L3: GDPR Flashcards
(23 cards)
Right to data protection - privacy
Before there was data protection there was Privacy
- Privacy:
□ Physical privacy:
- My house, my body, my property, etc.
□ Non-physical privacy:
- Beyond the physical
- My mind, my feelings, my thoughts,
-> Informational privacy
UN Universal Declaration of HR (1948):
Art. 12:
No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks
European Convention on Fundamental Rights and Freedoms (1950):
Art. 8:
Right to respect for private and family life :
Everyone has the right to respect for his private and family life, his home and his correspondence
Privacy : timeline
1950s:
- People started to notice there were new ways their privacy could be infringed
- New tech interfering w privacy -> worried people and international communities
1980:
- OECD: first international statement on information privacy
1981:
- Council of Europe: Convention 108
□ first legally binding instrument on personal data protection
□ ‘’ The purpose of this Convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy with regard to automatic processing of personal data relating to him (‘‘data protection’’)’’
- Personal data protection constructed as special part of privacy protection
1995:
- Data Protection Directive (EU law) - needs to be implemented in national laws
2000:
- The Right to Data Protection becomes enshrined in the EU’s Charter for Fundamental Rights
2016:
- General Data Protection Regulation (GDPR)
□ There was need for uniform laws across MS - Directive was not enough
□ Replaced Data Protection Directive (Directive 95/46/EC)
Material scope (territorial scope) when GDPR applies=
Art. 2(1): material scope
applies to the processing of personal data wholly or partly by automated means
personal data
Art. 4(1): personal data
Components:
1. Any info
2. Relating to
3. An identified or identifiable
4. natural person (data subject)
personal data : ‘‘relating to’’
GDPR Art. 4(1)
Has smth to do w the natural person in relation to context,
CJEU Nowak:
Facts:
Did driving test and failed,
wants to get access to result on why he failed,
driving school declined based on no right to access because it is not personal data but just test results
CJEU:
CJEU found driving test result is personal data
- content (how he did on test), purpose (find out how he did on test)
-> relating to component is satisfied where the info, by reason of its content, purpose or effect, is linked to a particular person
personal data : ‘‘An identified or identifiable’’
Account should be taken of all means likely reasonably to be used either by the controller (…), or by any other person, to identify that person (…) (Recital 26 GDPR)
all means likely reasonably to be used :
What is identified or identifiable person
Case C-582/14 (Breyer) :
Is a dynamic IP address personal data?
Facts:
Breyer would use dynamic IP address when visiting governmental websites,
he claimed gov had no right to store dynamic IP address,
gov argued it is not personal data bc it is not identifiable
Court:
‘‘to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.’’
Gov may not be able to match dynamic IP address to Breyer, but somewhere somehow on internet this data can be linked to him
-> dynamic IP address constitutes personal data under GDPR
- The internet service provider is able to retrieve which individual connected to which dynamic IP address
-> Whenever there is possibility to trace back to individual there is personal data
Personal data: Pseudonymisation
processing of personal data in such manner that the personal data can no longer be attributed to a specific data subject w/o use of any additional info
provided that such additional info is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
– Important security measure
-> Still **constitutes personal data **
Rec. 26 GDPR
Personal data: Anonymous data
does not have link to personal data, very difficult to make once personal data not anonymous data especially because of technological advances
– Nutritional info can be anonymous data - never linked to person
- Anonymous data that has been personal hard to make anonymous
○ Advancing technology can make current anonymization reversible.
○ Linkage attacks (connecting anonymous data with other sources) are increasingly feasible due to AI, making reidentification easier
Rec. 26 GDPR
personal data: Needs to relate to natural person (data subject) - what is not a natural person
NOT natural persons
- Companies
- Deceased persons
– once you’re dead GDPR does not apply to you
has become problematic, for example what happens to dead social media its not considered personal data anymore
processing
Art. 4(2): processing
Any operation/s performed on personal data
special categories of personal data
Art. 9 (1): Processing of special categories of personal data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning natural persons sex life/orientation shall be prohibited
□ GDPR recognises special forms of personal data
- Some subject to stricter protection
Unless: explicit consent, vital interest, legal obligation etc.
(GDPR Art. 9(2))
which ones are personal data and which not:
1. Personal identification number (BSN)
2. The address of a company
3. Someone’s food allergies
4. The birth date of a recently deceased individual
5. A Transparency Consent string
Personal data examples:
1. Personal identification number (BSN)
2. Someone’s food allergies (can even be special)
3. A Transparency Consent string (accepting cookies - demonstrates preferences of natural person)
NOT Personal data examples:
1. The address of a company
2. The birth date of a recently deceased individual
Why is personal data relevant to AI
Training data may include personal data
- And AI models might make decisions abt natural persons
- Personal data is bound to be present somewhere in life cycle of AI system
–> Application of GDPR triggered
GDPR sets rules for controllers and processors and gives rights to data subjects
What AI can do w personal data
GDPR Art. 22(1): Automated individual decision making, including profiling
1. The data subject shall have right to not be subject to a decision solely based on automated processing, incl. profiling, which produces legal effects concerning him/her or similarly significantly affects him/her -> Prohibition
Data protection principles
Article 5 GDPR:
7 principles all need to be adhered to when considering personal data
- Lawfulness, fairness and transparency
□ Personal data processed in a way that is lawful, fair and transparent manner in relation to data subject
E.g. You can get a report of all personal data a social media platform has on you
-> Art. 6: rights of information and access
** 2. Purpose limitation**
□ Most important
□ Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in manner incompatible w those purposes
** 3. Data Minimisation**
□ Only data that is really necessary to fulfil purpose allowed to be processed
□ Personal data shall be adequate, relevant and limited to what’s necessary in relation to purposes for which they’re processed
-> Right to be forgotten
- > Right to restriction of processing
-> Right to rectification
** 4. Accuracy**
□ Data needs to be accurate and up to date
E.g. If you move houses municipality needs to be aware so you can receive bills
E.g. If you get lost job gov data needs to be up to date for housing benefits and stuff so income has to be accurate
-> Right to restriction of processing
-> Right to rectification
5. Storage limitation
□ right to be removed/forgotten stems from this principle
□ Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for purposes for which personal data processed
-> Right to be forgotten
-> Right to restriction of processing
-> Right to rectification
6. Integrity and confidentiality
□ Personal data shall be processed in manner that ensures appropriate security of the personal data
- incl. protection against unauthorised/unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
-> security measures (like pseudonymization)
7. Accountability
Art. 9(2) GDPR
□ The controller shall be responsible for, and able to demonstrate compliance w GDPR principles
Because of this we refer to GDPR as controller based law
◊ it is controller who must ensure adhering to rules
◊ Controller has responsibility to prove they are adhering
◊ If not adhering there is responsibility
Controller and processor
** Art. 4(7): ‘controller’**
Entity that has the responsibility even if the processor is executing tasks
** Art. 4(8): ‘processor’**
Entity that does acc processing, but does not understand why they are doing, the executor - on behalf of controller
Lawfulness principle
Art. 6(1) (a-f) GDPR: Lawfulness of processing
** One of these data protection grounds has to be met for processing to be lawful**
Bryer (dynamic IP):
none of these legal bases for processing to be lawful was met
Consent one of most heavily relied upon basis:
□ Has to be transparent and informed consent and has to be affirmative action
Lawfulness principle + meta
Was doing behavioural targeting (- if you’re not paying for product you are product)
Relying on legal ground of contract:
Art. 6(1)(b) GDPR
in order to fulfil contract they have to process personal data
◊ Cannot be used if it is a requirement to use that service - to make use of service reliant on accepting terms of contract not allowed -> Fined very much
Then said they have legitimate interest:
Art. 6(1)(f) GDPR
legitimate interest to make money commercial interest
◊ Found that yes there is but when balanced you cannot rely on it (balancing w personal data)
Consent only basis that can be used:
* Art. 6(1)(a) GDPR *
◊ Made a pay or consent model:
either you pay or consent to this behavioural marketing
-> Faced lots of scrutiny -> Commission filed findings of the model breaching Digital Markets Act – Very expensive – Average consumer cannot make informed consent decision: pay or get personal info tracked
lawfulness principle + Clearview.AI
NYC-based company offering facial recognition tech
◊ You could submit a pic of a person blurry one or something and it would find who it is
Data base contained over 30 billion pictures, scraped from various sources on internet
Claimed it had a** legitimate interest** to do so
Art. 6(1)(f) GDPR
Dutch Data Protection Authority (and many more):
◊ Clearview no legal basis for processing this personal data (GDPR art. 6)
-> No consent, and stuff
◊ (Therefore) violates Art. 5 GDPR
(also: not fair and transparent)
-> Would not provide individuals info on if they were on their data base
Clearview refusing to pay fine
Risks: The processing of personal data in AI systems
AI systems, particularly machine learning (ML), process personal data at multiple stages, each carrying privacy risks:
2. 1. Training Stage Risks: - If training data is granular enough (e.g. demographic, income, occupation), individuals may be reidentified. - Techniques to protect data include: □ Anonymization/Pseudonymization: - Adding noise or permuting data (e.g. swapping job titles). □ Generalization: - e.g. using age ranges instead of specific ages (k-anonymity, l-diversity). □ Synthetic Data: - Artificial data generated to simulate real datasets; - however, the models used to create it still need real data, posing indirect privacy risks.
- Model Leakage Risks:
Trained models may inadvertently leak personal data through:
□ Model Inversion Attacks: Inferring missing variables using known inputs.
□ Membership Inference Attacks: Determining if someone’s data was used in training.
- Some algorithms (e.g. SVM, k-NN) are more prone to such leaks.
- GDPR may treat trained models as personal data, particularly when they are pseudonymized or shared.
FRA Handbook on European Data Protection: The right to personal data protection
- Person’s right to protection with respect to the processing of personal data falls under art. 8 ECHR
- The right to private life and the right to personal data protection are closely related, but distinct. Right to privacy is incorporated in the UDHR and ECHR. Interference of public authority without justification is prohibited.
- The UDHR and ECHR were developed before computers. Aftyer the technological developments occurred and their effect on human life became visible, there was a need for adaptation. Some states call this ‘informal privacy’ or the ‘right to informational self-determination’
Data protection began in the 1970s with legislation for public authorities and large companies. In EU, data protection is recognised as a fundamental right, separate to the fundamental right to respect for private life.
The right to private life
- General prohibition on interference
The right to date protection
- modern, active right
- system of checks and balances to protect individuals whenever their personal data is processed
- Essential components: independent supervision, respect for the data subject’s rights
Art 8 of the EU Charter for fundamental right spells out core values
1. Fair
2. For specified purposes
3. based on consent of the person concerned or e legitimate legal basis laid down by law
4. Individuals must have the right to access their personal data and have it rectified compliance with this right must be subject to control by an independent authority.
Any processing of personal data is subject to appropriate protection.
Whether or not there has been an interference wirth the private life is dependent on the context and facts of the case.
Right to privacy concerns situations where a private interest, or the ‘private life’ of an individual is compromised by the use of sensitive / confidential / prejudiced information is used against the individual.
Any operation involving the processing of personal data would fall under the scope of data protection.
UN framework
- does not recognise data protection as fundamental right
- art 12 UDHR respect for private and family life
- UN has adopted 2 resolutions on privacy issues “The right to privacy in the digital age”
- Appoint special rapporteur on the right to privacy
- Previous resolutions wre quite negative, yet resolutions from 2016/2017 reaffirm the need to limit the powers of intelligence agencies and condemn mass surveillance.
- Responsibility for state authorities
- Resolutions also point to private sectors responsibility to respect HR and calls for companies to comply with regulations and be transparent to consumers.
ECHR
- All contracting parties of the CoE have to comply with ECHR
- Right to private life is not absolute
- The right to privacy could compromise other rights
- In certain circumstances, the negative obligation not to infringe in private life can become positive: actively secure effective respect for private and family life
A website operated by a company based in Amsterdam sells posters, similar to those sometimes displayed for sale in the main VU building. The company wants your advice on what legal basis for processing personal data they should use under the GDPR.
What would you recommend, and why, for :
Website visitors
✅ Recommended Legal Basis:
Legitimate Interest (Article 6(1)(f) GDPR)
For general website visitors (e.g., those browsing the site),
the most suitable legal basis is likely legitimate interest, under Article 6(1)(f).
This basis allows processing that is necessary for the purposes of the legitimate interests pursued by the controller (the company), provided it does not override the rights and freedoms of the visitor.
💬** Why Legitimate Interest Works Here:**
The company may collect IP addresses, cookie preferences, or basic analytics data to improve site functionality or monitor traffic.
These actions serve a clear business interest (e.g., marketing, security, UX improvements).
If no sensitive or special category data is being processed, and if privacy notices are clear, this basis is lawful, fair, and proportionate (in line with Article 5 GDPR).
🔍 Example: Collecting basic logs or analytics to see which posters are most viewed can qualify as legitimate interest — as long as the data subject’s rights are respected and informed.
⚠️** Key Conditions:**
A balancing test must be done:
the company should assess whether the data subject’s interests override the business interest.
Visitors should be informed about the data processing in a transparent privacy notice (Article 5(1)(a)).
If cookies are used for tracking or marketing, consent may be required under the ePrivacy Directive (not just GDPR).
✍️ Other Possible Bases (Less Likely for Visitors):
Consent (Art. 6(1)(a)) — for non-essential cookies or targeted ads.
Contract (Art. 6(1)(b)) — more relevant when a user places an order (not just visits).
✅ Conclusion:
For general visitors to the website, the best legal basis is Article 6(1)(f): legitimate interest, as long as the processing is proportionate, transparent, and doesn’t intrude on user rights. For things like cookie-based tracking or profiling, explicit consent is needed in line with GDPR and ePrivacy rules.
A website operated by a company based in Amsterdam sells posters, similar to those sometimes displayed for sale in the main VU building. The company wants your advice on what legal basis for processing personal data they should use under the GDPR.
What would you recommend, and why, for :
Customers who purchase a poster
✅ Article 6(1)(b) GDPR — Contract
Processing is lawful if it is necessary for the performance of a contract to which the data subject is a party.
💬** Why this applies:**
When someone places an order, the company needs to process personal data (like name, address, payment info) to:
Confirm the order
Deliver the product
Handle invoicing and customer service
This is all part of fulfilling the purchase agreement between the customer and the company.
✅ So, no additional consent is needed for this processing — it’s necessary to deliver what the customer has asked for.
⚠️** Important:**
If the company wants to use the customer’s data for marketing or future promotions, that goes beyond the contract, so they would need:
Consent (Art. 6(1)(a)), or
Show that they have a legitimate interest (Art. 6(1)(f)), with the right to object clearly communicated.
