Notes from the first module of Privacy & Security with Prof. Bachelet (Innovation and Technology Management course, 2020-2021) + questions for the exam. Grade: 30. Topics: Characteristics of EU data protection regulation, dual objective of the data protection regulation, Court of Justice of the EU, policy of the ECJ on data protection, principle of conferral, harmonising attitude of the GDPR, DP and privacy in the European legal order, DP & privacy, ECHR, ECtHR, DP and the other rights
Type: Notes
To explain privacy and security we can use the metaphor of a window: privacy is drawing a curtain over the window to stop others from looking in; security is a stronger layer of data protection, like putting a lock on the door to keep other people out of the house. Privacy and security concern personal data, of course. It is a sort of war between three drivers: individuals, who generally accept the collection of their data; governments and firms, which use these data for economic and commercial purposes; and technology, which is the main tool used to exploit them. Why is there an increasing appetite for data? Data allow huge control over citizens and can be analysed in specific ways, allowing companies to profile people and understand what we like (for advertising, for example). This allows Google or Facebook to earn a lot by selling our data. Privacy paradox: people are concerned about their personal data, but they use and share a lot of them. They want protection in theory but act differently in practice. Legal response in the EU: there are three steps in the history of the EU legal response on data protection. The first was in 1975 and was not specific to the internet; the second was the first Data Protection Directive in 1995, when internet use covered about 1% of the EU population; the last was in 2016, with the first important data protection regulation, the GDPR, applied since 2018. Distinction between regulation and directive, the two most important legal acts in the EU legal system: a regulation aims to make the legal framework uniform and is binding in its entirety; a directive tries to harmonise the legal framework but leaves the states freer to choose how to adopt it, since it only sets an objective. Regulations are similar to our formal legal acts and are binding; directives imply more discretion for the states: they are binding as to the goal, and they harmonise but do not make uniform.
The states normally have a period of time to transpose a directive. When this period expires, if the directive contains a prohibition that does not require a further implementing rule, then in case of delay a citizen may ask for the application of that prohibition, not against another citizen but against the state (vertical application). Distinction between primary and secondary legislation in the EU legal order: primary legislation is made by the treaties, the TEU and the TFEU; secondary legislation is wider and is based on the treaties. We have a sort of pyramid: on top the primary legislation, made by the two treaties (TEU and TFEU); on the basis of these two all the secondary legislation can be created. Primary legislation, in the history of the treaties: the 1957 Treaties of Rome, then from 1992 the Treaty of Maastricht, then the Treaty of Lisbon. 27 member states.
In general, secondary legislation requires the ordinary legislative procedure: the initiative lies with the Commission, and the act is approved or amended by the Council and the Parliament (the co-legislators). We had a directive on data protection in 1995 and, since 2018, the regulation (GDPR). In theory the goal of the EU regarding data protection moved from harmonised to uniform. The hybrid nature of EU data protection: economic and social. The economic side relates to the possibility of trading data in markets; the social side relates to the dignity underlying the data protection right. According to the treaties, more and more competences move from the single states to the Union. Initially, only an economic link justified EU intervention, because it affected the EU market. A social-right-based competence arises because the Community changed from an economic one into something more, so that the protection of data and privacy no longer requires a simple link to the market. The EU keeps a hybrid nature, maintaining the economic aspect as well.
What was the main innovation of the Treaty of Lisbon (2007, in force from 2009)? This treaty brought significant changes from two points of view:
2. Exemptions for the public sector: Art. 23 GDPR (Restrictions). EU or MS (member state) law may restrict, by way of a legislative measure, the scope of certain obligations and rights when such a restriction is a necessary and proportionate measure to safeguard: national security, defence, public security, criminal offences (PJCCM) and other important objectives of general public interest of the EU or a MS (see the entire article!). There are a lot of restrictions applying to the GDPR, and they are restrictions of fundamental rights and values. No such broad carve-outs apply to private parties! When it comes to the public sector, the regime could be very different in each MS because of these broad conditions. In the US there is a sector-by-sector regime: for the private sector there are just some rules in specific areas (health, banking); the approach is on an ad-hoc basis, and some specific sectors need regulation because they are likely to have harmful effects. 1988 Video, 2015 Consumer… it is a sectoral regime.
3. Enforcement, independent DPAs: how the rules are applied in practice. Consider first, in primary legislation, art. 16(2) TFEU (last part): compliance with these rules shall be subject to the control of independent authorities. Art. 4(21) GDPR defines a supervisory authority: an independent public authority which is established by a MS pursuant to art. 51. Art. 52 deals with the independence of the authority required to enforce the rules in the field of DP: each supervisory authority shall act with complete independence and its members shall remain free from external influence.
B. LEGITIMISING REGIME. What does it mean? See art. 6 GDPR, "lawfulness of processing": processing shall be lawful only if and to the extent that at least one of the following applies:
a. The data subject has given CONSENT to the processing of PD for one or more specific purposes. Art. 4(11) defines the data subject's "consent": freely given, specific, informed, unambiguous -> agreement by a statement or by a clear affirmative action.
b. (Legal reason) processing is necessary for the performance of a contract to which the data subject is party (CONTRACT).
c. (Legal reason) for compliance with a legal obligation to which the controller is subject.
d. (Public/individual purposes) for the performance of a task carried out in the public interest.
e. (Public/individual purposes) for the purposes of legitimate interests, except where such interests are overridden by the fundamental rights and freedoms of the DS (data subject).
PROCESSING SAFEGUARDS: Art. 5 GDPR (PD-processing principles):
a. Lawfulness, fairness and transparency
b. Purpose limitation
c. Data minimisation
d. Accuracy
e. Storage limitation
f. Integrity and confidentiality
So legitimate PD processing in the EU is given by CRITERIA (art. 6) and SAFEGUARDS (art. 5).
C. RIGHT-BASED REGIME. The system is a rights-conferring one: it confers rights on the data subject (Chapter 3 GDPR): art. 15, right of access of the DS + information, in clear language and free of charge; art. 16, right to rectification; art. 17, right to erasure, the "right to be forgotten" ("diritto all'oblio") (…); so a number of rights for every citizen. Those rights are considered fundamental rights, which means there is a minimum, non-negotiable level of data protection: ECFR (2000) art. 8 and recital no. 1; an essence that no state can reduce (application of art. 23 GDPR is not allowed here).
Art. 45 GDPR (transfers on the basis of an adequacy decision): a transfer of PD to a third country may take place where the Commission has decided that the third country ensures an adequate level of protection. There is a non-exhaustive list of factors to be considered (for example the rule of law, respect for rights and freedoms…). On this topic there are two very important cases: Schrems I (2015) and Schrems II (2020), brought by Max Schrems, an Austrian, against a social platform. This is called supremacy by default (already in the 95 Directive). There is another aspect of the extraterritorial impact, supremacy by design: art. 3(2) GDPR (territorial scope). This regulation applies to the processing of PD of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: a. the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required; b. the monitoring of their behaviour as far as their behaviour takes place within the Union. This is the attempt of the EU to extend the GDPR's territorial scope, exercising supremacy over the regulation of other countries.
The preliminary rulings: art. 267 TFEU. The ECJ shall have jurisdiction concerning the interpretation of the treaties and the validity and interpretation of acts of the EU institutions, bodies and agencies… When it comes to primary legislation the ECJ has only the power of interpretation, that is, of establishing the normative meaning. When it comes to secondary legislation the ECJ also deals with validity, not only the interpretation of the acts. Why? Because the validity of secondary legislation depends on the pyramid: on top the primary legislation (TEU, TFEU), and the secondary legislation is based on the primary. This is very important because the EU can intervene only in the areas where the member states have given away their sovereignty. There are procedures in the treaties for adopting, for example, a directive; a regulation is valid if it has been adopted in accordance with these rules and inside an area where the EU has competence. Who can refer a question to the court? In preliminary rulings, under art. 267 TFEU, it is not citizens who can ask, but a judge of any member state, if necessary to give judgement. Normally it is up to the single judge to decide whether it is necessary. According to the third paragraph, when the case is pending before a court of last resort (in Italy, the Court of Cassation), there is no possibility of appealing to another court, since the decision is definitive; so normally it is up to the judge whether to refer to the ECJ, but if the judge belongs to a court whose decision is final, precisely because that decision is definitive, it is mandatory for the judge to refer to the ECJ if there is any doubt about interpretation or validity. Tribunale, Corte d'Appello, Cassazione in Italy: if you are a judge of the Cassazione you have to refer to the ECJ. Another competence is annulment or failure to act: art. 263 TFEU. The ECJ shall review, for example, lack of competence: an EU institution adopted an act outside its competence, so the ECJ can intervene.
It is a direct action by a MS or an EU institution against an institution, or vice versa; or: I have the competence but I did not respect an essential procedural requirement (infringement of a procedural requirement). Who is entitled to refer to the ECJ? A member state or any EU institution (Council, Commission or Parliament).
The Advocate General said that it was outside the scope of the Directive, but since this was part of the harmonisation of the market, they applied the Directive. The goal was market harmonisation, and by pursuing this goal they wanted to ensure protection by enlarging the scope of the DP Directive.
A negative externality is an activity that imposes costs on others which are not reflected in the price (a company dumps its waste in a local river); for example, a company that holds PD for one purpose could sell them or use them for another purpose. Public good: DP is not one, because it is non-excludable and also non-rejectable (fundamental).
US society: privacy was found in the Fourth Amendment before the Warren article; this was corrected by the Supreme Court. The Privacy Act of 1974. The US is not a homogeneous world, so it is interesting how the different states react. California is the most strongly regulated state on privacy, with a direct reference to privacy. FRANCE: it now has the strictest privacy regulation; with art. 8 of the ECFR, France had its own regulation even before the article. For example, it took initiatives against Google over cookies. The article was based on the principle that "the individual must have full protection", in contrast with the previous age.