Week 7:
Lecture:
An introduction to data privacy law:
Objective:
- Enable participants to critically analyse regulatory responses to the personal data processing phenomenon - Weeks 7-11
o Introduction to Data Privacy Law
o Individualised Rights and Collective Responses
o State Surveillance, Data Flows and Data Sovereignty
o AI, Profiling and Automated Decision-Making
Global Data Privacy Frameworks:
- A lot of international attention
- Categorising them worldwide:
o [most regimes are a bit of both]
o Economic models: primary aim= free flow of data. Seeing it as a commodity
o Rights-based: starting point= individuals have a right to privacy/protection.
Rights-Based Regimes: Economic Models:
EU GDPR Revised OECD Privacy Guidelines
Modernised Council of Europe Convention 108 APEC Privacy Framework
African Union Convention ASEAN Framework
Introduction to EU Data Protection Law
The origins of EU Data Protection Law:
- 1995 Directive: background was ambivalent
- Legislative backdrop to Directive 95/46 EC:
o Disparate legal regimes emerging in EU
- Member States
o Concern in the European Parliament about impact of personal data processing on individual rights
e.g. consensus data
Concerns surrounding freedom of association
o At the same time, European Council- worried about it from an economic perspective. Car manufacturer had a head
office in Paris and a lot of offices in Italy. Fiat wanted to move data from Paris to Italy. Found impossible as Italy
provided no protection [compared to France]- an impediment of free movement of data from the EU.
- Dual Aims:
o To facilitate the free movement of personal data in the EU Internal Market
o To protect fundamental rights, in particular privacy
A lot of the case law shifts from economic to HRs- both critiqued and welcomed [depending on
perspective]
The General Data Protection Regulation [GDPR]
- Important shift- moving from directive to regulation. One set of rules for entire EU. Better from companies’ perspective-
especially digital companies; easier than keeping tabs on all 28 protections/rules.
- Has the potential to unify.
o But, no ordinary regulation. Like a directive, still giving MS a lot of scope to exercise their discretion.
Result: unnecessarily complicated some MS have national laws, so there’s a mix between national laws
and the requirements under the GDPR.
Within the EU, no real consensus about what we want data protection to do, especially in
balance w/ economics.
o Some countries have constitutional right to data protection, other countries [like UK],
don’t. So, different countries have a different vision of what this means. More of a tick-
boxing exercise. Probably why there needs to be discretion.
- EU legislation (a Regulation) to replace the 1995 Data Protection Directive
- Adopted in May 2016; entered into force in May 2018
- Enables EU Member States to implement certain provisions in domestic law (eg. UK Data Protection Act 2018)
GDPR: Continuity and Change:
- A lot of hype around the GDPR.
- Rules having capacity to fine companies up to 4% of their annual global turnover.
o Actual rules, a lot of the core provisions existed in 1995.
- ‘…in spite of all the innovation—there is also a lot of continuity. All the familiar basic concepts and principles will
continue to exist, subject to some clarification and smaller changes in details’.
o Former EDPS – Peter Hustinx (Sept. 2015)
, A system of checks and balances: GDPR:
- Personal scope: applies to the processing of personal data with limited exceptions [are you within the scope?]
o Interesting because it means that rules can apply to us as individuals as it can apply to Google. Subject is broad.
Subject to criticism. Once you’re within the scope of the rules, doesn’t mean that processing is prohibited.
Rather, the regime is permissive. Perhaps, too permissive.
- Permits processing provided: ALLOWED TO PROCESS WHEN:
o Processing has a legal basis [Art.6 [1][a]]
How to justify from legal perspective?
Consent - a legal justification from processing
If processing is necessary for the performance of the contract. e.g. ordering something online.
Public interest e.g. consensus.
Hospital - your info processed due to the vital interest of the data holder.
o These justifications existed in 1995
o Complies with specified safeguards [Art.6]
Some like data security
Others, more contestable. e.g. data minimisation -collecting the least amount of data needed to complete.
Contrasting Big Data.
These requirements existed in 1995
o We have rights.
o Basic framework from most data regimes
- Grants rights to individuals ‘data subjects’ and imposes obligations on ‘controllers’
RIGHTS HARMONISATION
GDPR
INNOVATIONS
ENFORCEMENT NEW REGULATORY
POWERS TECHNIQUES
- GDPR innovated in some different ways
o Right to data portability- telling company to move your data to another service provider [new right]
o Regulation - introducing more harmonisation [both substantive and procedural]
o Enforcement powers- the sanction 4%. Significantly, long run, giving individuals the right to mandate consumer
organisations to represent them on their behalf. e.g. Which.
o New regulatory techniques
Risk based approach
Rules in the theory applying to us all, the riskier the processing operation, the more onerous the
responsibility. If low risk data processing, less responsibility.
Characteristics of the EU regime:
- PROHIBITIVE STRUCTURE:
o Data processing is only lawful if it has a legal basis (Art 6 [1] [a])
Perhaps permissive, can process data if you have this, rather than only lawful when. Changing the
default rights over the information.
Relative to other global frameworks, the EU one is more protective. Contrast to APEC framework;
- PROTECTIVE:
o Safeguards/principles for personal data processing (Art 5)
o Specific rules for children’s data (Art 8) and sensitive data (Art 9) [sensitive= particularly personal]
o Enumerates rights of the data subject (Art.12-22)
o Data protection as a fundamental right, in addition to privacy (EU Charter, Art 8)
A right to data protection that is separate to right to privacy
Giving it an added value - some seeing data protection as only an extension of data privacy; seeing it
as digital privacy.
Relevant for the UK post-Brexit, if the UK doesn’t incorporate this, then no domestic right to data
protection so UK case law can separate out
The right to data protection:
- Article 8 EU Charter: Protection of personal data- general principle [separate to privacy]
Lecture:
An introduction to data privacy law:
Objective:
- Enable participants to critically analyse regulatory responses to the personal data processing phenomenon - Weeks 7-11
o Introduction to Data Privacy Law
o Individualised Rights and Collective Responses
o State Surveillance, Data Flows and Data Sovereignty
o AI, Profiling and Automated Decision-Making
Global Data Privacy Frameworks:
- A lot of international attention
- Categorising them worldwide:
o [most regimes are a bit of both]
o Economic models: primary aim= free flow of data. Seeing it as a commodity
o Rights-based: starting point= individuals have a right to privacy/protection.
Rights-Based Regimes: Economic Models:
EU GDPR Revised OECD Privacy Guidelines
Modernised Council of Europe Convention 108 APEC Privacy Framework
African Union Convention ASEAN Framework
Introduction to EU Data Protection Law
The origins of EU Data Protection Law:
- 1995 Directive: background was ambivalent
- Legislative backdrop to Directive 95/46 EC:
o Disparate legal regimes emerging in EU
- Member States
o Concern in the European Parliament about impact of personal data processing on individual rights
e.g. consensus data
Concerns surrounding freedom of association
o At the same time, European Council- worried about it from an economic perspective. Car manufacturer had a head
office in Paris and a lot of offices in Italy. Fiat wanted to move data from Paris to Italy. Found impossible as Italy
provided no protection [compared to France]- an impediment of free movement of data from the EU.
- Dual Aims:
o To facilitate the free movement of personal data in the EU Internal Market
o To protect fundamental rights, in particular privacy
A lot of the case law shifts from economic to HRs- both critiqued and welcomed [depending on
perspective]
The General Data Protection Regulation [GDPR]
- Important shift- moving from directive to regulation. One set of rules for entire EU. Better from companies’ perspective-
especially digital companies; easier than keeping tabs on all 28 protections/rules.
- Has the potential to unify.
o But, no ordinary regulation. Like a directive, still giving MS a lot of scope to exercise their discretion.
Result: unnecessarily complicated some MS have national laws, so there’s a mix between national laws
and the requirements under the GDPR.
Within the EU, no real consensus about what we want data protection to do, especially in
balance w/ economics.
o Some countries have constitutional right to data protection, other countries [like UK],
don’t. So, different countries have a different vision of what this means. More of a tick-
boxing exercise. Probably why there needs to be discretion.
- EU legislation (a Regulation) to replace the 1995 Data Protection Directive
- Adopted in May 2016; entered into force in May 2018
- Enables EU Member States to implement certain provisions in domestic law (eg. UK Data Protection Act 2018)
GDPR: Continuity and Change:
- A lot of hype around the GDPR.
- Rules having capacity to fine companies up to 4% of their annual global turnover.
o Actual rules, a lot of the core provisions existed in 1995.
- ‘…in spite of all the innovation—there is also a lot of continuity. All the familiar basic concepts and principles will
continue to exist, subject to some clarification and smaller changes in details’.
o Former EDPS – Peter Hustinx (Sept. 2015)
, A system of checks and balances: GDPR:
- Personal scope: applies to the processing of personal data with limited exceptions [are you within the scope?]
o Interesting because it means that rules can apply to us as individuals as it can apply to Google. Subject is broad.
Subject to criticism. Once you’re within the scope of the rules, doesn’t mean that processing is prohibited.
Rather, the regime is permissive. Perhaps, too permissive.
- Permits processing provided: ALLOWED TO PROCESS WHEN:
o Processing has a legal basis [Art.6 [1][a]]
How to justify from legal perspective?
Consent - a legal justification from processing
If processing is necessary for the performance of the contract. e.g. ordering something online.
Public interest e.g. consensus.
Hospital - your info processed due to the vital interest of the data holder.
o These justifications existed in 1995
o Complies with specified safeguards [Art.6]
Some like data security
Others, more contestable. e.g. data minimisation -collecting the least amount of data needed to complete.
Contrasting Big Data.
These requirements existed in 1995
o We have rights.
o Basic framework from most data regimes
- Grants rights to individuals ‘data subjects’ and imposes obligations on ‘controllers’
RIGHTS HARMONISATION
GDPR
INNOVATIONS
ENFORCEMENT NEW REGULATORY
POWERS TECHNIQUES
- GDPR innovated in some different ways
o Right to data portability- telling company to move your data to another service provider [new right]
o Regulation - introducing more harmonisation [both substantive and procedural]
o Enforcement powers- the sanction 4%. Significantly, long run, giving individuals the right to mandate consumer
organisations to represent them on their behalf. e.g. Which.
o New regulatory techniques
Risk based approach
Rules in the theory applying to us all, the riskier the processing operation, the more onerous the
responsibility. If low risk data processing, less responsibility.
Characteristics of the EU regime:
- PROHIBITIVE STRUCTURE:
o Data processing is only lawful if it has a legal basis (Art 6 [1] [a])
Perhaps permissive, can process data if you have this, rather than only lawful when. Changing the
default rights over the information.
Relative to other global frameworks, the EU one is more protective. Contrast to APEC framework;
- PROTECTIVE:
o Safeguards/principles for personal data processing (Art 5)
o Specific rules for children’s data (Art 8) and sensitive data (Art 9) [sensitive= particularly personal]
o Enumerates rights of the data subject (Art.12-22)
o Data protection as a fundamental right, in addition to privacy (EU Charter, Art 8)
A right to data protection that is separate to right to privacy
Giving it an added value - some seeing data protection as only an extension of data privacy; seeing it
as digital privacy.
Relevant for the UK post-Brexit, if the UK doesn’t incorporate this, then no domestic right to data
protection so UK case law can separate out
The right to data protection:
- Article 8 EU Charter: Protection of personal data- general principle [separate to privacy]
