CIPP/E PRACTICE QUESTION CORRECTLY TACKLED 2024/2025.
Rationales for Data Protection - Answers: 1) Increase in internet use; 2) Databanks more prevalent; 3) Telecommunications allow internet across borders; 4) Cross-border sharing made sharing more prevalent, which makes misuse more likely; 5) Sharing data is generally a good thing for society; 6) Balance free trade and personal privacy

E.U. v U.S. difference in Fundamental Right to Privacy - Answers: In E.U. it is a fundamental right. It is also a fundamental right under the Universal Declaration of Human Rights (adopted by U.N.)

Universal Declaration of Human Rights [Generally what did it provide] - Answers: Adopted in 1948 by the U.N.; states that people have an undeniable right to privacy. Via Article 12 - Right to Privacy and Family Life; Article 19 - Freedom of Expression. Must be balanced with legitimate interests of democratic society, morality, and public order

Universal Declaration of Human Rights [Article 12 - Right to Privacy and Family Life] - Answers: No person shall have their home, family, privacy, correspondence, honor, or reputation arbitrarily interfered with

Universal Declaration of Human Rights [Article 19 - Right to Expression] - Answers: Person shall have the right to express or impart opinion/ideas in any media without interference

Universal Declaration of Human Rights [Article 29 - Limit on Fundamental Rights] - Answers: Rights under 12 and 19 are not obsolete and instead must be balanced with morality, democratic society, and public order

European Declaration of Human Rights [Generally] - Answers: Adopted in 1958 by the European Commission; applied only to European member states; similar to Constitution of the U.S. fundamental rights + data privacy rights of the Universal Declaration of Human Rights

European Declaration of Human Rights [Rights] - Answers: Life, liberty, opinion, no torture, no slavery, marriage, privacy in home and family (similar to Article 12 of UDHR), speech, association, religion, expression, fair trial

European Declaration of Human Rights [Enforcement] - Answers: Originally it was the European Court of Human Rights, which was then changed to a single court dedicated to human rights that can issue opinions on the EDHR. Court findings are binding on member states

Organization of Economic Co-operation and Development [Generally] - Answers: 1) Non-binding on the EU states; 2) Intended to provide guidance in order to create a common set of principles to facilitate cross-border data exchange while protecting privacy; 3) EU states are free to interpret and implement how they want; 4) Does not discriminate based on technology or sector (private or public); 5) 1980

Organization of Economic Co-operation and Development [8 Principles] - Answers: Accountability (will take accountability for compliance with OECD); Collection (fair and lawful and consent where necessary); Openness (general transparency to data practices); Individual Participation (data rights); Purpose (limited purpose and data collection based on that purpose and use based on that purpose, state the purpose); Quality (relevant, accurate, up to date); Use (use in accordance with purpose); Security

Convention 108 [Generally] - Answers: 1) The first worldwide, binding data privacy law where any country could participate; 2) Based off of earlier Council of Europe resolutions 73, 74 and 507

Convention 108 [Chapter II Substantive Law - Principles of 108] - Answers: 1) PI is processed lawfully and fairly; 2) Limited collection to what is necessary (relevant and non-excessive); 3) Not retained longer than necessary; 4) Reasonable security as to prevent unauthorized access, use, disclosure; 5) Processing in line with purpose; 6) Sensitive data is not automatically processed; 7) Accurate and kept up to date; 8) Right to communicate, rectify, and erase data (end user data right)

Convention 108 [Chapter II Substantive Law - Exceptions to Principles] - Answers: Where a measure is necessary for state security or criminal investigation

Convention 108 [Chapter III Trans-border Flows] - Answers: 1) If a country is part of 108, then no other requirements can be placed on that country by another country in order to conduct a trans-border data flow (limited exception); rationale is that they've met the requirements of 108; 2) Exceptions: (i) if not a 108 entity then can place additional safeguards; (ii) can place additional safeguards if for a particular kind of data and the other country doesn't have similar safeguards

Convention 108 [Sensitive Data] - Answers: Sexual life, religion, gender, politics, health

Convention 108 [Mutual Assistance] - Answers: Section 108 members must appoint a data supervisory authority which helps end users exercise their data rights

European Data Protection Directive [Reason for Implementation] - Answers: A replacement to 108 because 108 was too open-ended and allowed member states too much authority to interpret and implement; made it difficult for compliance in each state.

European Data Protection Directive [Generally] - Answers: 1) Binding on all member states; 2) Allowed them to adopt implementation schemes; 3) Was intended to replace 108; 4) Still provided too much discretion on how to implement

Charter of Fundamental Rights of the European Union [Generally] - Answers: Consolidates the fundamental rights within the EU. Similar to EDHR in privacy. Charter became binding after the Treaty of Lisbon made it so.

Charter of Fundamental Rights of the European Union [Article 8 - Privacy] - Answers: 1) Everyone has right to protection of their personal information; 2) Right to access; 3) Right to rectify; 4) Supervisory authority oversees compliance; 5) Processed fairly based on consent or some other legitimate purpose

Treaty of Lisbon - Answers: A European Union-sanctioned treaty that will allow the European Parliament to become the co-equal legislator for almost all European laws. Incorporates the Charter of Fundamental Human Rights and makes it binding on EU. There was no mention of fundamental rights in the EU charter, so Treaty of Lisbon incorporated it

GDPR [Very General Overview] - Answers: Replaces the Directive. One set of rules across the EU

GDPR [Who Negotiated the GDPR] - Answers: Council of Europe Union, European Commission, European Parliament

GDPR [Implementation Dates] - Answers: May 2016 enacted. May 25, 2018 is when DPAs can enforce.

GDPR [Preemption and Exceptions] - Answers: GDPR preempts state law generally. Exceptions include: legal interests, processing for public interests, processing where have official authority

GDPR [Examples of where States can enact stricter legislation] - Answers: 1) Legal obligation; 2) Historical research; 3) Science research; 4) Public interest; 5) Sensitive data; 6) Sector-specific laws (i.e. HR employment)

GDPR Major Changes from Directive - Answers: 1) The "one stop shop" concept; 2) Accountability is heightened; 3) Penalties of 2-4%; 4) Increased data rights; 5) DPAs have more authority; 6) Data protection by design and default; 7) Broader applicability - anyone targeting EU or tracking or established in EU
Document information
- Uploaded on: February 26, 2024
- Number of pages: 80
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers