A complete summary of all the information needed for the 2023 CIPP/E exam. Compiled from the European Data Protection Law & Practice textbook, EDPB guidelines and background reading.
Used to obtain an overall score across all three sections of 98.7%.
Clear, organized and, above all, compact. Not the idea that something is missing. Good test preparation
Seller
Follow
lpc-bpp
Reviews received
Content preview
Chapter 2: European Union Institutions: Questions: 1-2
All roles and powers set out in the Treaty of Lisbon.
European Central Bank (can make binding decisions) and Court of Auditors (just know exist)
EUROPEAN COUNCIL
Meet 4 x per year to define political agenda, cannot create laws.
1974: Started as an informal body.
1992: Treaty of Maastricht - forum for governments to discuss community issues.
Now: Made up of all 27 Heads of State (EU) and the President of the Commission.
President is elected by a qualified majority of the European Council - 2.5 years, renewable once.
Decisions usually made by consensus, but sometimes need to be unanimous (set out in treaties).
EUROPEAN COMMISSION
1965: Created by merging the Coal and Steel, Economic and Atomic Energy Communities.
Made up of state Commissioners who are independent from their nominating country.
Overseen by Parliament (so that democratically elected representatives oversee everything).
First role is to propose legislation to the Council of the European Union and Parliament.
Second role is to oversee enforcement through CJEU.
Only institution that can make adequacy decisions.
COUNCIL OF THE EUROPEAN UNION
1950s: Established by the treaties that laid the foundations of the EU.
Jointly makes decisions with Parliament – can amend proposals before adoption.
Issues regulations, directives, decisions, recommendations and opinions.
Made up of 1 national minister from each state (27 total), e.g. Minister for Agriculture.
President voted in by qualified majority and need at least 65%.
Only their meetings to vote on laws must be held in public – not full transparency.
1. Legislative
Shares legislative power with the Council.
Cannot create legislation itself, only ask Commission to submit to the Council.
Can invite Commission and Council to consider amending or developing new policies.
a.Ordinary procedure: Both Parliament and Council agree to legislation – equal (DP Legislation).
b. Consultation procedure: Council must consult Parliament but can go ahead anyway.
c.Consent procedure: Council must consult Parliament and needs their consent.
2. Political
Elects the President of the Commission.
Can censure the Commission and require all Commissioners to resign.
Commission must regularly submit reports to Parliament for scrutiny.
Known for advocating privacy rights.
3. Budgetary
Jointly agrees the budget with the Council so influences EU spending subject to spending limits.
4. Membership
Members directly elected by EU citizens every 5 years.
, Proportional representation, minimum 6, maximum 96 – 751 total.
Sit in political groups of at least 25 members and at least ¼ states represented in each group.
5. Plenary Sessions
Members prepare for plenary sessions in parliamentary committees.
One member is appointed as rapporteur – prepared report on proposed legislative text.
Debate and amend within committee and political groups, then submit to Parliament.
Political groups can propose amendments in plenary sessions then adopted by Parliament.
Procedure repeated one or more times depending on if the Council agrees.
Adopted by simple majority vote.
COURT OF JUSTICE OF THE EUROPEAN UNION (CJEU)
Treaty of Paris 1951: Started with EU Coal and Steel Community.
Treaty of Rome 1957: Became the European Community’s court.
Treaty of Maastricht 1992: Foundational Treaty for the EU. Powers expanded.
Treaty of Lisbon: Extended jurisdiction and renamed from CJE-Communities to CJE-Union.
Commission brings actions against state or for individuals and enforces CJEU actions.
Court of Justice (ECJ):
o 27 judges, 1 from each state, 6 year term.
o Judges elect one of the judges to be President for 3 years
o 8 Advocates General – non-binding decisions about how to decide the case.
o Hears appeals from the Court of First Instance.
Role of ECJ in DP:
o Jurisdiction on GDPR - hears cases referred from national courts on interpretation of EU law.
o Hears cases brought by Commission against states for failure to ratify treaties.
o 2010: UK failed to implement rules on confidentiality of electronic communications.
o BUT Supervisory Authorities have the power to impose administrative fines, not CJEU.
Key Cases:
o Google Spain: Right to be Forgotten - Search engines "established" and remove listings.
o Digital Rights Ireland: Invalidated the Data Retention Directive.
o ANAF: Must inform individuals before making a transfer between public administrative bodies.
o Weltimmo: Even minimal activities in a member state can trigger that state’s laws.
o Schrems: Invalidated Safe Harbour.
o Tele2 Sverige and Tom Watson: Cannot indiscriminately retain PD, even for fighting crime.
EUROPEAN COURT OF HUMAN RIGHTS (ECtHR)
NOT an EU institution, oversees ECHR which was created by Council of Europe (non-EU institution)
Receives complaints (‘Applications’) from individuals (directly been a victim) and states.
Issues binding judgements – gives reasons for decision and dissenting can give a separate opinion.
Can go beyond states’ partial reparation to afford just satisfaction.
Judges equal to the number of members, sit in individual capacity and do not represent any state.
No more than 1 judge can be a national of a state.
Chamber of 7 judges considers each case.
Cannot overrule national decisions or annul national laws – cannot force to implement EU law.
ECtHR decisions enforced by Council of Europe.
Cases around A.8 right to respect for private and family life so active in DP:
o MM v UK (2012): Cannot indiscriminately collect criminal data – need clear safeguards.
o Copeland v UK (2007): Cannot monitor email at work (no law allowing this).
o Gaskin v UK (1989): Have to allow individuals to access their data.
, Chapter 1: Origins and Development of European Data Protection Law: Questions: 0-1
Chapter 3: Legislative Framework: Questions: 3-7
Rationale
1970’s: More computers and international trade from European Economic Community (EEC).
Public bodies and corporations created data banks and automated storage.
Bad for privacy, worse when transferred internationally.
Individual states had different laws.
Need to give individuals control over privacy but still allow international free flow in EEC.
Human Rights Law
1. Universal Declaration of Human Rights – FIRST PRIVACY LAW
1948: General Assembly of the United Nations
A.12 (RIGHT): No arbitrary interference with privacy, family, home or correspondence.
A.19: Freedom of expression.
A.29(2) (LIMIT): Individual rights are not absolute - limited to secure rights of others (balance).
2. European Convention on Human Rights
1953: Council of Europe – built on the Universal Direction of Human Rights.
ONLY applies to member states.
Enforced by the European Court of Human Rights – binding rulings for changes to laws and practice.
Council of Europe can request ECtHR gives advisory opinions.
Need for balance and justifiable interference.
o A.8(1): Right to respect for private and family life, home and correspondence
o A.8(2): Can interfere if necessary in interests of national security, public safety, economic
wellbeing, prevent crime, protect health and morals, protect others’ right and freedoms.
o A.10(1): Right to freedom of expression and to share information and ideas.
o A.10(2): Can interfere where prescribed by law and necessary.
Early DP Laws
3. 1960-1980: State Laws
Created own laws to control use of PD by governments and companies.
Austria, Denmark, France, Germany, Luxembourg, Norway and Sweden.
Spain, Portugal and Austria – DP included as fundamental right in constitutions.
.
4. 1968: Recommendation 509
On human rights and modern scientific and technological developments.
Council of Europe – Framework of principles and standards to deal with new tech harming A.8
Principles for automated databanks.
Objective – persuade states to develop own legislation.
Failed as needed clear needed binding international standards.
6. OECD Guidelines (ANY COUNTRY, BUT NOT BINDING)
Organisation for Economic Co-operation and Development (OECD)
Role to promote policies for economic growth and employment to raise standard of living.
ANY COUNTRY can be a member.
1980: Guidelines on the Protection of Privacy and Transborder Flows of PD
o Seeks to harmonise DP laws between countries.
, o Prepared with Council of Europe and European Community.
o NOT BINDING – just basis for those with no DP laws or principles to add to existing.
o Covers both electronic and manual.
Free flow of data:
o Cooperate with other countries – balance privacy without stopping flow.
o Take reasonable and appropriate steps to ensure transfers uninterrupted and secure.
o Can impose restrictions on transfer to countries that do not observe the Guidelines.
o Avoid developing laws and policies that create obstacles beyond needed for protection.
Principles:
o Collection Limitation: Fairly and lawfully, if appropriate with knowledge or consent.
o Data Quality: Relevant, complete, accurate and up to date.
o Purpose Specification: Specify purpose at least by collection and use compatibly.
o Use Limitation: Disclose consistent with purpose unless consent or lawful authority.
o Security Safeguards: Reasonable safeguards against loss, destruction, use, disclosure.
o Openness: Open about uses and controller’s identity and location.
o Individual Participation: Sets out what DS can receive if requests PD.
o Accountability: Controller accountable for complying with principles.
7. CONVENTION 108 (FIRST LEGALLY BINDING AND OPEN TO ANY COUNTRY)
Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data
1981: Signed by member states of Council of Europe, and open to any country.
Convention 108 Advisory Committee monitors implementation and decides new accessions.
If sign up then must enact in own legislation – a response to the Resolutions having no effect.
GDPR, Recital 105: Consider if country has acceded to Convention 108 when deciding adequacy.
Use data in computerised form then have responsibility to safeguard – decisions made using PD.
Goal for unity and extend safeguards for privacy given international transfers.
Only allowed exemptions if necessary in a democratic society and proportionate
27 Articles, including –
o Chapter 2: Basic Principles (based on Resolutions and Guidelines) – still used in GDPR.
Obtained and processed fairly and lawfully.
Stored for specified and legitimate purposes and used compatibly.
Adequate, relevant and not excessive for purposes.
Accurate and kept up to date.
Kept for no longer than required for purposes.
Appropriate security measures – accidental loss and unauthorised access.
Special Categories: Racial, political, religious, health, sexual life, criminal – need safeguards.
DS Rights of communication, rectification and erasure.
o Chapter 3: International Transfers
Principle that should avoid developing laws in the name of privacy that stop data
transfers.
A.12: Signatories cannot impose prohibitions or special authorisations on each other –
already offer minimum protections.
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller lpc-bpp. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $17.14. You're not tied to anything after your purchase.
