Data Science and Law Module 4 Part 1

Last updated 11:15 AM on 6/29/26
33 Terms

1

Right to Privacy

Right to be let alone is conceived as the freedom from any unauthorized intrusion or interference by public and private bodies into private life

2

Right to data protection

It is based on the concept of personal data, requires that the (authorized) use of the same by private and public bodies is made in accordance with specific legal standards

3

Treaty on the Functioning of the EU (TFEU)

Everyone has the right to the protection of personal data concerning them (Art. 16)

4

Charter of the Fundamental Rights of the EU (CFREU)

Respect for private and family life (Art. 7) and Protection of personal data (Art. 8)

5

General Data Protection Regulation (GDPR)

EU Standard that gives EU citizens control over data and their privacy

6

Scope of GDPR Application

applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system

7

Processing of personal data

any operation or set of operations which is performed on personal data

8

Personal Data

any information relating to an identified or identifiable natural person (‘data subject’)

9

Identified vs Identifiable

Identified: Person is distinguishable from others

Identifiable: Not yet identified, but identification is possible

10

Possible identifiers

name, an identification number; location data; age; any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity

11

Pseudonymization

processing of personal data in such a way that this data can no longer be attributed to a specific individual, without the use of additional information

12

GDPR Exceptions

Areas outside EU law, national security, personal household use, law enforcement and criminal justice

13

Territorial Scope

Concerns processing of data for commercial and behavioral purposes within EU territory, regardless of where the controller/processor has its operations

14

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

15

Processor

The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

16

Other Actors in Data Protection Law

Data Protection Officers (DPO), Data Protection Authorities

17

Data Protection Officers

independent security and legal expert responsible for overseeing an organization's data protection strategy and ensuring compliance with privacy laws like the GDPR.

18

Data Protection Authorities

independent public watchdog established by a government to monitor and enforce privacy laws

19

Data Protection Principles

Lawfulness, Fairness and Transparency - Purpose Limitation - Storage Limitation - Data Minimization - Accuracy - Integrity and Confidentiality - Accountability

20

Lawfulness

a legal ground is required to justify the processing of personal data

21

Transparency

data subjects need to be informed about how their personal data are processed in clear and simple language - so they need to understand how their data are being used by the data controller

22

Fairness

personal data must be processed in a transparent and even ethical manner

23

Purpose Limitation

Data controllers must determine, in advance of any processing, why they want to process certain personal data. The purpose chosen needs to be specific and clear so that data subjects know what to expect. Personal data shall not be further processed in a manner that is incompatible with those purposes

24

Data Minimization

personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

25

Accuracy

Data controllers must make sure that the personal data they process are accurate and up to date. Data that are inaccurate, having regard to the purposes of the processing, must be erased or rectified without delay

26

Storage Limitation

Data controllers need to establish time limits for keeping the data and erasing them permanently when they are no longer necessary (data retention)

27

Integrity and Confidentiality

Data controllers need to make sure that the processing of personal data ensures adequate security, by putting in place technical and organizational measures

28

Integrity and Confidentiality: Technical Measures

encryption, pseudonymization

29

Integrity and Confidentiality: Organizational measures

placing personal data copies in a locked room inside the office building, only giving permissions to access the data to certain employees that need it to carry out their tasks

30

What happens if data is breached?

The breach must be notified to the Supervisory Authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, it must also be communicated to the data subjects

31

Accountability

Data controllers are responsible for compliance with data protection law rules and must be able to demonstrate compliance

32

How can compliance be demonstrated?

Maintaining a record of all processing activities the company carries out. If relying on consent, the controller must demonstrate that valid consent has been obtained; if relying on legitimate interest, it must demonstrate that a balancing exercise was carried out, etc.

33

Risk-based approach

required level of data security must be identified on a case-by-case basis through an objective risk assessment. GDPR encourages controllers to engage in risk analysis and to adopt risk-measured responses, to account for possible scenarios.