Contents
Privacy & Data Protection notes............................................................................................................2
Class 1 (History, Concepts, Background + Key Concepts & Territorial Scope)....................................2
Class 2 (Main Principles)....................................................................................................................5
Class 3 (DS rights and DC obligations + Third country data transfers)...............................................8
Class 4 (Big data, data science, and profiling + DPO’s).....................................................................13
Class 5 (DPIA’s + Law Enforcement Directive)..................................................................................16
Class 6 (DPA’s + ePrivacy Directive).................................................................................................20
Important articles................................................................................................................................23
EU Charter of Fundamental Rights (2000).......................................................................................23
TFEU (Treaty on the Functioning of the European Union)...............................................................23
GDPR................................................................................................................................................24
ECHR................................................................................................................................................25
Cases....................................................................................................................................................26
Swift Case........................................................................................................................................26
Google Spain Case...........................................................................................................................26
Breyer Case (2016)...........................................................................................................................26
Reynes Case (2014)..........................................................................................................................27
Planet49, Case C-673/17 CJEU (ePrivacy, cookies)...........................................................................27
1
,Privacy & Data Protection notes
Class 1 (History, Concepts, Background + Key Concepts & Territorial Scope)
Four privacy dimensions:
Physical: Physical and mental integrity (e.g. drugtest, cavity search)
Territorial: Inviolability of the home (prohibition of anyone entering a home against
the will of the owner)
Communications: Secrecy of correspondence and telecommunications (The right of
privacy to one’s own letters; lawful interception can be made e.g. in suspicion of
crime)
Informational: Claims of individuals with respect to information on them
Brief timeline of data protection institutes:
1950: Council of Europe; European Convention on Human rights. This was the first
instrument to give effect and binding force to the rights stated in the Universal
Declaration of Human Rights, and its first supranational organ to ensure member
states to fulfill their obligations.
1981: Council of Europe; Convention for the Protection of Individuals with regard to
the Automatic Processing of Personal Data. This is a treaty that protects the right to
privacy of individuals, following the increasing amount of automatic processing. The
treaty aims to harmonize national legislations.
1995: European Communities; Directive 95/46/EC on the protection of individuals.
Directive to harmonize EU ways to deal with processing of personal data. In 2018,
this directive was replaced with the AVG (Algemene Verordeningen
Gegevensbescherming) / the GDPR (General Data Protection Regulation).
2009: EU Charter on Fundamental Rights. One legally binding document that brings
together the most important personal freedoms and rights enjoyed by citizens of the
EU. Charter was declared in 2000, came into force 2009 alongside Treaty of Lisbon.
2018: EU Regulation 2016/679. Protection of natural persons with regard to the
processing of personal data and on the free movement of such data.
The need for regulation, and thus harmonization comes from the following. In 1970 there
were only national data protection acts, resulting in different levels of protection across the
2
, EU. This was an incentive for companies to process data in countries with the lowest level of
protection. Resulting from this, other countries banned transfer of personal data to these low
protection countries. These restrictions are bad for economic prosperity of the EU as a whole,
since free flow of information and business is a crucial point of the Union. This results in
every member state acquiring ‘adequate’ protection, and thus harmonization.
National DP-law is the implementation of the GDPR for each individual EU member state
(NL=AVG). This is mainly interesting for special data and criminal data, health care and
social security, exemptions for the press (freedom of information). National DP-law regards
the establishment and organization of the supervisory authority.
The EDPB (European Data Protection Board) is an independent EU organ that coordinates
the national DP authorities, established in 2018. All national DPA (Data protection
Authorities) have a seat in the EDPB. The EDPB consists of rules with a broad scope and
dynamic concepts, and has general/vague norms. The reason for this is that this makes it
flexible and future-proof (specific rules on email would not apply to new technologies such
as WhatsApp). However, since it’s established in 2018, there aren’t a lot of court decisions
yet, making a lot of its legal concepts unclear. One could say that this gives to much power to
supervisory authorities (DPA’s).
Example vagueness EDPB: “The legal concept of anonymization is not an absolute
concept”. EDPB states that there is a difference between the technical impossibility of doing
something to the very end, and something which we would call effective anonymization. This
makes it unclear how much effort is needed in the anonymization of personal data.
European Court of Human Rights (ECtHR). An international court of the Council of
Europe that interprets the European Convection of Human Rights, in which human rights and
political freedom are protected in Europe.
Court of Justice of the EU (CJEU). This is the highest authority on interpreting EU law
(thus also EU DP-law), located in Luxembourg. National courts can ask CJEU advice on the
interpretation of EU law.
List of ‘players’ in data protection:
Data Subject: an identifiable person (natural person) who can, directly or indirectly,
be identified. An identifiable person is one who can be identified by reference to an
identifier such as name, ID number, location data, unique identifier or one or more
3
Privacy & Data Protection notes............................................................................................................2
Class 1 (History, Concepts, Background + Key Concepts & Territorial Scope)....................................2
Class 2 (Main Principles)....................................................................................................................5
Class 3 (DS rights and DC obligations + Third country data transfers)...............................................8
Class 4 (Big data, data science, and profiling + DPO’s).....................................................................13
Class 5 (DPIA’s + Law Enforcement Directive)..................................................................................16
Class 6 (DPA’s + ePrivacy Directive).................................................................................................20
Important articles................................................................................................................................23
EU Charter of Fundamental Rights (2000).......................................................................................23
TFEU (Treaty on the Functioning of the European Union)...............................................................23
GDPR................................................................................................................................................24
ECHR................................................................................................................................................25
Cases....................................................................................................................................................26
Swift Case........................................................................................................................................26
Google Spain Case...........................................................................................................................26
Breyer Case (2016)...........................................................................................................................26
Reynes Case (2014)..........................................................................................................................27
Planet49, Case C-673/17 CJEU (ePrivacy, cookies)...........................................................................27
1
,Privacy & Data Protection notes
Class 1 (History, Concepts, Background + Key Concepts & Territorial Scope)
Four privacy dimensions:
Physical: Physical and mental integrity (e.g. drugtest, cavity search)
Territorial: Inviolability of the home (prohibition of anyone entering a home against
the will of the owner)
Communications: Secrecy of correspondence and telecommunications (The right of
privacy to one’s own letters; lawful interception can be made e.g. in suspicion of
crime)
Informational: Claims of individuals with respect to information on them
Brief timeline of data protection institutes:
1950: Council of Europe; European Convention on Human rights. This was the first
instrument to give effect and binding force to the rights stated in the Universal
Declaration of Human Rights, and its first supranational organ to ensure member
states to fulfill their obligations.
1981: Council of Europe; Convention for the Protection of Individuals with regard to
the Automatic Processing of Personal Data. This is a treaty that protects the right to
privacy of individuals, following the increasing amount of automatic processing. The
treaty aims to harmonize national legislations.
1995: European Communities; Directive 95/46/EC on the protection of individuals.
Directive to harmonize EU ways to deal with processing of personal data. In 2018,
this directive was replaced with the AVG (Algemene Verordeningen
Gegevensbescherming) / the GDPR (General Data Protection Regulation).
2009: EU Charter on Fundamental Rights. One legally binding document that brings
together the most important personal freedoms and rights enjoyed by citizens of the
EU. Charter was declared in 2000, came into force 2009 alongside Treaty of Lisbon.
2018: EU Regulation 2016/679. Protection of natural persons with regard to the
processing of personal data and on the free movement of such data.
The need for regulation, and thus harmonization comes from the following. In 1970 there
were only national data protection acts, resulting in different levels of protection across the
2
, EU. This was an incentive for companies to process data in countries with the lowest level of
protection. Resulting from this, other countries banned transfer of personal data to these low
protection countries. These restrictions are bad for economic prosperity of the EU as a whole,
since free flow of information and business is a crucial point of the Union. This results in
every member state acquiring ‘adequate’ protection, and thus harmonization.
National DP-law is the implementation of the GDPR for each individual EU member state
(NL=AVG). This is mainly interesting for special data and criminal data, health care and
social security, exemptions for the press (freedom of information). National DP-law regards
the establishment and organization of the supervisory authority.
The EDPB (European Data Protection Board) is an independent EU organ that coordinates
the national DP authorities, established in 2018. All national DPA (Data protection
Authorities) have a seat in the EDPB. The EDPB consists of rules with a broad scope and
dynamic concepts, and has general/vague norms. The reason for this is that this makes it
flexible and future-proof (specific rules on email would not apply to new technologies such
as WhatsApp). However, since it’s established in 2018, there aren’t a lot of court decisions
yet, making a lot of its legal concepts unclear. One could say that this gives to much power to
supervisory authorities (DPA’s).
Example vagueness EDPB: “The legal concept of anonymization is not an absolute
concept”. EDPB states that there is a difference between the technical impossibility of doing
something to the very end, and something which we would call effective anonymization. This
makes it unclear how much effort is needed in the anonymization of personal data.
European Court of Human Rights (ECtHR). An international court of the Council of
Europe that interprets the European Convection of Human Rights, in which human rights and
political freedom are protected in Europe.
Court of Justice of the EU (CJEU). This is the highest authority on interpreting EU law
(thus also EU DP-law), located in Luxembourg. National courts can ask CJEU advice on the
interpretation of EU law.
List of ‘players’ in data protection:
Data Subject: an identifiable person (natural person) who can, directly or indirectly,
be identified. An identifiable person is one who can be identified by reference to an
identifier such as name, ID number, location data, unique identifier or one or more
3
