Council of the European Union

The Council of the European Union—sometimes informally referred to as the “Council of Ministers,” or more simply, the “Council”—is among the oldest of the E.U.’s governing institutions. Its genesis can be traced to the early treaties establishing a common European market. The Council of the European Union should not be confused with the European Council, a separate E.U. institution discussed in the next Module. Nor should it be confused with the Council of Europe, a distinction we discuss further below. When reference is made simply to the “Council,” this is a reference to the Council of the European Union—not the European Council or the Council of Europe.

The Council is composed of one representative of each member state of the European Union, at ministerial level.1 This representative may commit the government of the member state it represents and cast that member state’s vote.2 The representative, therefore, is ultimately accountable to the citizens of the member state it represents, along with that member state’s national parliament.

The Council is led by a Presidency that rotates among the member states every six months on an equal basis.3 The role of the Presidency is to preside over meetings of the Council, set its agenda, and represent the Council in its relationship with the European Commission and Parliament.4 The one exception is the Foreign Affairs Council, which is chaired by the High Representative of the Union for Foreign Affairs and Security Policy rather than by the rotating Presidency.

a. The Role of the Council

Under the modern E.U. framework, the Council plays a legislative, political, and budgetary role—similar to the European Parliament. Article 16(1) of the Treaty on European Union, as amended, provides: “The Council shall, jointly with the European Parliament, exercise legislative and budgetary functions. It shall carry out policy-making and coordinating functions as laid down in the Treaties” governing the E.U.5

As discussed in the preceding Module, there are three primary procedures used to enact legislation in the E.U. In the ordinary legislative procedure, both the Council and Parliament must agree on the legislation. In the consultation procedure, the Council has sole authority to enact legislation, though it must consult the Parliament in a non-binding process. In the consent procedure, the Council may adopt legislation only with the Parliament’s approval, but the Parliament cannot amend the text. In each of these procedures, the Council has authority to amend proposed legislation before its adoption. As noted previously, data protection legislation must be adopted according to the ordinary legislative procedure. Therefore, the Council plays a roughly equal role with the Parliament in the development of such legislation.

When the Council deliberates and votes on a draft legislative act, it must do so in public.6 To that end, the Treaty on European Union provides that each Council meeting is divided into two parts, one dealing with deliberations on Union legislative acts and the other with non-legislative activities. The public-meeting requirement attaches only to the legislative part; the Council’s non-legislative activities may therefore be conducted in private.

b. The Functioning of the Council

The voting procedure within the Council is governed by the treaties establishing the E.U. Each member state casts one vote, but the weight of those votes differs depending on the voting rule that applies. Where unanimity or a simple majority is required, each member state counts equally. Where a qualified majority is required—the default rule under the Treaty of Lisbon—Article 16(4) of the Treaty on European Union applies a “double majority” test: at least 55 percent of the members of the Council (comprising at least fifteen of them), representing member states that together account for at least 65 percent of the population of the Union. A blocking minority must include at least four Council members. The earlier system of weighted votes allocated to each member state no longer applies.

Acts adopted by the Council (jointly with the Parliament where the legislative procedure so requires) can include both regulations and directives. Additionally, however, the acts of the Council can take the form of decisions, common actions, common positions, recommendations, opinions, conclusions, declarations, or resolutions. The treaties establish whether a simple majority, a qualified majority, or unanimous consent is necessary to take any of these listed actions.

The Council is intended to function as a unified entity. When the Council meets, however, it does not necessarily meet as a collective group. Rather, the Treaty on European Union calls for the Council to “meet in different configurations.”7 There are currently ten different configurations, which include: (1) Agriculture and Fisheries; (2) Competitiveness; (3) Economic and Financial Affairs; (4) Education, Youth, Culture, and Sport; (5) Employment, Social Policy, Health and Consumer Affairs; (6) Environment; (7) Foreign Affairs; (8) General Affairs; (9) Justice and Home Affairs; and (10) Transport, Telecommunications and Energy.8

c. Distinction from the Council of Europe

As noted above, the Council of the European Union should not be confused with the European Council, another E.U. institution. It is equally as important, however, not to confuse the Council of the European Union with the Council of Europe.

The Council of Europe was first established in 1949 as a consultative body.9 Unlike the Council of the European Union and the European Council, the Council of Europe is not an institution of the E.U. Rather, the Council of Europe is an international organization of 46 member states that is entirely separate from the E.U. (its membership stood at 47 until the Russian Federation ceased to be a member in 2022). In its early years, it produced the European Convention on Human Rights, opened for signature in 1950.10 “[T]he aim of the Council of Europe is to achieve a greater unity between its Members for the purpose of safeguarding and realizing the ideals and principles which are their common heritage, and facilitating their economic and social progress.”11

In contrast, the European Union is a political and economic union of 27 member states (following the exit of the United Kingdom). Every member state of the European Union is also a member of the Council of Europe. Membership in the Council of Europe, however, is not a formal prerequisite for accession to the European Union.


Explanatory Note: Another distinction to be aware of is that between the E.U. and the European Economic Area (“EEA”). The EEA consists of all E.U. member states, along with the non-member states Iceland, Liechtenstein, and Norway. The EEA is based on the EEA Agreement, signed in 1992 and in force since 1994, which allows these non-member states to participate fully in the E.U.’s internal market. Switzerland is not a member of the EEA, but it has a set of bilateral agreements with the E.U. that also permits it to take part in Europe’s internal market. The distinction matters for data protection because the GDPR applies throughout the EEA, not only within the E.U.

Key Points
  • The Council of the European Union (a/k/a “the Council of Ministers” or “the Council”) plays a role similar to that played by Parliament – legislative, budgetary, and political roles
  • Composed of one representative at ministerial level for each member state and led by a Presidency that rotates every six months
  • Must deliberate and vote on draft legislative acts in public; non-legislative activities may be conducted in private
  • Qualified-majority voting uses a “double majority” of member states and E.U. population rather than weighted votes
  • Should not be confused with the European Council (another E.U. institution) or the Council of Europe (a separate international organization)
Sources


1. Consolidated Version of the Treaty on European Union art. 16(2), June 7, 2016, 2016 O.J. (C 202) 1, 15.

2. Consolidated Version of the Treaty on European Union art. 16(2), June 7, 2016, 2016 O.J. (C 202) 1, 15.

3. Council of the European Union, The Presidency of the Council of the EU: A Rotating Presidency, https://www.consilium.europa.eu/en/council-eu/presidency-council-eu/.

4. Council of the European Union, The Presidency of the Council of the EU: A Rotating Presidency, https://www.consilium.europa.eu/en/council-eu/presidency-council-eu/.

5. Consolidated Version of the Treaty on European Union art. 16(1), June 7, 2016, 2016 O.J. (C 202) 1, 15.

6. Consolidated Version of the Treaty on European Union art. 16(8), June 7, 2016, 2016 O.J. (C 202) 1, 15.

7. Consolidated Version of the Treaty on European Union art. 16(6), June 7, 2016, 2016 O.J. (C 202) 1, 15.

8. Council of the European Union, Council Configurations, https://www.consilium.europa.eu/en/council-eu/configurations/.

9. Council of Europe, About the Council of Europe – Overview: History, https://www.coe.int/en/web/yerevan/the-coe/about-coe/overview.

10. Council of Europe, About the Council of Europe – Overview: History, https://www.coe.int/en/web/yerevan/the-coe/about-coe/overview.

11. Council of Europe, Statute on the Council of Europe, Art. 1(a), https://rm.coe.int/1680306052.
