adam's notes

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) is a law that covers data protection and privacy for all individuals in the European Union.

  • Est. 2018
  • Applies to anyone collecting data about EU citizens, regardless of the country in which you’re working
  • https://commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_en
  • states and clarifies the responsibilities of data processors
  • provides guidelines for compliance
  • specifies the incurred penalties for violations
  • defines notions useful to privacy protection including
    • personal data
    • acts of processing
    • data protection principles
    • obligations of data processors
  • very costly fines for noncompliance

Scope

  • aims to protect all personal data for everyone in the EU by any entity handling personal data

Personal Data

Personal data is any information that can be used to identify a natural person.

  • individuals protected by GDPR are referred to as natural persons or data subjects
  • e.g.
    • Name, date of birth, address, pictures
    • Phone number, email address, IP address, geolocation
    • Membership number (of associations, political parties, etc.)
    • etc.
  • special categories of personal data require more stringent measures of protection:
    • religion
    • ethnicity
    • sexual orientation
    • trade union membership
    • medical information

Data Controllers and Processors

  • GDPR applies to both:
    • data controllers
      • is the entity that ultimately is in charge of data
      • ”… determines the purposes and means of processing of personal data…”
    • data processors
      • is any other entity that handles personal data for the controller

Territorial Jurisdiction

  • jurisdiction applies to
    • all organizations established in the EU
    • organizations that control or process data on EU data subjects

Acts of Processing

  • acts on data that need protection:
    • Collecting, recording, organizing, structuring, and storing data
    • Adapting, combining, updating, retrieving, consulting, and using data
    • Disclosing and disseminating data
    • Authorizing/restricting access to data
    • Erasing and destroying data
    • Migration of data from a location to another

Requirements

  • Organizations must get informed consent before collecting, processing, or retaining personal data
    • informed consent means:
      • data must be collected and processed only for the stated purpose
      • that purpose must be clearly described to the user in plain language
    • individuals have right to withdraw consent
  • Report data breaches
  • Give individuals the right to access, amend, and remove collected data
  • Set specific guidelines for privacy and privacy programs

Data Subject Rights

  • GDPR grants EU citizens 8 privacy rights:
    1. The right to be informed
    2. The right of access
    3. The right to rectification
      • can request corrections to information about them
    4. The right to erasure (right to be forgotten)
    5. The right to restrict processing
      • can request controllers to halt processing activities
    6. The right to data portability
      • right to get a copy of data in a machine-readable format
    7. The right to object
      • can object to any processing of personal data they believe is out of compliance
    8. Rights in relation to automated individual decision-making and profiling
      • means that AI or any automated processing alone can’t make any decisions that have significant or legal impact on a person
  • Contained in Articles 15-22

Principles of Data Protection

  1. Lawfulness, fairness, and transparency
  2. Data collection / purpose limitation
    • collect data for specified, explicit, and legitimate purposes
  3. Data minimization
    • collect adequate, relevant, and limited amount of data to what is necessary
  4. Data accuracy
    • collect accurate and keep up to date
  5. Data storage limitation
    • keep data for no longer than necessary for the specified purpose
  6. Integrity and confidentiality (security)
  7. Accountability

Data Transfers

  • GDPR prohibits transfer of data to non-EU countries unless recipient offers equal privacy protections
  • data transfer mechanisms
    • EU-US Privacy Shield program
    • Binding Corporate Rules
    • Standard Contractual Clauses

Adequacy Decisions

Adequacy decision occurs when the EU reviews the privacy laws of another nation and decides those laws are adequate to protect EU data subjects’ privacy commensurate with GDPR.

  • allows data transfers to occur between the countries without further legal approval

US-EU Safe Harbor and Privacy Shield

Safe harbor programs establish a common set of privacy regulations, and member nations commit to enforcing those privacy standards.

  • allow companies in strict privacy regulation nations to transfer data to and from nations with less-strict laws
  • typically aligned to the strictest laws
  • nation first becomes a member of the safe harbor program
    • then company can join by seeking third-party certification to verify their privacy practices

Privacy Shield program provides a framework to allow U.S. companies to transfer data to and from the EU

  • framework matches the requirements of GDPR
  • EU has an adequacy decision for this program allowing data transfers
  • in 2020 Privacy Shield was struck down by EU courts

Binding Corporate Rules

  • GDPR allows data transfer outside the EU when all parties in a given corporate group agree to adopt specific rules for data privacy

Binding Corporate Rules (BCR) are complex agreements wherein each party agrees to adhere to GDPR standards for data protection.

  • must be legally binding in all relevant jurisdictions
  • an EU org that acts as controller or processor must assume liability for any damages from violations by non-EU partners
    • unless can prove they were not at fault
  • requires approval by EU member state supervisory authority
  • good way to facilitate ongoing data transfer arrangements among multiple MNCs
  • complex because some nations have conflicting regulations
    • e.g., US requires some disclosures of personal data that GDPR prohibits

Standard Contractual Clauses

  • two companies entering into a contract can include contract language that obligates the non-EU company to follow GDPR practices
    • better for smaller companies and simpler
  • European Commission issues standardized clauses that can be used
  • EU company that plans to share data is designated as the data exporter
  • non-EU company receiving the data is designated as a data importer

Other Transfer Mechanisms

Derogation describes specific and limited exemptions when an isolated data transfer may take place.

  • permit data transfer without the protections of an adequacy decision, BCR, or SCC
  • allowed circumstances:
    • with informed consent of data subject
    • to fulfill contractual obligations with data subject
    • for “important reasons of the public interest”
    • to fulfil legal obligations
    • to safeguard the “vital interests” of the data subject
      • only if unable to provide consent
    • if the information is already publicly available
  • other exemptions apply to one-time transfers that affect a small number of data subjects
  • exemptions represent an elevated legal risk under GDPR

Graph View

Backlinks