
Key Points Module and Chapter 1

10 December 1948 : Universal Declaration of Human Rights (UN members) :

-Article 12: right to private life (privacy); Article 19: freedom of expression and opinion. The two must be balanced against each other.

1953 : European Convention on Human Rights, ECHR (among Council of Europe members; all have ratified) :

-Article 8: right to respect for private life; Article 10: freedom of expression, including sharing information and ideas. Balance between 8 (privacy) and 10 (speech).

-Ratified by all Council of Europe members.

1980 : OECD GUIDELINES on Protection of Privacy and Transborder Flows of Personal Data. Updated in
2013. They strike a balance between protecting the privacy and the rights and freedoms of individuals
without creating any barriers to trade, and allow the uninterrupted flow of personal data across national
borders.

-Principles introduced : collection limitation principle ; data quality principle ; purpose specification ;
use limitation ; security safeguards ; openness principle ; accountability and individual participation
principle.

1981 : Council of Europe convention, Convention 108. First data protection instrument for many
Council of Europe member states. Different from the OECD Guidelines: members must apply its principles in their domestic
legislation, so it is binding. First binding international instrument to set standards for the protection of
individuals’ personal data while seeking to balance those safeguards against the need to maintain the
free flow of personal data for the purposes of international trade.

3 main parts : substantive law, special rules on transborder data flows, mechanisms for mutual
assistance.

Substantive law :

-Personal information undergoing automatic processing must be obtained and processed fairly and lawfully ;
purpose specification and storage limitation ; adequate, relevant and not excessive ;
accurate ; preserved in a form that permits identification of the individuals for no longer than
is required for the purpose for which the information is stored.

-Implement appropriate security measures. Secure CIA (confidentiality, integrity, availability).

-No processing of special categories of personal data without appropriate safeguards.

-Rights of communication, rectification and erasure.

-Exceptions to the convention are possible only if necessary in a democratic society.

Transborder data flow :

-No restrictions on transfers between convention members. Derogation only if an equivalent level of
protection is not ensured.

Mutual assistance :

-Parties must designate a supervisory authority (SA) to oversee compliance and to liaise with the SAs of other
jurisdictions.

1995 : difficulties, Convention 108 not ratified by many. EU Data Protection Directive 1995, with Convention 108 as a benchmark.

Protection extended to both automated and non-automated personal data, and covering both the private
and the public sector (no such distinction in the OECD Guidelines).

A major advance of the Directive over Convention 108 was its applicability to manual data.

Principles of the Directive, personal data must be :

-Processed fairly and lawfully ;

-Collected for specified and legitimate purposes and not processed in a manner incompatible with those purposes ;

-Adequate, relevant, and not excessive ;

-Accurate and, where necessary, kept up to date ;

-Kept for no longer than is necessary ;

-Processed in accordance with the rights of the individual ;

-Protected against accidental, unlawful, or unauthorised processing by the use of appropriate technical and organisational measures ;

-Transferred to countries outside the European Economic Area (EEA) only if those countries ensure adequate levels of data protection or under conditions guaranteeing such adequate protection.

2000 : Charter of fundamental rights of EU.

Limitations only if in accordance with article 52.

2002 : EU Directive on privacy and electronic communications (ePrivacy). Applies to the processing of
personal data through public electronic communications services and networks.

It applies to ‘the processing of personal data in connection with the provision of publicly available
electronic communications services in public communications networks’ in the European Union. If
the electronic communications service is not publicly available, the Directive does not apply. This
means communications over a private network, such as a company intranet, generally are not
covered – although the principles of the Directive still apply if personal data are processed.

Key provisions :

-The providers of publicly available electronic communications services are required to take
appropriate technical and organisational measures to safeguard the security of their services,
working with the network provider on which the service is based, where appropriate, to ensure such
security. In addition, the service provider is under a general obligation to inform the subscriber of any
particular risk of breach of the network’s security.

-Member states are required to ensure the confidentiality of communications and the traffic data
generated by such communications, subject to specific exceptions, including where users of such
services give their consent to interception and surveillance or where the interception and
surveillance is authorised by law.

-Most forms of digital marketing, including emails, Short Messaging Service (SMS) and Multimedia
Messaging Service (MMS) and faxes, but not person-to-person telephone marketing, require prior
(opt-in) consent. However, there is a limited exemption for businesses to send marketing to their
existing customers for similar products and services on an opt-out basis.

-Processing of traffic and billing data is subject to certain restrictions. For example, users of a publicly
available electronic communication service have certain rights with regard to itemised billing, calling
line identification, directories, call forwarding, and unsolicited calls.

-Location data may be processed only if that data are made anonymous or, alternatively, if processed
with the consent of users and for the duration necessary for the provision of a value-added service.

-Subscribers must be informed before being included in any directory.

Changes in 2011 :

-mandatory notification for personal data breaches by electronic communications service providers –
to both the relevant national authority and relevant individual in cases where the breach is likely to
‘adversely affect the personal data or privacy of a subscriber or individual’.

-provisions affecting ‘cookies’ – the small text files sent automatically by many websites to the
terminal equipment of the users of those websites. Despite their simplicity, cookies are vitally
important for organisations and individuals, enabling organisations to personalise websites based on
users’ browsing habits and deliver online advertising to individuals based on their preferences,
thereby supporting the revenues generated by the online advertising industry and also allowing users
to more easily navigate a site’s page, quickly retrieve information found in the past, and facilitate
online shopping. Under the amended ePrivacy Directive, Article 5(3) now says the storing of
information or the gaining of access to information already stored in the terminal equipment of a
subscriber or user is allowed only on the condition that the user concerned has given their consent,
having been provided with clear and comprehensive information, in accordance with the Directive.

Exceptions : technical storage or access is for the sole purpose of carrying out the transmission of a
communication over an electronic communication network or strictly necessary for the provision of
an information society service explicitly requested by the subscriber.

2007/2009 : Treaty of Lisbon. Gave the Charter of Fundamental Rights full strength and legal effect in the EU.

2016 NIS DIRECTIVE AND 2020 NIS2 DIRECTIVE : the Directive on security of network and information
systems. First piece of EU-wide cybersecurity legislation, intended to address the threats posed to
network and information systems and, therefore, improve the functioning of the digital economy.

3 main goals :

-Improving national cybersecurity capabilities by requiring each member state to set up a Computer
Security Incident Response Team (CSIRT) and a competent national Network Information Systems
Authority

-Building cooperation at the EU level by setting up a cooperation group across the member states to
support and facilitate strategic cooperation and the exchange of information.

-Promoting a culture of risk management and incident reporting amongst key economic actors,
notably operators providing essential services (OES), such as energy, transport, water, banking,
financial market infrastructures, health care and digital infrastructure, and digital service providers
(DSPs), such as search engines, cloud computing services, and online marketplaces.

NIS2 :

2018 : GDPR. Also Convention 108+ (21 states), which aligned the old convention with the GDPR. It serves
countries outside the EU as a way to align with the GDPR.

The Commission wanted to reform the Directive; key points of the reform :

-A single set of rules on data protection, valid across the European Union. Certain administrative
requirements contained in the Directive, such as the notification requirements for companies, were
removed as unduly costly to businesses.

-Increased responsibility and accountability for those processing personal data.


-Enabling organisations to deal with a single national DPA in the EU country where they have their
‘main establishment’ in some instances. Similarly, providing individuals with the ability to refer
matters to the DPA in their country, even when their data are processed by a company based outside
the European Union.

-Giving individuals greater control of their data, for example, by requiring that wherever consent is
required for data to be processed, it must be ‘explicit’ rather than assumed.

-Easier access for individuals to their own data and the ability to transfer personal data from one
service provider to another more easily (the right to data portability).

-A ‘right to be forgotten’ to help people better manage data protection risks online.

-Ensuring that EU rules apply if personal data are handled abroad by companies that are active in the
EU market and offer their services to EU citizens.

-Strengthening the powers of independent national DPAs so they can better enforce the EU rules at
home.

-General data protection principles and rules for police and judicial cooperation in criminal matters as
contained in the LED and applicable to both domestic and cross-border transfers of data.

ECtHR : enforces the ECHR and Convention 108. Not part of the EU. Sits in Strasbourg. Binding rulings on
the states concerned, which can lead to an amendment of the legislation or a change in practice by
national governments.

The ECtHR applies the ECHR and ensures contracting states respect the rights and guarantees set out
in it. The ECtHR does this by examining complaints (known as ‘applications’) lodged by individuals or
states. When it finds a state has violated one or more of these rights and guarantees, the ECtHR
delivers a judgment. Judgments are binding, and the countries concerned are obliged to comply with
them. The ECtHR’s judgments are final, and the contracting states undertake to abide by its decisions
in any case to which they are party. The ECtHR must give reasons for a judgment, and if the judgment
does not in whole or in part represent the unanimous opinion of the ECtHR’s judges, any judge may
deliver a separate opinion.

If the ECtHR finds a decision or measure taken by a legal or other authority of a contracting state
conflicts with the obligations arising from the ECHR, and if the internal law of the state allows for
only partial reparation to be made for the consequences of the decision or measure, the decision of
the ECtHR must, if necessary, afford just satisfaction to the injured party.

Jurisdiction : generally, the interpretation and application of the ECHR :

-individual applications lodged by any person, group of individuals, company or NGO ;

-inter-state applications brought by one state against another state.

The ECtHR does not have the powers to overrule national decisions or annul national laws. As the
ECtHR has no power of enforcement, responsibility to supervise execution and ensure compensation
is paid passes to the Council after the ECtHR has given judgment.

As previously stated, the ECtHR’s role is to apply the ECHR and ensure the rights and guarantees set
out in the ECHR and its protocols are respected. The ECHR and its protocols protect the following
rights: (1) the right to life; (2) the right to a fair hearing in civil and criminal matters; (3) the right to
respect for private and family life; (4) freedom of expression; (5) freedom of thought, conscience,
and religion; (6) the right to an effective remedy; (7) the right to the peaceful enjoyment of
possessions; and (8) the right to vote and stand for election.

Council of Europe : not the EU. It is an international organisation. All EU members belong to it, but EU membership is
not a prerequisite.

EU : economic and political union. 27 member states.

EEA : Agreement on the European Economic Area of 1994. It allows members of the European Free
Trade Association (EFTA) to participate in the EU’s internal market. 27 EU members and 3 extra EFTA states :
Iceland, Liechtenstein and Norway.

EU Parliament : directly elected. Legislative development, supervisory oversight of the other institutions
and budget development. Also controls the Commission.

European Council : defines EU priorities and political direction. Heads of government of the
member states + the European Council president and the EU Commission president.

Council of the EU : legislative decision making, one minister from each MS. Examines the legislative
proposals.

EU Commission : implements EU decisions and policies. Proposes legislation. One commissioner per
member state. Executive body of the EU. Ensures the application of the treaties and the measures
adopted. Ensures the Union’s external representation. Guardian of the treaties. Can take legal and
administrative action and impose fines against member states. Parliament approves the commissioners.

Court of Justice : General Court + ECJ : judicial body. Enforces the law in respect of actions taken by
the Commission against a member state, or actions taken by an individual to enforce their rights under EU law. 27
judges for 6 years, appointed by the member states. One of them is elected for 3 years as president. 8 Advocates General (AG).

ECJ has jurisdiction to hear :

-Cases brought by the Commission or a member state against a member state’s failure to fulfil treaty
obligations ;

-Actions brought by member states, an EU institution, or a natural or legal person to review the
legality of acts by an EU institution

-Actions by member states, EU institutions, or a natural or legal person against EU institutions for
failure to act

-Actions begun in national courts from which references are made for a preliminary ruling to the ECJ
on issues of interpretation or validity of EU law

-Opinions on the compatibility of EU international agreements with the treaties

-Appeals on points of law from the CFI

Example of case :

In the Google Spain case on the right to be forgotten, the ECJ held that, where individuals object and
certain circumstances are met, search engines must remove from the list of results displayed following a
search made on a person’s name links to webpages published by third parties that
contain information relating to that person. This case also dealt with the applicability of EU data
protection law in respect of controllers that have an establishment in the European Union.

In the Digital Rights Ireland case, the ECJ examined whether the Data Retention Directive was valid in
light of Articles 7, 8, and 11 of the Charter. In determining the Data Retention Directive’s
invalidity, the ECJ laid out arguments later relied upon when examining the specific aspects that led
to invalidating the Commission’s decision regarding Safe Harbor.

In the ANAF case, the ECJ ruled personal data may not be transferred between public administrative
bodies of a member state without individuals being informed of the transfer.

In the joined cases of Tele2 Sverige and Tom Watson of December 2016, the ECJ ruled the general
and indiscriminate retention of data, even under national legislation for the purposes of fighting
crime, was incompatible with the ePrivacy Directive 2002/58/EC when read in the light of the
Charter, particularly Articles 7, 8, 11, and 52(1).

GDPR and the Directive : different applicability. The Directive was implemented differently across 28 national laws; the Regulation is the
same for all. 50 provisions of the GDPR allow for national tailoring :

-Where there are already sector specific laws in place, eg employee data ;

-archiving purposes, public interest, scientific or historical research purpose or statistical purpose ;

-Processing of special categories of personal data ;

-Processing in compliance with a legal obligation.

GDPR differences vs Directive :

-GDPR application not limited to controllers but also extends to processors ;

-extraterritorial doctrine ;

-Individuals more in control of their data, consent.

-new rights for individuals, transparency and portability, restriction of processing, forgotten.

-new accountability regime

-international data transfer

-enforcement and risk of non compliance.

New features different from directive : stronger rights for individuals, privacy by design,
accountability concept, increased power for SA, one stop shop concept, territorial scope expanded to
anyone targeting EU consumers.

EDPB : replaces the Article 29 Working Party. Independent European body which contributes to the
consistent application of data protection rules in the EU and fosters cooperation between authorities.
Composed of representatives of the national DPAs and the European Data Protection Supervisor.

Relationship between the GDPR and ePrivacy : ePrivacy is lex specialis and complements the GDPR; where ePrivacy does not apply, the GDPR applies as lex generalis.

LED : ‘protection of natural persons with regard to the processing of personal data by competent
authorities for the purposes of the prevention, investigation, detection or prosecution of criminal
offences or the execution of criminal penalties, and on the free movement of such data’ (‘Law
Enforcement Directive’, or LED), which entered into force 5 May 2016.
It protects citizens’ fundamental rights whenever personal data are used by criminal law enforcement
authorities, but it does not preclude member states from providing higher safeguards in their
national law to protect the rights of data subjects.

New rules :

-better cooperation between law enforcement authorities

-better protection of citizens data

-clear rules for international data flows.

BREXIT : when the UK was in the EU there was the Data Protection Act 2018 (DPA), which supplemented
the GDPR. Now, this is the framework :

Upon Brexit, the GDPR was implemented identically and consolidated with the DPA.

-UK GDPR: the EU GDPR, amended by the Data Protection, Privacy and Electronic Communications
(Amendments etc) (EU Exit) Regulations 2019 (exit regulations) to accommodate Brexit (e.g. replacing references to the EU with the UK, or to the ICO) ;

-The DPA, also amended by the exit regulations ;

-Secondary legislation, if adopted by the Secretary of State ;

-Codes of practice and guidance by the ICO ;

-Any international instruments to which the UK adheres.
