CIPP/E Exam 2023 with complete solutions
IAPP - Answer- International Association of Privacy Professionals - founded in 2000

GDPR - Answer- Global Data Privacy Regulation
- May 2018
- states can make further legislation
- stronger rights for online environment
- SA have increased powers
- broader application - anyone targeting EU cust
- 173 recitals, 99 articles, 11 chapters

Rationale for Data Protection - Answer- Increase in computers in 1970 and cross-border trade

EEC - Answer- European Economic Community

Human Rights Declaration - Answer-
- 1948 after WWII
- right to private and family life and freedom of expression (Art 12)
- created by Council of EU, adopted by United Nations

ECHR (Court) - Answer- European Court of Human Rights
- binding decisions
- gives opinion on ECHR
- personal info to be private but not absolute right

ECHR - Answer- European Convention on Human Rights
- 1953
- created by Council of EU (not just EU)
- open to member states (application)
- like HRD, recognizes the need for balance
- based on Universal Human Rights Declaration

OECD - Answer- Organization for Economic Cooperation and Development
- 1980
- created OECD guidelines on transborder flow of personal data
- membership extends beyond Europe
- focused on economic growth, NOT BINDING

OECD Guidelines - Answer-
1. Collection Limitation (consent, fair, lawful)
2. Data Quality (complete, accurate, up-to-date)
3. Purpose Specification (specified at collection)
4. Use Limitation (consistent with purpose)
5. Security Safeguards (against loss, destruction, modification, unauthorized access)
6. Openness (use of info, Controller identity & loc)
7. Individual Participation (entitled to receive from Controller)
8. Accountability (controller complies with above)

OECD Guidelines - Member state considerations - Answer-
- domestic processing & re-export of data
- transborder flows are uninterrupted & secure
- don't engage with other members unless guidelines are observed
- member state can restrict if protection not provided
- avoid laws to restrict TB data flows

Convention 108 aka CoE Convention - Answer-
- 1981
- worldwide scope
- Convention for the Protection of Individuals in regard to automatic processing (not profiling) of PD
- first legally binding international instrument in the area of data protection
- requires signatories to take steps to ensure fundamental human rights with regard to the processing of personal information
- US was not signatory
- Global privacy day (1/28)
- same as OECD except: (1) preserve info to identify person for no longer than needed (2) Special categories - race, religion, sex/health life, political views, criminal conv not auto processed without safeguards

Transborder Special Rules - Answer- For countries not signatory parties

Mutual Assistance - Answer- designate SA to oversee compliance

Data Protection Directive - Answer-
- Directive 95/46/EC
- not law, framework
- 1995
- fragmented implementation across states
- replaced by GDPR
- only applied to Controllers
- 78 recitals, 34 articles, 7 chapters

Charter of Fundamental Rights of EU - Answer-
- 2000 in Nice
- created by EU
- Lisbon Treaty made this binding for EU states
- Art 7 - private life, family, home, comm
- Art 8 - separate right to data protection
- promotes individual civil, political, economic, and social rights for European citizens
- similar principles as ECHR but refers to protection of personal data

Treaty of Lisbon - Answer-
- Treaty signed in 2007 that made the European Parliament the co-equal legislator for almost all European laws and also created the position of the president of the European Council
- made Charter of Fundamental Rights binding
- Amended EU Treaty

Convention 108+ - Answer- Aligns with GDPR

ePrivacy Directive - Answer-
- 2002 aka Cookie Directive
- Privacy & Electronic Communication Directive (2002/58/EC)
- processing data across public communication network (doesn't apply to private network)
- telecomm, faxes, internet, email
- must get consent to store cookies

EU Institutions - Answer-
1. European Parliament - Oversight - House of Rep - vote on legislation, elected by EU citizens
2. European Council - Direction - set priorities & political direction for EU
3. Council of EU - Decisions - Senate - minister from each state, main decision making body (works with Parliament)
4. European Commission - Executive - implements EU decisions, 1 commissioner per state, most active

European Courts - Answer-
1. CJEU - Court of Justice of European Union - decision on EU laws - judicial body of EU
2. ECHR - European Court of Human Rights - not EU institution, intl court, applies ECHR

Copland vs UK - Answer- monitoring emails at work violates article 8 of ECHR

Google Spain vs AEPD & Mario Costeja - Answer-
- Google Spain sold advertising space to fund Google Search Engine
- SE outside EEA whose activities are economically linked to SE core activities
- Google had refused to address complaints mainly on the basis that the Google entity responsible for the search engine was outside of the territorial scope of EU data protection law and, therefore, beyond the reach of the AEPD
- ECJ ruled SEs are also controllers of PD contained in 3rd party web pages
- Mario - right to be forgotten - house foreclosure

Weltimmo - Answer-
- RE company - how laws protect citizens in cross-border activity
- Weltimmo found to be established in Hungary even though Slovakian company because:
1. website targeting Hungary & using language
2. Rep in Hungary for court
3. letter box in Hungary
4. Hungarian bank account

Schrems - Answer- invalidated Safe Harbor for FB to transfer data to US

GDPR Chapters - Answer-
1. General Provisions
2. Principles
3. DS Rights
4. Controller & Processor
5. Transfer of data to 3rd parties
6. Independent SA
7. Cooperation & Consistency
8. Remedies, liabilities, penalties
9. Provisions relating to specific process situations
10. Delegated acts and implementing acts
11. Final provisions

Consent - Answer- Freely Given, Specific, Informed, Unambiguous
- cannot be bundled with T&Cs
- clear and plain language
- main criteria for legitimate processing

Data Breach Reporting - Answer- Controllers and Processors have to report to DPA within 72 hours unless no risk to rights and freedoms

Main changes in GDPR from Directive - Answer-
- directly applicable to all member states
- stronger rights for individuals - data portability, right to be forgotten, profiling
- new accountability regime
- use of subprocessor requires consent of controller

LEDP - Answer- Law Enforcement Data Protection
- better protection for citizens' data
- must comply with necessity, proportionality, and legality

NIS Directive - Answer-
- Network & Information Systems
- first EU-wide cybersecurity law
- 3 Focus Areas: (1) National capabilities - response teams, recovery exercises, (2) Cross-border collaboration, (3) National supervision of critical sectors
1. compel dev of cybersecurity strategies for EU
2. improve security levels of operators of essential services and digital service providers
3. enhance cooperation btw states and NIS group
- EU Directives are not directly applicable to member states - to become law, they have to be implemented by national legislation

GDPR Opening Clauses - Answer-
- 50 open clauses allow for specific national laws
- ex. parental consent

Parental Consent - Answer- GDPR is 16 but member states can go as low as 13

Personal Data Building Blocks - Answer-
1. Any Info
2. Relating To
3. Identifiable
4. Natural person (not deceased)

False Data - Answer- Can be considered PD as well

Pseudonymization - Answer-
- PD can no longer be attributed to person without some other piece of data
- GDPR promotes method as safeguard

Photographs - Answer- not systematically considered special category

Controller - Answer- key decision maker with regards to PD - legal or natural person
5 Obligations:
- provides info to DS
- ensures legitimate basis
- data protection assessments
- secures data
- determine notification to DPA if breach

Processor - Answer-
4 Obligations:
- record-keeping
- ensures intl data transfers comply with regulation
- appropriate security
- notify Controller of breach
2 building blocks:
1. separate legal entity from Controller
2. processes PD on behalf of Controller

Joint Controllership - Answer- in Corp groups, parent co provides centralized IT services to subs

Controller - source of control/competence - Answer-
1. Explicit Legal Competence
2. Implicit Competence (employer with employee data)
3. Factual Influence (circumstances)

Processor Contract - Answer-
- only process PD as instructed
- confidentiality of people doing processing
- delete or return PD at end of contract
- demonstrate compliance

Subcontracting by processor - Answer-
- processor must get prior authorization by Controller
- contract btw processor and subprocessor must include any provisions by Controller
- Initial processor remains fully liable to controller for performance of subprocessor

Controller vs Processor - Factors to consider - Answer-
- level of instruction by controller
- monitoring by controller
- visibility portrayed by controller to DS
- expertise of parties

EU Processor - does GDPR apply to Controller? - Answer- doesn't automatically mean the controller will be subject to GDPR

Org Inadvertently sell to EU citizens - Answer- not necessarily covered by GDPR

GDPR In Scope Factors (5) - Answer-
1. use of EU language
2. marketing directed to EU audience
3. naming EU states in reference to goods/services
4. using EU in domain of site
5. monitoring behavior of EU subjects

GDPR Outside Scope - Answer- processing data that concerns public safety, defense and national security

Household Exemption - Answer-
- data processing by persons in the course of personal or household activity (social networking)
- Reg applies to controllers that provide means for processing PD

Lindqvist Judgement - Answer-
- A case in which the European Court of Justice ruled that a woman who identified and included information about fellow church volunteers on her website was in breach of the Data Protection Directive
- Creating a website for a Church which includes personal information of co-workers
- Reference to the fact that an individual has injured her foot and is on medical leave constitutes special category of personal data
- Court did hold that uploading data to a website was not a cross-border data transfer

Rynes - Answer- home video of public footpath - not part of HH exemption

Data Processing Principles (GDPR Principles) - Answer-
1. Lawful, Fair, Transparent
2. Purpose Limitation
3. Data Minimization
4. Accuracy
5. Storage Limitation
6. Integrity and Confidentiality
7. Accountability

Lawfulness - Answer-
1. Consent
2. Contract Performance
3. Legal Obligation
4. Vital Interest of DS
5. Public Interest
6. Legitimate Interest (except if overridden by rights and freedoms of DS)

Fairness - Answer-
- DS must be aware to make informed decisions about processing of personal data
- have to evaluate if processing will negatively affect the DS (e.g. website increases ticket price b/c search history)

Transparency - Answer-
- notify DS how personal data is processed
- provide in timely manner
- info has to be clear, concise, easy to understand, & in accessible manner
Controller free from providing info on processing when:
- disproportionate effort or impossible
- protect legitimate interest
- preserve confidentiality

Purpose Limitation - Answer-
- only collect and process data for legitimate purpose
- secondary processing permitted if compatible with orig purpose (stat purpose, public interest, scientific or historical research)

If further processing is not compatible with orig purpose - Answer-
1. obtain separate consent from DS for new purpose
2. satisfy other legal criteria for processing

Data Minimization Principle - Answer-
- controller must only process personal data that is relevant, necessary, and adequate for purpose
- Necessity - reasonable to accomplish purpose; can purpose be accomplished by using anonymous data instead
- Proportionality - amt of data collected - save everything approach is not right

Accuracy - Answer-
- ensure data is accurate and kept up-to-date
- verify authenticity of data sources
- ok to keep records of errors as long as not misleading facts (e.g. med misdiagnosis)

Storage Limitation - Answer-
- don't keep data beyond time needed for purpose
- exception: if needed for public interest, stat. purposes, scientific or historical research
- data can be kept forever if irreversibly anonymized

Integrity & Confidentiality - Answer-
- protect against unauthorized access, accidental loss, destruction, damage
- promotes use of pseudonymization & encryption

Consent - Freely Given - Answer-
- some countries req separate consent
- controllers can't say consent is req as part of contract
- can't rely on consent if imbalance btw controller and DS (e.g. employer-employee rel)

Consent - Specific - Answer- -
Document information
- Written for: CIPP/E (Institution), CIPP/E (Course)
- Uploaded on: May 28, 2023
- Number of pages: 34
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers