Data Protection - Lecture Notes

Lecture 1: Data Protection – Why do we care?

Why do we care about data protection & privacy?

- Three ways of discovering the why:
  - History of both rights
  - Define both and unpack what is behind it
  - Cases
History of the right to privacy

- No legal definition
- Also not defined in case law
- But indications from courts:
  - US Supreme Court: “reasonable expectation of privacy” -> what is the expectation of the person in this particular situation to expect privacy? All elements come into play (such as being a criminal) -> it depends on the person (it is subjective), including the criterion “reasonable”
  - Mass data gathering (CJEU and ECtHR)
    - Bulks of data -> gathering data around other data
    - Necessity and proportionality -> even if you have sufficient suspicion of the person, the interference has to be necessary and proportionate.
    - Giving consent
- And indications from data protection authorities (DPA)
- Examples of how the right to privacy is included in legal instruments:
  - Court systems help interpret law -> mostly US- and EU-dominated.

Example: right to privacy in the Universal Declaration

- Article 29: under which conditions the right to privacy can be legally interfered with/breached.
  -> It should be determined by law under which conditions your privacy can be breached -> there is a higher good that needs to be protected.
- Problematic: we have not defined privacy -> why is it not defined? -> privacy is subjective (it differs from person to person, with technological development, with location/time, but also with living situations)
- Privacy depends on time, location (the difference between Europe and the US, for example), and evolution -> how it is framed -> in Europe we see privacy as a human right.
- Privacy is not defined for a very good reason.

Example: right to privacy in ECHR

- Article 8:
  - Privacy is protected, but not defined.

Example: right to privacy in US Bill of Rights

- Fourth Amendment:
  - Strong influence of criminal law.
  - Warrant -> the traditional authorization that makes it legitimate (to interfere with your privacy?)
  - Still no definition of privacy

So what is the right to privacy?

- Origins of the right are focused on:
  - No arbitrary interference (by public authority!)
  - Not defining what “private” or “privacy” mean
- US Fourth Amendment
  - Does not mention “private” or “privacy”
  - Limited to criminal investigations
Academic definition of privacy

- 1890 Harvard Law Review
- Samuel Warren & Louis Brandeis
- The right to privacy is
  - “The right to be let alone”
  - In other words, it is none of your business -> it is my right to talk about preferences, lifestyle or hobbies, for example.
  - The right covers the heart of privacy and keeps its validity over time.
  - It is not a legal definition, but rather an academic definition (you will not find it in any law) -> there is a difference between legal and academic.
- Broader than just government interference
- Applicable even in a digital world

Data protection

- Protection of personal data
- Personal data:
  - Any information
  - that identifies or enables to identify -> “singling out”
  - an individual
  - Singling out the person from a whole population
  - A combination of data that is connected to one individual and sufficient to call out someone from the whole population.
  - IP addresses: make a distinction between dynamic IP addresses (these change) and static IP addresses (these point to an individual), which may be personal data but may be used by just one individual or by a whole household -> therefore, in the case of IP addresses, it depends on the conditions whether it concerns personal data.
- Can overlap with privacy but is a different right in the EU
- Difference between information that singles you out or not
- Since 2009 -> take the two apart (the right to privacy as a separate human right?)
  - Right to data protection
- Before 2009 and outside the EU: included in privacy

Example: EU Charter

- Article 7 – Respect for private and family life
  - Everyone has the right to respect for his or her private and family life, home and communications
- Article 8 – Protection of personal data
  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.
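The “singling out” test from the personal-data definition above (one combination of attributes sufficient to call out one person from the whole population, with the shared-household IP address as the borderline case) can be run mechanically over a data set. The script below is an added example and is not part of the lecture notes; the population, names, postcodes and IP addresses in it are constructed (the 203.0.113.0/24 range is a documentation range, not real hosts). It groups records by a chosen set of quasi-identifiers and reports which combinations match exactly one individual.

```python
"""Singling-out check over a small constructed population.

A record is personal data when the combination of its attributes is
sufficient to call out one individual from the whole population. We group
the population by a chosen set of quasi-identifiers and report which
combinations match exactly one person (k-anonymity with k = 1 as the
failure case).
"""
from collections import Counter

# Constructed sample population (hypothetical people, documentation IP range).
# Two people share 203.0.113.7, the "whole household behind one address" case.
POPULATION = [
    {"name": "A", "postcode": "1012", "birth_year": 1985, "gender": "F", "ip": "203.0.113.7"},
    {"name": "B", "postcode": "1012", "birth_year": 1985, "gender": "F", "ip": "203.0.113.7"},
    {"name": "C", "postcode": "1012", "birth_year": 1990, "gender": "M", "ip": "203.0.113.9"},
    {"name": "D", "postcode": "1013", "birth_year": 1990, "gender": "M", "ip": "203.0.113.10"},
    {"name": "E", "postcode": "1013", "birth_year": 1990, "gender": "F", "ip": "203.0.113.10"},
]


def equivalence_classes(records, quasi_identifiers):
    """Count how many people share each combination of the given attributes."""
    key = lambda r: tuple(r[q] for q in quasi_identifiers)
    return Counter(key(r) for r in records)


def singles_out(records, quasi_identifiers):
    """Return the attribute combinations that match exactly one individual."""
    counts = equivalence_classes(records, quasi_identifiers)
    return sorted(combo for combo, n in counts.items() if n == 1)


def is_personal_data(records, quasi_identifiers):
    """True if any combination of these attributes singles someone out."""
    return bool(singles_out(records, quasi_identifiers))


if __name__ == "__main__":
    for qi in [("postcode",), ("ip",), ("postcode", "birth_year"),
               ("postcode", "birth_year", "gender")]:
        print(qi, "singles out:", singles_out(POPULATION, qi))
```

Postcode alone singles nobody out, while postcode plus birth year already does; the shared address 203.0.113.7 is not enough to single out A or B, but 203.0.113.9 points to exactly one person. Which columns count as quasi-identifiers is the case-by-case judgement the notes describe; the script only makes the consequence of that judgement visible.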

Privacy & Data Protection

- Privacy
- Data protection
  - Picture on a public square example -> relying on privacy is difficult on a public square; however, revealing your face is personal data, which can be protected by blurring your face (data protection).

Examples to illustrate the difference:

- Cambridge Analytica Facebook case
- Data retention (= data storage) by telecommunication providers for police purposes
- “Facebook papers”
  - The right to privacy is difficult on social media, but there is data protection
  - Use of personal data is easier to prove in court
A global look

- Emphasis in different parts of the world:
  - Europe: human right “within” the right to privacy
  - EU: independent human right in the Charter
  - US:
    - Personal data = commodity
    - Specific laws and self-regulation
    - The US lets the industry do it by itself and relies on integrity -> this is what the EU finds difficult.
  - African Union:
    - 2014 Convention on Cyber Security and Personal Data Protection (not yet in force)
  - China:
    - New data protection act entered into force 1 November 2021
  - India:
    - New data protection bill in preparation for years
    - Withdrawn in August 2022 over surveillance concerns
  - Brazil:
    - Revised General Data Protection Law since the start of 2020

International Legal Frameworks

- EU
  - Economic union -> this is the rationale why the EU existed in the first place: to create an economic union
  - Directives & Regulations
    -> Implemented in national law
    - Conferral principle
- Council of Europe (CoE)
  - Human Rights
  - Conventions & Recommendations
    -> Implemented after a ratification process
- UN
  - Peacekeeping & human rights -> cannot be done on a national basis -> set up for peacekeeping and human rights initiatives
  - Conventions & Resolutions
    -> Implemented after a ratification process
- These are the big three regional entities
- Difference in member size
- The EU is not the same as Europe.
- The EU is a club of 27 member states, whereas Europe is a region.
- The UN has global coverage?
- Distinctions -> differences in member size

European Union

- The EU has its own human rights instrument -> 2 basic data protection laws.

Council of Europe

- Made the mother convention

United Nations

- Universal Declaration of Human Rights
  - Does not have data protection in its competence
- International Covenant on Civil and Political Rights
- Human Rights Council
  - Special Rapporteur on the Right to Privacy, Prof. dr. Ana Brian Nougrères
  - Special Rapporteur on contemporary forms of racism, racial discrimination, xenophobia and related intolerance, Prof. dr. E. Tendayi Achiume:
    - 2 reports on racism and digital technologies and digital borders

Lecture 2: Data Protection – What are personal data?

Context

- Council of Europe
  - ECHR
  - 1981 Data Protection Convention -> lays down principles which are picked up by the EU in its own Directive in a more detailed manner -> a translation in a more legal sense?
  - 1980 OECD recommendation on privacy
  - = first comprehensive data protection convention
  - = principles for commercial & criminal matters -> any kind of information that is processed for criminal purposes is highly sensitive data -> liberty is taken away when a crime is dealt with under criminal law.
  - Criminal law -> you could be dealing with data of innocent victims or of criminals -> therefore you have to be careful with the data -> additional safeguards
- EU
  - Charter
  - 1995 Directive replaced by 2016 GDPR
  - = more detailed rules based on principles
  - = only for commercial matters -> important! -> the EU just uses a different method, as you can see.
- “Misinterpreted” is a better word than “contested”, as personal data need to be defined on a case-by-case basis.
- The definition of personal data has a background
- Council of Europe -> Mother Convention
- Privacy as a right is no longer enough/sufficient to protect all these data, digital or not.
- The CoE convention was the binding convention for those states that ratified it -> only binding when states sign it and ratify it.
- Ratification is a thing to keep in mind when you hear “convention”.
- The Data Protection Convention of 1981 was the first multilateral rule for data protection?
- The GDPR is a regulation only applicable to commercial matters
- Regulation = legal instrument coming from the EU, applicable in all its aspects -> distinction with Directives, as Directives are only binding as to the goal they set out -> member states can work this out themselves, and thus this gives them more leeway.
- Countries can decide on criminal behavior by themselves? -> states can criminalize what is closely related to their cultural/religious/historical identity, for example.
  -> Criminal law from various perspectives
- We need to cooperate more in criminal matters; however, we do not want the EU to decide our criminal law?
- Directives are the instrument to use in criminal law, as these give flexibility to member states -> criminal matters
- Regulation -> tells member states what to do -> used in commercial matters, which is binding.
- The GDPR is a regulation, but if you read through it, you will find about 20 points in the GDPR where it does give flexibility to member states, which is strange for a regulation -> the GDPR is so contested that it has points that allow member states to go further than what the GDPR offers
  - The GDPR is technically a regulation, but it does not look like a regulation.

What are personal data?

Original CoE definition

- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); -> original CoE definition

Added by GDPR

- An identifiable natural person is one who can be identified, directly or indirectly,
- in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
  - Location data, which is an online identifier

Comparing definitions of personal data of your countries

- Angola -> the scope is about the same as the EU’s
- Aruba -> does not need to identify the person; however, the data need to be associated with the person -> broadening the scope.
- Ghana -> completely different -> touches upon the recording and processing rather than identifying the person.
- Indonesia -> combining personal data with other data -> more data being generated on a minute-by-minute basis, which is more applicable as we live in a digital world, which was not the case 20 years ago.
- Suriname -> emphasizes a living person, so not people who have passed away? -> where do we draw the line for these persons? -> remaining discussions whether it should be extended, last forever etc.; it is an ethical discussion.
- Syria -> no law adopted for privacy at the moment; it is implemented in other laws?
- Vietnam -> they go the same way as Aruba -> similar definition ‘associated with’; however, they also mention professions as an example (which is not part of the definition).
What are personal data?

- What is “personal”?
  - Natural persons = human beings
  - Only living natural persons?
  - Legal persons = companies, NGOs, associations, …
  - CoE and EU: only natural persons
  - National laws can expand to legal persons
  - Court of Justice in 2010 (Schecke case): legal persons have a right to data protection when their title refers to one or more natural persons. -> personal data of the company or personal data of the founders of the company? -> legal information behind the company -> data protection by proxy, and not per se of the legal person, but of the information behind the legal person.
  - Germany and Norway have some case law on that?

Identify or enable to identify

- Direct: no effort or resources required
- Indirect: assessed based on
  - The likelihood of availability of
  - Reasonable means of identification, and the -> there is some proportionality in “reasonable” -> enable to identify?
  - Likelihood of them being administered by foreseeable data users, including third-party information. -> foreseeable: how foreseeable is it that someone still uses an old-fashioned phonebook, for example?
- Considering 4 factors: -> needed to identify a person
  - Time
  - Effort
  - Resources
  - Technical state of the art -> accessibility of technologies in the time we are living in? -> such as facial recognition
- All these 4 factors on a case-by-case basis! -> one cannot just say in general whether data are personal data or not; therefore look at the circumstances of the case.

Examples for discussion

- Example 1:
  - A retired citizen is frustrated with speeding cars in his street and installs cameras photographing license plates of speeding cars.
  - It is not necessarily the owner of the car who is driving it -> a citizen cannot link the person to the license plate -> the likelihood of knowing the person is very low.
- Example 2:
  - A local authority is frustrated with speeding cars in the streets and installs cameras photographing license plates of speeding cars.
  - How likely would it be to find a person based on a license plate?
  - Identifying people from pictures without them being a public figure -> how likely would it be to find the person without people having public profiles on the Internet?
  - A local authority would have the power to consult the database.

Example from case law

- EU Court of Justice (2003), Lindqvist case:
  - Non-commercial website
  - Mentioning a community member who had injured her foot, and was subsequently working half-time on medical grounds
  - This was not a commercial website, and there was a big exception in data protection? -> everything you do in a household does not fall under these data protection rules. -> is it a household activity or commercial? -> it wasn’t both.
  - There was no consent in this case.
  -> CJEU: the information is identifiable enough to constitute personal data concerning health

In-house example

- Classroom scanners -> counting how many people entered the classroom -> filming everyone coming in and out of the classroom and counting them -> led to interesting situations, as lecturers and students were not informed.
- Privacy settings were set to blur the faces of the students, but the scanners recognized the bodies/clothing, which are identifiable.
  - Point: even if you blur someone’s face, you can still identify the person. -> violation because of necessity and proportionality -> there needs to be a link between the data collection method and the necessity of the invasive means -> less invasive means could have been used to achieve the same goal.
- The “marathon method” would be sufficient and is less invasive to achieve the same goal.
- It is a discussion between experts and very emotional.

Identification and security

- Masking techniques:
  - Anonymization:
    - Cutting out the identifying factor
    - Irreversible and permanent -> no longer personal data
  - Pseudonymization:
    - Separating the identifying factor -> this happens with Brightspace, for example, so it is not fully anonymous but reveals student names after grading everything/everyone?
    - Reversible and (potentially) temporary -> data remain personal data
    - Means there is identification, but it can be reversed?
  - Authentication:
    - Having the correct identity for the purpose of access rights -> are you who you say you are?
- If you can be singled out -> something is personal data?
  - Therefore, it needs to be assessed on a case-by-case basis, as it always depends on the circumstances.
- Surfing behavior as personal data, which is often discussed in courts.
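The difference between the two masking techniques above (pseudonymization is reversible because the identifying factor is kept elsewhere; anonymization is irreversible because it is cut out) is easiest to see on data. The script below is an added example, not from the lecture notes and not a description of how Brightspace or any other product works. The student records and the link key are constructed; the pseudonymization method (a keyed hash, with the re-identification table and key assumed to be stored apart from the pseudonymized set) is an assumption chosen for the example, not the only possible one.

```python
"""Pseudonymization versus anonymization on a constructed grade list.

Pseudonymization replaces the name by a token and keeps the token -> name
link in a separate table; whoever holds that table (or the key) can
reverse it, so the output is still personal data. Anonymization drops the
name, generalizes the rest, and suppresses any group that still points to
a single person; there is nothing left to reverse.
"""
import hashlib
import hmac
from collections import Counter

# Constructed records (hypothetical students and values).
RECORDS = [
    {"name": "Alice Example", "course": "DP101", "grade": 8, "birth_year": 1999},
    {"name": "Bob Example",   "course": "DP101", "grade": 7, "birth_year": 1998},
    {"name": "Carol Example", "course": "DP101", "grade": 5, "birth_year": 2001},
    {"name": "Dan Example",   "course": "DP101", "grade": 6, "birth_year": 2000},
    {"name": "Alice Example", "course": "DP102", "grade": 9, "birth_year": 1999},
]

# Assumption: the controller stores this key apart from the pseudonymized set.
LINK_KEY = b"separately-stored-secret-for-the-example"


def pseudonymize(records, key):
    """Replace names by keyed tokens; return (tokenized records, re-identification table)."""
    table = {}
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        table[token] = r["name"]          # the separated identifying factor
        out.append({**r, "name": token})  # same token for the same person -> still linkable
    return out, table


def reidentify(pseudonymized, table):
    """Reverse the pseudonymization with the separately held table."""
    return [{**r, "name": table[r["name"]]} for r in pseudonymized]


def anonymize(records, min_group=2):
    """Cut out the identifier, generalize, and suppress groups of fewer than min_group."""
    generalized = [
        {"course": r["course"],
         "grade_band": "pass" if r["grade"] >= 6 else "fail",
         "birth_decade": r["birth_year"] // 10 * 10}
        for r in records
    ]
    counts = Counter(tuple(sorted(g.items())) for g in generalized)
    # A generalized row shared by only one person would still single that person out.
    return [g for g in generalized if counts[tuple(sorted(g.items()))] >= min_group]


if __name__ == "__main__":
    pseudo, table = pseudonymize(RECORDS, LINK_KEY)
    print("pseudonymized:", pseudo)
    print("re-identified:", reidentify(pseudo, table) == RECORDS)
    print("anonymized:", anonymize(RECORDS))
```

The pseudonymized list still shows that the same student sits in both courses (same token twice), which is exactly why it remains personal data. The anonymized list keeps only the one generalized row that two people share; the other three rows are suppressed because each would still point to a single person, the singling-out problem from earlier in the lecture.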

Other types of data

- Content data -> the content of an email, for example
- Subscriber data -> your data as a subscriber to a specific phone plan, for example, which someone can provide.
- Traffic/location or metadata -> these are often put in the same mix, which is metadata, meaning data about data; it also includes traffic (communication traffic) or location data (what kind of servers have been used in the process of communication?) -> are metadata in need of protection due to the increase in the data we generate?
  - Metadata on a picture, for example: if you swipe up on a picture on an iPhone you see the resolution, location, the pixels, and maybe the time the picture was taken and with which device = metadata -> the combination of metadata can create a big picture of our lives
  - Can metadata be qualified as personal data?

Metadata

- Schneier on Security (see slide)
  - He said in 2013 that metadata equals surveillance -> so many metadata are generated as we live our lives online -> with enough metadata you hardly need any more content data? -> it can be sufficient to identify a person, depending on the circumstances.

Metadata

- UN High Commissioner for Human Rights, judge Navanethem Pillay (2014):
  - “In a similar vein, it has been suggested that the interception or collection of data about a communication, as opposed to the content of the communication, does not on its own constitute an interference with privacy.
  - From the perspective of the right to privacy, this distinction is not persuasive. The aggregation of information commonly referred to as “metadata” may give an insight into an individual’s behaviour, social relationships, private preferences and identity that go beyond even that conveyed by accessing the content of a private communication.”
  - She was early in warning about the identification power metadata can have.
- European Commission (2017) in the proposal on the e-privacy directive:
  - “metadata derived from electronic communications may also reveal very sensitive and personal information. These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.”
  - You can easily put habits in here, such as surfing behavior -> those can give away a lot.
- ECtHR Big Brother Watch et al. (2021) case:
  - Bulk data gathering is not per se illegal -> it can be allowed under some circumstances, such as necessity and proportionality.
  - The data gathering procedure needs to be assessed in full -> the argument the ECtHR usually has: look at the entire picture?
  - No conclusion on the status of metadata -> that was also at stake here; the court’s ruling disappointed on that -> still not a clear position whether metadata should be protected as personal data.

(see slide of tweets etc.)

- Location data: how you could make a list of which smartphones were present at exactly the rally at that particular date/moment.
  -> first, a phone is only one data point, as it does not have to be with you.
  -> secondly, the fact that you were there does not mean that you were participating in the violence.
- All based on metadata -> the role metadata can play in an investigation like this.

Other types of data

- Surfing behavior
- Shopping behavior
- Open-source data -> just because it is open source does not mean that it is fair game; it does not mean that these data are not identifiable/do not identify people.
- The cartoon explanation: nobody knows you are a dog; however, based on your behavior it can be revealed what/who you are.

Sensitive personal data

- Some data are in need of further protection
- 2 approaches:
  - Closed list of special categories:
    - EU and CoE
    - Brazil
    - Angola
    - Mexico
    - …
  - Open definition of sensitive data: China

Comparing definitions

- Chinese Personal Information Protection Law (PIPL):
  - Sensitive information means “personal information that once leaked or illegally used may cause discrimination against individuals or grave harm to personal or property security, including information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, etc.”

Comparing definitions of sensitive personal data of your countries

- Angola -> includes private life and philosophical, which is confusing
- Aruba -> is on the same track
- Indonesia -> also includes financial data as sensitive personal data, to give them an extra layer of protection.
- Mexico -> banking information and signature are additionally protected; signatures specifically.
- Thailand -> any data which may affect the data subject in the same way -> open-ended list -> room to expand it.
What is processing?

- GDPR:
  - ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  -> it is basically everything, and it does not necessarily need to be automated or digital
- Automated processing
  - Automated means: computer, router, mobile phone, etc.
- Non-automated (manual) processing needs protection if:
  - Data is structured, and
  - Accessible by certain criteria
- Processing activities:
  - Every organization processes data
  - Inventory of data processing activities:
    - Which data (personal data or not personal) -> applicable legal instrument
    - What is the PURPOSE of the data processing? -> the goal
      o = aim/reason for processing
      o the purpose is key here; it determines everything you are allowed to do with the data -> purpose limitation?
    - Purpose should be:
      o Specified -> Vodafone needs personal data to make you pay for the service, for example.
      o Explicit -> so it cannot be a guessed/assumed purpose
      o Legitimate -> it cannot be an illegal purpose
    - Foreseeability = legal certainty = informed choices
- You as a citizen have the right to know the purpose, so you know what you are consenting to -> consent is not the only basis for data processing.
- Do you have a right to complain when no processing has taken place?
  - Belgian DPA case (2021):
    - Electronic ID card required for a loyalty card in a shop
    - DPA:
      o Disproportionate collection of data
      o No free consent
    - Court of Commerce: there was no processing of data
    - Court of Cassation: no need for processing of data to complain
  - You do not have to go as far as having your data processed before you can complain?
Data Breach – comparing definitions

- GDPR:
  - A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- India Data Protection Bill (withdrawn):
  - An unauthorized or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal;
- Data breaches should be reported, but that does not always happen -> e.g. leaving things on the printer/copy machines

Data Breach – US definitions

- California
  - Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person, business, or agency.
  - Only computerized data
  - Pretty limited scope
- Colorado:
  - Security breach means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity. Good faith acquisition of personal information by an employee or agent of a covered entity for the covered entity’s business purposes is not a security breach if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.
  - Limited to unencrypted?
  - Good faith -> then it is okay -> making a large exception based on good faith
- Hawaii
  - Incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.
- Idaho:
  - Illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one or more persons maintained by an agency, individual or a commercial entity.
- Kentucky:
  - Unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality or integrity of personally identifiable information maintained by the information holder as part of a database re multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any KY resident.
  - Limited to identity theft and/or fraud -> which is very old-fashioned
- Even in the US it is on a state-by-state basis -> they do not agree.


Lecture 3: Data Protection – Who is involved in data protection?

Actors on different levels

- International (EU) level
  - EDPB
  - The GDPR has effect to a certain extent
- National level
  - DPA
  - States
- Organizational level
  - DPO
  - Data processor
  - Data controller
  - Talking about companies
- Citizen level
  - Data subject
  - Citizen involved

Citizen level

- Data subject = whoever is identified by the personal data
- Multiple data subjects possible
- Being a data subject without your knowledge:
  - Not necessarily with knowledge in certain circumstances, e.g. criminal investigations
  - It is not necessarily needed to have knowledge of it (the consent)?
  - Use of cookies
  - Algorithmic decision making
    - Means that algorithms are trained to understand something like human behavior, and are then trained to understand patterns in databases (and which databases do you have?) -> algorithms are used to make decisions which influence a person’s life -> banks use it, for example -> it makes things easier; however, algorithms can then decide a lot, which is a big deal -> however, the end decision needs to be made by a human, but technology is still heavily involved in decision-making.
- Several data subjects can be identified within several examples.
- A data subject = the person who is identified by personal data.

Comparing definitions in your countries

- The GDPR includes any information relating to an identified person, which is personal data? -> it relates to the natural person who is identified or identifiable.
- Copyright says who owns the right to use the picture, for example; however, Mexico says ‘belongs’, which according to the lecturer is not right: “who is in control”? -> it is, however, not clear who owns data; therefore she is not a fan of the Mexican definition.

Citizen level: Example 1:

- The service register of a car held by a mechanic or garage.
- Who is the data subject?
  - Different layers of data subjects; therefore it depends.

Example 2:

- A system of satellite location is set up by a taxi company which makes it possible to determine the position of available taxis in real time. The purpose of the processing is to provide better service and save fuel, by assigning to each client ordering a cab the car that is closest to the client’s address.
- Who is the data subject?
  - The taxi drivers could have an issue with this -> monitoring movements
  - Clients with a derivable home address -> however, you need more information about them to make them identifiable.
  - Famous people or a politician might be in the public interest? -> with famous people you have to be careful because of the element of public interest.
  - Strava -> giving away the location of a secret military base -> making a certain (running) route could also be a security hazard.
  - Downloading an app and consenting to features can make you a data subject?

Citizen level

- Data subject under the GDPR:
  - Citizens who are in the EU at the time of processing, or
  - Citizens whose data are processed by an organization established in the EU
  - Not limited to EU citizens
  - Exception for household activities! -> private social media profiles, for example?
  - Scale & frequency of data processing are criteria to decide on this
- American-based companies had to comply with EU-established rules (EU law).
  - In the shape of the territorial scope of the GDPR, citizens who are in the EU at the time of processing fall under the scope of the GDPR -> every company that collects data with a service that is targeted at EU citizens has to comply with the GDPR -> that is Google and Meta, for example -> they follow the rules of the GDPR even if they are American companies. -> However, it is not just limited to EU citizens.

Organizational level
 Data controller:  India data protection bill used the term “data fiduciary” 
fiduciary implies trust

 (Legal) person who determines the purpose and the means of the processing

 How and why?

 Data processor:

 (Legal) person who processes the data on behalf of the data controller

 makes the decisions on data?


 On behalf of  executing

- The purposes and the means


Comparing definitions

- In most countries, the definition is the same. However, the phrasing is a bit different.

Organizational level
 Depends on the data processing activity  what purpose are they using data for?

 Controller & processor can be the same organization  what are the main activities
of the organization?  mapping these activities out.

 Departments of 1 organization can each have a different role only IF they have a
separate identity

 One organization can be controller for some activities and processor for others 
that is why the mapping of different activities is so important.
Example 1:
 Google

 Google is a data processor as it provides a list of websites where your search


appears, Google just processes the data and does not control it. However, Google
has more products, such as Drive, Hangouts etc which make it another story (it
depends).

- The right answer: for the data processing activities, Google has an algorithm for
sorting the websites in the ranking  because of that algorithm, for that specific
activity, Google was considered a data controller.  For the ranking of the data
results (putting them in an order), they are a data controller.

Organizational level
• Many organizations use external processors

• Working with vendors is a potential cyber security issue!

• Contract between the two is crucial

- A clear-cut contract between the two is essential and takes quite some effort; this is what data protection lawyers are concerned with.

• Before GDPR: different responsibilities for controller & processor

• After GDPR: similar responsibilities, but the distinction remains relevant for liability purposes → We will come back to this in the coming weeks.

• Joint controllership

  • = 2 or more controllers together determine the purpose & means of processing

  • = joint responsibility for data protection

  • Specific contract is essential!

- Example: banks together managing a database of people who do not pay their dues, or people caught for money laundering → a joint controllership
Controller or processor?
• Example 2:

  • Law firm Johnson & Smith representing Apple in a dispute with 2 of its employees and processing their data in preparing for the trial

- They are representing Apple; Apple is deciding and the processing is done on Apple's own behalf.

• Example 3:

  • Law firm Johnson & Smith processing data of their own employees

- Both controller and processor
Organizational level
• Data Protection Officer (DPO) =

  • An independent
    • in content & organization → the person has their own budget and decides on the staff that they hire → no asking for money → advice needs to be independent → they cannot be fired for giving advice that the organization does not like → they have to be the bad guy once in a while → they look at the data processing on the level of the organization.

  • Advisor within the organization

  • On data protection compliance

• GDPR obliges organizations to appoint a DPO if:

  • It is a public authority that processes personal data, or

  • Core activity is regular, systematic large-scale monitoring, or

  • Core activity is large-scale processing of special categories of personal data or data related to criminal convictions/offences

- Example: Europol
National level
• Data Protection Authority (DPA) =

  • An independent → in content & organization!

  • Supervisory authority

• GDPR obliges each member state to have a DPA

• Tasks:

  • Monitoring data protection

  • Advise data subjects, controllers, governments and the public

  • Hear complaints

  • Supervise controllers and processors

  • Warn, intervene, sanction or refer to court.

Comparing definitions

- Most countries do have a DPA.

- Indonesia and Vietnam have sector-specific DPAs → a different way of organizing, per sector
National level - EU's "one stop shop mechanism"
• Clarity for companies with establishments in several member states:

  • DPA of state of main establishment = leading DPA

  • Main establishment:

    • Central administration, or

    • Location where purpose and means of data processing are decided

• Consumer protection:

  • Complaint with DPA in home state

- The one stop shop mechanism offers clarity for consumers and companies. → with which DPA do they have to comply? → the EU wanted to end these discussions → every company has a main establishment where the decisions on the purpose and means of data processing are made (not necessarily in the headquarters) → the main establishment is the part where the decisions are made → the DPA of the country where this is located will be the lead DPA. The DPA of that particular state will take the lead in any type of complaint that is filed.

- You as the data subject can go to the DPA of your own country to file a complaint against Spotify in Sweden, for example. You do not have to contact a Swedish lawyer to complain about Spotify → do it in the comfort of your own country and language. → the lead DPA for Spotify will be the Swedish one; however, your country's DPA will work together with the Swedish DPA. → You do not have to bear the burden of going to another country with a different structure you are not familiar with → so just stay in your own country and comfort.
International (EU) level
• European Data Protection Board (EDPB)

  • = EU body of all DPAs + European Data Protection Supervisor (EDPS)

  • Tasks:

    • Consistency in applying data protection rules

    • Can take legally binding decisions

    • Consultation to the European Commission on GDPR changes or on third state data transfers

    • Guidance and best practices → these are usually very interesting documents that tell us how to interpret personal data → necessity and proportionality

- EDPS = the DPA of the EU institutions/agencies

A look across the border

• United States:

- More enforcement authority

  • Federal Trade Commission:

    • Independent law enforcement authority:

      • Consumer protection in many ways, not just by enforcing data protection

    • Tasks:

      o Create industry-wide regulations;

      o Investigate and hear cases, sanction;

      o Advisory opinions and education.

  • Privacy and Civil Liberties Oversight Board:

    • Independent agency set up after the 9/11 Commission report

    • Task: balancing the fight against terrorism with the protection of privacy and civil liberties

    • Supervising data collection by NSA, CIA and FBI

Actors on different levels – Law enforcement
• International (EU) level

  • EDPB

• National level

  • DPA

• Organizational level

  • DPO

  • Data processor

  • Data controller

• Citizen level

  • Data subject

- Free movement and criminal law → police cooperation in information exchange → which is personal data

- Criminal law: states do not want to give it to the EU.

National level – Law enforcement authorities:
• 2016 Law Enforcement Directive

  • Personal data processed for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties

• Authorities involved:

  • Local and national police

  • Prosecution authorities

  • Prison/detention authorities → the management of a prison, who are dealing with a lot of data of people who are (not) convicted (yet)

- We need a separate document, as this data processing deals with much more sensitive data than you would think of. → it contains data on suspects who are not yet convicted → innocence is in play

- Law enforcement in the U.S. covers many more authorities than we are used to.

- The term "law enforcement" can mean something different in different countries. → police can be organized on the local or national level, it depends.
National level – Law enforcement authorities:
• Important to consider:

  • Identifying individual(s) is the core task

  • Highly sensitive data

  • Personal data on:

    • Suspects

      • Presumption of innocence!

    • Victims

      • Vulnerability of minors

    • Witnesses

  • General data protection principles + additional safeguards

- Communication becomes crucial in some cases.


Regional level
• Europol:

  • Receiving and analyzing data from national police authorities:

    • A lot of transferring of data

    • A lot of "connecting the dots" between data sets, potentially identifying individual(s)

  • EU police cooperation unit? → Only organized types of theft involving at least two member states

  • Tailor-made data protection regime in line with general data protection principles

  • Criticized for using large databases

- Europol is an EU agency/body → set up by all the governments of the member states, who agreed. → many movies got it wrong.

- Interpol is set up by the police itself (from the ground up: police organizations all around the world working together to connect the dots) → has to do with police cooperation and consists of police. → Interpol is competent for all crimes, but they choose to cooperate on the more serious types of crime; they are not limited by the list of crimes that Europol is.

→ differences in establishment between the two. However, neither can do anything if they are not fed information by police authorities.

- Data can only be stored for a period depending on the purpose.


Lecture 4: Data Protection – How to protect personal data
Where do you find them?
• Rules & principles → Rights

• CoE data protection convention

• GDPR and Law Enforcement Directive

• Case law and guidelines

• National laws

• Rules & principles

  • Data controllers
  (see slide for picture)

• Data processing should be:

  • Lawful

  • Fair

  • Transparent

• Based on 3 key principles:

  • Data quality & minimization

  • Purpose limitation

  • Data retention
Rules & principles
• Lawful data processing = 6 legal bases:

1. Consent by data subject → most important and most obvious

2. Necessity for contract

3. Legal obligation

4. Public interest

5. Vital interests of data subjects or others

6. Legitimate interests of data controller or third party

Rules & principles
• Consent should be:

  • Freely given

    • No form of force/influence

  • Informed

    • Controller's identity and purposes

    • Including how to withdraw consent → Giving consent = right to withdraw at any time (this means you can withdraw your consent, taking it back as you change your mind) → then, data processing becomes unlawful → need to provide information/option on withdrawing consent

    → you should know what you are saying "yes" to, which is not always entirely clear → who is asking for my data (who is the data controller?) → you need to know the identity of the controller and for what purpose the data is being processed.

    • Every organization needs an inventory of data, including the purpose why.

  • Specific

    • No general formulations of consent → "we need your consent" or "please give it, as we need your consent for (etc.)" → this is not specific

    • Split up per data processing activity

    • Making an inventory

  • Unambiguous

    • Clear on intentions of data subject to agree

    → you need to be able to be clear on your intentions concerning data processing

Example 1 – Rules & principles
(see slide)

- In this example, you cannot wait until the end to ask people for their consent → they need to be able to withdraw their consent at any time.

Rules & principles

• Consent should also be:

  • Verbal or written → verbal on the phone, for example, when a call is recorded in some way (audio recording)

    • But demonstrable by data controller

  • Affirmative act → participant needs to be actively agreeing to something, without their consent being assumed. → "dark patterns"

    • No assumptions

    • No pre-ticked boxes → this is an assumption if so.

  • Renewed if a type of processing is added

A note about dark patterns

• More than just consent to use personal data

• Form of nudging = steering people's behavior

• You still have a choice, but you are "pushed" into making a specific choice

- It is not illegal → more of a grey zone. → for example by using colors, or influencing a choice by making buttons big/small → the grey zone lies in 'influencing choice'; however, in this case it is hard for the data subject to prove that the website had an intention. → proof of intention is extremely difficult.
(see slide for the button example)
(the other slide for another example)
(another one on the next slide)
- The fourth example plays into people not understanding how it works, as cookies automatically save data about the data subject.

- Websites are getting better → seeing more 'reject all' buttons instead of having to go through all the options and manually switch them off.

Rules & principles – Bert-Jaap Koops:

• "Particularly in private and commercial contexts, individuals' consent to data processing is usually considered the main legal ground for data processing. However, consent here is largely theoretical and has no practical meaning."

• Do you agree?

- Bert-Jaap Koops is actually saying: 'why are we still bothering with these policies, as it is just a theoretical thing'.

Necessity for contract

Rules & principles – Necessity for contract
• Processing necessary to perform a contract:

  • Limited to data necessary to execute the contract

  • Overlaps partially with consent

  • E.g. buying a car, gym membership

- Gyms need your data for insurance, for example. → certain data in order to get the membership, as they have a legitimate interest in that. → partially overlaps with consent.

Legal obligation
Rules & principles - Legal obligation
• Controller needs to comply with a specific law

  • Mostly for public authorities' processing

  • E.g. paying taxes

  • Increasingly for private companies:

    • E.g. banks and anti-money laundering laws, airlines and passenger name records

- Banks are a good example to illustrate the legal obligation. → airlines as well, to indicate whether you pose a risk or have a tendency to change seats or drink too much alcohol.

Public interest
Rules & principles - Public interest
• Can overlap with legal obligation

  • E.g. public health, taxation, social security

  • Authorities need to know, for example

Vital interest of data subject or others

Rules & principles - Vital interest of data subject or others:
• Health or life of individual is at stake

  • E.g. humanitarian emergency

  • Only when no other legal basis is possible

  • Can overlap with public interest

Legitimate interest of data controller or others
Rules & principles - Legitimate interest of data controller or others:
• Only when interests and rights of data subject are not overriding

  • Reasonable expectation of data subject

  • E.g. preventing fraud, direct marketing purposes, insurance

A look across the border

• India draft bill – 7 legal bases for data processing:

(see slide)

• U.S. – No general requirement of legal basis

  • But:

    • Consent requirement only for sensitive data

    • And FTC recommendation to notify consumers of data collection and processing purposes

- These are federal rules; however, on a state basis it can differ.

- These examples show how some countries handle this; however, many countries do it differently and have a European influence (where they come from a human rights perspective).
Fair processing:
• Relationship between data subject and data controller

  → if the data controller is a powerful big company with a lot of data processing processes → it is quite interesting to look at the ethical way of processing.

• No secret processing → means that the data controller as well as the subjects need to be aware of the risks

• Awareness of risks → liability; what are the risks of data processing? → what is the risk? → having profiles on people and then making personalized advertisements for them

• Close to ethics → do you have a free choice in purchasing?

Transparent processing:
• Informing data subject (proactively)

• Explain processing in an understandable manner

  → is it understandable for the average person?

• Right to access

Data quality and minimization:

- Means: as little data as possible for the purpose should be collected.

• Data should be accurate and up to date

• Data should be adequate, relevant and limited to what is necessary

• Link to the purpose of processing

- Data minimization: only collect for the means of the purpose

- Data should fit the purpose (for example, religion does not fit the purpose of a gym membership).
Purpose limitation:
- Means: data should be collected and processed for a specific and legitimate purpose

• Data should be collected and processed for a specific, explicit and legitimate purpose

• They should only be processed for the original purpose or a purpose compatible therewith

• Assessing compatibility:

  • Relationship between both purposes

  • Reasonable expectation of data subject

  • Impact of further processing on data subject

  • Presence of additional safeguards → how much protection is on the data? (encryption, for example) → secondary data protection purpose → whether purpose limitation is expected or not?

- For example: what is the link between the original purpose and the secondary purpose of the project? → there is no link, for example → is there a reasonable expectation of the data subject that a gym needs to know your relation? No → the reasonable expectation is a guideline (something the U.S. Supreme Court came up with and Europe got influenced by, as they incorporated it in the data protection law?).

Example 1:
• A customer contracts an online retailer to deliver an organic vegetable box each week to their home. After initial 'collection' of the customer's address and banking information, these data are 'further processed' by the retailer <..>

Example 2:
(see slide)
Data retention:
• Data should be stored only for as long as is necessary for the purpose

• Longer storage = more chance of misuse

• Can be stored longer if anonymized (taking the identifying factor out permanently) → if you remove the identifying factor

- The longer you store them, the higher the risk that the data is used for other purposes or becomes the subject of a data breach.

- How long is this data stored? (An Alexa command to play music, for example: for how long is it saved, as once the music is done the purpose is done as well?) → then the data should not be retained any longer.

Exceptions
• Right to data protection can be breached if it is:

  • Legal → it should be in the law, it should be accessible and foreseeable.

  • Necessary

    • Direct link between data and purpose → direct link between collected data and the purpose it is processed for.

  • Proportionate (goes together with necessity)

    • Intertwined with necessity

    • Goal cannot be achieved with less intrusive means → you can also use sensors instead of cameras, for example.
Rights
Withdrawing consent:
• Data subject must know how → know how to withdraw consent

• Can be done at any time

• With no negative repercussions

• Data processing before withdrawal remains lawful → this can be recorded, for example → important to register exactly when these things happen.

Right to have data erased or corrected

- A.k.a. "the right to be forgotten"

• On several grounds:

  • Data are no longer necessary for purpose

  • Consent was withdrawn (and no other legal basis available)

  • Data are otherwise unlawfully processed

• Court of Justice: 2014 Google Spain vs Mario Gonzalez

  • Google is data controller for indexing search results

  • Processing can be lawful at first, but become unlawful in the course of time, when no longer necessary for the purpose of the processing
Court's reasoning in Google Spain vs Gonzalez:
(see slide)

Context:
• Not a new right → Only new thing is to use it for search engines

• Not "forgetting" but removing a link

• Not for inconvenient data

• Data is still available on individual websites

• Data can still be searched with other search engines

- Do not overestimate 'the right to be forgotten'

Impact on Google:
(see slide)
- Google has been dealing with a lot of requests to delist URLs.

- Google is now publishing these transparency reports. → Google is not giving us all the information.

- Google decides what we see or not

• Finland – Request (example)

  • We received a request from a former high-ranking Finnish politician to delist seven news articles and the politician's own Wikipedia page from Google Search because the individual had left politics and changed their name.

• Outcome

  • We did not delist any of the URLs, considering the individual's significant historical role in public life.

• Greece – Request (example)

(see slide)

• Spain – Request (example)

(see slide)

• Netherlands – Request (example)

(see slide)

- Google decides what we get to see here (scary evolution that a company decides on this).

New development
• Does the "right to be forgotten" extend to newspaper archives?

  • Cases pending before the European Court of Human Rights

Right to object to processing and restrict it:

• When:

  • Accuracy of data should be verified

  • Data are processed unlawfully → Complain via a DPA (Data Protection Authority)

  • Decision is pending on whose interest prevails

• Can be a temporary restriction

• Implies right to access to data

Right to data portability:
• = to have your personal data transferred from one controller to another → who is delivering the same service

• Only when legal basis is consent or contract and when processing is automated

• Promises to give data subjects more control but has practical implications

- Data portability → opportunity to take matters into your own hands.


Lecture 5: How to enforce data protection?
Two scenarios
• Scenario 1:

  • Data processing is not compliant with law

• Scenario 2:

  • Law is not compliant with data protection principles

Scenario 1: data processing is not compliant with law
• Risk-based approach:

  • In both GDPR and Law Enforcement Directive

  • High risk processing and (low) risk processing

  • Security measures depend on the impact of the data processing on the data subject's rights

  • If high risk, then advice of DPO!

• High risk indicators:

  • Considering nature, scope, context and purposes of processing

  • New technologies

  • Large-scale processing

  • Profiling data

  • Special categories of data

  • Monitoring publicly accessible areas on a large scale

• High risk = data protection impact assessment (DPIA) required!

  • = Evaluation of origin, nature, particularity and severity of the risk

  • DPIA should include:

    • Data processing activities + purposes

    • Necessity & proportionality

    • Risks

    • Security & risk mitigation measures

• Prior consultation:

  • = Advice from DPA before starting high risk data processing

  • Required for high risk processing

• DPA audits:

  • Can be proactively organized by the DPA

  • Can be subject-specific, e.g. tracking cookies or appointment of a DPO

  • Can lead to intervention or sanctions


Scenario 1: Complaint or Data breach – data processing is not compliant with law
• Complaints:

  • By data subjects

  • On (potentially) unlawful data processing

• Data breach:

  • Accidental or criminal

  • Reporting duty

    • To DPA within 72 hours

    • To data subjects asap IF high risk for them

• Complaints to DPA:

  • By data subject (→ one-stop-shop mechanism)

  • Non-profit organization may represent data subject

  • Can be a collective complaint

• The DPA can:

  • Issue warnings & reprimands

  • Order:

    • Compliance with data subject requests

    • Compliance within specific time period

    • Data breach notification to data subject

    • Stop data processing

  • Impose administrative fines

• Fines in the GDPR:

  • Depending on a number of factors, incl. duration and severity of breach, mitigation measures, previous breaches, etc.

  • 2 categories:

    • Minor offences: up to 10m € or 2% worldwide annual turnover

    • Major offences: up to 20m € or 4% worldwide annual turnover

Biggest fines
• 746 million € for Amazon Europe by Luxembourg DPA

• 225 million € for WhatsApp Ireland by Irish DPA

• 90 million € for Google International by French DPA

• 5 billion USD for Facebook by US FTC

• 575 million USD for Equifax by US FTC

• Right to a judicial remedy:

  • Against controller/processor:

    • For unlawful processing

  • Against DPA:

    • For inaction

    • For unlawful binding decision

  • Can be mandated to a non-profit organization

• Questions for preliminary ruling to CJEU:

  • National courts ask questions of interpretation to the CJEU

  • Harmonized interpretation of EU law

  • E.g. Facebook case by Belgian DPA before CJEU

• Facebook case by Belgian DPA before CJEU, June 2021:

  • Pixel/cookies gathering data on non-Facebook users

  • Jurisdiction question before deciding on the merits of the case

  • Key conclusion: the leading DPA is not the only one that can bring legal claims against a company with establishments in more countries

Two scenarios
Scenario 2: Rules & principles
Exceptions – Right to data protection can be breached if it is:
• Legal

• Necessary

  • Direct link between data and purpose

• Proportionate

  • Intertwined with necessity

  • Goal cannot be achieved with less intrusive means

Scenario 2: law is not compliant with data protection principles
Overreach in data for police use:
• EU legal instruments annulled by CJEU:

  • Data Retention Directive – annulled in 2014

  • EU-US Safe Harbor agreement – annulled in 2015

  • EU-US Privacy Shield – annulled in 2020

Overreach in data for police use:
• National laws ruled against by the European Court of Human Rights:

  • 2015 Zakharov vs Russia

    • National law unclear + too much discretion

  • 2018 Big Brother Watch vs UK (final ruling May 2021)

    • Bulk interception in national law

    • No judicial authorization

    • Transfer to NSA

• ECtHR, Big Brother Watch v UK:

  • No clear position on metadata (§342)

  • No condemnation of bulk interception per se

  • But safeguards needed (§361)

  • Data transfers to other states are ok if there is (§497):

    • Legal basis

    • Effective safeguards

    • Independent supervision

    • Review afterwards

FYI: overview of courts

• Court of Justice of EU

• European Court of Human Rights

• International Court of Justice

• International Criminal Court


Lecture 6: How to transfer?

International Data Transfers

• Why international data transfers?

  • Commercial trade

  • Criminal investigations

• What is at stake?

  • Data protection standards

  • Individuals involved

  • Business

  • Prosecution of criminal acts

  • International relations
How to obtain data from abroad?
• Commercial purposes

  • Request data subject

  • Request data controller

  • Direct access

• Law enforcement purposes


International Data Transfers
Adequacy requirement
• = 3rd states must have an adequate level of data protection to receive personal data from the EU

• = EU idea

  • In Directive 95/46 and GDPR (+ copied by CoE)

  • Reason: avoiding "data laundering"

• Adequacy decision by European Commission

  • Based on:

    • Data protection legal framework

    • Respect for rule of law & human rights

    • Supervision and enforcement

    • International commitments

• Court of Justice:
  • Adequate is not necessarily identical

  • Adequate is "essentially equivalent"

  • Criteria for assessment:

    • Legal authority for surveillance measures

    • Restricted scope of surveillance

    • Proper oversight

    • Legal remedies and redress

• States/territories that have received an adequacy decision for data transfers in commercial matters:

  • Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, United Kingdom, Uruguay

The "Brussels Effect"

• Anu Bradford's research

• EU regulatory power

• Strong effect in commercial trade

• Less strong effect in criminal investigations

EU – US Data Transfers
