On May 2018, the final version of an amendment to Convention 108 was published - what's it officially called?
Protocol amending the Convention of the Protection of Individuals with regard to Authomated Processing of personal data (Convention 108+)
58
When was Convention 108+ signed? By how many states?
10 October 2018 by 21 states
59
What was the main issue that underpinned the need for a harmonised European approach?
The implementation of Convention 108 and the Guidelines into national law resulted in the development of a diverse set of data protection regimes. The lack of cohesive approach within the states adopting these principles could have serious implications for rights of individuals and impede free trade enshrined in the treaty of rome.
60
In 1976 the European Commission had been called upon by the European Parliament to prepare ____
A proposal for a directive harmonising data protection laws. Growing concerns re: differences in approaches led to the Proposal for a Council Directive Concerning the Protection of Individuals in Relation to the Processing of Personal Data.
61
What is a directive?
They're a form of legislation binding on member states but allow national authorities to choose the form and methods of implementation.
62
What was considered for the proposal pulled together by the European Commission which led to the Data Protection Directive?
Supplemented the principles in Convention 108 for a high level of equivalent protection
Proposals wide in scope to extend to both automated and non automated means and all sectors
63
The Data Protection Directive is also known as...
Directive 95/46/EC on the protection of individuals on the protection of personal data and on the free movement of such data (or 'directive')
64
What was the aim of directive 95/46/EC?
To further reconcile protecting individuals fundamental privacy rights with the free flow of data between member states and to maintain consistency with Articles 8 and 10 of the ECHR
65
What issue with the Directive has led to it being difficult for businesses to take full advantage of the benefits of the internal market? Where was this problem confirmed?
Member states have implemented the directive and its derogations differently - the first report of the European Commission on the Directive, published in 2003, confirmed this.
66
What were the main problems with the varying implementations of the directive by EU member states?
Incorrect implementation with the result that the law required rectification or the member state faced infraction proceedings by the European Commission.
In other cases, the differences were within the margin of manoeuvrability but gave rise to more inconsistencies (e.g. notification of DPAs of processing details - this need varied considerably, resulting in substantial bureaucracy and cost for businesses, particularly those that transfer data outside the EU also).
67
Who signed the Charter of Fundamental Rights?
Presidents of the European Parliament, the Council and of Europe and the European Commission.
68
When and where was the Charter of Fundamental Rights signed and proclaimed?
7th December 2000 in Nice.
69
What did the Charter of Fundamental Rights stem from?
The EU treaty, the Court of Justice of the European Union case law, the EU member states constitutional traditions and the European Convention on Human Rights.
70
What is the aim of the Charter of Fundamental Rights?
To consolidate fundamental rights applicable within the EU. It includes the general principles set out in the European Convention of Human Rights, but specifically refers to protection of personal data.
71
The Charter of Fundamental Rights was given binding legal affect when...
the Treaty of Lisbon came into force in December 2009.
72
Articles 7 and 10 of the Charter of Fundamental Rights reflect what articles of the European Convention of Human Rights?
8 and 10
73
Article 8 of the Charter of Fundamental Rights deals specifically with...
Data protection.
74
What does article 8 of the Charter of Fundamental Rights say about data protection?
- Right to the protection of personal data concerning someone
- Data must be processed fairly for specified process, and all have right of access/rectification
- Compliance with these rules shall be subject to the control of an independent authority
Fair, specific, legitimate, access, rectification, SA
75
Any limitation of the rights outlined in the Charter of Fundamental Rights must be in accordance with what article of the Charter?
Article 52 which mirrors the limitations based on necessity and proportionality contained in the European Convention of Human Rights.
76
When was the Treaty of Lisbon signed by EU member states?
13 December 2007
77
When did the Treaty of Lisbon become effective?
1 December 2009
78
What is the main aim of the Treaty of Lisbon?
To strengthen and improve the core structures of the EU to enable it to function more efficiently.
79
The Treaty of Lisbon amends the following two EU core treaties:
The Treaty on European Union
| The Treaty Establishing the European Community (renamed the Treaty on the Functioning of the European Union/TFEU).
80
The Functioning of the European Union (TFEU) echoes Article 8 of the Charter with Article 16(1) which provides...
And article 16(2) which provides...
That everyone has a right to the protection of personal data concerning them 16(1)
The European Parliament and Council shall lay down rules relating to this protection - compliance shall we subject to the control of independent authorities 16(2)
81
The provisions 16(1) and 16(2) of the Functioning of the European Union ensure that...
All institutions of the EU protect individuals when processing personal data and there is a European Data Protection supervisor who regulates compliance within the institution of the EU.
82
One of the main objectives of the Treaty of Lisbon is to promote core values, including...
Human dignity, freedom, democracy, equality, law and respect for human rights - all member states must respect them.
83
High priorities of the Treaty of Lisbon are...
Justice, freedom and security.
84
A significant change from the Treaty of Lisbon is...
One common legal framework for all EU activities, comprising one system through which the EU can govern.
85
What concerns about the directive led to the Commission launching a review of the current legal framework on data protection in 2009 and in 2010 led to a strategy to strengthen data protection rules?
The directive could not keep pace with the rapid technological developments which changed the way that personal data was collected, accessed and used despite being technology neutral.
86
The European Commission put forward a proposal in January 2012 for a comprehensive reform of the Directive in the form of...
a General Data Protection Regulation (GDPR) to impose a single set of rules across the EU.
87
Negotiation (trilogue) of the text of the GDPR took place between...
the European Commission, the European Parlimanet and the Council of the EU
88
Where was the GDPR published?
The Official Journal of the European Union
89
When was the GDPR entered into force?
May 2016
90
When did the GDPR become fully enforceable by DPAs?
25 May 2018
91
Is the GDPR entirely binding?
Yes.
92
At what point does the GDPR apply to a member state?
Point of entry without the need to be transposed into national law
93
Why a regulation rather than a directive?
Maximise consistency of approach among member states - however, the GDPR does allow member states to enact more specific rules in some situations.
94
When might member states make further legislative provisions from the GDPR?
When there are already sector specific laws in place (e.g. re: processing of employee data)
Archiving purposes in public interest/researches
Processing special categories
Processing in compliance with legal obligation
95
What negative results has the directive resulted in?
Fragmented implementation of data protection across the EU
Legal uncertainty
Widespread public perception that there are significant risks to the protection of personal data, particularly re: online activity
96
The regulation is designed to tackle the negative results put in place by the directive by...
Bringing about a strong and more coherent data protection framework, backed by strong and coherent enforcement in order to create trust that will allow the digital economy to develop across the internal market.
97
Key changes incorporated into the Regulation include...
Stronger rights for individuals
A requirement that data protection is taken into account for new technologies (by design and by default)
Accountability where orgs must be able to demonstrate compliance
Increased powers for supervisory authorities
The concept of the one stop shop
Broader applicability of the Regulation to anyone targeting EU consumers
98
Similarities between Convention 108+ and GDPR include...
Central definitions and concepts
Legal basis for processing
Special category data including genetic/biometric/ethnic/trade union
Enhanced security and data breach obligations
Transparency
Demonstration of compliance to a supervisory authority
99
What is the Law Enforcement Data Protection Directive (LEDP)?
A directive for the protection of natural persons re: the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties and on the free movement vof such data
100
When did the LEDP enter into force?
5 May 2016; member states had until 6 May 2018 to transpose the directive into national law.
101
What is the aim of the LEDP?
To harmonise the rules in place across the member states to protect citizens' fundamental rights whenever personal data is used by criminal law enforcement authorities.
102
What is the ePrivacy Directive?
A directive to set out rules relating to processing personal data across public communications networks.
103
The ePrivacy Directive needs review and amendment to ensure consistency with the GDPR; there is currently a proposed regulation called...
Regulation on Privacy and Electronic Communications (ePrivacy regulation)
104
OECD members should take reasonable and proportionate steps to ensure that transborder flows of personal data are...
Uninterrupted and secure.
105
OECD countries may engage in transborder flows of personal data except where...
A country does not substantially observe the guidelines.
106
OECD countries should avoid developing...
Laws, policies and practices that could create obstacles to transborder trade.
107
Chapter 2 of Convention 108 relates to substantive law provisions in the form of basic principles. The principles re security dictate...
there should be adequate security measures to protect data.
108
Chapter 2 of Convention 108 relates to substantive law provisions in the form of basic principles. The principles re special category data dictate...
Special category data should not be processed automatically unless domestic laws provide appropriate safeguards.
109
Chapter 2 of Convention 108 relates to substantive law provisions in the form of basic principles. The principles re data rights give the right to...
Communication, rectification and erasure.
110
When was the the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of personal data (Convention 108 - re transborder flows) opened for signature?
2001.
111
The Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of personal data (Convention 108 - re transborder flows) was designed to address the fact that Convention 108 did not...
Provide measures for transfers for those outside the convention; it introduced an adequate rather than equivalent level of protection
112
What were the exceptions to the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of personal data (Convention 108 - re transborder flows)?
Legitimate interests, public interests, contractual clauses.
