
Personal Data Protection and Management
Clare Keonha Shin

Assessment
• Group Project 30%
• Class participation 20%
• Final Exam 50%

How Much is Your Personal Data Worth?
https://ig.ft.com/how-much-is-your-personal-data-worth/

What does "privacy" mean to you?

Managers need to develop a proactive approach to legal matters

Proactive approach to law
• Promoting law-abiding behaviour, preventing illegal behaviour and managing legal risks
• ↑ legal certainty
• ↓ legal costs
• Understanding and using law as a source of competitive advantage

m.marzetti@ieseg.fr

Evolution of the legal idea of privacy (US)
• Privacy is a broader concept than data protection. E.g. privacy concerns impose limitations on interference with family life, drone flying zones, etc.
• Physical: "Every man's home is his castle." (Sir Edward Coke, 1604)
• "The Right to be left alone" by Samuel Warren and Louis Brandeis, 1890 Harvard Law Review
• Implicit right to privacy in the US Constitution (14th Amendment, fundamental right to privacy). The US Supreme Court first recognized the right to privacy in Griswold v. Connecticut (1965). (Privacy for contraception for married couples).
• Roe v. Wade (1973). (Abortion, overturned by Dobbs).
• Lawrence v. Texas (2003). (Same sex).

Evolution of the legal idea of privacy (EU)
• Data protection is anchored in European history (Nazi Germany and the Holocaust)
• Data protection as a reflection of the human right to one's privacy
• The EU has created a legal framework to regulate privacy, not a market one
• Early national privacy laws: France (1978), Germany (1983)
• OECD Guidelines as the basis for EU Law
• Data Protection Directive (1995)
• General Data Protection Regulation (2018)

Privacy Laws Around the World
• More than 100 countries have already enacted privacy laws
• Recent important examples are the Brazilian LGPD and the Californian CCPA
• There are different approaches to privacy, based on different philosophical conceptions (US-EU)
• There are also economic and geopolitical dimensions to data protection

Indian Supreme Court Declares Right To Privacy A Fundamental Right
• On 24 August 2017, the Supreme Court of India, in a historic judgement in Puttaswamy v. Union of India, declared the right to privacy a fundamental right protected under the Indian Constitution.
• The right to privacy is a fundamental right protected under Part III of the Constitution of India.
• While primarily focused on the individual's right against the State for violations of their privacy, this landmark judgement will have repercussions across both State and non-State actors and will likely result in the enactment of a comprehensive law on privacy.
• Full article: https://www.mondaq.com/india/privacy-protection/625192/supreme-court-declares-right-to-privacy-a-fundamental-right

US State Privacy Laws
Only California, Nevada and Maine have enacted state privacy laws

US Federal Privacy Laws
• The Fair Credit Reporting Act [FCRA] (1970)
• US Privacy Act (1974)
• Health Insurance Portability and Accountability Act [HIPAA] (1996)
• Children's Online Privacy Protection Act [COPPA] (2000)
• Gramm-Leach-Bliley Act [GLBA] (1999) – financial institutions

Sources of EU Rights of Privacy

Universal Declaration of Human Rights (UN, 1948)
Article 12.
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

The European Convention of Human Rights take on Privacy (1953)
ARTICLE 8
Right to respect for private and family life.
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

EU Charter of Fundamental Rights (2009)
Article 7
Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.

EU Charter of Fundamental Rights (2009)
Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

EU Law
• Primacy of EU law over domestic law (subject to the principle of conferral)
• Primary EU law (treaties)
• Secondary EU law
  • Regulations
  • Directives
  • Decisions
  • Recommendations

What is Data Protection Law?
• Data Protection law is about giving the individual (data subject) rights to know, control and decide what happens with his personal data
• Data Protection imposes obligations on those controlling and processing data subject's personal data
• Certain categories of personal data have a higher degree of protection than others (e.g. sensitive personal data)

What Are The Sources of EU Data Protection?
i. Regulation 2016/679, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe
ii. Directive (680/2016) on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.

EU Data Protection Laws
• 1995 – The (then) EC adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of data
• Problems with transposition, implementation asymmetries
• 2016 – The General Data Protection Regulation (GDPR) is adopted. It was a lengthy process of negotiations (4 years)
• GDPR replaces Directive 95/46/EC and entered into force on 25 May 2018

Compliance and the GDPR
• Compliance with the GDPR is not optional but mandatory
• The GDPR imposes many obligations on data controllers (e.g. to keep records of data processing activities, to implement state-of-the-art security measures such as encryption or pseudonymization, etc.)
• The consequences of not complying with the GDPR can be severe (hefty fines!)

Some tools for GDPR Compliance
• Record of processing activities
• Privacy Impact Assessment (PIA)
• Codes of conduct
• Binding Corporate Rules (BCR)

7 Principles of GDPR
1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitations
6. Integrity and confidentiality
7. Accountability

The E-Privacy Directive (2002)
• There is no E-Privacy Regulation (for the moment)
• The Privacy and Electronic Communications Directive (ePrivacy Directive) was passed in 2002 and amended in 2009 (in force in member countries since 2011)
• The ePrivacy Directive is a lex specialis vis-à-vis the GDPR
• General obligations: security and privacy (arts. 4 & 5)
• Deletion and anonymisation of traffic data (art. 6)
• Cookies: opt in rule, some exceptions (art. 5.3)
• Unsolicited email (spam): opt in rule (art. 13)

How Much Control Do You Think You Have Over Your Data?

Clare Keonha Shin
• Birthday?
• Age?
• Address?
• Languages?
• Personal e-mail?
• City born in?
• City raised in?
• Citizenships?
• Relationship status?
• Past/current partner?
• Sexual orientation?
• Children?
• Family members?
• Pets and their names?
• Best friend?
• Hobbies?

• Education?
• Published works?
• Jobs?
• Titles?
• Disabilities?
• Mental health?
• Medications?
• Illnesses?
• Surgery?
• Blood type?
• Organ donor?

• Credit Score?
• Credit card?
• Bank?
• Income?
• Monthly spending?
• Property owned?
• Car owned?
• Technologies owned?
• Vacations?
• Airline membership?
