CIPP - E - (Final) - IAPP certification
for privacy
CIPP/E OUTLINE
I. Introduction to European Data Protection
A. Origins and Historical Context of Data Protection Law
- Rationale for data protection
- Balance between freedom/privacy & free trade
- Human rights laws
- Universal Declaration of Human Rights (Declaration) – adopted in 1948 by the General Assembly of the UN
  - Article 12 – right to private life and associated freedoms
  - Article 19 – freedom of expression
  - Article 29(2) – individual rights are not absolute; there will be instances where a balance must be struck
- European Convention on Human Rights (ECHR)
  - 1950, in Rome: the Council of Europe invited states to sign the ECHR – an international treaty to protect human rights and fundamental freedoms (ratified by member states; not constitutional)
  - Article 8 echoes Article 12 of the Declaration – right to privacy
  - Article 10 – freedom of expression
  - Article 10(2) – balance
- Early laws and regulations
- 1960s – 80s – countries took the lead by implementing laws controlling the use of personal information by government and large companies
  - National legislation didn’t adequately protect the right to privacy under Article 8 of the ECHR in the face of emerging technologies
  - Led to publication of Recommendation 509 on human rights and modern scientific and technological developments
- 1973 – 1974 – Council of Europe built on this initial work with Resolutions 73/22 & 74/29 (seen as an urgent requirement because of the diverging laws between the states)
- 1980 – Organisation for Economic Co-operation & Development (OECD) Guidelines on the Protection of Privacy & Transborder Flows of Personal Data
  - Nonbinding – just guidelines
  - No distinction between public and private sector
  - Protect personal data in a global economy (far reaching, not just Europe)
  - 8 principles on collection and use (collection limitation; data quality; purpose specification; use limitation; security safeguards; openness; individual participation; accountability)
- 1981 – Convention 108/CoE Convention
  - Open to countries outside of Europe
  - Legally binding treaty of member states; first binding international instrument
  - Protect data subject privacy (social responsibility to safeguard such data)
  - Automatically processed data
  - Free flow of data between signatories
  - Additional protocol for countries that are not signatories (legitimate interest of the individual; public interest; transfer based on contractual clauses)
  - Revamped so it aligns with GDPR; serves as a means for third countries outside the EU to adopt the basic tenets of GDPR
  - Was signed by 20 states of the Council of Europe, including the UK
B. European Union Institutions
- European Court of Human Rights (ECHR)
- Founded in 1959 to oversee the European Convention on Human Rights.
- Not an institution of the EU; instead, it is a product of the Council of Europe, a broader group of member states than the EU.
- European Parliament
- Only institution where members are elected
- Primary responsibilities: legislative development (legislation is where Parliament plays its biggest role in privacy), supervisory oversight of other institutions, and budget development
- Council of the EU (legislative decision making along with Parliament)
  - Legislation is typically proposed by the European Commission before being examined by the Council of the EU and Parliament
  - One minister per member state
- European Council
- Heads of state/government of all EU countries, European Council president, European Commission president, and High Rep for Foreign Affairs and Security Policy
- Defines EU’s priorities and sets political direction
- Granted institutional status (able to make binding decisions)
- European Commission (implements EU decisions and policies)
- Initiates legislation – EU legislation can only be adopted when proposed by the Commission
- Can take legal/administrative action against Member States that don’t comply with laws
- Can adopt adequacy findings on which non-EU countries provide adequate levels of data protection; enforces the Charter, ensuring a high level of protection of individuals’ rights to privacy and data protection
- Court of Justice of the European Union (CJEU) – the judicial body of the EU
- Based in Luxembourg; set up with the Treaty of Paris 1951
- Makes decisions on issues of EU law and enforces decisions based on:
  - Actions taken by the Commission against a Member State
  - Actions taken by individuals to enforce their rights under EU law
- Difference between ECHR and CJEU: the CJEU can force national governments to implement and honour EU law, while the ECHR cannot. The ECHR enforces the European Convention on Human Rights rather than EU law. The CJEU interprets EU law to make sure it is applied in the same way in all EU countries and settles legal disputes between national governments and EU institutions. It can also, in certain circumstances, be used by individuals, companies or organisations to take action against an EU institution if they feel it has somehow infringed their rights.
C. Legislative Framework
- The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (the CoE Convention)
  - First binding international instrument to set standards for personal data and balance them with the free flow of information for international trade
- The EU Data Protection Directive (95/46/EC)
- The EU Directive on Privacy and Electronic Communications (2002/58/EC) (ePrivacy Directive) – as amended
  - Applies to electronic communications services, electronic communications networks, and services and networks publicly available and offered in the EU; website operators (e.g., for cookies) or other businesses (e.g., for direct marketing)
  - Co-exists with GDPR
- The EU Directive on Electronic Commerce (2000/31/EC)
- European data retention regimes
- GDPR (EU) 2016/679 and related legislation
  - European Data Protection Board (EDPB) (replaced the Directive’s WP29) – provides guidance about how GDPR is interpreted
II. European Data Protection Law and Regulation
A. Data Protection Concepts
- Personal Data
- any information (still personal data if information is publicly available)
- relating to
- an identified or identifiable
- natural person (data subject)
- Sensitive Personal Data (Article 9) (does not include financial data, though financial data can be personal data if it is used to identify a person)
- Personal data revealing racial/ethnic origin; political opinions; religious or philosophical beliefs; trade union membership
- Genetic data; biometric data used to uniquely identify a person
- health data
- data concerning a person’s sex life / sexual orientation.
- Personal Data related to criminal convictions and offences (Article 10)
- Only carried out by authorized Member state official authorities (e.g., police)
- Pseudonymous and anonymous data
- Anonymous data (Recital 26) – Not related to an identified or an identifiable natural person; has not been rendered identifiable (not considered personal data under GDPR)
- Pseudonymisation (not fully anonymous) (Recital 26; Article 4(5)) – personal data can no longer be attributed to a specific data subject without the use of additional information; a security measure in which that additional information is kept so it cannot be attributed to the data subject (e.g., encryption, hashing)
determining applicability of the law. Processing personal data of individuals in the EU alone is not the trigger; the important element is targeting.
  - Offering of goods and services to data subjects residing in the EU (a website directed at the relevant jurisdiction)
  - Monitoring – digital tracking of behaviour; CCTV usage and market surveys (not limited to online collection or analysis of personal data, but dependent on purpose)
- Processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law (requires a designated rep in the Union, really targeted to governments)
- Material Scope (Article 2)
- Processing of personal data wholly or partly by automated means (any processing operation performed w/out or partly w/out human intervention)
- Personal data which forms part of a filing system
- Exclusions: activities outside the scope of EU law (e.g., national security activities); law enforcement and public security; purely personal or household activities
C. Data Processing Principles (See Article 5)
- Fairness, lawfulness, and transparency
- Honest practices, such as communicating openly w/data subjects about personal data processing activities
- Purpose limitation
- Collecting and processing personal data for the specified purpose only
- Proportionality (data minimization)
- Personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’
- Accuracy
- Processing complete and up to date personal data (may negatively impact data subject if information is out of date)
- Storage limitation (retention)
- Retaining only personal data that is relevant and necessary for the purpose
- Integrity and confidentiality
- Ensuring personal data is secure
- Accountability
- Processing personal data responsibly and demonstrating compliance with EU and member state data protection laws (justify why you operate that way; show your work)
D. Lawful Processing Criteria (Art. 6 – Lawfulness of processing)
- Consent (See Recitals 32, 42-43; Articles 4(11), 7, 8)
- Conditions for consent: demonstrable (if processing is based on consent); if given in a written declaration, clearly distinguishable; right to withdraw at any time (as easy to withdraw as to give consent); not a condition for performance of a contract if not necessary
- Definition:
  - Freely given (not freely given if a contract is conditional upon consent, or where there is a clear imbalance of power between data subject and controller)
  - Specific (informed of all intended purposes at the time of consent; additional consent is required if the processing purpose changes); some flexibility for research/scientific purposes, acknowledging that other uses within the same general area of scientific research may arise
  - Informed
    - Data subject informed, at least, of the controller’s identity, the purpose of processing, and how the processing may affect data subjects
    - Controller can demonstrate the data subject was informed prior to consent
    - Clearly distinguishable from other matters
    - Intelligible, clear and in plain language
    - Compatible with the original purpose
  - Unambiguous indication by statement or clear affirmative action
    - Absolutely clear
    - Clearly an affirmative action (e.g., opt-in; a technical setting for information society services, such as a browser setting)
    - Not silence, inactivity, a pre-ticked box, or opt-out
    - Not implied through the mere provision of data
- Consent for processing children’s data must be given by a parent when the child is younger than 16 years old (member states can lower the threshold to as young as 13 years old); more rigorous when information society services are being offered; the controller must take reasonable steps to verify (e.g., the child’s age and that it is the parent who is giving consent)
- Performance of a Contract
- If the processing is necessary to perform the contract and the data subject is a party to the contract, or if the data subject requests the processing in order to enter into a contract
- Legal obligation, vital interests and public interest
- Legal obligations required by EU and member state laws only
- Vital interests of the data subject or another natural person (personal data must be processed to ensure an individual’s survival, e.g., in an emergency, and only if no other option is available)
- Legitimate interests ( See Recitals 47 – 49)
- Unless overridden by the interests, rights or freedoms of the data subject, in particular where the data subject is a child
- Accountability and transparency are important for this lawful ground to apply
- Special categories of processing (See Article 9)
- PD that reveals: racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership; genetic data; biometric data (uniquely identifying purpose); health, sex life, or sexual orientation
- Higher standard of protection
- Prohibition on processing, except if:
  - Explicit consent – unambiguous, freely given, specific and informed, and a clear affirmative act by the data subject
  - In the context of employment, when processing of special categories is necessary for the controller to comply with a legal obligation under employment, social security and social protection law and is authorised by Union or Member State law
  - Vital interests – the controller must be able to demonstrate that it is not physically or legally possible to obtain consent
- A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal data
- Related terms: privacy statement, fair processing statement, privacy policy
- Large volume of required information = creative methods for communication
- Layered notices
- Transparency strategies for making privacy notices easier to navigate and more concise
  - Layered privacy notice – multiple layers of increasingly detailed notices; the Article 29 Working Party suggests 3 layers (top layer = short notice with just the key elements; second and third layers = condensed notice followed by full notice, or full notice followed by FAQ)
  - ‘Just in time’ notice – delivered at or right before a user accepts a service/product, or when previously collected data is to be used for a new purpose; helps facilitate a meaningful choice
  - Standardised icons (Article 12(7)) – visualisation; the challenge is designing readable icons (European Commission)
F. Data Subjects’ Rights
- Access (See Article 15)
- Confirmation DS’s personal data is being processed and access to it
- Processing of DS’s information – purpose, categories of personal data, recipients, retention period, additional DS rights, source of personal data, automated decision making
- Information about appropriate safeguards for personal data transferred to a 3rd party/international organization
- Copy of personal data
  - Controller may charge a reasonable fee for further copies requested
  - In a commonly used electronic form when the request is made by electronic means (unless otherwise requested)
  - Cannot adversely affect the rights and freedoms of others
- Rectification
- Correct or complete their personal data
- Correction of inaccurate personal data
- Completion of incomplete data
- Where data must be retained, the data subject may submit a supplementary statement
- Limitations to the rights of access and rectification – identification of the requester, protection of others’ rights and freedoms, purpose of the request, request is manifestly unfounded or excessive (e.g., repetitive in nature)
- Data portability (See Article 20)
- Right to receive personal data in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller without hindrance from the controller (where technically feasible)
- Applies where consent or performance of a contract is used as lawful grounds for processing
- Extension of access right
- Does not trigger erasure, but is w/out prejudice to the right of erasure
- Will not adversely affect the rights and freedoms of others
- Erasure and the right to be forgotten (RTBF) (Articles 17, 19)
- Right to have personal data erased (and no longer processed) where:
  - Data is no longer necessary for the purpose
  - DS withdrew consent, if processing is based on consent and there is no other legal ground to continue processing
  - DS objects to processing (if processing is based on legitimate interest)
  - Data was collected in relation to information society services from a child on the basis of consent
  - Processing was unlawful
  - Erasure is required for compliance with EU or member state law
- Right to have public data deleted
- Burden on the controller to remove the data
- Exceptions – not an absolute right
  - Exercising the rights of freedom of expression and information
  - Compliance with legal obligations
  - Reasons of public interest
  - Archiving purposes where erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing
  - Establishment, exercise or defence of legal claims
- Restriction (See Article 18) and objection (Article 21)
- Restriction
  - Personal data is stored without being further processed
  - Data is still stored because: accuracy is contested and the controller needs time to verify; processing is unlawful but the data subject prefers restriction to erasure; the controller no longer needs the data but the data subject needs it for the establishment, exercise or defence of legal claims; the data subject objects to processing, pending the controller’s verification of legitimate grounds
  - Once restricted, data may only be further processed with new consent from the data subject; to establish, exercise or defend legal claims; to protect the rights of another person; or for important public interest reasons
  - Controller must inform the data subject before lifting the restriction
- Objection
  i. Public interest or legitimate interest
    - Not an absolute right
    - Data subject’s right to object at any time to processing based on the public interest or the controller’s legitimate interest
    - Controller’s burden to demonstrate a compelling legitimate interest that overrides the individual’s interests, rights and freedoms
  ii. Research or statistical purposes
    - Not an absolute right
    - Data subject’s right to object at any time to processing for scientific/historical research or statistical purposes
    - On grounds relating to the individual’s particular situation
    - Overridden if processing is necessary for the performance of a task carried out in the public interest
  iii. Direct marketing
    - Absolute right: the data subject can object at any time to processing for direct marketing purposes; processing must cease, including profiling
- Automated decision making, including profiling (Article 22)
- Prohibition on a decision based solely on automated processing that produces legal or similarly significant effects
Controller becomes aware of the breach when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised
  - Delay permitted if there is ‘reasoned justification’
  - Exempt if unlikely to result in a risk to the rights and freedoms of natural persons
  - Communication needs to include:
    - Who? Categories of data subjects
    - How many? Approximate number of data subjects and data records
    - Contact information – name and contact details of the DPO
    - Description of likely consequences
    - Follow up (measures taken or to be taken)
  - If it is not possible to provide all the information at the same time, it can be provided in phases without undue further delay
  - Controller will document any personal data breaches, comprising the facts of the breach, its effects, and remedial action taken. Documentation will enable the SA to verify compliance with GDPR.
iii. Controller notification to the data subject (Article 34)
  - Applies if ‘high risk’
  - Without ‘undue delay’
  - Exemptions for: unintelligible data; high risk negated by measures taken; disproportionate effort (public communication instead of individually contacting each data subject)
  - Regardless of the controller’s decision, the SA may decide the data subject should be notified
  - Communication needs to be in clear and plain language
- Vendor Management
- Article 28(1) – flow down security principles and requirements to the processor
  - Processors must be limited to those who can provide ‘sufficient guarantees’ about the implementation of appropriate technical and organisational measures for compliance with the Regulation and for the protection of the rights of data subjects
- Data sharing
- NIS Directive = first cybersecurity law to cover the entire EU (covers national capabilities, cross-border collaboration, national supervision of critical sectors)
H. Accountability Requirements
Accountability: ability to demonstrate that a data protection programme has been implemented and run in compliance with the law

| Accountability Requirement | Controller | Processor |
|---|---|---|
| Data protection by design | Yes | No |
| Data protection by default | Yes | No |
| Data protection impact assessment | Yes (where required) | No (but duty to assist under Article 28 terms) |
| DPO | Yes (where required) | Yes (where required) |
| Record-keeping | Yes | Yes |
| Security | Yes | Yes |
| Data breach reporting | Yes (to SA and DS) | Yes (to controller) |
- Responsibility of controllers and processors (Articles 24 & 28)
  a. Joint controllers (See Article 26 – Joint Controllers) – jointly determine the purposes and means of processing personal data; DS may exercise their rights against either controller irrespective of the terms of the arrangement. Joint participation can take the form of a common decision taken by two or more entities or converging decisions by two or more entities; processing wouldn’t take place without both parties’ participation.
  b. Data protection policy (Article 24(2) – Responsibility of the controller) – used where proportionate in relation to processing activities
  c. Controller records (Article 30 – Records of processing activities) – purpose of processing; name and contact information of controller, representative and DPO; categories of data subjects; categories of personal data; recipients, international data transfers and appropriate safeguards; time limits for erasure; technical/organisational security measures
  d. Processor records (Article 30 – Records of processing activities) – name and contact information of controller, representative and DPO; categories of processing; international data transfers and appropriate safeguards; technical/organisational security measures
- Data protection by design and by default (Article 25)
  - Data protection by design
    - Implementation of technical and organisational measures should take place both at the time of determining the means of processing and at the time of the processing itself
    - Build data protection into products throughout their life cycles
    - Integrate necessary safeguards into the system (data minimisation and pseudonymisation)
    - Assess and mitigate product risks to meet data protection by design requirements
  - Data protection by default
    - By default, the product/service processes only necessary personal data (purpose, amount of personal data collected, extent of processing and storage period)
    - Limited accessibility to personal data
- Documentation and cooperation with regulators
- Data protection impact assessment (DPIA) (Article 35)
  - Incorporate data protection considerations into organisational planning
  - Demonstrate compliance to supervisory authorities
  a. Established criteria for conducting
- Considerations – nature, scope, context, purpose, type of processing; use of new technologies
- Conditions – high risk to rights & freedoms of data subject (systemic, extensive evaluation of personal aspects based on profiling or processing of special
Financial resources, infrastructure and staff; communicating the DPO designation to all staff; access to other services within the organisation; continuous training
  - Safeguards to enable the DPO to perform tasks independently
  - DPO reports to the highest level of management
- Auditing of privacy programmes
I. International Data Transfers
Controller is now obligated to inform the data subject about data transfers; must tell the data subject of the existence or absence of an adequacy decision. Transfers should be considered in the following order: adequacy decisions, appropriate safeguards, and derogations.
1. Rationale for prohibition
- Adequate jurisdictions (Article 45)
- Adequate level of data protection for a country, territory, sector (e.g., health care or financial services) and international org (ex., United Nations) / has the same protection requirements as the GDPR
- EC determines adequacy (reviews every 4 years; ability to repeal, amend and suspend; already existing decisions (from the Directive) remain in force until amended, replaced or repealed)
- Criteria – respect of rule of law; access to justice; international human rights standards; general & sectoral laws and case law; effective and enforceable rights for individuals; data protection rules, professional rules and security measures; other international commitments or obligations
- Countries – Andorra, Argentina, Canada (PIPEDA, applicable to commercial orgs); Faroe Islands; Guernsey; Israel; Isle of Man; Japan; Jersey; New Zealand; South Korea; Switzerland; UK (GDPR & the LED); Uruguay
- Safe Harbor and Privacy Shield
- Appropriate Safeguards (Article 46)
- Standard Contractual Clauses
  - Adopted by the Commission or a national SA (and then approved by the Commission)
  - For a company in the EEA that wants to send data to a company outside the EEA
  - Different types for data controllers and processors
  - Standard form that is non-negotiable
  - Most commonly used tool for appropriate safeguards
- International Agreements between two countries for protection of personal data (example Passenger Name Records)
- Binding Corporate Rules (BCRs) (Article 47)
  - Internal and legally binding rules for companies engaged in joint economic activity. Only for transfers within the corporate group or group of enterprises; doesn’t apply to companies outside the group.
  - Approval by supervisory authority
  - Article 47: detailed conditions for transfers
- Codes of Conduct (Articles 40, 41)
  - Compliance-signalling tools for controllers and processors
  - Created/revised by associations or other bodies representing controllers or processors for GDPR application; demonstrating compliance; creating market efficiencies; facilitating international data transfers (non-EU controllers/processors must also make ‘binding and enforceable commitments’ via contractual or other legally binding instruments)
  - Binding and enforceable – approved codes of conduct must enable mandatory monitoring of compliance with their provisions by accredited monitoring bodies; the accredited body can suspend/exclude the infringing party from the code and notify the SA; adherence to the code is a factor to be considered in assessing an administrative fine
- Certifications (Articles 42, 43)
  - May be used to demonstrate compliance
  - May be issued by accredited certification bodies, competent SAs and the EDPB for demonstrating compliance with Article 25 – data protection by design and default
  - Only valid for 3 years; must be renewed
  - Consequences for non-compliance: the accredited certification body is responsible for withdrawing certification in the event of non-compliance, and must inform the SA and provide reasons. Certification is a factor to be considered in assessing an administrative fine
- Derogations (an exemption from or relaxation of a rule or law; can be used on a one-off basis)
- Exemption from prohibition on transferring personal data outside EEA
- Used when a country outside EEA does not have adequacy decision and appropriate safeguards are not in place
- Last resort for limited circumstances and specific conditions; strict criteria to be narrowly interpreted
  - Explicit consent from the data subject (must understand the risk of transferring their personal data)
  - Necessary for the performance of a contract and/or the conclusion of a contract with the data subject (must be no way to fulfil the contract unless the data is transferred)
  - Public interest (recognised by EU or member state law only)
  - Establishment, exercise or defence of legal claims (international litigation scenarios)
  - Protection of the vital interests of the data subject or other persons (emergency situations – e.g., an individual needs emergency medical care)
  - Transfer from a register of public information
  - Legitimate interest of the controller (transfer must be non-repetitive and concern a limited number of individuals)
  - Restrictions (MLAT – an agreement between two or more countries for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws) – Article 48
- Transfer Impact Assessments – process of assessing data protection equivalence (see page 149)
J. Supervision and Enforcement
- Supervisory authorities and their powers (aka Data Protection Authority) (Article 58)
- Appointed to enforce privacy or data protection laws and regulations in a particular jurisdiction
- Promote, monitor, and enforce GDPR
K. Consequences for GDPR violations
- Process and procedures
- Infringements and fines
- Fines issued by an SA pursuant to Article 83 for infringements of GDPR (paragraphs 4, 5 and 6) shall be effective, proportionate and dissuasive. SAs can levy significant fines against entities for GDPR violations, which vary depending on the nature of the violation. However, before imposing a fine, the SA must consider a variety of factors (Article 83(2)). A proposed fine can be challenged in court, and attempts to impose exorbitant fines have been rejected by the courts.
- Fines can be issued in addition to the following corrective powers: issuing warnings to a controller/processor that intended processing operations are likely to infringe GDPR; withdrawing a certification or not issuing one; ordering the suspension of data flows to a third country or international organisation
- Class actions – the European Court of Justice has issued an important judgment confirming that consumer bodies can bring opt-out class action claims for breaches of data protection, including where the infringement also relates to consumer protection and unfair commercial practices laws.
- Data subject compensation – any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered
III. Compliance with European Data Protection Law and Regulation
A. Employment Relationship
- Legal basis for processing of employee data
- Fulfillment of an employment contract (using information to process salaries)
- Legal obligation (sharing salary information with tax authorities); must be an obligation under EU or member state law
- Legitimate interests of the employer (e.g., migrating employee data from one data management system to another) – cannot be adverse to employees’ rights and freedoms, cannot serve as the ground for processing special categories of data, and cannot be relied on by public authorities
- Consent (has to be freely given; hard because of the power dynamic)
- Sensitive data: legal claims (e.g., a claim of unfair dismissal), or carrying out obligations and exercising specific rights under employment, social security and social protection law
- Storage of personal records
- Records should be stored during the employment lifecycle, but the justification for storing records after that period diminishes unless there is a reason to keep them (e.g., a local law requirement). If that is the case, records should be archived and access should be limited.
- Workplace monitoring and data loss prevention
- Subject to member state data protection and local employment law
- Alternatives to monitoring always considered / prevention rather than detection (e.g., blocking websites that employer doesn’t want employees to visit)
- Types of monitoring: background checks, data loss prevention (DLP) technology, whistleblowing schemes (US–EU conflict: SOX protects the identity of the whistleblower vs. the EU protecting the personal data of the accused)
- Monitoring must be: necessary (is there another less intrusive way to monitor?), legitimate (lawful grounds, fairness), proportional (proportionate to issue), transparent (clearly informed of monitoring)
- EU works councils
- Information and consultation bodies representing employees in European multinational companies
- Whistleblowing systems
- ‘BYOD’ programmes – see page 162
B. Surveillance Activities
- Surveillance by public authorities – member state law is permitted to restrict the “rights of the data subject” under GDPR only if the following interests are at stake and the restrictions safeguard such interests:
  - National security; defence and public security
  - Prevention/prosecution of criminal offences or execution of criminal penalties
  - Public interest
  - Breach of ethics for regulated professions
  - Monitoring
  - Protection of data subjects’ rights
  - Enforcement of civil law claims
- Must respect the essence of fundamental rights enshrined in the Charter of Fundamental Rights (right to private & family life (Article 7) and protection of personal data (Article 8)) and be “necessary and proportionate measure in a democratic society”
- Law Enforcement Data Protection Directive (LEDP Directive) – Recital 66 – protection of personal data shouldn’t prevent law enforcement authorities from carrying out activities to prevent criminal offences or safeguard against threats to public security. Laws that fail to appropriately take into account rights/freedoms of data subjects may be struck down by CJEU
- Surveillance by private authorities – must be based on legitimate purposes; in addition to GDPR, national laws may concern confidentiality, privacy, data protection and other civil rights (employment law)
- Interception of communications
- Content data – Content of communication is protected by the right to freedom of expression
- Metadata – information generated as a consequence of a communication’s transmission (traffic data (called numbers in relation to a telephone call), location data, subscriber data) – all fall w/in GDPR b/c it can be used to identify an individual
- ePrivacy Directive – aka Cookie Directive and the Privacy & Electronics Communications Directive – sets out rules governing the processing of location,