IAPP CIPP/E – Introduction to Data Protection Laws

1. European Union Institutions

European Union institutions. Hello, everyone. Welcome to the first lecture of this course. In this lecture we will learn about European Union institutions and how they operate, especially when it comes to data protection laws. First of all, it’s worth mentioning the difference between the European Union and the Council of Europe. The Council of Europe is an international organisation with 437 member states.

The European Union is a political and economic union with 28 member states. Keeping in mind that it is not a prerequisite. All member states of the European Union are also members of the Council of Europe. Another European institution that we should know about for the sake of international data transfers is the European Economic Area.

The EEA is composed of 28 European Union member states and Iceland, Norway and Liechtenstein. We have now discovered which institutions we should be aware of, and in the next step we will dive deeper into the European Union legislative, policymaking and judicial bodies, which is the main subject of this lecture.

We will study the European Parliament. Council of the European Union european Commission european Council and Court of justice of European Union european parliament. The European parliament is the only directly elected parliamentary institution of the European Union. It has four responsibilities legislative development, supervisory of other institutions, democratic representation and development of budget.

The Parliament shares its power with Council of European Union on legislative, development and budget. This mechanism is structured with the following procedures the Ordinary Procedure both the Parliament and Council must assent to legislation. Legislation cannot be adopted if it is opposed by either institutions. The Consultation Procedure the Council must consult the Parliament, but not bound by the Parliament’s opinion. The Consent procedure for important decisions like adding a new member to the EU, the Parliament’s consent is required. The Council of European Union the Council of European Union works on legislative decision making.

However, it shares this power with the European Parliament. Following the Treaty of Lisbon, the Council shall join with the European Parliament exercise legislative and budgetary functions. It shall carry out policymaking and coordinating functions as laid out in the treaties. The European Commission together with the Parliament and the Council of European Union, the founding treaties laid the foundations of the Commission in the 1950s. The commission is the executive body of the European Union.

Even if the Commission’s main responsibility is the execution of the policies and decisions, it has other responsibilities too. The European Commission now comprises 28 commissioners, including its president. It acts in the EU’s general interest with complete independence from national governments and is accountable to the European Parliament. It has the right of initiative to propose laws. This is vitally important because, apart from very few circumstances, union legislative acts may only be adopted on the basis of Commission proposals.

The Commission over it executes the EU’s budget and manages funding programs. It also exercises coordinating executive and management functions as laid down in the treaties. European Council. The Treaty of Lisbon gives the European Council institutional status. Defining its role as the European Council shall provide the Union with necessary impetus for its development and shall define the general political directions and priorities. It shall not exercise legislative functions. Court of justice of European Union based in Luxembourg, the Court of justice of the European Union is the judicial body of the EU that makes decisions on the issues of EU law and enforces EU decisions either in respect of actions taken by the Commission or action taken by an individual to enforce his rights under EU law. Now we know the European institutions and European Union bodies. We go to our next lecture to study the historic context of data protection and privacy and how these institutions played their roles.

2. Historic context of data protection and privacy

Historic context of data protection and privacy. Hello, fellow privacy enthusiasts. Welcome to the second lecture of this course. In this lecture, we will study key European data protection laws and the evolution towards a harmonized legislative framework for data protection in the European Union. Universal Declaration of Human Rights. The universe Universal Declaration of Human Rights was adopted by the United Nations in 1948. General assembly although a nonbinding instrument, the Declaration set forth milestone standards. The Declaration has specific articles for a right to a private life and freedom of expression, but also a balance between these two.

Article Twelve right to Privacy article 19 freedom of Expression article 29 balance of these two the European Convention on Human Rights adopted by the Council of Europe and based on the Human Rights Declaration, the European Convention on Human Rights was entered into force in 1953. It is an international treaty which can be enforced by the European Court of Human Rights in Strasbourg. It is not legally binding because it needs Council of Europe Member States to ratify the Convention. However, all members have done so already.

European Convention on Human Rights has articles very similar to the Declaration we just learned about. Article Eight right to Privacy article Ten freedom of Expression article Ten brackets to balance of these two. OECD Guidelines in 1980, the OECD developed Guidelines on the Protection of Privacy and Trans Border Flows of Personal Data, laying out basic rules that govern transborder data flows and the protection of personal information and privacy.

The aim of these Guidelines was to facilitate the harmonization of data protection law between countries. However, it is not a legally binding instrument and it could not achieve its objective. Because of this, the Guidelines do not have a distinction between the public and private sectors.

They are also neutral with regard to the particular technology used, which means it is applicable to information gathered electronically or manually. 1981 Council of Europe convention. Convention 108, the convention for the protection of individuals with regard to automatic processing of personal data, which is known as Convention 108, was adopted by the Council of Europe. Convention 108 is the first binding international instrument to set standards for the protection of individuals personal data and also seeking to balance those safeguards against free flow of data.

Convention 108 comprises 27 articles and has three main parts basic Principles of Data Protection chapter Two trans border data Flows chapter Three mutual Assistance Provisions chapter Four even if Convention 108 was binding, it was binding for the Governments. Member States of the Council of Europe were expected to adopt the Convention, which failed to reach the objective of having harmonized approach to privacy laws.

3. Current legislation instruments

Cut legislation. Instruments hello, everyone. Welcome to the last lecture of this section. In this lecture, we will study the existing legal framework around privacy and data protection. The objective of Convention 108 and OECD Guidelines was to introduce a harmonized approach to data protection, but the implementation was left to the discretion of the Member States. It was obvious from the earliest days that this approach will fail to harmonize the Member States.

For European Union Member States, this could have serious implications for the fundamental rights of individuals, as well as prevent free trade placed in the Treaty of Rome. European Parliament asked the European Commission to prepare a proposal for a directive to harmonize data protection laws. In 1990, the European Commission proposed the creation of data protection directive.

The work done by the European Commission resulted with Directive 95 Stroke 46 Stroke EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data known as the Data Protection Directive. Or known as the Directive Data Protection Directive.

The Directive has 72 recitals and 34 Articles. The Articles are arranged in the following seven chapters one. General provisions. Two general rules on the lawfulness of the processing of personal data. Three Judicial Remedies Liability and Sanctions. Four. Transfer of personal data to third countries. Five. Codes of conduct. Six.

Supervisory Authority and Working Party Seven. Community implementing measures. Unfortunately, Member States have implemented and applied the Directive with significant differences, making it difficult for businesses to take advantage of free trade in the European Union. A major advance in the Directive over Convention 108 is its applicability to manual data. Under Convention 108, few countries chose to implement it.

The Directive made the processing of manual data held in a filing system subject to the same obligations as the processing of personal Data by automatic means. The Directive also established Article 29, Working Party WP 29 as an independent body composed of national data protection authorities.

WP 29 is responsible to examine the operation of the Directive, provide opinions and advice. Another thing to note down is the scope of the Directive. The Directive applies to those organizations acting as data controllers that are established in an EU Member State or where there is no such establishment, but the organization makes use of data processing equipment on the territory of a Member State. We will study in detail what a controller means in the next section.

The privacy and electronic communications directive. Another instrument that complements the directive is the privacy and electronic communications directive, also known as Eprivacy directive. Eprivacy Directive applies to electronic communications services in public communications network in the EU. This means that communications over a private network, such as a company intranet, are not covered in this Directive.

Eprivacy Directive mainly focused on direct marketing, cookies, internet service providers and telco operators. The Eprivacy Directive contains the following key provisions electronic communications services are required to take appropriate technical and organizational measures to safeguard the security of their services and inform subscribers of any particular risk of their services. Ensure confidentiality of communications and traffic data most forms of digital marketing, like emails, SMS and Faxes is but not persontoperson telephone marketing require prior opting consent. There is a limited exemption for businesses to send marketing. These conditions for this exemption is as follows the email address or phone number is received during a sales or presales transaction. The data subject is given to opt out during the collection of personal data and all the later communications. The marketing is related with the service or product that was part of the first transaction. Another key provision is related with cookies. Storing of information or accessing information already stored in the terminal equipment of a data subject is allowed only on the condition that the user concerned has given their consent. However, no consent is needed for no privacy intrusive cookies. Improving the Internet experience. Practical examples of this are using cookies for shopping cart list for filling in online forms over several pages, login information counting the number of visitors of a web page.

The data retention directive. We will not go to the details of this directive because Court of justice of European Union ruled that this directive was invalid in 2014. So it is not a part of EU law anymore. It was designed to align rules on data retention in order to ensure availability, traffic and location data for serious crime and antiterrorism purposes. The Law Enforcement Data Protection Directive along with the agreement of GDPR, a new EU directive for the police and criminal justice sector was established. The aim of LEDP is to protect citizens ‘fundamental right to data protection whenever personal data is used by criminal law enforcement authorities.

The other main objectives of this directive are better cooperation between law enforcement authorities better protection of citizens ‘data clear rules for international data flows by law enforcement authorities. General Data Protection Regulation the General Data Protection Regulation came live on the 25 May 2018. The Regulation contains familiar concepts and principles to those in the Directive, but the effect will be far greater.

First of all, it is a regulation rather than a directive, which means it will finally harmonize the approach to privacy and data protection in all Member States because, unlike directives, Member States will not be able to make different versions of it in their national laws. We will get into details of GDPR in the next section. Mainly, the differences and the new terms that GDPR is bringing can be summarized as increased territorial scope increased fines greater control for data subjects mandatory breach notification joint responsibility DPO assignment relaxed rules for pseudonymous data such as data breach notification is not mandatory. Profiling can be easier data subject rights can be rejected.

• Category: Uncategorized