Week 5 - Privacy and data protection


Last updated 7:59 PM on 6/13/26
32 Terms

1. privacy

  • the right to privacy is a human right with global recognition

  • countries and individuals often have different standards with regards to the right

2. data protection

  • right to data protection is a fundamental right without global recognition

3. distinction between data protection and privacy

  • EU = there is a distinction between data protection and privacy

  • art. 7 CFREU = The Right to Private Life

  • art. 8 CFREU = The Right to Control Data

  • in other countries there is no distinction between these concepts

4. The nature of the right to privacy

  • the right to privacy is not an absolute right

  • it is a vertical right (individual vs state)

5. US right to privacy

  • amendment 4 to the Constitution

  • right to privacy against unreasonable searches

  • warrants for probable cause searches

6. EU right to privacy

  • art. 8 ECHR

  • right to private life

  • can be restricted according to law, necessary democratic society, legitimate interest

7. state obligations for protecting the right to privacy

  • prohibition of unlawful interferences with the right

  • negative obligation = state should not interfere

  • positive obligation = state should actively protect

8. right to data protection in GDPR

  • allows processing of personal data following specific standards (fair and legitimate collection, storage, use and processing)

  • right to data protection is both vertical and horizontal

9. GDPR material scope: which article? (what is covered by GDPR?)

art. 2(1)

10. what does the GDPR not apply to?

art. 2(2) exceptions

  • activities outside the area of application of EU law

  • activities falling in the area of common foreign and security policy

  • purely household activities

11. which cases are relevant for the use of data for purely household activities

  1. Case Bodil Lindquist

  2. Case Ryneš

12. case Bodil Lindquist

  • publishing info about others online

  • accessible in principle by everyone

  • does not qualify for the exception of purely personal household activities

13. case Ryneš

  • installing CCTV cameras for the protection of property

  • that has in the angle recording of a public area or property of others

  • does not qualify for the exception

14. GDPR territorial scope: which article?

art. 3 GDPR

15. GDPR definitions

art. 4 GDPR

16. sensitive data

  • data revealing:

    • racial or ethnic origin

    • religion

    • trade union membership

    • genetic data

    • biometric data

    • data concerning health

    • data concerning sex life and sexual orientation

17. is processing of sensitive data allowed?

  • no, it is prohibited due to risk of discrimination

18. what are the exceptions to the prohibition of processing sensitive data?

  • explicit consent

  • specific obligations of the employer in the field of employment and social security

  • vital interest of data subject

  • legitimate activities of foundations

  • manifestly public data

19. GDPR data protection principles

  • art. 5 GDPR

  • lawfulness, fairness, transparency

  • purpose limitation

  • data minimization

  • accuracy

  • integrity and confidentiality

  • accountability

  • storage limitation

20. GDPR lawfulness of processing personal data

  • art. 6 GDPR

  • consent = data subject gave consent for processing personal data for specific purposes

  • contract = processing is necessary for the performance of a contract to which the data subject is party to

  • legal obligation = processing is necessary for compliance with legal obligation to which the controller is subject

  • protection of vital interest = processing is necessary for the protection of the vital interest of the data subject or another natural person

  • public task = processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority

  • legitimate authority = processing is necessary for the purposes of legitimate interests pursued by the controller or a third party

21. case asociatia de proprietari

facts

  • TK lived in an apartment he owned

  • the association of co-owners installed 3 video cameras in common parts of the building

  • this was done because the lift was vandalised and there were many burglaries

  • the association previously took alternative measures which have not worked

  • TK objected to installation of cameras arguing it infringed his right to privacy

Decision

  • consent not only ground for lawful data processing

  • court assessed the lawfulness of data processing under the legitimate interest of the controller (legitimate interest = protection of property)

  • controllers should limit data processing to what is strictly necessary to achieve pursued legitimate interests

  • necessity test to ensure that pursued aim can’t be achieved by less intrusive means

  • balancing exercise fundamental rights of data subjects vs legitimate interests

22. GDPR consent requirements

  1. Freely given

  2. Specific

  3. Informed

  4. Unambiguous

23. Characteristics of consent

  • affirmative action = consent should be obtained using affirmative action and should be freely given, specific, informed and unambiguous

  • clear language = consent forms should have transparent info in clearly written language so that data subjects can make an informed decision

  • withdrawal of consent = data subjects must be able to withdraw consent at any given time, as easily as they gave consent

  • explicit consent = explicit consent needed for processing of sensitive data, for transfers to 3rd countries in the absence of safeguards, for the use of automated decision making techniques

  • proof of consent = controllers must be able to prove that they have obtained the lawful and affirmative consent of data subjects

  • age of consent = 16 years old, unless member states allow for younger age (not below 13), otherwise authorization by parents is needed

24. Data subject rights

  1. Right to be informed

  2. Right of access (art. 15)

  3. Right to rectification (art. 16)

  4. Right to erasure (art. 17)

  5. Right to restrict processing (art. 18)

  6. Right to data portability (art. 20)

  7. Right to object (art. 21)

  8. Right to automated decision-making and profiling (art. 22)

25. Data transfers to 3rd countries

  • data transfers within the EU = free flow

  • adequacy decision (3rd country) = free flow

  • if no adequacy decision = appropriate safeguards introduced between countries

26. adequacy decision

  • when the commission has found that the 3rd country offers adequate level of data protection rights to data subjects in the EU

27. what are examples of appropriate safeguards between parties?

  1. Legally binding instruments between public authority = govs sign a legally binding treaty / contract promising to protect citizens data privacy

  2. Binding corporate rules = global code of conduct for massive multinational corporations

  3. Standard Contractual Clauses = contract between EU member states and foreign companies; in case of mishandling of data, foreign companies can be fined / sued

  4. Codes of conduct = industry specific rules created by collective association of business

  5. Certification Mechanisms = a company in a 3rd country gets audited by a certified agency to prove their security and privacy are up to EU standards

28. Data transfers to the US: relevant case

Schrems II

29. Schrems II

facts

  • “privacy shield” was introduced to regulate the data transfers between the US and EU

  • although the privacy agreement was supposed to impose clearer safeguards and obligations on the US government in regards to its access to personal data of EU subjects, as well as stronger protection of individual rights through data protection

  • it failed to effectively achieve these aims

  • moreover, concerns were raised as to whether standard contractual clauses can truly ensure compliance with the GDPR

Decision

  • privacy shield agreement does not guarantee a level of protection which would be equivalent to that of the GDPR

  • it confirmed the concerns that the surveillance of the US governmental agencies is not limited to what is strictly necessary

  • disproportionate interference with data protection and privacy rights

  • not only did the privacy shield not sufficiently limit the power of the US government, it also lacked actionable rights of the EU subjects against the US authorities

  • Ombudsman mechanism also proved to be ineffective

  • CJEU invalidated the agreement

  • court upheld the validity of Standard contractual clauses as a mechanism for international data transfers

  • it emphasized that data controllers or operators who want to transfer data based on SCC

  • must verify whether law in recipient country ensures adequate protection of EU personal data

  • if such protection cannot be ensured = data transfers must be suspended

30. administrative fines for data protection infringements

  • mild infringements = up to 10,000 or 2% world annual turnover of preceding financial year

  • severe infringements = up to 22,000,000 or 4% world annual turnover of preceding financial year

31. examples of mild infringements

  • obligations for consent of minors or data that does not require identification

  • obligations for data controller and processors

  • obligations for the certification body

  • obligations of the monitoring body

32. examples of severe infringements

  • the basic principles and sensitive personal data

  • data subject rights

  • rules on transfers to 3rd countries

  • non-compliance with orders of supervisory authorities