Flashcards on Data Privacy Law
Impact of Information Technology on Personal Information
The impact of information technology has made data collection and storage faster, easier, and more economical, leading to increased access and economic value of personal information.
Data Collection Methods and Concerns
Collection of data is now commonplace, occurring both voluntarily and surreptitiously, raising privacy concerns with new wireless technologies and cloud computing.
Data Privacy Law Definition
A set of measures aimed at safeguarding data subjects from harm resulting from the computerised or manual processing of their personal information by data controllers.
Data Privacy Principles
Fair and lawful processing; purpose specification; minimality; quality; transparency; data subject participation; sensitivity; security and accountability.
International Harmonization of Data Privacy Laws
Data privacy is an international issue; international laws/conventions aim to harmonise data privacy laws across countries to allow free flow of information across national boundaries.
Aims of International Organizations in Data Privacy
Aim to lay down standards for protection at a national level but at the same time allow the free flow of information across national boundaries.
OECD Guidelines Principles
Collection limitation, Data quality, Purpose specification, Use limitation, Security safeguards, Openness, Individual participation, Accountability.
Accountability of Data Controllers (OECD)
A data controller remains accountable for personal data under its control, and cross-border flow should be allowed if safeguarding measures are in place.
National Responsibilities (OECD)
Requires national privacy strategies and laws, privacy enforcement authorities, support for self-regulation, resident rights, and sanctions for violations.
Council of Europe Convention on Data Protection (Convention 108)
The first legally binding international instrument with worldwide impact (1981), updated in 2018 to align with the GDPR.
Basic Principles of Convention 108
The Convention has a few basic principles of data privacy and each country has to draft its own legislation to ensure compliance.
Scope of Application of Convention 108
The Convention applies to both the private and public spheres. It must protect all people in the state and not just citizens of that state.
GDPR Objectives
To protect the fundamental rights of natural persons when their personal data is processed without limiting the free movement of personal data within the Union.
Data Controller
The party who determines the purposes and means of the processing of personal data.
Data Processor
The party who processes personal data on behalf of the controller.
GDPR Territorial Scope
Depends on either the location of the controller and processor, or location of data subject.
GDPR Material Scope
Includes collection, recording, use, storage etc. and applies to personal data of data subjects when the processing is done via automated or non-automated means. Applies ONLY to natural persons (and not to the dead either).
GDPR Principles Relating to Processing of Personal Data
Lawfulness, fairness & transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; Accountability
Grounds for Lawful Processing of Non-Sensitive Data (GDPR)
Informed, unambiguous consent by the data subjects; Contract; Legal obligation; Public law duty; Vital interest of the data subject or third party; Legitimate interest of controller or third party
Grounds for Lawful Processing of Sensitive Data (GDPR)
Explicit consent is given; employment and social security fields; Required to protect the vital interest of the data subject or other natural person; religious, political or philosophical association; Data is made public by the data subject; legal claims or defence against such claims
Data Subject Rights (GDPR)
Right to be informed, access, rectification, erasure, restriction of processing, data portability, object to processing, not to be subjected to automated individual decision-making including profiling, restriction on the data subject’s rights in the public interest.
African Union Convention Key Provisions
Parties must establish legal frameworks that would strengthen fundamental rights and public freedoms, and violation of privacy should be punished.
African Union Convention 6 Basic principles for processing data
Consent and Legitimacy, Lawfulness and Fairness, Purpose, Relevance and Storage, Accuracy, Transparency, Confidentiality and Security.
Role of Data Protection Authority (DPA) in African Union Convention
The DPA must allow for certain data processing activities to take place by declaring it possible and give consent for certain sensitive data to be processed.
Cross-border Data Transfer (African Union Convention)
Personal data may not be transferred to a non-member State, unless that State “ensures an adequate level of protection” – unless prior authorization for such transfer was received by the DPA.
Model Law on Data Protection
Aims to ensure all member States provide the same level of protection to allow free flow of information, but is not legally binding.