CIPP/E Exam


OECD Guidelines

1. Collection Limitation (consent, fair, lawful)
2. Data Quality (complete, accurate, up-to-date)
3. Purpose Specification (specified at collection)
4. Use Limitation (consistent with purpose)
5. Security Safeguards (against loss, destruction, modification, unauthorized access)
6. Openness (use of info, Controller identity & location)
7. Individual Participation (entitled to receive from Controller)
8. Accountability (controller complies with above)

Convention 108 aka CoE Convention

- 1981
- worldwide scope
- Convention for the Protection of Individuals with regard to automatic processing (not profiling) of PD
- first legally binding international instrument in the area of data protection
- requires signatories to take steps to ensure fundamental human rights with regard to the processing of personal information
- US was not a signatory
- Global Privacy Day (1/28)
- same as OECD except: (1) preserve info that identifies a person for no longer than needed; (2) special categories (race, religion, sex/health life, political views, criminal convictions) not automatically processed without safeguards

Charter of Fundamental Rights of EU

- 2000 in Nice
- created by EU
- Lisbon Treaty made this binding for EU states
- Art 7: private life, family, home, communications
- Art 8: separate right to data protection
- promotes individual civil, political, economic, and social rights for European citizens
- similar principles as ECHR but refers to protection of personal data

ePrivacy Directive

- 2002, aka Cookie Directive
- Privacy & Electronic Communications Directive (2002/58/EC)
- processing data across a public communications network (doesn't apply to private networks): telecomms, faxes, internet, email
- must get consent to store cookies

GDPR Opening Clauses

- 50 opening clauses allow for specific national laws (e.g. parental consent)

Fair Processing - language

- Concise
- Transparent
- Easily accessible
- Intelligible & clear/plain language
- Accurate and up-to-date

Consent verification

- Controller has to make reasonable effort to confirm consent given by parent
- Min. age rule applies only in the context of: 1. Info Society services offered to a child 2. controller relies solely on consent

Fairness

- DS must be aware in order to make informed decisions about processing of personal data
- have to evaluate if processing will negatively affect the DS (e.g. website increases ticket price because of search history)

Consent - Unambiguous

- DS statement or clear affirmative act giving consent
- DS checks box; a pre-ticked box is not consent
- controller has to demonstrate consent, although no written doc is required
- consent is not the same as not opting out
- Special categories: explicit consent required

Data Protection Directive

- Directive 95/46/EC
- not law, a framework
- 1995
- fragmented implementation across states
- replaced by GDPR
- only applied to Controllers
- 78 recitals, 34 articles, 7 chapters

Fair Processing - Approaches for Comm

- Layered notices: short initial notice with more detail available; good for online, space/time limits
- Just-in-time notice: at point of data collection
- Dashboards: useful if service is used on multiple devices
- Alternative formats: visuals & standardized icons
- Adapting to diverse technologies: signposts for drones, social media, info on operator's site, buzzer/lights on drones, signage of drone operator; IoT: QR codes, SMS

NIS Directive

- Network & Information Systems
- first EU-wide cybersecurity law
- 3 Focus Areas: (1) National capabilities (response teams, recovery exercises), (2) Cross-border collaboration, (3) National supervision of critical sectors
- Aims: 1. compel development of cybersecurity strategies for EU 2. improve security levels of operators of essential services and digital service providers 3. enhance cooperation between states and NIS group
- EU Directives are not directly applicable to member states; to become law, they have to be implemented by national legislation

Pseudonymization

- PD can no longer be attributed to a person without some other piece of data
- GDPR promotes the method as a safeguard

Security Principle

- PD should be processed in a manner that ensures appropriate security of personal data
- protection against unauthorized or unlawful processing, accidental loss, destruction or damage
- using appropriate technical/organizational measures

Art 32 - Security of Processing

- Preventive security: limits risks
- Incident detection & response: breach notifications
- Remedial security: take steps to improve security
- both controllers and processors must prove they are applying appropriate security
- protect against the full spectrum, from malware to negligent employee
- C+P have to carry out risk assessments

Treaty of Lisbon

- Treaty signed in 2007 that made the European Parliament the co-equal legislator for almost all European laws and also created the position of president of the European Council
- made Charter of Fundamental Rights binding
- amended EU Treaty

DS Right: Transparent Comm & Info

- concise, transparent, intelligible, easily accessible, clear & plain language
- controller's info, purpose, recipients of data, source of data if coming from 3rd party

Data Minimization Principle

- controller must only process personal data that is relevant, necessary, and adequate for the purpose
- Necessity: reasonable to accomplish purpose; can the purpose be accomplished using anonymous data instead?
- Proportionality: amount of data collected; a save-everything approach is not right

High-risk Data Breaches Examples

- cyberattack affecting online services
- ransomware attacks that encrypt data that's not backed up
- hospital medical records
- direct marketing email exposing all recipients' emails

Main changes in GDPR from Directive

- directly applicable to all member states
- stronger rights for individuals: data portability, right to be forgotten, profiling
- new accountability regime
- use of subprocessor requires consent of controller

EU Processor - does GDPR apply to Controller?

- doesn't automatically mean the controller will be subject to GDPR

OECD Guidelines - Member state considerations

- domestic processing & re-export of data
- transborder flows are uninterrupted & secure
- don't engage with other members unless guidelines are observed
- member state can restrict if protection not provided
- avoid laws that restrict transborder data flows

Storage Limitation

- don't keep data beyond the time needed for the purpose
- exception: if needed for public interest, statistical purposes, scientific or historical research
- data can be kept forever if irreversibly anonymized

Accuracy

- ensure data is accurate and kept up-to-date
- verify authenticity of data sources
- ok to keep records of errors as long as they are not presented as facts (e.g. medical misdiagnosis)

Fair Processing - Exemptions to providing Info

- if DS already has the info
- if laid down by Union or member state law
- if confidential due to professional secrecy under Union law
- impossible or disproportionate effort
- would impair the objectives of processing

Fair Processing - When Info should be provided to DS

- if DS requests info: within one month
- if PD is used: at first communication with DS
- if PD is disclosed to another recipient: before disclosure
- DS rights: in first communication
- right to withdraw consent: before consent is given
- purpose change: notice before processing starts

Fair Processing - How Info should be provided to DS

- in writing or other means (verbal if ID verified)
- free of charge
- provided without DS searching among T&Cs
- visualization & standardized icons
- machine readable
- when obtaining consent: clear/plain language
- right to object: explicitly brought to attention
- good practice: use the same means by which PD was collected
- technology neutral

Controller vs Processor - Factors to consider

- level of instruction by controller
- monitoring by controller
- visibility portrayed by controller to DS
- expertise of parties

DS Right: Erasure

- most scrutinized right
- can request verbally or in writing if: no longer needed for purpose; DS withdraws consent; DS objects; data processed unlawfully; necessary for compliance with EU law
- Exemptions: exercising freedom of expression; compliance with legal obligation for public interest; defense against legal claims
- erasure from ALL systems: live & backup

Legitimate Interest

- necessary for the purpose
- legitimate interest of controller or third party
- cannot be overridden by DS rights & freedoms
- must consider local data protection regulators
- if justified objection from DS, controller must cease data processing
- legitimate interest has to be specified in the privacy notice

Processing Sensitive Data

- new: genetic & biometric data
- Generally prohibited, but exceptions are: explicit consent given; controller has legal obligation (e.g. social security); protect vital interest when DS not able to give consent; defense of legal claim; substantial public interest; public interest for public health; non-profit orgs; PD made public (e.g. social media); medical or social care purpose (e.g. drug test); statistical purpose, historical and scientific research

Transparency

- notify DS how personal data is processed
- provide in a timely manner
- info has to be clear, concise, easy to understand, & accessible
- Controller is free from providing info on processing when: disproportionate effort or impossible; protect legitimate interest; preserve confidentiality

Purpose Limitation

- only collect and process data for a legitimate purpose
- secondary processing permitted if compatible with original purpose (statistical purpose, public interest, scientific or historical research)

Processor Contract

- only process PD as instructed
- confidentiality of people doing the processing
- delete or return PD at end of contract
- demonstrate compliance

Subcontracting by processor

- processor must get prior authorization from Controller
- contract between processor and subprocessor must include any provisions required by Controller
- initial processor remains fully liable to controller for performance of subprocessor

Integrity & Confidentiality

- protect against unauthorized access, accidental loss, destruction, damage
- promotes use of pseudonymization & encryption

DS Right: Rectification

- right to have inaccurate data corrected
- if org denies the request, DS has the right to complain to the DPA

DS Right: Portability

- right to receive info in a commonly used, machine-readable format
- DS also has the right to transmit data to another controller (e.g. retrieve song playlist, contacts from webmail)

Consent - Freely Given

- some countries require separate consent
- controllers can't say consent is required as part of a contract
- can't rely on consent if imbalance between controller and DS (e.g. employer-employee relationship)

Consent - Specific

- specific for the processing in question
- separate consent for multiple purposes
- To be specific, Controller must: specify purpose to avoid scope creep; be granular in the consent request; clearly separate info about the processing from other information
- for scientific research, if the purpose can't be fully specified, DS can consent on the assumption that ethical standards will be followed

Choosing a Processor

- suffered any data breaches?
- other clients
- accredited under ISO 27001, CBEST, PCI DSS
- policy framework
- site visits and audits
- understand supply chain & subcontracting

Data Breach - Controller should Evaluate

- type of breach
- nature, sensitivity & volume of data
- how easily DS can be identified
- severity of consequences for DS affected
- special characteristics of DS affected and of Controller
- number of DS affected
- use ENISA method for assessing breach severity
- Controllers must keep a full record of breaches even if not required to disclose
- processors notify controller without delay

Culture of Security (hiring)

- understanding people risk: insider threats
- Recruitment process: vetting
- Offer letter & contract: security expectations
- acceptance of job offer: policy docs
- Induction day: onboarding, security framework
- monitoring performance: security monitoring

Data Breach - Notify Regulator

- when Controller becomes aware (breach detection measures are needed)
- controller has to determine if breach causes risk to rights and freedoms of DS
- within 72 HOURS

Personal Data Building Blocks

1. Any info
2. Relating to
3. Identifiable
4. Natural person (not deceased)

European Courts

1. CJEU - Court of Justice of the European Union - decisions on EU laws - judicial body of the EU
2. ECHR - European Court of Human Rights - not an EU institution, international court, applies the ECHR

Lawfulness

1. Consent
2. Contract performance
3. Legal obligation
4. Vital interest of DS
5. Public interest
6. Legitimate interest (except if overridden by rights and freedoms of DS)

Fair Processing - Addtl Info Required

1. DS has right to object (legitimate interest, public interest, direct marketing, profiling)
2. International data transfers
3. New purpose
4. Joint controllers

EU Institutions

1. European Parliament - Oversight - like House of Representatives - votes on legislation, elected by EU citizens
2. European Council - Direction - sets priorities & political direction for EU
3. Council of the EU - Decisions - like Senate - minister from each state, main decision-making body (works with Parliament)
4. European Commission - Executive - implements EU decisions, 1 commissioner per state, most active

Controller - source of control/competence

1. Explicit legal competence
2. Implicit competence (employer with employee data)
3. Factual influence (circumstances)

GDPR Chapters

1. General provisions
2. Principles
3. DS rights
4. Controller & Processor
5. Transfer of data to 3rd countries
6. Independent SA
7. Cooperation & consistency
8. Remedies, liabilities, penalties
9. Provisions relating to specific processing situations
10. Delegated acts and implementing acts
11. Final provisions

Data Processing Principles (GDPR Principles)

1. Lawful, fair, transparent
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

DS Right: Object

1. if legitimate interest/public interest (burden of proof is on the controller)
2. Direct marketing (only absolute right)
3. Research purposes
- controller has to clearly and separately notify DS of their right to object

If further processing is not compatible with orig purpose

1. obtain separate consent from DS for the new purpose
2. satisfy other legal criteria for processing

GDPR In Scope Factors (5)

1. use of an EU language
2. marketing directed to an EU audience
3. naming EU states in reference to goods/services
4. using an EU domain for the site
5. monitoring behavior of EU subjects

Human Rights Declaration

- 1948, after WWII
- right to private and family life and freedom of expression (Art 12)
- created by Council of EU, adopted by United Nations

Processor

4 Obligations: record-keeping; ensures international data transfers comply with regulation; appropriate security; notify Controller of breach
2 building blocks: 1. separate legal entity from Controller 2. processes PD on behalf of Controller

Lindqvist Judgement

A case in which the European Court of Justice ruled that a woman who identified and included information about fellow church volunteers on her website was in breach of the Data Protection Directive.
- Creating a website for a church which includes personal information of co-workers
- Reference to the fact that an individual has injured her foot and is on medical leave constitutes a special category of personal data
- Court held that uploading data to a website was not a cross-border data transfer

Convention 108+

Aligns with GDPR

Encryption

Became part of the regulatory framework because of professional opinion

False Data

Can be considered PD as well

Data Breach Reporting

Controllers and Processors have to report to DPA within 72 hours unless no risk to rights and freedoms

Consent - Informed

DS given details in simple language, in a form the DS can understand, comprehending the effect; an accept button at the end of a form is not enough
Per WP29, at least:
- identity of Controller
- purpose of each processing
- type of data collected and used
- right to withdraw consent
- info about automated decision making
- possible risks of data transfers

Technology Stack

Encryption, antivirus, antispam, firewalls, identity/access mgmt, incident detection, data loss prevention, 2-factor authentication, IP log mgmt, pen test

DS Right: Access

Entitled to receive: purpose; categories of PD; recipients of data; source of data; right to request rectification or erasure; right to lodge a complaint with SA; retention period; whether automated decision making is used
- Org must respond within 1 month to DS
- Org can require a fee if the request is excessive

ECHR

European Convention on Human Rights
- 1953
- created by Council of EU (not just EU)
- open to member states (on application)
- like HRD, recognizes the need for balance
- based on Universal Human Rights Declaration

ECHR (Court)

European Court of Human Rights
- binding decisions
- gives opinions on the ECHR
- personal info to be private, but not an absolute right

EEC

European Economic Community

Transborder Special Rules

For countries not signatory parties

Consent

Freely given, specific, informed, unambiguous
- cannot be bundled with T&Cs
- clear and plain language
- main criterion for legitimate processing

Parental Consent

GDPR is 16, but member states can go as low as 13

GDPR

Global Data Privacy Regulation
- May 2018
- states can make further legislation
- stronger rights for online environment
- SAs have increased powers
- broader application: anyone targeting EU customers
- 173 recitals, 99 articles, 11 chapters

Google Spain vs AEPD & Mario Costeja

- Google Spain sold advertising space to fund Google Search Engine; SE outside EEA whose activities are economically linked to SE core activities
- Google had refused to address complaints mainly on the basis that the Google entity responsible for the search engine was outside the territorial scope of EU data protection law and, therefore, beyond the reach of the AEPD
- ECJ ruled SEs are also controllers of PD contained in 3rd party web pages
- Mario: right to be forgotten (house foreclosure)

Rationale for Data Protection

Increase in computers in 1970 and cross-border trade

Art. 13 - Fair Proc Info - when PD directly collected from DS

Info has to be provided:
- controller contact info & rep
- contact info for DPO
- purpose and legal basis
- legitimate interest of controller or 3rd party
- recipients of data
- whether data will be transferred internationally
- retention period
- DS rights
- right to withdraw consent
- if provision is contractual or statutory
- if profiling is used

IAPP

International Association of Privacy Professionals - founded in 2000

LEDP

Law Enforcement Data Protection
- better protection for citizens' data
- must comply with necessity, proportionality, and legality

Data Breach - Comm to DS

Must notify if breach poses high risk to DS
Exceptions:
1. where PD is unintelligible due to encryption (aka encryption safe harbor)
2. controller has taken steps to prevent the risk from materializing (good incident response plan)
3. disclosure requires disproportionate effort (unable to identify all DS): broad public announcement instead

OECD

Organization for Economic Cooperation and Development
- 1980: created OECD guidelines on transborder flow of personal data
- membership extends beyond Europe
- focused on economic growth, NOT BINDING

Security Paperwork - layers

Org's rules on security:
1. Top - statement of policy/principles (e.g. secure data in transit)
2. Middle - controls, more detail (e.g. encryption)
3. Lower - operational procedures (e.g. encryption of laptops)

Weltimmo

Real estate company; how laws protect citizens in cross-border activity. Weltimmo found to be established in Hungary even though a Slovakian company because:
1. website targeting Hungary & using Hungarian language
2. representative in Hungary for court
3. letter box in Hungary
4. Hungarian bank account

Data Subject Rights

Right of:
1. Transparent communication & info
2. Access
3. Rectification
4. Erasure (right to be forgotten)
5. Restriction (block)
6. Notification of recipients
7. Portability
8. Object
9. Profiling: not subject to automated decision making

Art. 14 - Fair Proc Info - when PD indirectly collected from DS

Same as Art 13 plus:
- categories of PD
- source of PD (e.g. publicly accessible)

Personal data breach definition

accidental or unlawful destruction, loss, ALTERATION, unauthorized disclosure of/access to PD transmitted, stored or processed
- similar to security principle except for alteration
- controller should have an incident response plan

Obligation to notify recipients

controller must notify 3rd parties if DS exercises right to rectify, erase, block

Household Exemption

data processing by persons in the course of personal or household activity (social networking) - Reg applies to controllers that provide means for processing PD

Mutual Assistance

designate SA to oversee compliance

Physical Environment

entry control system, CCTV, clean desk, lock & key

Rynes

home video of public footpath - not part of HH exemption

Joint Controllership

in Corp groups, parent co provides centralized IT services to subs

Schrems

invalidated Safe Harbor for FB to transfer data to US

Controller

key decision maker with regard to PD; legal or natural person
5 Obligations: provides info to DS; ensures legitimate basis; data protection assessments; secures data; determines notification to DPA if breach

Copeland vs UK

monitoring emails at work violates article 8 of ECHR

Processing data on criminal convictions

not considered sensitive data

Org Inadvertently sell to EU citizens

not necessarily covered by GDPR

Photographs

not systematically considered special category

GDPR Outside Scope

processing data that concerns public safety, defense and national security

Fair Processing Information

requires controller to provide DS with certain info about processing of PD

DS Right: Profiling

right to object to automated decision making - obtain human intervention, express POV, obtain explanation of decision

DS Right: Restrict Processing (block)

temporary freezing of data assets; DS has the right if:
- data accuracy is contested
- unlawful processing
- no longer needed for original purpose
- erasure request is pending and may be overridden
