Legal Aspects (2) + Data Protection Impact Assessment (DPIA)

Historical Timeline of Privacy/Data Protection Laws

  • 1948: UN UDHR (Universal Declaration of Human Rights)
  • 1950: Council of Europe ECHR (European Convention on Human Rights) ⇒ UK Human Rights Act 1998
  • 2000: Charter of Fundamental Rights of the EU
  • 1995: EU Data Protection Directive ⇒ UK Data Protection Act (DPA) 1998
  • 2016: EU GDPR (General Data Protection Regulation) ⇒ UK Data Protection Act (DPA) 2018 + UK GDPR (2021-)
  • 2002: EU ePrivacy Directive ⇒ UK Privacy and Electronic Communications (EC Directive) Regulations (PECR) 2003
  • 2017-?: EU ePrivacy Regulation (to replace ePrivacy Directive 2002, still in the proposal stage)

UN UDHR 1948

  • UDHR = Universal Declaration of Human Rights
  • One of the most fundamental documents made by the UN (United Nations).
  • The other three fundamental documents: UN Charter, Convention on the Rights of the Child, Statute of the International Court of Justice.
  • Article 12:
    • “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour or reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Council of Europe ECHR 1950

  • ECHR = European Convention on Human Rights
  • Official title: “The Convention for the Protection of Human Rights and Fundamental Freedoms”
  • Came into force in 1953.
  • Implementation in the UK: Human Rights Act 1998
  • Article 8 – Right to respect for private and family life
    • Everyone has the right to respect for his private and family life, his home and his correspondence.
    • There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Charter of Fundamental Rights of the European Union (2000)

  • Article 7 Respect for private and family life
    • Everyone has the right to respect for his or her private and family life, home and communications.
  • Article 8 Protection of personal data
    1. Everyone has the right to the protection of personal data concerning him or her.
    2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
    3. Compliance with these rules shall be subject to control by an independent authority.

EU Data Protection Directive 1995

  • Official title: “Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data”
  • 3 principles for processing personal data
    • Transparency
    • Legitimate purpose
    • Proportionality
  • Supervisory authority and the public register of processing operations in the UK
    • Information Commissioner’s Office (ICO)
  • Transfer of personal data to third countries
    • Only if the third country has an adequate level of protection.
  • Personal data and data subject
    • “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Article 2a)
  • Processing of personal data
    • “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” (Article 2b)
  • (Data) Controller
    • “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data” (Article 2d)
  • (Data) Processors
    • “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller” (Article 2e)

UK Data Protection Act 1998

  • UK implementation of the EU Data Protection Directive 1995
  • Scope
    • Personal data (Section 1): “data which relates to a living individual who can be identified – a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”
    • Sensitive personal data (Section 2): personal data consisting of information as to the data subject’s race, ethnicity, politics, religion, trade union status, health, sex life, criminal record
    • Direct personal data
    • Indirect personal data
  • 8 data protection principles (in Schedule 1)
    1. Fair and lawful
      • Special conditions must be met for processing personal data (Schedule 2) and sensitive personal data (Schedule 3)
    2. Processed only for specified and lawful purposes
    3. Adequacy: Adequate, relevant and not excessive
    4. Accuracy: Accurate (and up to date where necessary)
    5. Retention: Not kept for longer than is necessary
    6. Processed in line with your rights
    7. Security: Measures against unauthorised / unlawful processing and against accidental data loss / destruction / damage
    8. International transfer: Not transferred outside the European Economic Area (EEA) without adequate protection
  • EEA = EU member states + Iceland, Liechtenstein and Norway (shown as a two-colour map on the original slide)
  • Data processing essentially allowed only if:
    • Part of a contract
    • Necessary to protect (vital interests)
    • Consent given
    • Legitimate interest (limited)
    • For sensitive personal data instead:
      • Legal obligation, consent or necessary to protect vital interests
  • Applies to digital and non-digital data!
  • Personal liability if acting outside authority.
  • Data subject’s rights (Part II)
    • Right of access to personal data
    • Right to prevent processing likely to cause damage or distress
    • Right to prevent processing for purposes of direct marketing
    • Rights in relation to automated decision-taking
    • Right to request incorrect information be rectified, blocked, erased or destroyed
    • Right to request compensation for failure to comply with certain requirements
  • (D)SAR = (Data) Subject Access Request
    • “A SAR is a request made by or on behalf of an individual for the information which they are entitled to ask for … ” (ICO website)
    • Organisations holding your data (data controllers) should reply within one month.
    • They may charge a fee, up to a capped amount.
    • In most cases they may give you a copy for free.
    • A reasonable fee is meant to cover the administrative costs only.
    • If a fee is charged, you will not get a copy until you have paid it.
  • Offences
    • 21(1): processing without registration
    • 21(2): notification issues
    • 55: unlawful obtaining
    • 56: requiring (forcing) an individual to make an SAR relating to cautions or convictions for the purposes of recruitment, continued employment, or the provision of services (new since 10th March 2015)
    • Prosecution and penalties
      • Penalty max £500k (since 6th April 2010)
      • Offenders often prosecuted for related offences (e.g., misconduct in public office)
  • Exemptions
    • National security
    • Domestic
    • Crime
    • Health
    • Tax
    • Social work
    • Students
    • Research
    • Statistical purpose
    • Journalism (public interest)
    • Employment references
    • Staff planning

EU GDPR 2016

  • GDPR = General Data Protection Regulation
  • Part of EU Digital Single Market, Digital Agenda
  • Passed in 2016
  • Became effective from 25th May 2018
  • As an EU regulation, no national legislation was needed for its being enforceable immediately across the whole EU.
  • A major change of a term and its scope
    • “sensitive personal data” (Article 9) ⇒ “special categories of personal data”
    • Added genetic and biometric data
  • 7 data processing principles (UK ICO guidelines), listed here against the 8 DPA 1998 principles
    1. ‘lawfulness, fairness and transparency’
    2. ‘purpose limitation’: Processed only for specified, explicit and legitimate purposes
    3. ‘data minimisation’: Adequate, relevant and limited to what is necessary (not excessive)
    4. ‘accuracy’: Accurate (and up to date where necessary)
    5. ‘storage limitation’: Not kept for longer than is necessary
    6. Processed in line with your rights (DPA 1998 principle; not one of the ICO’s seven, covered instead by the data subject’s rights below)
    7. ‘integrity and confidentiality’ (= ‘security’): Measures against unauthorised / unlawful processing and against accidental data loss / destruction / damage
    8. International transfer (DPA 1998 principle; not one of the ICO’s seven, addressed separately in Chapter V of the GDPR)
    9. ‘accountability’ (the seventh ICO principle)
  • Data subject’s rights (UK ICO guidelines)
    1. Right to be informed
    2. Right of access
    3. Right to rectification
    4. Right to erasure (“Right to be forgotten”)
    5. Right to restrict processing
    6. Right to data portability
    7. Right to object
    8. Rights related to automated decision making including profiling
  • Need to define a lawful basis for data processing (UK ICO guidelines)
    • Consent: added focus on consent being explicitly, unambiguously and freely given
    • Contract
    • Legal obligation
    • Vital interests
    • Public task
    • Legitimate interests
    • Need to be ‘necessary’ for a specific purpose.
    • Users should be informed about the lawful basis.
    • More rules for special category data and criminal offence data.
  • Monetary penalties
    • The higher maximum: max(€20m or £17.5m, 4% of global annual revenue)
      • Applied to any failure to comply with any data protection principles, any rights an individual may have or in relation to any transfers of data to third countries
    • The standard maximum: max(€10m or £8.7m, 2% of global annual revenue)
      • Any other infringements such as administrative failures
  • Pseudonymisation as a solution
    • Article 4: “processing of personal data … that the data can no longer be attributed to a specific data subject without the use of additional information, … such additional information is kept separately and is subject to … measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
    • The GDPR encourages the use of pseudonymisation as a “data protection by design” mechanism.
    • Data controllers are exempt from providing data subjects with the rights to access, rectification, erasure or data portability if the data can no longer be re-identified (= additional info deleted + reasonably low risk of re-identification).
    • Residual risks of re-identification do exist!
    • Pseudonymisation is NOT anonymisation!
  • Other highlights in the EU GDPR 2016
    • A wider territorial scope (Article 3)
      • “an establishment of a controller or a processor” in the EU
      • “offering of goods or services” to data subjects in the EU or for monitoring data subjects’ behaviour in the EU
    • Data protection impact assessments (DPIAs) for more risky processing (Article 35)
    • A data protection officer (DPO) sometimes required (Section 4)
    • “one-stop-shop mechanism” (Article 56)
      • A lead supervisory authority (LSA) can be appointed by organisations processing cross-border data.
    • Data breach notifications to the authority and data subject (Articles 33 and 34)
    • Data protection by design and by default (Article 25)
      • An application of the Privacy by Design (PbD) principles, which include privacy by default
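As an added illustration of the pseudonymisation points above (not code from the lecture slides): direct identifiers are replaced by a keyed pseudonym, the key and lookup table are the Article 4(5) “additional information” held separately, records about one person stay linkable and quasi-identifiers remain, which is why this is not anonymisation. The record fields, the key and all function names are constructed assumptions.

```python
"""Keyed pseudonymisation with the 'additional information' kept separately.

Added illustration, not part of the original slides. The sample records, the
secret key and the function names are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Fields that directly identify a person; these are replaced by a pseudonym.
DIRECT_IDENTIFIERS = ("name", "email")
# Fields that can still single someone out in combination (quasi-identifiers).
QUASI_IDENTIFIERS = ("postcode", "date_of_birth")

# Constructed sample input: three records, two of them about the same person.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a.example@example.org",
     "postcode": "AB1 2CD", "date_of_birth": "1990-01-01", "purchase": "book"},
    {"name": "A. Example", "email": "a.example@example.org",
     "postcode": "AB1 2CD", "date_of_birth": "1990-01-01", "purchase": "pen"},
    {"name": "B. Example", "email": "b.example@example.org",
     "postcode": "EF3 4GH", "date_of_birth": "1985-06-15", "purchase": "lamp"},
]


def make_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    Without the key the pseudonym cannot be recomputed from a known or guessed
    identifier, so the key is part of the Article 4(5) 'additional information'.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256, shown only as the weak variant: anyone who knows the
    identifier can recompute it, so no separate additional information exists."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace direct identifiers with a pseudonym derived from the email.

    Returns the pseudonymised dataset and a lookup table {pseudonym: email}.
    Key and lookup table must be stored apart from the dataset, under their own
    access controls, so that the dataset alone does not identify anyone.
    """
    lookup: Dict[str, str] = {}
    output = []
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        lookup[pid] = rec["email"]
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        output.append({"pid": pid, **stripped})
    return output, lookup


def reidentify(pid: str, lookup: Dict[str, str]) -> str:
    """Re-attribute a pseudonym to a person; only possible while the lookup
    table (the additional information) still exists (cf. Article 11)."""
    if pid not in lookup:
        raise KeyError("no additional information held for this pseudonym")
    return lookup[pid]


def linkable_groups(dataset: List[dict]) -> Dict[str, int]:
    """Records per pseudonym: a consistent pseudonym keeps all records about
    the same person linkable, which is why this is not anonymisation."""
    counts: Dict[str, int] = {}
    for rec in dataset:
        counts[rec["pid"]] = counts.get(rec["pid"], 0) + 1
    return counts


def residual_risk_fields(dataset: List[dict]) -> List[str]:
    """Quasi-identifiers still present: the residual re-identification risk
    that a DPIA has to assess even after pseudonymisation."""
    present = set()
    for rec in dataset:
        present.update(f for f in QUASI_IDENTIFIERS if f in rec)
    return sorted(present)


if __name__ == "__main__":
    key = secrets.token_bytes(32)       # constructed secret; store separately
    data, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print(linkable_groups(data))        # the same person -> same pid, 2 records
    print(residual_risk_fields(data))   # ['date_of_birth', 'postcode']
    print(reidentify(data[0]["pid"], lookup))
    del lookup, key                     # destroying the additional information
```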

Standard Contractual Clauses (SCCs)

  • SCCs are “standardised and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law.” (source)
  • They are not mandatory, so can be voluntarily used to demonstrate compliance.
  • In June 2021, the European Commission published two sets of SCCs for the EU GDPR:
    • SCCs for controllers and processors in the EU/EEA
    • SCCs for the transfer of personal data outside the EU/EEA
  • Other SCCs have also been created by other bodies, e.g., the UK’s ICO defined its national SCCs and an addendum to the EU SCCs.

From EU GDPR to UK GDPR

  • A UK GDPR is needed because some articles and wordings in the EU GDPR are no longer valid after Brexit.
  • The EU GDPR became the UK GDPR on Brexit, under the European Union (Withdrawal) Act 2018.
  • The EU GDPR was amended into the UK GDPR according to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.
  • The UK GDPR came into effect from 1st January 2021.
  • Differences between the two GDPRs:
    • ICO guidelines on the UK GDPR
    • Tracked changes in the DCMS GDPR Keeling Schedule (2020) (UK-GDPR.org is a web version of the above)
  • Key areas of difference (ICO guidelines):
    • International data transfers (also see the later slide on EU/EEA⇔UK data transfer)
    • European representatives ⇒ UK representatives (for data controllers and processors outside the UK that fall within the scope of the UK GDPR)
    • EU regulatory oversight
    • Wording, e.g., “Directive 95/46/EC (General Data Protection Regulation)” is replaced by “United Kingdom General Data Protection Regulation”

From GDPR to UK DPA 2018

  • The EU/UK GDPR was/is already part of the UK law.
  • DPA (Data Protection Act) 2018 is a supplement.
  • It adapts the EU GDPR, e.g., specific conditions for processing sensitive data, UK-specific exemptions, ICO’s functions and powers, and enforcement in the UK.
  • It implements another EU law in the UK, the EU Law Enforcement Directive (LED).
  • It covers additional data protection areas not in the GDPR/LED.
  • It creates a specific data protection regime for the intelligence services, based on the standards in the modernised Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
  • Broadly speaking, UK DPA 2018 =
    • EU GDPR++ (2018-2020) ⇒ UK GDPR++ (2021-)
  • Timeline of the UK DPA 2018
    • Passed on 24th May 2018
    • Came into effect on 25th May 2018, together with the EU GDPR
    • Amended on 1st January 2021 by the European Union (Withdrawal) Act 2018, after Brexit
  • Structure of the UK DPA 2018
    • Part 1: Preliminary
    • Part 2: General Processing (EU/UK GDPR)
    • Part 3: Law Enforcement Processing (EU LED)
    • Part 4: Intelligence Service Processing
    • Part 5: The Information Commissioner
    • Part 6: Enforcement
    • Part 7: Supplementary and Final Provisions
    • Schedules 1-20: Additional information

The Overall Timeline (2016-2021)

  • 14 April 2016: EU GDPR was passed
  • 23 May 2018: UK DPA 2018 was passed
  • 25 May 2018: EU GDPR + UK DPA 2018 came into effect
  • 26 June 2018: European Union (Withdrawal) Act 2018 was passed
  • 28 February 2019: Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 was passed, for amending EU GDPR into UK GDPR
  • 17 December 2020: Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 was passed (EU GDPR ⇒ UK GDPR)
  • 1 January 2021: UK GDPR + UK DPA 2018 (with amendments) came into effect

EU/EEA⇔UK Data Transfer

  • On 28th June 2021, the EU approved the UK’s adequacy for the EU GDPR (and the LED).
  • “adequacy” = “essentially equivalent” (the same level of data protection as in the EU/EEA member states)
  • This decision will last until 27th June 2025 if not extended.
  • ⇒ Personal data can continue to flow between the EU/EEA and the UK as before Brexit, in most cases.
  • Two exceptional areas
    • EU-to-UK data for the purposes of the UK’s immigration control
    • Data that would fall within the scope of the immigration exemption as defined in the UK DPA 2018
  • Further reading: ICO’s brief and detailed guidelines on “Data Protection and the EU”

A New Data Protection Law is Coming?

  • 10 September 2021: The UK Government opened a consultation on “Data: a new direction”, as part of the UK’s National Data Strategy 2020.
  • 17 June 2022 (updated on 23 June 2022): The UK Government published its full response to the consultation.
  • 18 July 2022: The Data Protection and Digital Information Bill 2022-23 was introduced by the UK Government in the UK Parliament.
  • 8 March 2023: Data Protection and Digital Information (No. 2) Bill was introduced by the UK Government in the UK Parliament.
  • DSIT’s press release says: “ … to cut down pointless paperwork for businesses and reduce annoying cookie pop-ups”.

EU ePrivacy Directive 2002

  • Official title
    • Privacy and Electronic Communications Directive: “ … the processing of personal data and the protection of privacy in the electronic communications sector”
  • Complements the Data Protection Directive 1995
  • Key areas covered
    • Phone calls, emails, security and confidentiality, notice and consent, data retention and erasure, traffic data, location data, unsolicited communications (for direct marketing), cookies
  • To be replaced by the EU ePrivacy Regulation?
    • 2017: Proposed to become effective with the GDPR in May 2018
    • As of now (03/2025): still not passed yet because the Council of the European Union and the European Parliament disagree on some issues

EU “Cookie Law” 2009

  • The EU ePrivacy Directive 2002 was amended by Directive 2009/136/EC to require all websites in the EU to obtain explicit consent from their visitors for the use of web cookies (except those “strictly necessary”).
  • Implementation in the UK: the amended UK PECR 2003 implements this EU Directive in the UK.
  • UK PECR 2003
    • PECR = Privacy and Electronic Communications (EC Directive) Regulations
    • The cookie-consent amendment came into effect in the UK on 26th May 2011.
    • There was a phase-in period of 12 months. ⇒ From 26th May 2012 all websites in the EU should comply with the new regulations.
    • It refers to the UK DPA 1998: “Nothing in these Regulations shall relieve a person of his obligations under the Data Protection Act 1998 in relation to the processing of personal data.” (Article 4)

UK ICO Children’s Code

  • Section 123 of the UK DPA 2018 requires the ICO to define a Children’s code on standards of age-appropriate design of relevant information society services (ISSs) which are likely to be accessed by children.
  • On 12 August 2020, ICO issued the Children’s code (formally known as the “Age appropriate design code”).
  • It refers to the UK GDPR and the UK PECR 2003.
  • It contains 15 standards that ISSs need to follow.
  • Example ISSs: apps; programs; search engines; social media platforms; online messaging or internet based voice telephony services; online marketplaces; content streaming services; online games; news or educational websites; any websites offering other goods or services to users over the internet; electronic services for controlling connected toys and other connected devices.

UK FOIA 2000

  • FOIA = Freedom of Information Act
  • Right of access
    • The act creates a general right of access, on request, to information held by public authorities.
  • Scotland is covered by the Freedom of Information (Scotland) Act 2002.
  • Came into force on 1st January 2005.
  • Why does this matter for data protection?
    • It can have implications for the protection of personal data when a request relates to such data!
    • It modifies the UK DPA 1998 for public bodies and authorities.
    • It led to the renaming of the Data Protection Commissioner (which administered the UK DPA 1998) to the Information Commissioner (and its office ICO).

Information Commissioner’s Office (ICO)

  • What is on its website
    • “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”
  • Legislation covered
    • UK GDPR (formerly EU GDPR 2016) + UK DPA 2018
    • UK PECR 2003
    • UK NIS Regulations 2018
    • UK eIDAS Regulations (formerly EU eIDAS Regulation 2014)
    • UK IPA 2016
    • UK FOIA 2000 (and several other related statutory instruments)
    • The UK Re-use of Public Sector Information Regulations 2015
    • Two environmental information related regulations
  • Provides general advice on privacy and data protection

What is a DPIA?

  • UK ICO DPIA guidance
    • “ … a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan.”
  • EU/UK GDPR, Article 35(1):
    • “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

When is a DPIA required?

  • A DPIA is always required by the EU/UK GDPR for the following three types of processing:
    • Systematic and extensive profiling with significant effects
      • “any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”
    • Large scale use of sensitive data
      • “processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10”
    • Public monitoring
      • “a systematic monitoring of a publicly accessible area on a large scale”

What is in a DPIA?

  • It shall contain (Article 35(6) for the UK GDPR, Article 35(7) for the EU GDPR)
    • “a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
    • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
    • an assessment of the risks to the rights and freedoms of data subjects; and
    • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
  • + Prior consultation “where appropriate” (Article 36)

UK ICO Guidance: Key Steps of a DPIA

  • Step 1: identify the need for a DPIA
  • Step 2: describe the processing
  • Step 3: consider consultation
  • Step 4: assess necessity and proportionality
  • Step 5: identify and assess risks
  • Step 6: identify measures to mitigate the risks
  • Step 7: sign off and record outcomes
  • More guidelines from ICO including checklists
    • DPIA template and a sample DPIA
    • Examples of processing ‘likely to result in high risk’
  • Two additional steps (DPIA++)
    • Integrate outcomes into plan
    • Keep under review

Key Knowledge Points

  • The historical background: fundamental human rights
  • Important EU/UK data protection laws and relationships between them: EU Data Protection Directive 1995 and UK DPA (Data Protection Act) 1998; EU GDPR 2016, UK GDPR and UK DPA 2018
  • Some key data protection law concepts: personal data, special categories of personal data (previously known as “sensitive personal data”), data subject, data controller, data processor, data processing principles, data subject’s rights, lawful basis, monetary penalty, (D)SAR, international transfer and adequacy (and EEA), SCCs, pseudonymisation, territorial scope, DPO, “one-stop-shop mechanism”, data breach notifications, data protection by design and by default
  • Other relevant laws: EU ePrivacy Directive 2002 and UK PECR 2003, EU “cookie” law 2009, ICO’s Children’s code (Age appropriate design code), UK FOIA 2000
  • DPIA (data protection impact assessment): when a DPIA is required, content of a DPIA, the ICO-recommended steps

Art. 29 WP ⇒ EDPB

  • Art. 29 WP = Article 29 Working Party
    • Formally, Working Party on the Protection of Individuals with regard to the Processing of Personal Data
    • An independent advisory group set out in Article 29 of the EU Data Protection Directive 1995
    • Launched in 1996
  • EDPB = European Data Protection Board
    • Established by the EU GDPR 2016 as the successor of Art. 29 WP
    • Replaced Art. 29 WP on 25th May 2018
    • It has legal personality and aims to ensure consistent application of the EU GDPR and to promote cooperation among the EU’s data protection authorities.
    • It issues guidelines, recommendations and best practice documents regarding the EU’s data protection laws.

EUDPR 2018 + EDPS

  • EUDPR 2018 = Regulation (EU) 2018/1725
    • The Data Protection Regulation applicable to EU institutions, bodies, offices and agencies
    • It “brings the data protection rules for the EU institutions and bodies (EUI) in line with the standards imposed on other organisations and businesses by the GDPR.”
    • It can be seen as EUI-GDPR, the specialised edition of the GDPR for EUIs.
    • It also defines the rules and duties of the European Data Protection Supervisor (EDPS) as the EU’s independent data protection authority.
  • EDPS was initially formed in 2004, under the now outdated Regulation (EC) No 45/2001 (the predecessor of EUDPR 2018).

Post-Brexit Relevant EU Laws (1)

  • European Data Strategy 2020
    • “Making the EU a role model for a society empowered by data”
    • “European rules, in particular privacy and data protection, as well as competition law, are fully respected”
    • “A single market for data”
    • Make the EU “an attractive, secure and dynamic data economy”
  • DGA (Data Governance Act) 2022 = Regulation (EU) 2022/868
    • “to increase trust in data sharing, strengthen … data availability and overcome technical obstacles to the reuse of data”, “regulates processes and structures that facilitate voluntary data sharing”
    • Support the setup and development of Common European Data Spaces (currently for 14 sectors: agriculture, cultural heritage, energy, financial, green deal, health, language, manufacturing, media, mobility, public administration, R&I, skills, tourism)

Post-Brexit Relevant EU Laws (2)

  • Data Act 2023 = Regulation (EU) 2023/2854
    • Complements the Data Governance Act 2022
    • “Regulation on harmonised rules on fair access to and use of data”
    • “clarifies who can create value from data and under which conditions”
    • “makes more data available for the benefit of companies, citizens and public administrations”
  • EHDS (European Health Data Space) Regulation = Regulation (EU) 2025/3
    • The first European Common Data Space dedicated to a specific sector
    • “to establish a common framework for the use and exchange of electronic health data across the EU”