NOTES Digital Privacy Seminar

The document summarizes key changes and developments in digital privacy and data protection law in the European Union. It discusses the evolution from the 1995 Data Protection Directive to the more stringent General Data Protection Regulation (GDPR). It also analyzes important court rulings like Google Spain that established the "right to be forgotten" and expanded the responsibilities of companies collecting and processing personal data. Finally, it examines issues around cross-border data transfers in light of cases like Schrems that invalidated the EU-US Safe Harbor agreement.


DIGITAL PRIVACY SEMINAR NOTES

FROM DATA PROTECTION DIRECTIVE TO THE GDPR


Legal norms are sources that produce or have legal effects. They need to have 2 characteristics:
1. EFFECTIVENESS: a norm’s ability to produce its own legal effects or to be imposed as a legal duty
2. FORCE: a norm’s ability to innovate the positive legal system

Supranational bodies that originate sources of law for EU countries:


1. COUNCIL OF EUROPE: the leading human rights organisation. All members have to sign up to the European
Convention on Human Rights (ECHR), a treaty designed to protect human rights, democracy and rule of law. It
has influence over the European Union too
2. EUROPEAN UNION: empowered by its founding treaties (principle of attribution) to enact legislation. Principle
of supremacy and direct effect: norms of EU law take precedence over domestic norms. Sources of law
a. Binding acts:
i. Regulations: directly applicable within the legal systems of MS (generally applicable)
ii. Directives: binding as to the results
iii. Decisions: directly applicable acts binding in their entirety to legal persons or MS (individually)
b. Non-binding acts: (not legal norms stricto sensu, failure to comply with them does not lead to sanction)
i. Recommendations
ii. Opinions
c. Soft law:
i. Interinstitutional agreements
ii. Preparatory acts that precede the adoption of a legislative acts
iii. Acts that establish rules of conduct

Art. 8 ECHR: “Everyone has the right to respect for his private and family life” [...] “There shall be no
interference by a public authority with the exercise of this right except…”
No reference to ‘data protection’
Convention of the Council of Europe for the Protection of Individuals with regard to Automated
Processing of Personal Data → from privacy to data protection

Charter of fundamental rights of the EU


● Art. 7 respect for private and family life
● Art. 8 protection of personal data

Change of Privacy and Data Protection in EU:


Definitions from 95/46/EC Directive
● PERSONAL DATA: any info relating to an identified or identifiable natural person (data subject)
● PROCESSING OF PERSONAL DATA: any operation performed upon Personal Data, whether or not
by automatic means. Personal data can be processed ONLY IF:
○ The data subject has given consent to the processing
○ The processing is necessary for the performance of a contract
○ The processing is necessary for the compliance with a legal obligation
○ The processing is necessary for the purposes of the legitimate interests pursued by the controller
● CONTROLLER: natural or legal person, public authority, agency or any other body which determines
the purposes and means of the Processing of Personal Data
● PROCESSOR: natural or legal person, public authority, agency or any other body which processes
Personal Data on behalf of the controller
● Data Subject’s CONSENT: any freely given specific and informed indication of his/her wishes by which
the data subject signifies his/her agreement to personal data relating to him/her being processed

Data Retention Directive


Mandatory retention of traffic and location data (Art.5) for ISP and ECS, identifying: source and destination,
location, users’ device, date and time, duration, type of communication. Content of communication excluded
Retention period: btw 6 months and 2 years
Directive 2006/24/EC (the Court’s findings):
- No definition of “serious crime” and “competent authorities”
- No objective and procedural criteria to establish limits of access to the metadata by the authorities →
excessive length of the retention period
- The court refuses the idea of mass surveillance of the “entire European population”
- Absence of any relationship btw the retained data and the serious crime
- The directive doesn’t ensure a high level of protection since it doesn’t guarantee the “destruction of the
data at the end of the data retention period”
- The directive doesn’t require that the data in question is to be retained within the European Union
=> the directive is INVALID

Art. 15 of the Directive, the Court’s answer:


● It ensures a correct level of protection to limit the powers of Authorities to interfere with the right to
privacy
● It prevents MS from granting public authorities access to personal data without prior scrutiny by
judicial or administrative bodies, save on certain conditions (e.g. vital national security)

Key role of principle of proportionality


National legislation governing the conditions under which the providers of electronic communications
services must grant the competent national authorities access to the retained data must ensure that such
access does not exceed the limits of what is strictly necessary

Importance of security measures


“Providers of electronic communications services must, in order to ensure the full integrity and
confidentiality of that data, guarantee a particularly high level of protection and security by means of
appropriate technical and organisational measures.”

Principle of storage limitation, art. 5(1)(e) GDPR


● Personal data (PD) shall be kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are processed
● PD may be stored for longer periods insofar as the PD will be processed solely for archiving purposes in
the public interest, scientific or historical research purposes or statistical purposes subject to
implementation of the appropriate technical and organisational measures
● No indication of how long data should be retained. Data controller has to justify it
● Data controller must also be able to justify the need to keep PD in a form that permits identification of
individuals. If not necessary, data controller should anonymise the data so that identification is no longer
possible

From Google Spain to the GDPR


Google Spain, Google Inc., v. AEPD
1. Does the activity carried out by Google as a search engine amount to a processing of personal data?
YES
2. If so, does Google qualify as a data controller?
YES. It is irrelevant whether the search engine actually has knowledge of the fact that PD
are contained in the websites subject to indexing → it amounts to a data controller and as such it
bears the obligations provided by Directive 95/46
=> search engine provider as controller: finding not supported by empirical evidence but relies
on the goal of affording individuals’ data privacy broad protection
3. Does a “right to be forgotten” (RTBF) have any legal grounds?
YES. Art 12, lit. b of the Directive as legal ground, but extensive interpretation of this provision
4. May a national data protection authority order Google to remove links to indexed information without
first consulting the owner of the web page?
Artt. 12 and 14 Directive 95/46: Right to objection and to request the erasure/ blocking of PD in
case of unlawful processing of the same
5. Is such an obligation excluded when the info contains PD lawfully published by third parties?
Since out-of-date news amounts to incorrect information, an unlawful processing of
personal data is at stake. The rights under Artt. 12 and 14 are enforceable against the search
engine provider (broad interpretation of “unlawful processing”)

The US “free speech zone” expresses concerns about the possible implementation of a RTBF in the EU.
Enforcement of such a right is expected to undermine the protection afforded to freedom of expression and
particularly freedom of information → the collective “right to know” is sacrificed for the individual’s RTBF

The applicability of EU regulation to US-based companies continues to be challenged, BUT Google Spain held that
EU law applies even to companies established in the EU for commercial purposes only

but for orders to remove content

still a constitutional distinction btw data and content


From SCHREMS to the GDPR
Art. 25, Directive 95/46/EC
1. Transfer to a third country of PD undergoing processing/intended for processing after transfer may
take place ONLY IF the 3rd country in question ensures an adequate level of protection
2. Adequacy of the level of protection shall be assessed in the light of all the circumstances surrounding
a data transfer operation or set of data transfer operations. Particular consideration to: nature of the data,
purpose and duration of the proposed processing operation(s), country of origin and of final destination,
rules of law in force, professional rules and security measures complied with in that country
3. The Commission may find that a third country ensures an adequate level of protection within the
meaning of para 2 of Art.25, by reason of its domestic law or of international commitments it has
entered into [...] for the protection of the private lives and basic freedoms and rights of individuals

Decision 2000/520/EC: on the adequacy of the protection provided by the safe harbour privacy principles
SAFE HARBOUR
● Mechanism of self-certification intended for US organisations that process PD collected in the EU
● Designed to assist eligible organisations to comply with the EU Data Protection Directive and maintain
the privacy and integrity of that data
● US companies can opt into the program (i.e. self-certify) as long as they adhere to the 7 principles and
15 frequently asked questions. The principles:
1. Principle of notice
2. Principle of choice
3. Principle of onward transfer
4. Principle of security
5. Principle of data integrity
6. Principle of access
7. Principle of enforcement

SCHREMS CASE (v. Facebook Ireland)


Facts: Schrems asked the Data Protection Commission (DPC) to prohibit fb Ireland from transferring his PD to
the US, contending that law and practice in the US don’t ensure adequate protection of the PD against the surveillance
activities engaged in by the public authorities → DPC rejected the complaint
The High Court held that the mass and undifferentiated accessing of PD is contrary to the principle of
proportionality and fundamental values in the Irish Constitution. According to the High Court, Decision
2000/520 does not satisfy the requirements flowing both from Artt. 7 and 8 of the Charter.
Court of Justice:
● Directive 95/46 does not contain any definition of the concept of an adequate level of protection
● The word “adequate” admittedly signifies that a 3rd country cannot be required to ensure a level of
protection identical to that guaranteed in the EU legal order. However, it should have a level of
protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed in EU
● In the Decision 2000/520
○ “national security, public interest, or law enforcement requirements” have primacy over the safe
harbour principles
○ Self-certified US organisations receiving PD from the EU are bound to disregard those
principles without limitation where they conflict with those requirements → prove incompatible
by virtue of primacy
○ Does NOT contain any finding regarding the existence, in the US, of rules intended to limit any
interference with the fundamental rights of the persons whose data is transferred from the EU
○ Does NOT refer to the existence of effective legal protection against interference of that kind
→ Decision 2000/520 is INVALID
Aftermath of the Schrems judgement:
● US-EU Umbrella Agreement set up a data protection framework for PD transferred for the purpose of
prevention, detection, investigation, and prosecution of criminal offences
● Judicial Redress Act affords persons, whose data are shared by EU and other countries with US law
enforcement agencies for the purpose of investigating, detecting or prosecuting criminal offences,
access to civil remedies for certain violations of those protections, and access to court proceedings in
which those remedies can be pursued
● EU-US Privacy Shield - main principles:
○ Notice
○ Choice
○ Accountability for Onward Transfer
○ Security
○ Data integrity and Purpose Limitation
○ Access
○ Recourse, Enforcement and Liability

SCHREMS II
Facts: Schrems went to DPC again, alleging that fb’s use of the standard contractual clauses (SCCs) for data
transfers approved by Commission Decision 2010/87 couldn’t provide a valid legal basis for transfers to the
US, in part because fb is obliged to make the PD of its users available to US government in the context of their
surveillance programs.
Proceedings also dealt with US law and practice regarding surveillance and level of protection provided by the
EU-US Privacy Shield. Irish High Court stayed the proceedings and referred questions to the CJEU

Court’s decision:
● Upheld the use of SCCs as a data transfer mechanism
● Affirmed that the Commission has no obligation to evaluate the level of data protection in countries to
which data are transferred under them
● Declared the EU-US Privacy Shield INVALID because of:
a. Primacy of US law enforcement requirements over those of the Privacy Shield
b. Lack of necessary limitations and safeguards on the power of the authorities under US law,
particularly in light of proportionality requirements
c. Lack of an effective remedy in the US by EU data subjects
d. Deficiencies in the Privacy Shield Ombudsman mechanism (def: new mechanism to facilitate
the processing of and response to requests relating to the possible access for national security
purposes by US intelligence authorities to personal data transmitted from the EU to the US)

There’s a disconnect btw the political pressure to reach an accommodation with the US to which the
Commission seems to be subject, and the Court’s insistence on a high standard of data protection
THE GDPR: General Principles (and consent)
Overview:
● Directly applicable in all 28 MS
● Replaces the 1995 Data Protection Directive and the national laws transposing the 1995 Directive
● National laws applied until 25 May 2018

From Directive to Regulation

Broad margins of manoeuvre for MS


● Lawfulness of processing: “MS may maintain or introduce more specific provisions to adapt the application of
the rules of this Regulation with regard to processing for compliance with points c) and e) by determining more
precisely specific requirements..”
c. processing is necessary for compliance with a legal obligation to which the controller is subject
e. necessary for the performance of a task carried out in the public interest/ exercise of official authority
● Conditions applicable to child’s consent in relation to information society services: MS may provide by law for
a lower age for those purposes provided that such lower age is not below 13 yrs
● Processing of special categories of PD (e.g. racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural
person, data concerning health or sex life or sexual orientation) shall be prohibited → MS may allow processing
necessary for reasons of substantial public interest on the basis of Union or MS law

Material Scope of Application (Art. 2 GDPR)


Applies to the processing of PD wholly or partly by automated means and to the processing other than by automated
means of PD which form (or are intended to form) part of a filing system.
Exceptions:
a. In the course of an activity which falls outside the scope of Union law
b. By the MS when carrying out activities which fall within the scope of the Common Foreign and Security Policy
c. By a natural person in the course of a purely personal or household activity
d. By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal
offences or execution of criminal penalties

Territorial Scope of Application (Art. 3 GDPR)


Application:
1. In the context of the activities of an establishment of a controller or a processor in the Union, regardless of
whether the processing takes place in the Union or not (Google Spain)
2. To the processing of PD of data subjects located in the EU by a controller or processor not established in the EU,
where the processing activities are related to:
- The offering of goods/services, irrespective of whether a payment of the data subject is required, to such
data subjects in the Union; OR
- The monitoring of their behaviour as far as their behaviour takes place within the Union
3. By a controller not established in the Union, but in a place where MS national law applies by virtue of public
international law
Extraterritorial effects of GDPR
Application #1 → broad and flexible concept of “establishment”: an organisation is established when it exercises a real
and effective activity through stable arrangements in the EU
Non-EU established organisations are subject to the GDPR where they process PD concerning EU data subjects in
connection with the offering of goods/ services/ monitoring their behaviour within the EU

Principles:
● Lawfulness, fairness and transparency
● Purpose limitation
● Data minimization
● Accuracy
● Storage limitation
● Integrity and confidentiality
● Accountability (guiding principle of the entire EU data protection system)

ACCOUNTABILITY
Art. 5: the controller shall be responsible for, and be able to demonstrate compliance with the GDPR principles
Security measures:
● Art. 24: controller shall implement appropriate technical and organisational measures to ensure and to be able to
demonstrate that processing is performed in accordance with GDPR → controller’s responsibility/ liability
● Art. 32: controller and processor shall implement appropriate technical and organisational measures to ensure a
level of security appropriate to the risk

Risk-based approach
● The required level of data security must be identified on a case-by-case basis through an objective risk
assessment. In particular, account should be taken of the risks presented by accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of or access to PD
● GDPR encourages controllers to engage in risk analysis and to adopt risk-measured responses → additional
obligations for data processing activities that pose a high risk to individuals while requiring controllers to account
for risk in complying with many provisions of the GDPR
● Controllers that engage in low-risk processing activities (or adequately address risk) may avoid specific
requirements (e.g. notifying a data protection authority of a data breach). The GDPR also requires the supervisory
authorities to consider the risk level of the activity when deciding whether to impose fines for violation

Heightened obligations:
- Art. 35: data protection impact assessment
- Art. 36: prior consultation
- Art. 34: data breach notification to individuals
TRANSPARENCY
● Ensuring correct and transparent processing implies that the data subject is informed about the processing and its
purposes
● Data controller should provide the data subject with any additional information necessary to ensure correct and
transparent processing, taking into consideration the specific circumstances and context of processing
● The data subject should be informed of the existence of profiling and its consequences
● Information shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and
plain language, in particular for any information addressed specifically to a child
● Information shall be provided in writing, or by other means, including by electronic means
● Artt. 13 and 14: the controller must provide the data subject with minimum information on processing prior to
carrying out any processing activity
○ At the time of the collection of the data from the data subject
○ Within a reasonable period from the collection of the data from a source other than the data subject

LAWFULNESS OF PROCESSING
Consent
● Main legal basis to process PD; consent has to be:
- Freely given
Freedom of choice of the data subject; consider whether execution of a contract is made conditional on the
provision of consent to the processing of PD
- Specific and informed
Data subject made aware of the identity of the controller and the purposes for PD processing.
If multiple purposes, must obtain consent for all of them
- Unambiguous
Silence, pre-ticked boxes or inactivity NOT valid consent
- Revocable
Data subject has the right to withdraw his/ her consent at any time. The withdrawal shall not
affect the lawfulness of processing based on consent before its withdrawal
- Provable
Controller shall be able to demonstrate that the data subject has consented to the processing
● Consent is NOT required when the processing is necessary for:
○ The performance of a contract to which the data subject is party or in order to take steps at the request of the
data subject prior to entering into a contract
○ Compliance with a legal obligation which the controller is subject to
○ The performance of a task carried out in the public interest or in the exercise of official authority
○ Protecting the vital interests of the data subject or of another natural person
○ The purposes of the legitimate interests pursued by the controller, except where such interests are
overridden by the interests or fundamental rights and freedoms of the data subject which require
protection of PD
● Explicit consent for processing special categories of data (art. 9), automated individual decision-making (art.
22) and transfer in the absence of appropriate safeguards (art. 49)
○ Requirement referred to the way consent is expressed by the data subject. Written form not required
○ Examples: filling out an electronic form, sending an email, uploading a signed document or using an
electronic signature
○ Oral form is in principle compatible but it is necessary to consider the need to prove the explicit nature of
consent
Legitimate interest
● Data controller may lawfully process PD without consent of the data subjects
● To assess the legitimate interest of the data controller, it’s necessary to take into consideration:
○ The reasonable expectations of the data subject based on his/her relationship with the data controller.
GDPR leaves this evaluation to the data controller
○ Interests or fundamental rights and freedoms of the data subject which can prevail over the legitimate
interest of the data controller
● Factors to consider for ensuring adequate protection for those affected without jeopardising the sufficient degree
of flexibility of the operators:
- Nature and origin of legitimate interest
- Impact on the data subject
- Additional guarantees to avoid undue impact on the data subjects
● Should NOT be treated as a “last resort” for rare or unexpected situations. Should NOT be automatically chosen
● Cases in which the basis of legitimate interest may be used:
- Fraud prevention
- Direct marketing
- Transmission of PD within a business group for internal administrative purposes, including the
processing of PD of customers and employees
- Processing of traffic data, to the extent strictly necessary and proportionate to ensure network and
information security
● According to WP29, it’s possible to use one or more legal bases wrt the use of data for multiple purposes. Each
purpose must be legitimised by a specific legal basis. However:
○ NOT possible to change the pre-defined legitimacy assumption once the processing has started
○ NOT possible to retrospectively use the legitimate interest to justify the processing based on consent
○ Legal bases CANNOT be used according to the contingent needs of the data controller
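The consent requirements above (freely given, specific, unambiguous, revocable, provable) and the WP29 rule that a legal basis cannot be swapped once processing has started can be expressed as a small consent ledger. The following Python is an added example written for these notes, not code from the seminar or from any regulator; the purposes, the mapping of purposes to legal bases and the list of invalid consent mechanisms are assumptions constructed for illustration.

```python
from datetime import datetime

# Legal basis fixed per purpose when the processing is designed (constructed
# for the example). The basis for a purpose is not changed once processing
# has started, and consent for one purpose says nothing about another.
PURPOSE_BASIS = {
    "newsletter": "consent",
    "order_fulfilment": "contract",
    "fraud_prevention": "legitimate_interest",
}

# Ways of "agreeing" that are not an unambiguous affirmative act.
INVALID_MECHANISMS = {"pre-ticked box", "silence", "inactivity"}


def _ts(iso):
    # Timestamps are ISO 8601 strings; parse so comparisons are chronological.
    return datetime.fromisoformat(iso)


def record_consent(ledger, subject, purpose, given_at, mechanism):
    """Append one purpose-specific consent record.

    Refuses mechanisms that are not an affirmative act, and refuses purposes
    whose registered basis is not consent, so a stray consent record cannot
    later be used to justify processing designed on another basis.
    """
    if mechanism in INVALID_MECHANISMS:
        raise ValueError(f"{mechanism!r} is not a valid indication of consent")
    if PURPOSE_BASIS.get(purpose) != "consent":
        raise ValueError(f"purpose {purpose!r} is not based on consent")
    ledger.append({"subject": subject, "purpose": purpose, "given_at": given_at,
                   "mechanism": mechanism, "withdrawn_at": None})


def withdraw_consent(ledger, subject, purpose, withdrawn_at):
    """Close every open consent record for this subject and purpose.
    The record is kept, not deleted: it is the evidence for past processing."""
    closed = 0
    for entry in ledger:
        if (entry["subject"], entry["purpose"]) == (subject, purpose) \
                and entry["withdrawn_at"] is None:
            entry["withdrawn_at"] = withdrawn_at
            closed += 1
    return closed


def consent_valid_at(ledger, subject, purpose, at):
    """Consent covers an instant if it was given before that instant and not
    yet withdrawn at that time. Withdrawal therefore never affects the
    lawfulness of processing that happened before it."""
    t = _ts(at)
    for entry in ledger:
        if (entry["subject"], entry["purpose"]) != (subject, purpose):
            continue
        if _ts(entry["given_at"]) <= t and (
                entry["withdrawn_at"] is None or t < _ts(entry["withdrawn_at"])):
            return True
    return False


def processing_lawful(ledger, subject, purpose, at):
    """Check run before every processing operation for a given purpose."""
    basis = PURPOSE_BASIS.get(purpose)
    if basis is None:
        # No registered purpose means no legal basis: purpose limitation.
        raise ValueError(f"no legal basis registered for purpose {purpose!r}")
    if basis == "consent":
        return consent_valid_at(ledger, subject, purpose, at)
    # Contract, legal obligation or legitimate interest: no consent needed.
    # The basis was fixed at design time, so a withdrawn consent for another
    # purpose is never "repaired" by falling back to legitimate interest.
    return True


def evidence(ledger, subject, purpose):
    """Demonstrability: every record for this subject and purpose, including
    withdrawn ones, in the order they were written."""
    return [dict(e) for e in ledger
            if (e["subject"], e["purpose"]) == (subject, purpose)]


if __name__ == "__main__":
    log = []
    record_consent(log, "subj-1", "newsletter", "2024-01-01T10:00:00", "checkbox ticked by user")
    withdraw_consent(log, "subj-1", "newsletter", "2024-03-01T00:00:00")
    print(processing_lawful(log, "subj-1", "newsletter", "2024-02-15T00:00:00"))  # before withdrawal
    print(processing_lawful(log, "subj-1", "newsletter", "2024-03-02T00:00:00"))  # after withdrawal
    print(evidence(log, "subj-1", "newsletter"))
```

The ledger is append-only by design: withdrawal closes a record rather than deleting it, because the controller must still be able to show on what basis earlier processing took place. In a real system the ledger would live in tamper-evident storage and the mechanism field would carry a reference to the captured form or signed document.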

PURPOSE LIMITATION
● PD should be only collected for specified, explicit and legitimate purposes and not further processed in a manner
that is incompatible with those purposes
● Purpose of data processing has a key role for the lawfulness of the controller/processor’s activities as it makes it
possible to determine whether the basic principles of data minimization, accuracy and storage limitation are being respected
● If new processing activities are carried out that aren’t compatible with the initial purpose, they will only be lawful
if the consent is renewed or by way of statutory justification in EU MS allowing for a change of the data
processing purpose

DATA MINIMIZATION
● PD shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are
processed
● Data processing should NOT be limited to an absolute minimum, but rather to an adequate level regarding the
purposes of processing
● Technical and organisational measures should ensure adherence to this principle, e.g. through anonymisation,
pseudonymisation, through concepts of privacy by design and privacy by default
● Excess or irrelevant data should be deleted asap. Advantages:
○ In the event of a data breach, unauthorised individuals will only have access to a limited amount of data
○ Data minimisation makes it easier to keep data accurate and up to date.

Data protection by design and by default


Art. 25: controllers must ensure that, both in the planning phase of processing activities and the implementation phase of
any new product/ service, data protection principles, and appropriate safeguards, are addressed and implemented
→ compliance with data protection law should not be an after-thought, but treated as a key issue in the planning
and implementation of any new product/ service that affects PD
ACCURACY
● PD should be accurate and kept up to date (where necessary) → at any given time, data shall reflect reality
● Every step must be taken to ensure that inaccurate data, having regard to the purposes of the processing, is erased
or rectified without delay → right to rectification and to erasure

STORAGE LIMITATION
● Data storage periods should be limited to a strict minimum
● PD shall be kept in a form that permits identification of data subjects for no longer than necessary for the
processing purposes
● Time limits should be established by the controller for erasure or for a periodic review
● Art. 17: controller’s obligation to erase PD

INTEGRITY AND CONFIDENTIALITY


● PD shall be processed in a way that ensures appropriate security of the PD, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate
technical and organisational measures
● GDPR is deliberately vague about what measures organisations should take because technological and
organisational best practices are constantly changing
○ Currently, organisations should encrypt and/or use pseudonymous PD wherever possible, but they should
also consider whatever other options are suitable
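The storage-limitation principle (Art. 5(1)(e)), data minimisation and the advice under integrity and confidentiality to encrypt or pseudonymise PD wherever possible can be tried out together in code. The following Python is an added example written for these notes, not code from the seminar or from any regulator; the sample orders are constructed, fictitious records, and the field names, the 730-day retention period and the choice of HMAC-SHA256 as the pseudonymisation function are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed sample data (fictitious people and orders) so the example runs
# offline. Each record holds a direct identifier next to the data the
# business actually needs for its purpose.
SAMPLE_ORDERS = [
    {"email": "alice@example.org", "order_id": 1001, "amount": 42.0,
     "created": "2021-03-10T09:00:00+00:00"},
    {"email": "bob@example.org", "order_id": 1002, "amount": 17.5,
     "created": "2024-06-01T14:30:00+00:00"},
    {"email": "alice@example.org", "order_id": 1003, "amount": 8.0,
     "created": "2024-06-02T08:15:00+00:00"},
]

DIRECT_IDENTIFIERS = ("email",)
# Fields that do not name a person but could be linked back to one through
# another system; an anonymised record must not carry them either.
INDIRECT_IDENTIFIERS = ("order_id", "subject_token")


def pseudonymise(record, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256).

    The same key maps the same identifier to the same token, so one person's
    records stay linkable for the business purpose; without the key the
    token cannot be recomputed from a guessed e-mail address. Because the
    controller holds the key, the output is still personal data under the
    GDPR, so the key must be stored apart from the data (Art. 32 measure).
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    ident = "|".join(str(record[k]) for k in DIRECT_IDENTIFIERS)
    out["subject_token"] = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()
    return out


def anonymise(record):
    """Drop every identifier, including the pseudonym, and coarsen the
    timestamp to the month, so only statistical information remains and
    identification is no longer possible (the storage-limitation outcome)."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in INDIRECT_IDENTIFIERS}
    out["created"] = record["created"][:7]  # "YYYY-MM"
    return out


def apply_retention(records, key, now_iso, retention_days):
    """Storage limitation as code: records younger than the retention period
    are kept in pseudonymised form, older ones are anonymised."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(days=retention_days)
    kept = []
    for rec in records:
        age = now - datetime.fromisoformat(rec["created"])
        kept.append(anonymise(rec) if age > limit else pseudonymise(rec, key))
    return kept


def unkeyed_token(email):
    """A plain hash of the identifier, shown only to contrast with the keyed
    token above."""
    return hashlib.sha256(email.encode()).hexdigest()


def token_confirms_identity(email, token):
    """Why a plain hash is a weak pseudonym: whoever already holds the e-mail
    address can recompute SHA-256(e-mail) and confirm that a token belongs to
    it. A keyed token does not match, so this returns False for it."""
    return unkeyed_token(email) == token


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: kept apart from the data store
    for rec in apply_retention(SAMPLE_ORDERS, key, "2024-07-01T00:00:00+00:00", 730):
        print(rec)
```

The two transformations answer the two questions the notes raise: how long data is kept in identifiable form (the retention period, which the controller has to justify) and what form it takes afterwards. The keyed token keeps the data usable and reversible for the controller and therefore still personal data; the anonymised record keeps only what a statistic needs.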

THE GDPR: Data subject rights


Special categories of data whose processing is prohibited in principle:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health or sex life and sexual orientation
- Genetic data
- Biometric data where processed to uniquely identify a person

Exceptions to the general prohibition of processing special categories of PD


1. Data subject has given explicit consent to the processing of those PD for one or more specified purposes, except
where Union or MS law provide that the prohibition may not be lifted by the data subject
2. Processing is necessary for the purposes of performing the obligations and exercising rights of the controller or of
the data subject in the field of employment and social security and social protection law
3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data
subject is physically or legally incapable of giving consent
4. Processing carried out in the course of its legitimate activities with appropriate safeguards by a foundation,
association or any other not-for-profit body with a political, philosophical, religious or trade union aim. On the
condition that
a. The processing relates solely to the members or to former members of the body or to strictly related
persons; and
b. The PD are not disclosed outside the body without the consent of the data subjects
5. Processing related to PD which are manifestly made public by the data subject
6. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in
their judicial capacity
7. Processing is necessary for reasons of substantial public interest
8. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the
working capacity of the employee, medical diagnosis, the provision of health/ social care/ treatments..
9. Processing is necessary for reasons of public interest in the area of public health or ensuring high standards of
quality and safety of health care/ medical products
10. Processing is necessary for archiving purposes in the public interest, scientific/ historical research purposes or
statistical purposes in accordance with Art. 89(1)

Case scenario: Covid-19 pandemic


The processing of health-related PD has been subject to stringent limitations and justified for reasons of
1. Public interest in the area of public health
2. Performance of specific legal obligations (safeguarding health and safety at the workplace)
3. Scientific research, where authorised by a national provision or the data subject
Specific clarifications were provided also for the processing of “location data” for contact tracing Apps

DATA SUBJECT’S RIGHTS


Rights as a European data subject:
● Right to be informed
● Right of access
● Right to rectification
● Right to erasure
● Right to restrict processing
● Right to data portability
● Right to object
● Rights in relation to automated decision making and profiling

RIGHT TO ACCESS
● Data subject has the right to obtain from the controller confirmation as to whether or not PD concerning him/her
are being processed, and access to the PD
● Controller shall provide a copy of the PD undergoing processing
● The right to obtain a copy of data shall not adversely affect the rights and freedoms of other parties
● If the request is made by electronic means, the information shall be provided in a commonly used electronic form
● Information to be provided:
a. Purposes of the processing
b. Categories of PD concerned
c. Recipients to whom the PD have been or will be disclosed
d. Where possible, the envisaged period for which the PD will be stored, or the criteria used to determine
that period when not possible
e. Existence of the right to request from the controller rectification/ erasure/ restriction of processing of PD
f. Right to lodge a complaint with a supervisory authority
g. Where PD are not collected from the data subject, any available information as to their source
h. Existence of automated decision-making, including profiling, meaningful information about the logic
involved, the significance and the envisaged consequences of such processing for the data subject

RIGHT TO RECTIFICATION (and INTEGRATION)

● Data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate
PD concerning him/her
● Taking into account the purposes of processing, the data subject shall have the right to have incomplete PD
completed (incl. supplementary statement)

RIGHT TO ERASURE
● Data subject has the right to obtain from the controller the erasure of PD concerning him/her without undue delay
● Controller shall have the obligation to erase PD without undue delay
● Conditions
○ PD are no longer necessary for the purposes for which they were collected or otherwise processed
○ Data subject withdraws consent on which the processing is based
○ Data subject objects to the processing
○ PD have been unlawfully processed
○ PD have to be erased for compliance with a legal obligation
○ PD have been collected in relation to the offer of information society services
● Exceptions
○ For exercising the right of freedom of expression and information
○ For compliance with a legal obligation which requires processing
○ For reasons of public interest in the area of public health
○ For archiving purposes in the public interest, scientific or historical research/ statistical purposes

RIGHT TO RESTRICTION OF PROCESSING

Right to obtain restriction of processing where:
a. The accuracy of the PD is contested by the data subject, for a period enabling the controller to verify the accuracy
of the PD
b. Processing is unlawful and the data subject opposes the erasure of the PD and requests restriction instead
c. Controller no longer needs the PD for the purposes of the processing, but they are required by the data subject for
the establishment, exercise or defence of legal claims
d. Data subject has objected to processing pending the verification whether the legitimate grounds of the controller
override those of the data subject

RIGHT TO OBJECT
● Right to object on the grounds relating to data subject’s particular situation, at any time to the processing of PD
concerning him/her where processing is necessary for
- Performance of a task carried out in the public interest or in the exercise of official authority
- Purposes of the legitimate interests pursued by the controller
● Controller shall no longer process the PD unless the controller demonstrates compelling legitimate grounds
● Case of direct marketing:
○ Where PD are processed for direct marketing purposes, the data subject shall have the right to object at
any time to processing of PD for such marketing, which includes profiling to the extent that it is related to
such direct marketing → PD shall no longer be processed for such purposes

RIGHT TO DATA PORTABILITY

● Right to receive the PD concerning him/ her, in a structured, commonly used and machine-readable format AND
have the right to transmit those data from the controller to a new controller, without hindrance, where
○ The processing is based on a contract or consent
○ The processing is automated
● This right shall not adversely affect the rights and freedoms of others
● Inferred and derived data DON’T fall within the scope of the right as they aren’t considered as “provided by the
data subject”. ONLY raw data do.
● Data relating to third parties are only portable if
○ Provided by the data subject; AND
○ Used exclusively for personal purposes (e.g. social contacts, telephone records)
→ Reuse the data

AUTOMATED INDIVIDUAL DECISION-MAKING (including profiling)
● Right NOT to be subject to a decision based solely on automated processing, including profiling, which produces
legal effects concerning him/her or similarly significantly affects him/her
● It does NOT APPLY where the processing is
a. Necessary for entering into, or performance of, a contract btw data subject and a data controller;
b. Authorised by Union or MS law to which the controller is subject and which also lays down suitable
measures to safeguard the data subject’s rights and freedoms and legitimate interests; OR
c. Based on the data subject’s explicit consent

THE GDPR: Structure and Obligations

DATA CONTROLLER
Art. 4(7) GDPR: “entity that determines the purposes for which and the means by which PD are processed”
Primary responsibility: ensuring that processing activities are compliant with EU data protection law
Joint controllership: in relation to any processing activity, possible to have more than one entity as controller
→ Joint liability:
- Primary focus: ensure that the data subject is protected
- Each joint controller is liable for the entirety of the damage. A controller may be exempted from liability if it
proves that it is not in any way responsible for the damage
- If one joint controller has paid full compensation, it may then bring proceedings against the other joint controllers
to recover their portions of the damages

EDPB guidelines on the concept of controller:

● Concept should be interpreted broadly
● “Controllership” can stem from a legal provision or factual influence (i.e. concrete influence on the processing
activity)
● A controller must determine both the purposes and the “essential” means of the processing.
○ “Non-essential” means are more practical aspects of implementation (e.g. choice of hardware or software) and
may be left to others to decide on

OBLIGATIONS
- Appointment of representatives
Controllers established outside the EU must appoint a representative, unless the processing is only occasional
- Appointment of processors: permitted practice under certain requirements
- Record keeping of processing activities, no obligation to notify DPAs
- Cooperation with DPAs
- Data breaches reporting and notification obligations, respectively to DPAs and data subjects
- Data security
Must implement appropriate technical and organisational measures to protect PD against accidental or
unlawful destruction or loss, alteration, unauthorised disclosure or access. Measures may include:
- Encryption of the PD
- On-going reviews of security measures
- Redundancy and back-up facilities
- Regular security testing
- Responsibility for implementing appropriate measures to ensure and demonstrate that processing activities are
compliant with the requirements of the GDPR
- Accountability: must be able to demonstrate compliance with the GDPR

DATA PROCESSOR
Art. 4(8): Entity that processes PD on behalf of the controller
Art. 28(1)-(3): appointment of a processor by the controller in the form of a binding written agreement
stating that the processor must:
- Only act on the controller’s documented instructions
- Impose confidentiality obligations on personnel who processes relevant data
- Ensure the security of the PD that it processes
- Abide by the rules regarding appointment of sub-processors
- Implement measures to assist the controller in complying with the rights of data subjects
- Assist the controller in obtaining approval from DPAs where required
- At the controller’s election, either return or destroy the PD at the end of the relationship
- Provide the controller with all info necessary to demonstrate compliance with GDPR

EDPB guidelines on the concept of processor:

● 2 basic conditions qualifying a processor
1. Being a separate entity
2. Processing PD on the controller’s behalf
● Processors may have a certain discretion about how to serve the controller’s interests (e.g. by
choosing non-essential means)
● Processors can never determine the purpose of the data processing

OBLIGATIONS of Processor
- Appointment of sub-processors: need prior written consent of the controller
- Confidentiality: extended to all persons authorised to process the PD
- Compliance with the controller’s instructions
If a processor, in breach of the GDPR, determines the purposes and means of any
processing activity, that processor is treated as a controller in respect of that processing
- Records of processing activities: records including
- Details of the controller/processor and any representatives
- Categories of processing activities performed
- Information regarding cross-border data transfers
- A general description of the security measures implemented in respect of the processed
data
- Cooperation with DPAs
- Data security (see data controller’s)
- Data breach reporting to the data controller without undue delay
- Liability
Data subjects can bring claims directly against processors. However, a processor is liable
for the damage caused by its processing activities only where
- It has not complied with GDPR obligations that are specifically directed to
processors
- It has acted outside/contrary to lawful instructions of the controller

Security of Processing
In assessing the appropriate level of security, account shall be taken in particular of the risks that are
presented by processing, in particular from accidental or unlawful
- Destruction
- Loss
- Alteration
- Unauthorised disclosure of/ access to
of PD transmitted, stored or otherwise processed
→ DATA BREACH
● NOTIFICATION
○ In the case of a PD breach without undue delay and, where feasible, not later than 72
hours after becoming aware of it, the controller shall notify the PD breach to the
competent supervisory authority
○ Unless the PD breach is unlikely to result in a risk to the rights and freedoms of natural
persons
○ The controller shall document any PD breaches, comprising the facts relating to the PD
breach, its effects and the remedial action taken
● COMMUNICATION
○ When the PD breach is also likely to result in a high risk to the rights and freedoms of
natural persons, the controller shall communicate the PD breach to the data subject
without undue delay

Exemptions from the obligation to keep record of processing activities

● Does not apply to an enterprise or an organisation employing fewer than 250 persons, unless:
- The processing it carries out is likely to result in a risk to the rights and freedoms of the
data subject
- The processing is not occasional
- The processing includes special categories of data or PD relating to criminal offences
● According to WP29, a small organisation is likely to regularly process data regarding its
employees. Such processing cannot be considered occasional and must therefore be included in
the record of processing activities
● Other “occasional” processing activities do NOT need to be included in the record of processing
activities, provided they are unlikely to result in a risk to the rights and freedoms of data
subjects and do not involve special categories of data or PD relating to criminal offences
● WP29: a processing activity can only be considered as “occasional” if it is not carried out
regularly and occurs outside the regular course of business/ activity of the controller/processor

DPIA (Data Protection Impact Assessment)

● WP29: a DPIA is a process designed to:
- Describe the processing
- Assess the necessity and proportionality of a processing
- Help manage the risks to the rights and freedoms of natural persons resulting from the
processing of PD (by assessing them and determining the measures to address them)
● DPIA are important tools for accountability, as they help controllers to comply with GDPR
requirements and to demonstrate that appropriate measures have been taken to ensure
compliance → a process for building and demonstrating compliance
● The controller shall carry out, prior to the processing, an assessment of the impact of the
envisaged processing operation on the protection of PD
● A DPIA shall in particular be required in the case of
● Supervisory authorities shall establish and make public a list of the kind of processing
operations which are subject to the requirement for a DPIA and of the kind of processing
operations for which no DPIA is required

DPO (Data Protection Officer)

Who?
● The DPO shall be designated on the basis of professional qualities and, in particular, expert
knowledge of data protection law and practices and the ability to fulfil the tasks provided by
Art. 39 GDPR
● May be a staff member of the controller/ processor, or fulfil the tasks on the basis of a service
contract
● Controller/ processor shall publish the contact details of the DPO and communicate them to the
supervisory authority

Designation
● Controller/ processor shall designate a DPO in any case where
○ The processing is carried out by a public authority or body, except for courts acting in
their judicial capacity
○ The core activities of the controller/ processor consist of processing operations which, by
virtue of their nature, scope and/or purposes, require regular and systematic monitoring
of data subjects on a large scale
○ The core activities of the controller/processor consist of processing on a large scale of
special categories of data and PD relating to criminal convictions and offences
● In cases other than those in which the designation is mandatory, the controller/ processor/
associations and bodies representing categories of controllers and processors may or, when
required by EU/ national law, shall designate a DPO
● The DPO may act for such associations and other bodies representing controllers/ processors

Position of the DPO

● Controller/ processor shall ensure that the DPO is involved, properly and in a timely manner, in
all issues which relate to the protection of PD
● Controller/ processor shall support the DPO in performing the relevant tasks by providing
resources necessary to carry out the same and access to PD and processing operations, and to
maintain his/her expert knowledge
● Controller/ processor shall ensure that the DPO does NOT receive any instructions regarding the
exercise of those tasks. DPO shall NOT be dismissed or penalised by the controller/ processor
for performing his/her tasks. DPO shall directly report to the highest management level of the
controller/ processor
● Data subjects may contact the DPO with regard to all issues related to processing of their PD
and to the exercise of their rights under the GDPR
● DPO shall be bound to secrecy or confidentiality concerning the performance of the tasks
● DPO may fulfil other tasks and duties. The controller/ processor shall ensure that any such tasks
and duties do not result in a conflict of interests

TRANSFERS of PD to third countries

● ADEQUACY DECISION
○ Transfer of PD to a third country may take place where the Commission has decided that
the third country or international organisation in question ensures an adequate level of
protection
○ Such transfer shall NOT require any specific authorisation
● APPROPRIATE SAFEGUARDS
○ In the absence of an adequacy decision, a controller/ processor may
transfer PD to a third country only if the controller/ processor has provided appropriate
safeguards, and on condition that enforceable data subject rights and effective legal
remedies for data subjects are available
○ Examples
- Standard contractual clauses: Commission has the power to decide that certain
standard contractual clauses offer sufficient safeguards as required by the GDPR
- Binding corporate rules: rules adopted by the competent supervisory authority as
internal rules for data transfers within multinational companies. They are like a
code of conduct
● DEROGATIONS FOR SPECIFIC SITUATIONS
○ In the absence of an adequacy decision, or of appropriate safeguards, a transfer of PD to
a third country shall take place only on the specific conditions provided by Art. 49 (e.g.
explicit consent of the data subject)
○ Even where none of these conditions applies, a transfer may take place only if
■ The transfer is not repetitive
■ concerns only a limited number of data subjects
■ is necessary for the purposes of compelling legitimate interests pursued by the
controller which are not overridden by the interests, rights and freedoms of the
data subject, and
■ The controller has assessed all the circumstances surrounding the data transfer and
has on the basis of that assessment provided suitable safeguards with regard to the
protection of PD

Penalties
● Three possible layers:
○ Criminal penalties
○ Administrative fines
○ Appropriate measures, reprimand
● Recital 148: “Due regard should be given to the nature, gravity and duration of the infringement, the
intentional character of the infringement, actions taken to mitigate the damage suffered, degree
of responsibility or any relevant previous infringements, the manner in which the infringement
became known to the supervisory authority, compliance with measures ordered against
controller/ processor, adherence to a code of conduct and any other aggravating or mitigating
factor”
● Infringements of the following provisions shall be subject to fines up to 10M€, or up to 2% of
the total worldwide annual turnover of the preceding financial year, whichever is higher
- Obligations of the controller and the processor
- Obligations of the certification body
- Obligations of the monitoring body
● Infringements of the following provisions shall be subject to fines up to 20M€, or up to 4% of
the total worldwide annual turnover of the preceding financial year, whichever is higher
- Basic principles for processing, including conditions for consent
- Data subject’s rights
- Transfers of PD to a recipient in a third country or international organisation
- Any obligation pursuant to MS law (e.g. “freedom of information” exception)
- Non-compliance with an order, or limitation on processing, or the suspension of data
flows by the supervisory authority, or failure to provide access to the same
- Non-compliance with an order by the supervisory authority

BIG DATA AND GDPR

Big Data Protection

● “... means a dynamic and multi-disciplinary approach with concerted action on an
international scale”, European Data Protection Supervisor 2015
● Problems with the regulation of big data:
- There is no single exact definition of “big data”
- The big data process occurs at 3 different connected levels: collection, analysis and use
- Big data is not an isolated phenomenon, but a development correlated with technical,
social and legal developments
● WP29 opinion on big data impact
○ It raises social, legal and ethical questions → concerns for privacy and data protection
rights
○ The benefits of big data analysis may be reached only on condition that corresponding
privacy expectations of users are appropriately met and their data protection rights are
respected
○ Big data challenges might require innovative thinking on how some of these and other
key data protection principles are applied in practice
○ Key issues:
- Purpose limitation
- Anonymization techniques
- Legitimate interest
- Necessity and proportionality principles
○ International cooperation with relevant regulators
○ Complying with the data protection framework is key to create and maintain the trust
needed by stakeholders to develop a stable business model based on the processing of PD
○ Compliance and investment in privacy-friendly solutions is essential to ensure fair and
effective competition btw economic players on relevant markets. In particular, upholding
the purpose limitation principle is necessary to ensure that companies which have built
monopolies or dominant positions before the development of big data technologies hold
no undue advantage over newcomers to these markets
● Not all big data necessarily raise issues for data protection, whether they fall in the scope of the
GDPR regime depends on the nature of the data involved in each specific case
- Personal → GDPR applies
- Non-personal → outside GDPR scope
○ But the definitional boundaries btw personal and non-personal data are blurred, considering
also that most businesses process a mix of personal and non-personal data in their
databases (“mixed”)
○ PD can be turned into non-PD through anonymisation, but it depends on the context in
which the data are processed and the capacity of the relevant organisation to combine the
data in question with other data

BIG DATA vs. GDPR

1. Principle of “fairness and transparency”
● Requires the controller to provide info to individuals about its processing of their data,
unless the individual already has this info
● In a big data context, transparency can become particularly challenging and implies that
“individuals must be given clear information on what data is processed, including data
observed or inferred about them; better informed on how and for what purposes their
information is used, including the logic used in algorithms to determine assumptions and
predictions about them”
● Reconcile the use of complex algorithms and their decision-making processes with the
acquisition and re-use of PD
→ Transparency Paradox
2. Legal grounds for processing
● Finding the most adequate legal ground to permit the processing in the context of big
data analytics may prove difficult, as the conditions are stringent and may limit or
prohibit certain processing activities
● Thorough assessments may enable finding the most appropriate processing ground, while
having to demonstrate the reasoning of processing (accountability principle)
3. Principle of purpose limitation
● Requires PD to be collected and processed for specified, explicit and legitimate purposes
● PD cannot be further processed in a way which is incompatible with the original
purposes of collection
● In a big data context this may become difficult because “at the time PD is collected, it
may still be unclear for what purpose it will later be used. However, the blunt statement
that the data is collected for any big data analytics is not a sufficiently specified
purpose”
4. Data minimization
● PD must be adequate, relevant and limited to what is necessary in relation to the purposes
for which they are processed
● The concepts of data minimisation and big data are at first sight opposed → “the
perceived opportunities in big data provide incentives to collect as much data as possible
and to retain this data as long as possible for yet unidentified future purposes”
5. Accuracy
● PD must be accurate and, where necessary, kept up-to-date
● “Big data applications typically tend to collect data from diverse sources, and without
careful verification of the relevance or accuracy of the data thus collected”
● Accuracy of raw data + accuracy of the inferences drawn from the data
6. Difficulty to distinguish btw different categories of data
● Data controllers implement big data analytics to find correlations and models by
processing vast amounts of data. This approach leads to finding correlations between
different types of data, e.g. raw data and PD
● The distinction btw PD and particular categories of data tends to fade. Due to
unpredictable outcomes of automated decision-making processing or the merger of
different datasets, data controllers could end up processing information falling under the
scope of “particular categories of data” even if they initially relied solely on PD
7. Storage limitation
● PD must be kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the PD are processed → GDPR does not
specify the exact data retention periods given that these are context-specific
● The principle may undermine the predictive ability that is one of the opportunities of
big data analytics, precisely because algorithms compare current data with stored
past data to determine what is going to happen in the future
8. Integrity and risks involved with management of large quantities of data
● The greater the processing, the greater the risk involved in handling it (e.g. storage/ accuracy)
● The principle of integrity requires data controllers to set appropriate safeguards to mitigate
the risks arising from potential data breaches
9. Transfer of data across jurisdictions
● Communication and transfer of data across borders, where third-party data controllers
and authorities may exercise their powers or interests to use the transferred PD for
different purposes, including law enforcement and security purposes
10. Automated decision-making
● Prohibition of automated processing undermines big data initiatives
● Even where exceptions are met (i.e. limited human intervention), specific disclosures
calling for human response to machines’ decisions are still required → interpretability
requirement
● Human intervention may further burden the automated process and hinder innovative
technologies
● Core GDPR principles are in contradiction with some of the key features of big data analytics
● Rethinking some processing activities and IT developments may help comply with GDPR
principles, for instance by having well-managed, up-to-date and relevant data, improving data
quality and thus contributing to the analytics

Open questions:
- Will the GDPR ensure an adequate balance between the protection of individual privacy and the
interests to extract value from big data and promote innovation and competitiveness?
- Should big data initiatives be regulated ad hoc?
- Is a static concept of PD still relevant in today’s technological environment?

e-PRIVACY DIRECTIVE AND THE CYBERSECURITY FRAMEWORK

e-Privacy def: the exchange of info through public electronic communication services, such as the
internet and mobile and landline telephony and via their accompanying networks, requires specific
rules and safeguards to ensure that service and network users’ right to privacy and confidentiality
is respected

e-PRIVACY DIRECTIVE
● The Electronic Privacy Directive (2002/58) was drafted specifically to address the requirements
of new digital technologies, ease the advance of electronic communications services and create
favourable market conditions for the digital economy
● The subject of the directive is the “right to privacy in the electronic communications sector” and
“free movement of data, communication equipment and services”
● It was designed to complement the data protection rules and other rules on telecoms
● Scope of application
○ It also protects the interests of legal persons, unlike the GDPR
○ It applies to processing of PD in connection with the provision of publicly available
electronic communications services in public communications networks
○ Does NOT apply to activities outside the scope of EU law, or concerning public security,
defence and State security and the areas of the State in criminal law
○ Note: e-Privacy rules under the directive only cover traditional telecom providers, not
other services like Skype, WhatsApp, Gmail, etc.
● It sets out rules to
- Ensure security in the processing of PD (including the notice for data breaches)
- Ensure confidentiality of communications
- Introduce safeguards in the processing of traffic data
- Ban unsolicited communications where the user has not given consent
● Key provisions
○ Providers must secure their services by at least
- Ensuring PD are accessed only by authorised persons
- Protecting PD from being destroyed, lost or accidentally altered and from other
unlawful/ unauthorised forms of processing
- Ensuring the implementation of a security policy on the processing of PD
○ Service providers must inform the national authority of any PD breach within 24 hrs.
Individuals must also be informed if the PD is likely to harm their privacy, unless
specifically identified technological measures have been taken to protect the data
○ EU MSs must ensure the confidentiality of communications made over public networks,
in particular they must:
- Prohibit the listening, tapping, storage or any type of surveillance/ interception of
communications and traffic data without the consent of users, except where there
is a legal authorisation and in compliance with specific requirements
- Guarantee that the storing of/ access to info on users’ personal equipment is
permitted only if the user has been clearly and fully informed of the purpose of
access and has been given the right of refusal
- When traffic data are no longer required for communication/ billing, they must be
erased or anonymized. These data may be processed for marketing purposes as
long as the user gives consent that can be withdrawn at any time
○ Prior user consent is required in a number of situations
- To send unsolicited communications (spam)
- To store information (cookies) on users’ devices or to obtain access to that info
- For the appearance of telephone numbers, email addresses or postal addresses in
public directories
○ EU MS are required to have a system of penalties including legal sanctions for
infringements of the directive
○ Scope of the rights and obligations can only be restricted by national legislative measures
when such restrictions are necessary and proportionate to safeguard specific public
interests, such as to allow criminal investigations or to safeguard national security

● Relationship with GDPR
○ GDPR gives effect to Art. 8 EU Charter (right to data protection) vs. e-Privacy
Regulation to Art. 7 EU Charter (right to privacy and respect for private life)
○ e-Privacy Regulation is intended to complement and enhance the GDPR rules
○ e-Privacy constitutes lex specialis to GDPR
● The Directive was amended in 2009, but a lot has changed since then.

● Proposed e-Privacy Regulation: key provisions
○ Set out to replace the e-Privacy Directive and specify GDPR
○ “New” providers are covered to ensure they guarantee the same level of confidentiality of
communications as traditional telecoms operators → OTTs communications services
○ The same rules and level of protection will directly apply across the EU

The European Electronic Communications Code

● Established by Directive (EU) 2018/1972
● Provides a set of rules to regulate electronic communications networks, telecom services and
associated facilities and services
● Sets out tasks for national regulatory authorities and establishes a set of procedures to ensure
that the regulatory framework is harmonised throughout the EU
● Aims to stimulate competition and increased investment in 5G and very high capacity networks,
to achieve high quality connectivity, a high level of consumer protection and an increased
choice of innovative digital services

CYBERSECURITY
● Ensures the security of network and information systems. It consists of the protection of
internet-connected systems, including hardware, software and data, from different types of
cyber attacks
● Challenges
○ Fundamental rights and freedoms
○ Internet and network integrity
○ Control by multiple entities
○ Shared responsibility
● EU strategic priorities on cybersecurity
○ Cyber Resilience
■ EU approach (European Critical Infrastructures Directive):
- Economic logic → develop a secure information society for all
- Security logic → protecting critical infrastructure against terrorist attacks
■ Note: e-Privacy and data protection frameworks provide relevant requirements to
manage risks, security requirements, reporting obligations for security or data
breaches
○ Drastic reduction of cybercrime
○ Develop cyber defence policy and capabilities
○ Develop the industrial and technological resources for cyber security
○ Establish a coherent international cyberspace policy
● Cyber Crime
○ One of the fastest growing types of crime: high-profit and low-risk by exploiting
anonymity of website domains. It can severely hamper the economy and national/
regional plans of economic growth
○ EU approaches in parallel with information society strategies → promoting
public-private partnership
○ The European Law Enforcement Agency (EUROPOL): central role as a platform for
providing data and identifying offenders and offences and exchange of best practices
between MS
○ Emphasis on common definition of cybercrime, common incriminations and introducing
EU enforcement mechanisms
○ Procedurally, the focus is on criminal law and improved cooperation between law
enforcement agencies
○ The Directive on combating the sexual exploitation of children online and child
pornography sets out minimum rules concerning the definition of criminal offences
○ The Directive on attacks against information systems, with a focus on penalising the
exploitation of cybercrime tools, in particular botnets, sets out minimum rules on the
definition of criminal offences and sanctions, to facilitate prevention and improve
cooperation between competent authorities

EU Agency for Network and Information Security (ENISA)


● Established by EU Regulations 460/2004 and 526/2013, repealed by the Cybersecurity Act
● Provides practical advice for the public and private sector in EU countries and for the EU
institutions, including:
- Organising cross-Europe cyber crisis exercises
- Assisting in the development of National Cyber Security Strategies
- Promoting cooperation between computer emergency response teams and capacity building
● Supports drafting of EU policy and law on network and information security
● Maintains a network of private and public stakeholders
● Works closely on joint research and communication activities
● Supports other EU agencies

The NIS Directive (Directive 2016/1148)


● Broad set of measures to boost the level of security of network and information systems to
secure services vital to the EU economy and society
● Aims to ensure that EU MS are well prepared and ready to handle and respond to cyberattacks
through:
- Designation of competent authorities
- Set-up of computer-security incident response teams (CSIRTs)
- Adoption of national cybersecurity strategies
● Establishes EU-level cooperation at strategic and technical level
● Introduces the obligation on operators of essential services and digital service providers to
take appropriate security measures and to notify the relevant national authorities of serious incidents

The EU Cybersecurity Act 2017


● Enters into force on 27th June 2019
● The EU market is globally one of the largest for the consumption of ICT products, and the EU
cybersecurity certification system may become a global model for the certification sector
(estimated turnover of 250 billion USD in 2023)
● Cybersecurity management model based on political paradigms opposed to technoliberalism and
digital authoritarianism → the European “third way”
● Given the EU’s role as an international regulatory power, if it successfully maintains and
innovates its cybersecurity certificates, European companies could acquire important
positions in the tech and digital sectors worldwide
