Universal Declaration of Human Rights (UDHR) 1948, Art. 12
i. First international legal instrument announcing a right to privacy
ii. Catalyst for other human rights instruments in Europe.
iii. Recognized universal values and traditions of "the inherent dignity and the equal and inalienable
rights of all members of the human race in the foundation of freedom, justice, and peace in the
world."
European Convention on Human Rights (ECHR) 1950, Art. 8
i. International treaty to protect human rights and fundamental freedoms.
ii. Protects wide scope of fundamental rights and freedoms
Council of Europe (CoE)
i. Formed after WWII to unite Europe and promote rule of law, democracy, human rights and social
development.
Treaty of Rome (1957)
i. Established European Economic Area (EEA)
ii. Adopted ECHR in 1950
a) International obligations
b) All CoE member states have now incorporated or given effect to ECHR in their national law
iii. EEA is all EU member states plus Iceland, Liechtenstein and Norway
Convention 108 (1981)
i. Convention for the protection of individuals w/ regard to automatic processing of personal data
a) Applies to all data processing carried out by both private/public sector
b) Protects individual from abuse
c) Regulates trans-border data flow
d) Includes FIPPs
e) Outlaws processing of sensitive data without proper legal safeguards
f) Data subject rights
ii. The only legally binding international instrument in the data protection field.
iii. Ratified by ALL EU Member States
Treaty of Maastricht (1992)
i. Established the EU
EU Data Protection Directive (95/46/EC) (1995)
i. Aimed to further reconcile the individual data protection rights with free flow of data between
member states.
ii. Will be replaced by GDPR, May 28, 2018
Summary CIPP/E Revision Notes (2026)
Charter of Fundamental Rights of the European Union (2000)
i. Incorporated human rights protections (the original treaties of the European Communities did not
contain any reference to human rights or their protection)
ii. Became legally binding as EU primary law (Art 6(1) of TEU) when the Lisbon Treaty came into force
in 2009.
iii. Respect for private and family life (Art. 7)
iv. Right to data protection (Art. 8)
Treaty on European Union (TEU) (2007)
i. Forms the basis of EU law
Lisbon Treaty (2009)
i. Aimed to strengthen and improve the core structures of the EU to enable it to function more
efficiently.
ii. Amended the two core EU treaties:
a) Treaty on European Union (TEU)
b) Treaty Establishing the European Community (renamed Treaty on the Functioning of the European Union, or TFEU)
iii. Promoted Charter of Fundamental Rights and requires countries wishing to join the EU to respect
its core values—this was not previously required.
What 7 EU institutions were established by the Lisbon Treaty?
d. Establishes 7 EU institutions
i. European Parliament (> 700 members) - Legislative
ii. European Council (28 heads of member states)
iii. Council of the EU (groups of 28 ministers by theme) = Legislative
iv. European Commission (28 commissioners and 23,000 civil servants)
v. The Court of Justice of the EU (CJEU)
vi. European Central Bank
vii. Court of Auditors
Council of Europe (1949)
a. International organization (distinct from EU) focused on protecting human rights, democracy, rule
of law in Europe and promoting European culture.
b. 47 member states
c. No country has ever joined the EU w/o first belonging to the Council of Europe.
European Court of Human Rights (ECHR)
a. A body of the Council of Europe.
b. Enforces the European Convention on Human Rights (ECHR).
European Parliament
a. Directly elected parliament of EU.
b. Together w/ Council of European Union and the European Commission, makes up legislative branch
of EU.
c. 751 members
European Commission
a. Proposes legislation
b. Implements decisions
c. Upholds EU treaties
d. Enforces EU law w/CJEU
e. Represents EU internationally
f. Manages day-to-day EU business
g. 28 members (commissioners)
European Council
a. Defines EU's overall political direction and priorities
b. Comprises the heads of state/government of member states
c. Includes President of European Council
d. Includes President of European Commission
European Court of Justice (ECJ)
a. Part of CJEU
b. Highest court in EU
c. 1 judge per member state (28)
i. Normally hears cases in panels of 3, 5 or 15 judges
d. Interprets EU law and ensures equal application across all EU member states
Council of the European Union ("the Council")
a. Can adopt EU laws together w/ Parliament upon proposal of Commission
b. Made up of government ministers from each EU member state
CoE Convention 108 (1981)
a. CoE Convention 108
i. The 1st (and only) international legally binding instrument to specifically address data protection.
ii. Protects individuals from abuse
iii. Regulates trans-border flow of personal data
Treaty No. 181
i. Improves upon Convention 108
a) Provides for setting up of national supervisory authorities responsible for ensuring compliance w/
data protection/trans-border data flow laws adopted in pursuance of the convention
b) Data may only be transferred to third-countries if recipient State or international organization is
able to afford adequate level of protection
The EU Data Protection Directive (95/46/EC)
a. Principal EU legal instrument on data protection (for now, until GDPR)
b. Adopted 1995
c. Aimed to harmonize data protection law at national level
d. Sets a floor for data protection law
e. Seeks to give substance to and expand the principles in Convention 108
f. Extends beyond the EU, including non-member states that are part of the EEA
g. CJEU has jurisdiction to determine whether a Member State has fulfilled its obligations under the
Directive
The EU Directive on Privacy and Electronic Communications (2002/58/EC) (e-Privacy Directive)
i. Complements the Data Protection Directive
ii. Addresses requirements of new digital technologies and eases advance of electronic
communications services
iii. Security obligations
iv. Duty to inform subscribers of risk (virus, malware, etc.)
v. Confidentiality
vi. Member States should prohibit wire-tapping, interception, surveillance, etc. of communications
b. Unsolicited e-mail and other messages
i. Use of email addresses for marketing purposes is prohibited
ii. Opt-in only for unsolicited emails
c. Cookies
i. Exempts cookies that are "strictly necessary for the delivery of a service requested by the user"
(e.g., shopping cart cookies)
ii. Cookies allowed only if user:
a) is provided notice about purpose, storage, access to the cookie information; and
b) Gives consent (opt-in only).
The EU Directive on Electronic Commerce (2000/31/EC) (e-Commerce Directive)
a. Addresses legal aspects of e-commerce.
EU Data Retention Directive (2006/24/EC)
i. Declared invalid in April 2014.
a) In absence, Member States may still provide their own data retention scheme, but they must still
comply with the ePrivacy Directive, the EU Charter of Fundamental Rights and the CJEU ruling.
ii. Member states must store citizens' telecommunications data for minimum 6 months and max 24
months.
iii. Service providers are obligated to erase/anonymize traffic data processed when no longer needed,
unless exception applies
Personal Data